| author | Joel Low | 2024-12-14 13:39:36 +0000 |
|---|---|---|
| committer | Hauke Mehrtens | 2024-12-23 22:37:57 +0000 |
| commit | 0e2dcfc4f488ecd7acf31e01bd10624d8a273cde (patch) | |
| tree | d47af8c9af03c4f2f0d0dc0e07dd348dc46b698e | |
| parent | b3ce08e0b6fa6780bf7ee295a1f176c053b1100b (diff) | |
netfilter: add kmod-nfnetlink-ct{helper,timeout}
Add kmod-nfnetlink-ct{helper,timeout} to allow handling firewall rules
in userspace (together with conntrackd). The timeout module allows
specifying custom expiration rules.
Signed-off-by: Joel Low <joel@joelsplace.sg>
Link: https://github.com/openwrt/openwrt/pull/17267
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
| -rw-r--r-- | config/Config-kernel.in | 7 | ||||
| -rw-r--r-- | package/kernel/linux/modules/netfilter.mk | 34 |
2 files changed, 41 insertions, 0 deletions
diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index 91678cf2a6..64c8c63466 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1239,6 +1239,13 @@ config KERNEL_MPTCP_IPV6
 default KERNEL_MPTCP
 endif
+config KERNEL_NF_CONNTRACK_TIMEOUT
+ bool "Per-connection connection tracking timeout"
+ default y if !SMALL_FLASH
+ help
+ Select this option to enable support for per-connection conntrack timeouts.
+ Increases the (uncompressed) size of nf_conntrack.ko by ~8kB.
+
 #
 # NFS related symbols
 #
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index cf66bd8cd8..30ff35ca6b 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -1048,6 +1048,40 @@ endef
 $(eval $(call KernelPackage,nfnetlink-queue))
+define KernelPackage/nfnetlink-cthelper
+ TITLE:=Netfilter User space conntrack helpers
+ FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_cthelper.ko
+ KCONFIG:=CONFIG_NF_CT_NETLINK_HELPER
+ AUTOLOAD:=$(call AutoProbe,nfnetlink_cthelper)
+ $(call AddDepends/nfnetlink,+kmod-nfnetlink-queue +kmod-nf-conntrack-netlink)
+endef
+
+define KernelPackage/nfnetlink-cthelper/description
+ Kernel modules support for a netlink-based connection tracking
+ userspace helpers interface
+endef
+
+$(eval $(call KernelPackage,nfnetlink-cthelper))
+
+
+define KernelPackage/nfnetlink-cttimeout
+ TITLE:=Netfilter conntrack expectation timeout
+ FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_cttimeout.ko
+ KCONFIG:=CONFIG_NF_CT_NETLINK_TIMEOUT
+ AUTOLOAD:=$(call AutoProbe,nfnetlink_cttimeout)
+ $(call AddDepends/nfnetlink,+kmod-nf-conntrack +kmod-nf-conntrack-timeout @KERNEL_NF_CONNTRACK_TIMEOUT)
+endef
+
+define KernelPackage/nfnetlink-cttimeout/description
+ Kernel modules support for a netlink-based connection tracking
+ userspace timeout interface
+
+ Requires CONFIG_NF_CONNTRACK_TIMEOUT (only enabled for non-small flash devices)
+endef
+
+$(eval $(call KernelPackage,nfnetlink-cttimeout))
+
+
 define KernelPackage/nf-conntrack-netlink
 TITLE:=Connection tracking netlink interface
 FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko |
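Review bot: The dependency list of `KernelPackage/nfnetlink-cttimeout` names `+kmod-nf-conntrack-timeout`, but no such package is defined in this commit, and the Config-kernel.in hunk describes the timeout support as a bool that grows nf_conntrack.ko rather than a separate module. If no `KernelPackage/nf-conntrack-timeout` exists elsewhere in the tree, the dependency is dangling and the line should read `$(call AddDepends/nfnetlink,+kmod-nf-conntrack @KERNEL_NF_CONNTRACK_TIMEOUT)`. The `TITLE:=Netfilter conntrack expectation timeout` also does not match the package's own description ("userspace timeout interface"), so the word "expectation" looks like a leftover and should go. Both new packages set `AUTOLOAD:=$(call AutoProbe,...)`, so installing either one loads an extra netlink interface into the kernel at every boot; the descriptions could say that the modules are only useful with a userspace consumer such as conntrackd, so that they are not installed without one. The help text of `KERNEL_NF_CONNTRACK_TIMEOUT` in the Config-kernel.in hunk would likewise be clearer if it named kmod-nfnetlink-cttimeout as the package that needs the option.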