# Copyright (C) 2006-2010 OpenWrt.org
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
# Menu label for the packages below (listing gap: original line 10 is not shown).
NF_MENU:=Netfilter Extensions

# Shared netfilter definitions. The IPT_*-m, EBTABLES*-m and KCONFIG_* variables used below
# are not defined anywhere in this listing; presumably they come from this include.
include $(INCLUDE_DIR)/netfilter.mk
# kmod-ipt-core: packages the modules listed in IPT_CORE-m and registers them with
# AutoLoad argument 40, the lowest value used in this listing.
# NOTE(review): the listing skips original lines 14-17 and 19, so the assignment that the
# CONFIG_NETFILTER_ADVANCED=y continuation line belongs to, and whatever followed its
# trailing backslash, are not visible. The block is left exactly as shown rather than guessed at.
13 define KernelPackage
/ipt-core
18 CONFIG_NETFILTER_ADVANCED
=y \
20 FILES
:=$(foreach mod
,$(IPT_CORE-m
),$(LINUX_DIR
)/net
/$(mod
).ko
)
21 AUTOLOAD
:=$(call AutoLoad
,40,$(notdir $(IPT_CORE-m
)))
# Description text for kmod-ipt-core.
# Listing gap: original lines 26-35 are not shown (first description line only).
define KernelPackage/ipt-core/description
 Netfilter core kernel modules
endef

# Instantiate the package from the KernelPackage template.
$(eval $(call KernelPackage,ipt-core))
# Appends +kmod-ipt-core, followed by the caller's first argument, to DEPENDS.
# NOTE(review): presumably this is the body of AddDepends/ipt, which the packages in this
# listing invoke via $(call AddDepends/ipt,...); its define line (original lines 37-40) is
# not part of this listing — confirm against the original file.
41 DEPENDS
+= +kmod-ipt-core
$(1)
# kmod-ipt-conntrack: basic connection tracking. Ships every module named in
# IPT_CONNTRACK-m, registers them with AutoLoad argument 41 and takes the common
# dependencies from AddDepends/ipt.
define KernelPackage/ipt-conntrack
  TITLE:=Basic connection tracking modules
  KCONFIG:=$(KCONFIG_IPT_CONNTRACK)
  FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,41,$(notdir $(IPT_CONNTRACK-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 55-62 are not shown (first description line only).
define KernelPackage/ipt-conntrack/description
 Netfilter (IPv4) kernel modules for connection tracking
endef

$(eval $(call KernelPackage,ipt-conntrack))
# kmod-ipt-conntrack-extra: additional connection tracking modules from
# IPT_CONNTRACK_EXTRA-m. AutoLoad argument 42; depends on kmod-ipt-conntrack
# (AutoLoad 41) on top of the common AddDepends/ipt dependencies.
define KernelPackage/ipt-conntrack-extra
  TITLE:=Extra connection tracking modules
  KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
  FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-conntrack)
endef

# Listing gap: original lines 76-83 are not shown (first description line only).
define KernelPackage/ipt-conntrack-extra/description
 Netfilter (IPv4) extra kernel modules for connection tracking
endef

$(eval $(call KernelPackage,ipt-conntrack-extra))
# kmod-ipt-filter: packet content inspection modules from IPT_FILTER-m.
# AutoLoad argument 45; additionally depends on kmod-lib-textsearch and
# kmod-ipt-conntrack.
define KernelPackage/ipt-filter
  TITLE:=Modules for packet content inspection
  KCONFIG:=$(KCONFIG_IPT_FILTER)
  FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_FILTER-m)))
  $(call AddDepends/ipt,+kmod-lib-textsearch +kmod-ipt-conntrack)
endef

# Listing gap: original lines 97-101 are not shown (first description line only).
define KernelPackage/ipt-filter/description
 Netfilter (IPv4) kernel modules for packet content inspection
endef

$(eval $(call KernelPackage,ipt-filter))
# kmod-ipt-ipopt: modules from IPT_IPOPT-m that match on or rewrite IP packet options.
# AutoLoad argument 45; common dependencies only.
define KernelPackage/ipt-ipopt
  TITLE:=Modules for matching/changing IP packet options
  KCONFIG:=$(KCONFIG_IPT_IPOPT)
  FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPOPT-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 115-128 are not shown (first description line only).
define KernelPackage/ipt-ipopt/description
 Netfilter (IPv4) modules for matching/changing IP packet options
endef

$(eval $(call KernelPackage,ipt-ipopt))
# kmod-ipt-ipsec: modules from IPT_IPSEC-m for matching IPSec packets.
# AutoLoad argument 45; common dependencies only.
define KernelPackage/ipt-ipsec
  TITLE:=Modules for matching IPSec packets
  KCONFIG:=$(KCONFIG_IPT_IPSEC)
  FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPSEC-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 142-147 are not shown (first description line only).
define KernelPackage/ipt-ipsec/description
 Netfilter (IPv4) modules for matching IPSec packets
endef

$(eval $(call KernelPackage,ipt-ipsec))
# kmod-ipt-nat: basic NAT targets from IPT_NAT-m. AutoLoad argument 42, one above
# the kmod-ipt-conntrack package it depends on (41).
define KernelPackage/ipt-nat
  TITLE:=Basic NAT targets
  KCONFIG:=$(KCONFIG_IPT_NAT)
  FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_NAT-m)))
  $(call AddDepends/ipt,+kmod-ipt-conntrack)
endef

# Listing gap: original lines 161-164 are not shown (first description line only).
define KernelPackage/ipt-nat/description
 Netfilter (IPv4) kernel modules for basic NAT targets
endef

$(eval $(call KernelPackage,ipt-nat))
# kmod-ipt-nat-extra: additional NAT targets from IPT_NAT_EXTRA-m. AutoLoad
# argument 43, one above the kmod-ipt-nat package it depends on (42).
define KernelPackage/ipt-nat-extra
  TITLE:=Extra NAT targets
  KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA)
  FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat)
endef

# Listing gap: original lines 178-182 are not shown (first description line only).
define KernelPackage/ipt-nat-extra/description
 Netfilter (IPv4) kernel modules for extra NAT targets
endef

$(eval $(call KernelPackage,ipt-nat-extra))
# kmod-ipt-nathelper: the default conntrack/NAT helpers from IPT_NATHELPER-m.
# AutoLoad argument 45; depends on kmod-ipt-nat.
# NOTE(review): conntrack helpers parse application payloads in the kernel and create
# expectations for related flows, and AUTOLOAD makes them active on every boot. Worth
# checking that each helper in IPT_NATHELPER-m is actually needed on the target image.
define KernelPackage/ipt-nathelper
  TITLE:=Basic Conntrack and NAT helpers
  KCONFIG:=$(KCONFIG_IPT_NATHELPER)
  FILES:=$(foreach mod,$(IPT_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat)
endef

# Listing gap: original lines 196-201 are not shown (first description line only).
define KernelPackage/ipt-nathelper/description
 Default Netfilter (IPv4) Conntrack and NAT helpers
endef

$(eval $(call KernelPackage,ipt-nathelper))
# kmod-ipt-nathelper-extra: further conntrack/NAT helpers from IPT_NATHELPER_EXTRA-m.
# AutoLoad argument 45; depends on kmod-ipt-nat and kmod-lib-textsearch.
# NOTE(review): as with the basic helpers, every module listed here is auto-loaded and
# parses application payloads in the kernel; confirm the list in IPT_NATHELPER_EXTRA-m
# matches what the deployment needs.
define KernelPackage/ipt-nathelper-extra
  TITLE:=Extra Conntrack and NAT helpers
  KCONFIG:=$(KCONFIG_IPT_NATHELPER_EXTRA)
  FILES:=$(foreach mod,$(IPT_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat +kmod-lib-textsearch)
endef

# Listing gap: original lines 215-225 are not shown (first description line only).
define KernelPackage/ipt-nathelper-extra/description
 Extra Netfilter (IPv4) Conntrack and NAT helpers
endef

$(eval $(call KernelPackage,ipt-nathelper-extra))
# kmod-ipt-queue: user-space packet queueing module(s) from IPT_QUEUE-m.
# AutoLoad argument 45; common dependencies only.
# Listing gap: original line 232 (between KCONFIG and FILES) is not shown.
# NOTE(review): queued packets get their verdict from a user-space listener, so filtering
# then depends on that process being present and trusted — confirm how the image handles
# a missing listener.
define KernelPackage/ipt-queue
  TITLE:=Module for user-space packet queueing
  KCONFIG:=$(KCONFIG_IPT_QUEUE)
  FILES:=$(foreach mod,$(IPT_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_QUEUE-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 240-243 are not shown (first description line only).
define KernelPackage/ipt-queue/description
 Netfilter (IPv4) module for user-space packet queueing
endef

$(eval $(call KernelPackage,ipt-queue))
# kmod-ipt-ulog: user-space packet logging module(s) from IPT_ULOG-m.
# AutoLoad argument 45; common dependencies only.
define KernelPackage/ipt-ulog
  TITLE:=Module for user-space packet logging
  KCONFIG:=$(KCONFIG_IPT_ULOG)
  FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_ULOG-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 257-260 are not shown (first description line only).
define KernelPackage/ipt-ulog/description
 Netfilter (IPv4) module for user-space packet logging
endef

$(eval $(call KernelPackage,ipt-ulog))
# kmod-ipt-debug: debugging/development modules from IPT_DEBUG-m.
# AutoLoad argument 45; common dependencies only.
# Listing gap: original line 267 (between KCONFIG and FILES) is not shown.
# NOTE(review): the modules are auto-loaded once the package is installed; consider whether
# a debugging aid belongs on production images at all.
define KernelPackage/ipt-debug
  TITLE:=Module for debugging/development
  KCONFIG:=$(KCONFIG_IPT_DEBUG)
  FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_DEBUG-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 275-278 are not shown (first description line only).
define KernelPackage/ipt-debug/description
 Netfilter modules for debugging/development of the firewall
endef

$(eval $(call KernelPackage,ipt-debug))
# kmod-ipt-led: LED trigger target from IPT_LED-m. AutoLoad argument 61, the
# highest value used in this listing; common dependencies only.
define KernelPackage/ipt-led
  TITLE:=Module to trigger a LED with a Netfilter rule
  KCONFIG:=$(KCONFIG_IPT_LED)
  FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,61,$(notdir $(IPT_LED-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-led/description
 Netfilter target to trigger a LED when a network packet is matched.
endef

$(eval $(call KernelPackage,ipt-led))
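# kmod-ipt-tproxy: transparent proxying. Ships nf_tproxy_core.ko plus the modules in
# IPT_TPROXY-m and auto-loads nf_tproxy_core ahead of them (AutoLoad argument 50).
# Depends on kmod-ipt-conntrack and, when IPV6 is enabled, kmod-ipv6 and kmod-ip6tables.
# NOTE(review): the listing skips original lines 299 and 303, which sit directly above the
# CONFIG_* list and the module-path list. They are restored here as `KCONFIG:= \` and
# `FILES:= \` because this file assigns kernel symbols to KCONFIG and .ko paths to FILES
# everywhere else — confirm against the original file.
define KernelPackage/ipt-tproxy
  TITLE:=Transparent proxying support
  DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ipv6 +IPV6:kmod-ip6tables
  KCONFIG:= \
    CONFIG_NETFILTER_TPROXY \
    CONFIG_NETFILTER_XT_MATCH_SOCKET \
    CONFIG_NETFILTER_XT_TARGET_TPROXY
  FILES:= \
    $(LINUX_DIR)/net/netfilter/nf_tproxy_core.ko \
    $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,50,$(notdir nf_tproxy_core $(IPT_TPROXY-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-tproxy/description
 Kernel modules for Transparent Proxying
endef

$(eval $(call KernelPackage,ipt-tproxy))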
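# kmod-ipt-tee: TEE target. Ships xt_TEE.ko plus the modules in IPT_TEE-m
# (AutoLoad argument 45). Depends on kmod-ipt-conntrack and, when IPV6 is enabled,
# kmod-ipv6.
# NOTE(review): the listing skips original lines 317, 319 and 321. Lines 319 and 321 sit
# directly above the CONFIG_* entry and the module-path list and are restored here as
# `KCONFIG:= \` and `FILES:= \`; line 317 cannot be inferred and is left out — confirm
# against the original file.
# NOTE(review): AUTOLOAD names `nf_tee`, but the only module FILES ships explicitly is
# xt_TEE.ko. Compare ipt-tproxy, where the explicit file and the autoload name agree.
# Verify that xt_TEE is really loaded at boot; firewall rules using the target will not
# apply if it is not.
define KernelPackage/ipt-tee
  DEPENDS:=+kmod-ipt-conntrack +IPV6:kmod-ipv6
  KCONFIG:= \
    CONFIG_NETFILTER_XT_TARGET_TEE
  FILES:= \
    $(LINUX_DIR)/net/netfilter/xt_TEE.ko \
    $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir nf_tee $(IPT_TEE-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-tee/description
 Kernel modules for TEE
endef

$(eval $(call KernelPackage,ipt-tee))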
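# kmod-ipt-u32: U32 match. Ships xt_u32.ko plus the modules in IPT_U32-m
# (AutoLoad argument 45); common dependencies only.
# NOTE(review): the listing skips original lines 336, 337 and 339. Lines 337 and 339 sit
# directly above the CONFIG_* entry and the module-path list and are restored here as
# `KCONFIG:= \` and `FILES:= \`; line 336 cannot be inferred and is left out — confirm
# against the original file.
# Fix: the autoload list named `nf_tee`, copied from the TEE package, which this package
# does not ship. It now names xt_u32, the module FILES installs, so the match is loaded
# at boot and rules that use it can be applied.
define KernelPackage/ipt-u32
  KCONFIG:= \
    CONFIG_NETFILTER_XT_MATCH_U32
  FILES:= \
    $(LINUX_DIR)/net/netfilter/xt_u32.ko \
    $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir xt_u32 $(IPT_U32-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-u32/description
 Kernel modules for U32
endef

$(eval $(call KernelPackage,ipt-u32))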
# kmod-ipt-iprange: IP range match module(s) from IPT_IPRANGE-m.
# AutoLoad argument 45; common dependencies only.
define KernelPackage/ipt-iprange
  TITLE:=Module for matching ip ranges
  KCONFIG:=$(KCONFIG_IPT_IPRANGE)
  FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPRANGE-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 363-366 are not shown (first description line only).
define KernelPackage/ipt-iprange/description
 Netfilter (IPv4) module for matching ip ranges
endef

$(eval $(call KernelPackage,ipt-iprange))
# kmod-ipt-extra: remaining Netfilter modules from IPT_EXTRA-m.
# AutoLoad argument 45; common dependencies only.
# Listing gap: original line 371 (between the define line and KCONFIG) is not shown.
define KernelPackage/ipt-extra
  KCONFIG:=$(KCONFIG_IPT_EXTRA)
  FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_EXTRA-m)))
  $(call AddDepends/ipt)
endef

# Listing gap: original lines 380-382 and 384-387 are not shown, so only two lines of
# the description are visible.
define KernelPackage/ipt-extra/description
 Other Netfilter (IPv4) kernel modules
 - physdev (if bridge support was enabled in kernel)
endef

$(eval $(call KernelPackage,ipt-extra))
# kmod-ip6tables: IPv6 firewalling modules from IPT_IPV6-m. AutoLoad argument 49.
# Dependencies are set directly (kmod-ipv6, kmod-ipt-core, kmod-ipt-conntrack) rather
# than through AddDepends/ipt.
# Listing gap: original lines 392-393 (between the define line and DEPENDS) are not shown.
define KernelPackage/ip6tables
  DEPENDS:=+kmod-ipv6 +kmod-ipt-core +kmod-ipt-conntrack
  KCONFIG:=$(KCONFIG_IPT_IPV6)
  FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPT_IPV6-m)))
endef

define KernelPackage/ip6tables/description
 Netfilter IPv6 firewalling support
endef

$(eval $(call KernelPackage,ip6tables))
# Module names handed to AutoLoad for the arptables package, in the order written here.
ARP_MODULES = arp_tables arpt_mangle arptable_filter

# kmod-arptables: ARP firewalling. AutoLoad argument 49; depends on kmod-ipt-core.
# Listing gap: original line 408 (between the define line and TITLE) is not shown.
# NOTE(review): FILES packs every arp*.ko found in the directory, while AUTOLOAD loads only
# the three names in ARP_MODULES. A module matched by the glob but missing from
# ARP_MODULES would be shipped without being loaded.
define KernelPackage/arptables
  TITLE:=ARP firewalling modules
  DEPENDS:=+kmod-ipt-core
  FILES:=$(LINUX_DIR)/net/ipv4/netfilter/arp*.ko
  KCONFIG:=CONFIG_IP_NF_ARPTABLES \
    CONFIG_IP_NF_ARPFILTER \
    CONFIG_IP_NF_ARP_MANGLE
  AUTOLOAD:=$(call AutoLoad,49,$(ARP_MODULES))
endef

define KernelPackage/arptables/description
 Kernel modules for ARP firewalling
endef

$(eval $(call KernelPackage,arptables))
# kmod-ebtables: bridge firewalling modules from EBTABLES-m. AutoLoad argument 49;
# depends on kmod-ipt-core and kmod-bridge.
# NOTE(review): the listing skips original lines 426 and 431. Line 431 is the continuation
# of the KCONFIG list after `CONFIG_BRIDGE_NETFILTER=y \`, so the rest of that list is not
# visible; the block is left exactly as shown rather than guessed at.
425 define KernelPackage
/ebtables
427 TITLE
:=Bridge firewalling modules
428 DEPENDS
:=+kmod-ipt-core
+kmod-bridge
429 FILES
:=$(foreach mod
,$(EBTABLES-m
),$(LINUX_DIR
)/net
/$(mod
).ko
)
430 KCONFIG
:=CONFIG_BRIDGE_NETFILTER
=y \
432 AUTOLOAD
:=$(call AutoLoad
,49,$(notdir $(EBTABLES-m
)))
# Description text for kmod-ebtables, followed by the package instantiation.
define KernelPackage/ebtables/description
 ebtables is a general, extensible frame/packet identification
 framework. It provides you to do Ethernet
 filtering/NAT/brouting on the Ethernet bridge.
endef

$(eval $(call KernelPackage,ebtables))
# Shared fragment for the ebtables-* packages: appends kmod-ebtables and the caller's
# first argument to DEPENDS.
# Listing gap: original line 445 (between the define line and DEPENDS) is not shown.
# NOTE(review): kmod-ebtables is written without the leading `+` that the other
# dependency entries in this listing carry (`+kmod-ipt-core`, `+kmod-nfnetlink`) — confirm
# the difference is intended.
define AddDepends/ebtables
  DEPENDS+=kmod-ebtables $(1)
endef
# kmod-ebtables-ipv4: IPv4 support for ebtables from EBTABLES_IP4-m.
# AutoLoad argument 49; dependencies come from AddDepends/ebtables.
define KernelPackage/ebtables-ipv4
  TITLE:=ebtables: IPv4 support
  FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_IP4)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP4-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-ipv4/description
 This option adds the IPv4 support to ebtables, which allows basic
 IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
endef

$(eval $(call KernelPackage,ebtables-ipv4))
# kmod-ebtables-ipv6: IPv6 support for ebtables from EBTABLES_IP6-m.
# AutoLoad argument 49; dependencies come from AddDepends/ebtables.
define KernelPackage/ebtables-ipv6
  TITLE:=ebtables: IPv6 support
  FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_IP6)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP6-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-ipv6/description
 This option adds the IPv6 support to ebtables, which allows basic
 IPv6 header field filtering and target support.
endef

$(eval $(call KernelPackage,ebtables-ipv6))
# kmod-ebtables-watchers: log watchers for ebtables from EBTABLES_WATCHERS-m.
# AutoLoad argument 49; dependencies come from AddDepends/ebtables.
define KernelPackage/ebtables-watchers
  TITLE:=ebtables: watchers support
  FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_WATCHERS-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-watchers/description
 This option adds the log watchers, that you can use in any rule
 in any ebtables table.
endef

$(eval $(call KernelPackage,ebtables-watchers))
# kmod-nfnetlink: the netlink-based userspace interface (nfnetlink.ko).
# AutoLoad argument 48; depends on kmod-ipt-core.
# Listing gap: original line 499 (between the define line and TITLE) is not shown.
define KernelPackage/nfnetlink
  TITLE:=Netlink-based userspace interface
  DEPENDS:=+kmod-ipt-core
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink)
endef

define KernelPackage/nfnetlink/description
 Kernel modules support for a netlink-based userspace interface
endef

$(eval $(call KernelPackage,nfnetlink))
# Shared fragment for the nfnetlink-based packages: appends +kmod-nfnetlink and the
# caller's first argument to DEPENDS.
# Listing gap: original line 515 (between the define line and DEPENDS) is not shown.
define AddDepends/nfnetlink
  DEPENDS+=+kmod-nfnetlink $(1)
endef
# kmod-nfnetlink-log: packet logging over NFNETLINK (nfnetlink_log.ko).
# AutoLoad argument 48; dependencies come from AddDepends/nfnetlink.
define KernelPackage/nfnetlink-log
  TITLE:=Netfilter LOG over NFNETLINK interface
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log)
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-log/description
 Kernel modules support for logging packets via NFNETLINK
endef

$(eval $(call KernelPackage,nfnetlink-log))
# kmod-nfnetlink-queue: packet queueing over NFNETLINK (nfnetlink_queue.ko).
# AutoLoad argument 48; dependencies come from AddDepends/nfnetlink.
# NOTE(review): queued packets get their verdict from a user-space listener, so filtering
# then depends on that process being present and trusted — confirm how the image handles
# a missing listener.
define KernelPackage/nfnetlink-queue
  TITLE:=Netfilter QUEUE over NFNETLINK interface
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue)
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-queue/description
 Kernel modules support for queueing packets via NFNETLINK
endef

$(eval $(call KernelPackage,nfnetlink-queue))
# kmod-nf-conntrack-netlink: netlink interface to connection tracking
# (nf_conntrack_netlink.ko). AutoLoad argument 49, above nfnetlink (48) and
# kmod-ipt-conntrack (41), both of which it depends on.
define KernelPackage/nf-conntrack-netlink
  TITLE:=Connection tracking netlink interface
  FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko
  KCONFIG:=CONFIG_NF_CT_NETLINK
  AUTOLOAD:=$(call AutoLoad,49,nf_conntrack_netlink)
  $(call AddDepends/nfnetlink,+kmod-ipt-conntrack)
endef

# Listing gap: original lines 560-562 are not shown, so the description may continue
# past the line visible here.
define KernelPackage/nf-conntrack-netlink/description
 Kernel modules support for a netlink-based connection tracking
endef

$(eval $(call KernelPackage,nf-conntrack-netlink))
# kmod-ipt-hashlimit: hashlimit match (xt_hashlimit.ko). AutoLoad argument 50;
# depends on kmod-ipt-core.
# Listing gap: original line 566 (between the define line and TITLE) is not shown.
# NOTE(review): the last line calls `KernelPackage/ipt`, where every sibling package calls
# `AddDepends/ipt`. No KernelPackage/ipt is defined in this listing, so the call presumably
# expands to nothing. The package still gets kmod-ipt-core through the explicit DEPENDS
# line — confirm whether AddDepends/ipt was intended.
define KernelPackage/ipt-hashlimit
  TITLE:=Netfilter hashlimit match
  DEPENDS:=+kmod-ipt-core
  KCONFIG:=$(KCONFIG_IPT_HASHLIMIT)
  FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko
  AUTOLOAD:=$(call AutoLoad,50,xt_hashlimit)
  $(call KernelPackage/ipt)
endef

define KernelPackage/ipt-hashlimit/description
 Kernel modules support for the hashlimit bucket match module
endef

$(eval $(call KernelPackage,ipt-hashlimit))