X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=package%2Fkernel%2Flinux%2Fmodules%2Fnetfilter.mk;h=295cf7671b48cfcb95a28d80fe8d6fab153a0aea;hp=6c12ad3d6d65417699f89898b3aa05e5b6a73dc3;hb=24749ee88fe3a229e58268cf7edc9459d166b781;hpb=4476fb013e901aa144547b8586bf7895cec3c57f diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 6c12ad3d6d..295cf7671b 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -11,13 +11,39 @@ NF_KMOD:=1 include $(INCLUDE_DIR)/netfilter.mk -define KernelPackage/nf-ipt +define KernelPackage/nf-reject SUBMENU:=$(NF_MENU) - TITLE:=Iptables core + TITLE:=Netfilter IPv4 reject support + KCONFIG:= \ + CONFIG_NETFILTER=y \ + CONFIG_NETFILTER_ADVANCED=y \ + $(KCONFIG_NF_REJECT) + FILES:=$(foreach mod,$(NF_REJECT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT-m))) +endef + +$(eval $(call KernelPackage,nf-reject)) + + +define KernelPackage/nf-reject6 + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter IPv6 reject support KCONFIG:= \ - CONFIG_NETFILTER=y \ + CONFIG_NETFILTER=y \ CONFIG_NETFILTER_ADVANCED=y \ - $(KCONFIG_NF_IPT) + $(KCONFIG_NF_REJECT6) + DEPENDS:=@IPV6 + FILES:=$(foreach mod,$(NF_REJECT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT6-m))) +endef + +$(eval $(call KernelPackage,nf-reject6)) + + +define KernelPackage/nf-ipt + SUBMENU:=$(NF_MENU) + TITLE:=Iptables core + KCONFIG:=$(KCONFIG_NF_IPT) FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m))) endef @@ -31,7 +57,7 @@ define KernelPackage/nf-ipt6 KCONFIG:=$(KCONFIG_NF_IPT6) FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m))) - DEPENDS:=+kmod-nf-ipt +kmod-nf-conntrack6 + DEPENDS:=+kmod-nf-ipt endef $(eval $(call KernelPackage,nf-ipt6)) @@ -44,7 +70,7 @@ define KernelPackage/ipt-core KCONFIG:=$(KCONFIG_IPT_CORE) FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m))) - DEPENDS:=+kmod-nf-ipt + DEPENDS:=+kmod-nf-reject +kmod-nf-ipt endef define KernelPackage/ipt-core/description @@ -68,6 +94,8 @@ define KernelPackage/nf-conntrack KCONFIG:= \ CONFIG_NETFILTER=y \ CONFIG_NETFILTER_ADVANCED=y \ + CONFIG_NF_CONNTRACK_MARK=y \ + CONFIG_NF_CONNTRACK_ZONES=y \ $(KCONFIG_NF_CONNTRACK) FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m))) @@ -80,7 +108,7 @@ define KernelPackage/nf-conntrack6 SUBMENU:=$(NF_MENU) TITLE:=Netfilter IPv6 connection tracking KCONFIG:=$(KCONFIG_NF_CONNTRACK6) - DEPENDS:=+kmod-ipv6 +kmod-nf-conntrack + DEPENDS:=@IPV6 +kmod-nf-conntrack FILES:=$(foreach mod,$(NF_CONNTRACK6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK6-m))) endef @@ -92,7 +120,7 @@ define KernelPackage/nf-nat SUBMENU:=$(NF_MENU) TITLE:=Netfilter NAT KCONFIG:=$(KCONFIG_NF_NAT) - DEPENDS:=+kmod-nf-conntrack +kmod-nf-ipt + DEPENDS:=+kmod-nf-conntrack FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m))) endef @@ -104,7 +132,7 @@ define KernelPackage/nf-nat6 SUBMENU:=$(NF_MENU) TITLE:=Netfilter IPV6-NAT KCONFIG:=$(KCONFIG_NF_NAT6) - DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-ipt6 +kmod-nf-nat + DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-nat FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m))) endef @@ -112,6 +140,23 @@ endef $(eval $(call KernelPackage,nf-nat6)) +define KernelPackage/nf-flow + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter flowtable support + KCONFIG:= \ + CONFIG_NETFILTER_INGRESS=y \ + CONFIG_NF_FLOW_TABLE \ + CONFIG_NF_FLOW_TABLE_HW + DEPENDS:=+kmod-nf-conntrack @!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9 + FILES:= \ + $(LINUX_DIR)/net/netfilter/nf_flow_table.ko \ + $(LINUX_DIR)/net/netfilter/nf_flow_table_hw.ko + AUTOLOAD:=$(call AutoProbe,nf_flow_table nf_flow_table_hw) +endef + +$(eval $(call KernelPackage,nf-flow)) + + define AddDepends/ipt SUBMENU:=$(NF_MENU) DEPENDS+= +kmod-ipt-core $(1) @@ -159,6 +204,21 @@ endef $(eval $(call KernelPackage,ipt-conntrack-extra)) +define KernelPackage/ipt-conntrack-label + TITLE:=Module for handling connection tracking labels + KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL) + FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m))) + $(call AddDepends/ipt,+kmod-ipt-conntrack) +endef + +define KernelPackage/ipt-conntrack-label/description + Netfilter (IPv4) module for handling connection tracking labels + Includes: + - connlabel +endef + +$(eval $(call KernelPackage,ipt-conntrack-label)) define KernelPackage/ipt-filter TITLE:=Modules for packet content inspection @@ -177,6 +237,17 @@ endef $(eval $(call KernelPackage,ipt-filter)) +define KernelPackage/ipt-offload + TITLE:=Netfilter routing/NAT offload support + KCONFIG:=CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD + FILES:=$(foreach mod,$(IPT_FLOW-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FLOW-m))) + $(call AddDepends/ipt,+kmod-nf-flow) +endef + +$(eval $(call KernelPackage,ipt-offload)) + + define KernelPackage/ipt-ipopt TITLE:=Modules for matching/changing IP packet options KCONFIG:=$(KCONFIG_IPT_IPOPT) @@ -288,6 +359,28 @@ endef $(eval $(call KernelPackage,ipt-nat)) +define KernelPackage/ipt-raw + TITLE:=Netfilter IPv4 raw table support + KCONFIG:=CONFIG_IP_NF_RAW + FILES:=$(LINUX_DIR)/net/ipv4/netfilter/iptable_raw.ko + AUTOLOAD:=$(call AutoProbe,iptable_raw) + $(call AddDepends/ipt) +endef + +$(eval $(call KernelPackage,ipt-raw)) + + +define KernelPackage/ipt-raw6 + TITLE:=Netfilter IPv6 raw table support + KCONFIG:=CONFIG_IP6_NF_RAW + FILES:=$(LINUX_DIR)/net/ipv6/netfilter/ip6table_raw.ko + AUTOLOAD:=$(call AutoProbe,ip6table_raw) + $(call AddDepends/ipt,+kmod-ip6tables) +endef + +$(eval $(call KernelPackage,ipt-raw6)) + + define KernelPackage/ipt-nat6 TITLE:=IPv6 NAT targets KCONFIG:=$(KCONFIG_IPT_NAT6) @@ -337,8 +430,6 @@ define KernelPackage/nf-nathelper/description Default Netfilter (IPv4) Conntrack and NAT helpers Includes: - ftp - - irc - - tftp endef $(eval $(call KernelPackage,nf-nathelper)) @@ -358,11 +449,13 @@ define KernelPackage/nf-nathelper-extra/description Includes: - amanda - h323 + - irc - mms - pptp - proto_gre - sip - snmp_basic + - tftp - broadcast endef @@ -423,10 +516,9 @@ $(eval $(call KernelPackage,ipt-nfqueue)) define KernelPackage/ipt-debug TITLE:=Module for debugging/development KCONFIG:=$(KCONFIG_IPT_DEBUG) - DEFAULT:=n FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m))) - $(call AddDepends/ipt) + $(call AddDepends/ipt,+kmod-ipt-raw +IPV6:kmod-ipt-raw6) endef define KernelPackage/ipt-debug/description @@ -454,14 +546,13 @@ $(eval $(call KernelPackage,ipt-led)) define KernelPackage/ipt-tproxy TITLE:=Transparent proxying support - DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ipv6 +IPV6:kmod-ip6tables + DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables KCONFIG:= \ - CONFIG_NETFILTER_TPROXY \ CONFIG_NETFILTER_XT_MATCH_SOCKET \ CONFIG_NETFILTER_XT_TARGET_TPROXY FILES:= \ $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoProbe,$(notdir nf_tproxy_core $(IPT_TPROXY-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_TPROXY-m))) $(call AddDepends/ipt) endef @@ -473,7 +564,7 @@ $(eval $(call KernelPackage,ipt-tproxy)) define KernelPackage/ipt-tee TITLE:=TEE support - DEPENDS:=+kmod-ipt-conntrack +IPV6:kmod-ipv6 + DEPENDS:=+kmod-ipt-conntrack KCONFIG:= \ CONFIG_NETFILTER_XT_TARGET_TEE FILES:= \ @@ -507,6 +598,23 @@ endef $(eval $(call KernelPackage,ipt-u32)) +define KernelPackage/ipt-checksum + TITLE:=CHECKSUM support + KCONFIG:= \ + CONFIG_NETFILTER_XT_TARGET_CHECKSUM + FILES:= \ + $(LINUX_DIR)/net/netfilter/xt_CHECKSUM.ko \ + $(foreach mod,$(IPT_CHECKSUM-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CHECKSUM-m))) + $(call AddDepends/ipt) +endef + +define KernelPackage/ipt-checksum/description + Kernel modules for CHECKSUM fillin target +endef + +$(eval $(call KernelPackage,ipt-checksum)) + define KernelPackage/ipt-iprange TITLE:=Module for matching ip ranges @@ -578,7 +686,7 @@ define KernelPackage/ipt-extra KCONFIG:=$(KCONFIG_IPT_EXTRA) FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m))) - $(call AddDepends/ipt) + $(call AddDepends/ipt,+kmod-br-netfilter) endef define KernelPackage/ipt-extra/description @@ -597,7 +705,7 @@ $(eval $(call KernelPackage,ipt-extra)) define KernelPackage/ip6tables SUBMENU:=$(NF_MENU) TITLE:=IPv6 modules - DEPENDS:=+kmod-nf-ipt6 +kmod-ipt-core +kmod-ipt-conntrack + DEPENDS:=+kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core KCONFIG:=$(KCONFIG_IPT_IPV6) FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m))) @@ -643,13 +751,25 @@ endef $(eval $(call KernelPackage,arptables)) +define KernelPackage/br-netfilter + SUBMENU:=$(NF_MENU) + TITLE:=Bridge netfilter support modules + HIDDEN:=1 + DEPENDS:=+kmod-ipt-core + FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko + KCONFIG:=CONFIG_BRIDGE_NETFILTER + AUTOLOAD:=$(call AutoProbe,br_netfilter) +endef + +$(eval $(call KernelPackage,br-netfilter)) + + define KernelPackage/ebtables SUBMENU:=$(NF_MENU) TITLE:=Bridge firewalling modules - DEPENDS:=+kmod-ipt-core +kmod-bridge + DEPENDS:=+kmod-ipt-core +kmod-br-netfilter FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko) - KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \ - $(KCONFIG_EBTABLES) + KCONFIG:=$(KCONFIG_EBTABLES) AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m))) endef @@ -664,7 +784,7 @@ $(eval $(call KernelPackage,ebtables)) define AddDepends/ebtables SUBMENU:=$(NF_MENU) - DEPENDS+=kmod-ebtables $(1) + DEPENDS+= +kmod-ebtables $(1) endef @@ -774,7 +894,7 @@ $(eval $(call KernelPackage,nfnetlink-queue)) define KernelPackage/nf-conntrack-netlink TITLE:=Connection tracking netlink interface FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko - KCONFIG:=CONFIG_NF_CT_NETLINK + KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink) $(call AddDepends/nfnetlink,+kmod-ipt-conntrack) endef @@ -802,20 +922,34 @@ endef $(eval $(call KernelPackage,ipt-hashlimit)) +define KernelPackage/ipt-rpfilter + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter rpfilter match + DEPENDS:=+kmod-ipt-core + KCONFIG:=$(KCONFIG_IPT_RPFILTER) + FILES:=$(realpath \ + $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \ + $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko) + AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter) + $(call KernelPackage/ipt) +endef + +define KernelPackage/ipt-rpfilter/description + Kernel modules support for the Netfilter rpfilter match +endef + +$(eval $(call KernelPackage,ipt-rpfilter)) + define KernelPackage/nft-core SUBMENU:=$(NF_MENU) TITLE:=Netfilter nf_tables support - DEPENDS:=+kmod-nfnetlink +kmod-nf-conntrack6 + DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +kmod-nf-reject6 +kmod-nf-conntrack6 FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m))) KCONFIG:= \ - CONFIG_NETFILTER=y \ - CONFIG_NETFILTER_ADVANCED=y \ CONFIG_NFT_COMPAT=n \ CONFIG_NFT_QUEUE=n \ - CONFIG_NF_TABLES_ARP=n \ - CONFIG_NF_TABLES_BRIDGE=n \ $(KCONFIG_NFT_CORE) endef @@ -826,6 +960,32 @@ endef $(eval $(call KernelPackage,nft-core)) +define KernelPackage/nft-arp + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables ARP table support + DEPENDS:=+kmod-nft-core + FILES:=$(foreach mod,$(NFT_ARP-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_ARP-m))) + KCONFIG:=$(KCONFIG_NFT_ARP) +endef + +$(eval $(call KernelPackage,nft-arp)) + + +define KernelPackage/nft-bridge + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables bridge table support + DEPENDS:=+kmod-nft-core + FILES:=$(foreach mod,$(NFT_BRIDGE-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_BRIDGE-m))) + KCONFIG:= \ + CONFIG_NF_LOG_BRIDGE=n \ + $(KCONFIG_NFT_BRIDGE) +endef + +$(eval $(call KernelPackage,nft-bridge)) + + define KernelPackage/nft-nat SUBMENU:=$(NF_MENU) TITLE:=Netfilter nf_tables NAT support @@ -838,14 +998,33 @@ endef $(eval $(call KernelPackage,nft-nat)) +define KernelPackage/nft-offload + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables routing/NAT offload support + DEPENDS:=+kmod-nf-flow +kmod-nft-nat + KCONFIG:= \ + CONFIG_NF_FLOW_TABLE_INET \ + CONFIG_NF_FLOW_TABLE_IPV4 \ + CONFIG_NF_FLOW_TABLE_IPV6 \ + CONFIG_NFT_FLOW_OFFLOAD + FILES:= \ + $(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \ + $(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \ + $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \ + $(LINUX_DIR)/net/netfilter/nft_flow_offload.ko + AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload) +endef + +$(eval $(call KernelPackage,nft-offload)) + + define KernelPackage/nft-nat6 SUBMENU:=$(NF_MENU) TITLE:=Netfilter nf_tables IPv6-NAT support - DEPENDS:=+kmod-nft-core +kmod-nf-nat6 + DEPENDS:=+kmod-nft-nat +kmod-nf-nat6 FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m))) KCONFIG:=$(KCONFIG_NFT_NAT6) endef $(eval $(call KernelPackage,nft-nat6)) -