X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=package%2Fkernel%2Flinux%2Fmodules%2Fnetfilter.mk;h=6d751cc658a26276535659e5729d24ff2dfda009;hp=496a9f9d4d21ddf1b41796d7a4b506d5c73a14f2;hb=b4d4e4ceb56825033dd4c8e401e9250ae5042a99;hpb=b037b0011eeab52a3cf7029c84041862ba44498f diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 496a9f9d4d..6d751cc658 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -10,15 +10,67 @@ NF_MENU:=Netfilter Extensions NF_KMOD:=1 include $(INCLUDE_DIR)/netfilter.mk -define KernelPackage/ipt-core + +define KernelPackage/nf-reject + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter IPv4 reject support + KCONFIG:= \ + CONFIG_NETFILTER=y \ + CONFIG_NETFILTER_ADVANCED=y \ + $(KCONFIG_NF_REJECT) + FILES:=$(foreach mod,$(NF_REJECT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT-m))) +endef + +$(eval $(call KernelPackage,nf-reject)) + + +define KernelPackage/nf-reject6 SUBMENU:=$(NF_MENU) - TITLE:=Netfilter core + TITLE:=Netfilter IPv6 reject support KCONFIG:= \ - CONFIG_NETFILTER=y \ + CONFIG_NETFILTER=y \ CONFIG_NETFILTER_ADVANCED=y \ - $(KCONFIG_IPT_CORE) + $(KCONFIG_NF_REJECT6) + DEPENDS:=@IPV6 + FILES:=$(foreach mod,$(NF_REJECT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT6-m))) +endef + +$(eval $(call KernelPackage,nf-reject6)) + + +define KernelPackage/nf-ipt + SUBMENU:=$(NF_MENU) + TITLE:=Iptables core + KCONFIG:=$(KCONFIG_NF_IPT) + FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m))) +endef + +$(eval $(call KernelPackage,nf-ipt)) + + +define KernelPackage/nf-ipt6 + SUBMENU:=$(NF_MENU) + TITLE:=Ip6tables core + KCONFIG:=$(KCONFIG_NF_IPT6) + FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m))) + DEPENDS:=+kmod-nf-ipt +endef + +$(eval $(call KernelPackage,nf-ipt6)) + + + +define KernelPackage/ipt-core + SUBMENU:=$(NF_MENU) + TITLE:=Iptables core + KCONFIG:=$(KCONFIG_IPT_CORE) FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_CORE-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m))) + DEPENDS:=+kmod-nf-reject +kmod-nf-ipt endef define KernelPackage/ipt-core/description @@ -36,6 +88,80 @@ endef $(eval $(call KernelPackage,ipt-core)) +define KernelPackage/nf-conntrack + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter connection tracking + KCONFIG:= \ + CONFIG_NETFILTER=y \ + CONFIG_NETFILTER_ADVANCED=y \ + CONFIG_NF_CONNTRACK_MARK=y \ + CONFIG_NF_CONNTRACK_ZONES=y \ + $(KCONFIG_NF_CONNTRACK) + FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m))) +endef + +define KernelPackage/nf-conntrack/install + $(INSTALL_DIR) $(1)/etc/sysctl.d + $(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf +endef + +$(eval $(call KernelPackage,nf-conntrack)) + + +define KernelPackage/nf-conntrack6 + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter IPv6 connection tracking + KCONFIG:=$(KCONFIG_NF_CONNTRACK6) + DEPENDS:=@IPV6 +kmod-nf-conntrack + FILES:=$(foreach mod,$(NF_CONNTRACK6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK6-m))) +endef + +$(eval $(call KernelPackage,nf-conntrack6)) + + +define KernelPackage/nf-nat + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter NAT + KCONFIG:=$(KCONFIG_NF_NAT) + DEPENDS:=+kmod-nf-conntrack + FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m))) +endef + +$(eval $(call KernelPackage,nf-nat)) + + +define KernelPackage/nf-nat6 + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter IPV6-NAT + KCONFIG:=$(KCONFIG_NF_NAT6) + DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-nat + FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m))) +endef + +$(eval $(call KernelPackage,nf-nat6)) + + +define KernelPackage/nf-flow + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter flowtable support + KCONFIG:= \ + CONFIG_NETFILTER_INGRESS=y \ + CONFIG_NF_FLOW_TABLE \ + CONFIG_NF_FLOW_TABLE_HW + DEPENDS:=+kmod-nf-conntrack @!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9 + FILES:= \ + $(LINUX_DIR)/net/netfilter/nf_flow_table.ko \ + $(LINUX_DIR)/net/netfilter/nf_flow_table_hw.ko + AUTOLOAD:=$(call AutoProbe,nf_flow_table nf_flow_table_hw) +endef + +$(eval $(call KernelPackage,nf-flow)) + + define AddDepends/ipt SUBMENU:=$(NF_MENU) DEPENDS+= +kmod-ipt-core $(1) @@ -46,8 +172,8 @@ define KernelPackage/ipt-conntrack TITLE:=Basic connection tracking modules KCONFIG:=$(KCONFIG_IPT_CONNTRACK) FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,41,$(notdir $(IPT_CONNTRACK-m))) - $(call AddDepends/ipt) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK-m))) + $(call AddDepends/ipt,+kmod-nf-conntrack) endef define KernelPackage/ipt-conntrack/description @@ -67,7 +193,7 @@ define KernelPackage/ipt-conntrack-extra TITLE:=Extra connection tracking modules KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA) FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_CONNTRACK_EXTRA-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m))) $(call AddDepends/ipt,+kmod-ipt-conntrack) endef @@ -83,30 +209,56 @@ endef $(eval $(call KernelPackage,ipt-conntrack-extra)) +define KernelPackage/ipt-conntrack-label + TITLE:=Module for handling connection tracking labels + KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL) + FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m))) + $(call AddDepends/ipt,+kmod-ipt-conntrack) +endef + +define KernelPackage/ipt-conntrack-label/description + Netfilter (IPv4) module for handling connection tracking labels + Includes: + - connlabel +endef + +$(eval $(call KernelPackage,ipt-conntrack-label)) define KernelPackage/ipt-filter TITLE:=Modules for packet content inspection KCONFIG:=$(KCONFIG_IPT_FILTER) FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_FILTER-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FILTER-m))) $(call AddDepends/ipt,+kmod-lib-textsearch +kmod-ipt-conntrack) endef define KernelPackage/ipt-filter/description Netfilter (IPv4) kernel modules for packet content inspection Includes: - - layer7 - string + - bpf endef $(eval $(call KernelPackage,ipt-filter)) +define KernelPackage/ipt-offload + TITLE:=Netfilter routing/NAT offload support + KCONFIG:=CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD + FILES:=$(foreach mod,$(IPT_FLOW-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FLOW-m))) + $(call AddDepends/ipt,+kmod-nf-flow) +endef + +$(eval $(call KernelPackage,ipt-offload)) + + define KernelPackage/ipt-ipopt TITLE:=Modules for matching/changing IP packet options KCONFIG:=$(KCONFIG_IPT_IPOPT) FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPOPT-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPOPT-m))) $(call AddDepends/ipt) endef @@ -133,7 +285,7 @@ define KernelPackage/ipt-ipsec TITLE:=Modules for matching IPSec packets KCONFIG:=$(KCONFIG_IPT_IPSEC) FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPSEC-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPSEC-m))) $(call AddDepends/ipt) endef @@ -147,13 +299,61 @@ endef $(eval $(call KernelPackage,ipt-ipsec)) +IPSET_MODULES:= \ + ipset/ip_set \ + ipset/ip_set_bitmap_ip \ + ipset/ip_set_bitmap_ipmac \ + ipset/ip_set_bitmap_port \ + ipset/ip_set_hash_ip \ + ipset/ip_set_hash_ipmark \ + ipset/ip_set_hash_ipport \ + ipset/ip_set_hash_ipportip \ + ipset/ip_set_hash_ipportnet \ + ipset/ip_set_hash_mac \ + ipset/ip_set_hash_netportnet \ + ipset/ip_set_hash_net \ + ipset/ip_set_hash_netnet \ + ipset/ip_set_hash_netport \ + ipset/ip_set_hash_netiface \ + ipset/ip_set_list_set \ + xt_set + +define KernelPackage/ipt-ipset + SUBMENU:=Netfilter Extensions + TITLE:=IPset netfilter modules + DEPENDS+= +kmod-ipt-core +kmod-nfnetlink + KCONFIG:= \ + CONFIG_IP_SET \ + CONFIG_IP_SET_MAX=256 \ + CONFIG_NETFILTER_XT_SET \ + CONFIG_IP_SET_BITMAP_IP \ + CONFIG_IP_SET_BITMAP_IPMAC \ + CONFIG_IP_SET_BITMAP_PORT \ + CONFIG_IP_SET_HASH_IP \ + CONFIG_IP_SET_HASH_IPMARK \ + CONFIG_IP_SET_HASH_IPPORT \ + CONFIG_IP_SET_HASH_IPPORTIP \ + CONFIG_IP_SET_HASH_IPPORTNET \ + CONFIG_IP_SET_HASH_MAC \ + CONFIG_IP_SET_HASH_NET \ + CONFIG_IP_SET_HASH_NETNET \ + CONFIG_IP_SET_HASH_NETIFACE \ + CONFIG_IP_SET_HASH_NETPORT \ + CONFIG_IP_SET_HASH_NETPORTNET \ + CONFIG_IP_SET_LIST_SET \ + CONFIG_NET_EMATCH_IPSET=n + FILES:=$(foreach mod,$(IPSET_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPSET_MODULES))) +endef +$(eval $(call KernelPackage,ipt-ipset)) + define KernelPackage/ipt-nat TITLE:=Basic NAT targets KCONFIG:=$(KCONFIG_IPT_NAT) FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_NAT-m))) - $(call AddDepends/ipt,+kmod-ipt-conntrack) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT-m))) + $(call AddDepends/ipt,+kmod-nf-nat) endef define KernelPackage/ipt-nat/description @@ -165,11 +365,51 @@ endef $(eval $(call KernelPackage,ipt-nat)) +define KernelPackage/ipt-raw + TITLE:=Netfilter IPv4 raw table support + KCONFIG:=CONFIG_IP_NF_RAW + FILES:=$(LINUX_DIR)/net/ipv4/netfilter/iptable_raw.ko + AUTOLOAD:=$(call AutoProbe,iptable_raw) + $(call AddDepends/ipt) +endef + +$(eval $(call KernelPackage,ipt-raw)) + + +define KernelPackage/ipt-raw6 + TITLE:=Netfilter IPv6 raw table support + KCONFIG:=CONFIG_IP6_NF_RAW + FILES:=$(LINUX_DIR)/net/ipv6/netfilter/ip6table_raw.ko + AUTOLOAD:=$(call AutoProbe,ip6table_raw) + $(call AddDepends/ipt,+kmod-ip6tables) +endef + +$(eval $(call KernelPackage,ipt-raw6)) + + +define KernelPackage/ipt-nat6 + TITLE:=IPv6 NAT targets + KCONFIG:=$(KCONFIG_IPT_NAT6) + FILES:=$(foreach mod,$(IPT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT6-m))) + $(call AddDepends/ipt,+kmod-nf-nat6) + $(call AddDepends/ipt,+kmod-ipt-conntrack) + $(call AddDepends/ipt,+kmod-ipt-nat) + $(call AddDepends/ipt,+kmod-ip6tables) +endef + +define KernelPackage/ipt-nat6/description + Netfilter (IPv6) kernel modules for NAT targets +endef + +$(eval $(call KernelPackage,ipt-nat6)) + + define KernelPackage/ipt-nat-extra TITLE:=Extra NAT targets KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA) FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT_EXTRA-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT_EXTRA-m))) $(call AddDepends/ipt,+kmod-ipt-nat) endef @@ -183,72 +423,56 @@ endef $(eval $(call KernelPackage,ipt-nat-extra)) -define KernelPackage/ipt-nathelper +define KernelPackage/nf-nathelper + SUBMENU:=$(NF_MENU) TITLE:=Basic Conntrack and NAT helpers - KCONFIG:=$(KCONFIG_IPT_NATHELPER) - FILES:=$(foreach mod,$(IPT_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER-m))) - $(call AddDepends/ipt,+kmod-ipt-nat) + KCONFIG:=$(KCONFIG_NF_NATHELPER) + FILES:=$(foreach mod,$(NF_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER-m))) + DEPENDS:=+kmod-nf-nat endef -define KernelPackage/ipt-nathelper/description +define KernelPackage/nf-nathelper/description Default Netfilter (IPv4) Conntrack and NAT helpers Includes: - ftp - - irc - - tftp endef -$(eval $(call KernelPackage,ipt-nathelper)) +$(eval $(call KernelPackage,nf-nathelper)) -define KernelPackage/ipt-nathelper-extra +define KernelPackage/nf-nathelper-extra + SUBMENU:=$(NF_MENU) TITLE:=Extra Conntrack and NAT helpers - KCONFIG:=$(KCONFIG_IPT_NATHELPER_EXTRA) - FILES:=$(foreach mod,$(IPT_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER_EXTRA-m))) - $(call AddDepends/ipt,+kmod-ipt-nat +kmod-lib-textsearch) + KCONFIG:=$(KCONFIG_NF_NATHELPER_EXTRA) + FILES:=$(foreach mod,$(NF_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER_EXTRA-m))) + DEPENDS:=+kmod-nf-nat +kmod-lib-textsearch endef -define KernelPackage/ipt-nathelper-extra/description +define KernelPackage/nf-nathelper-extra/description Extra Netfilter (IPv4) Conntrack and NAT helpers Includes: - amanda - h323 + - irc - mms - pptp - proto_gre - sip - snmp_basic + - tftp - broadcast endef -$(eval $(call KernelPackage,ipt-nathelper-extra)) - - -define KernelPackage/ipt-queue - TITLE:=Module for user-space packet queueing - KCONFIG:=$(KCONFIG_IPT_QUEUE) - DEPENDS:=@!LINUX_3_6 - FILES:=$(foreach mod,$(IPT_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_QUEUE-m))) - $(call AddDepends/ipt) -endef - -define KernelPackage/ipt-queue/description - Netfilter (IPv4) module for user-space packet queueing - Includes: - - QUEUE -endef - -$(eval $(call KernelPackage,ipt-queue)) +$(eval $(call KernelPackage,nf-nathelper-extra)) define KernelPackage/ipt-ulog TITLE:=Module for user-space packet logging KCONFIG:=$(KCONFIG_IPT_ULOG) FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_ULOG-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_ULOG-m))) $(call AddDepends/ipt) endef @@ -261,13 +485,46 @@ endef $(eval $(call KernelPackage,ipt-ulog)) +define KernelPackage/ipt-nflog + TITLE:=Module for user-space packet logging + KCONFIG:=$(KCONFIG_IPT_NFLOG) + FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFLOG-m))) + $(call AddDepends/ipt,+kmod-nfnetlink-log) +endef + +define KernelPackage/ipt-nflog/description + Netfilter module for user-space packet logging + Includes: + - NFLOG +endef + +$(eval $(call KernelPackage,ipt-nflog)) + + +define KernelPackage/ipt-nfqueue + TITLE:=Module for user-space packet queuing + KCONFIG:=$(KCONFIG_IPT_NFQUEUE) + FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m))) + $(call AddDepends/ipt,+kmod-nfnetlink-queue) +endef + +define KernelPackage/ipt-nfqueue/description + Netfilter module for user-space packet queuing + Includes: + - NFQUEUE +endef + +$(eval $(call KernelPackage,ipt-nfqueue)) + + define KernelPackage/ipt-debug TITLE:=Module for debugging/development KCONFIG:=$(KCONFIG_IPT_DEBUG) - DEFAULT:=n FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_DEBUG-m))) - $(call AddDepends/ipt) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m))) + $(call AddDepends/ipt,+kmod-ipt-raw +IPV6:kmod-ipt-raw6) endef define KernelPackage/ipt-debug/description @@ -283,7 +540,7 @@ define KernelPackage/ipt-led TITLE:=Module to trigger a LED with a Netfilter rule KCONFIG:=$(KCONFIG_IPT_LED) FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,61,$(notdir $(IPT_LED-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_LED-m))) $(call AddDepends/ipt) endef @@ -295,15 +552,13 @@ $(eval $(call KernelPackage,ipt-led)) define KernelPackage/ipt-tproxy TITLE:=Transparent proxying support - DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ipv6 +IPV6:kmod-ip6tables + DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables KCONFIG:= \ - CONFIG_NETFILTER_TPROXY \ CONFIG_NETFILTER_XT_MATCH_SOCKET \ CONFIG_NETFILTER_XT_TARGET_TPROXY FILES:= \ - $(LINUX_DIR)/net/netfilter/nf_tproxy_core.ko \ $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,50,$(notdir nf_tproxy_core $(IPT_TPROXY-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_TPROXY-m))) $(call AddDepends/ipt) endef @@ -315,13 +570,13 @@ $(eval $(call KernelPackage,ipt-tproxy)) define KernelPackage/ipt-tee TITLE:=TEE support - DEPENDS:=+kmod-ipt-conntrack +IPV6:kmod-ipv6 + DEPENDS:=+kmod-ipt-conntrack KCONFIG:= \ CONFIG_NETFILTER_XT_TARGET_TEE FILES:= \ $(LINUX_DIR)/net/netfilter/xt_TEE.ko \ $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir nf_tee $(IPT_TEE-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_TEE-m))) $(call AddDepends/ipt) endef @@ -339,7 +594,7 @@ define KernelPackage/ipt-u32 FILES:= \ $(LINUX_DIR)/net/netfilter/xt_u32.ko \ $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir nf_tee $(IPT_U32-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_U32-m))) $(call AddDepends/ipt) endef @@ -349,12 +604,29 @@ endef $(eval $(call KernelPackage,ipt-u32)) +define KernelPackage/ipt-checksum + TITLE:=CHECKSUM support + KCONFIG:= \ + CONFIG_NETFILTER_XT_TARGET_CHECKSUM + FILES:= \ + $(LINUX_DIR)/net/netfilter/xt_CHECKSUM.ko \ + $(foreach mod,$(IPT_CHECKSUM-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CHECKSUM-m))) + $(call AddDepends/ipt) +endef + +define KernelPackage/ipt-checksum/description + Kernel modules for CHECKSUM fillin target +endef + +$(eval $(call KernelPackage,ipt-checksum)) + define KernelPackage/ipt-iprange TITLE:=Module for matching ip ranges KCONFIG:=$(KCONFIG_IPT_IPRANGE) FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPRANGE-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPRANGE-m))) $(call AddDepends/ipt) endef @@ -366,12 +638,60 @@ endef $(eval $(call KernelPackage,ipt-iprange)) +define KernelPackage/ipt-cluster + TITLE:=Module for matching cluster + KCONFIG:=$(KCONFIG_IPT_CLUSTER) + FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m))) + $(call AddDepends/ipt) +endef + +define KernelPackage/ipt-cluster/description + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + To use it also enable iptables-mod-cluster + + see `iptables -m cluster --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-cluster)) + +define KernelPackage/ipt-clusterip + TITLE:=Module for CLUSTERIP + KCONFIG:=$(KCONFIG_IPT_CLUSTERIP) + FILES:=$(foreach mod,$(IPT_CLUSTERIP-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTERIP-m))) + $(call AddDepends/ipt,+kmod-nf-conntrack) +endef + +define KernelPackage/ipt-clusterip/description + Netfilter (IPv4-only) module for CLUSTERIP + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + To use it also enable iptables-mod-clusterip + + see `iptables -j CLUSTERIP --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-clusterip)) + define KernelPackage/ipt-extra TITLE:=Extra modules KCONFIG:=$(KCONFIG_IPT_EXTRA) FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_EXTRA-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m))) $(call AddDepends/ipt) endef @@ -380,7 +700,6 @@ define KernelPackage/ipt-extra/description Includes: - addrtype - owner - - physdev (if bridge support was enabled in kernel) - pkttype - quota endef @@ -388,13 +707,28 @@ endef $(eval $(call KernelPackage,ipt-extra)) +define KernelPackage/ipt-physdev + TITLE:=physdev module + KCONFIG:=$(KCONFIG_IPT_PHYSDEV) + FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m))) + $(call AddDepends/ipt,+kmod-br-netfilter) +endef + +define KernelPackage/ipt-physdev/description + The iptables physdev kernel module +endef + +$(eval $(call KernelPackage,ipt-physdev)) + + define KernelPackage/ip6tables SUBMENU:=$(NF_MENU) TITLE:=IPv6 modules - DEPENDS:=+kmod-ipv6 +kmod-ipt-core +kmod-ipt-conntrack + DEPENDS:=+kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core KCONFIG:=$(KCONFIG_IPT_IPV6) FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPT_IPV6-m))) + AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m))) endef define KernelPackage/ip6tables/description @@ -403,6 +737,21 @@ endef $(eval $(call KernelPackage,ip6tables)) +define KernelPackage/ip6tables-extra + SUBMENU:=$(NF_MENU) + TITLE:=Extra IPv6 modules + DEPENDS:=+kmod-ip6tables + KCONFIG:=$(KCONFIG_IPT_IPV6_EXTRA) + FILES:=$(foreach mod,$(IPT_IPV6_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_IPV6_EXTRA-m))) +endef + +define KernelPackage/ip6tables-extra/description + Netfilter IPv6 extra header matching modules +endef + +$(eval $(call KernelPackage,ip6tables-extra)) + ARP_MODULES = arp_tables arpt_mangle arptable_filter define KernelPackage/arptables SUBMENU:=$(NF_MENU) @@ -412,7 +761,7 @@ define KernelPackage/arptables KCONFIG:=CONFIG_IP_NF_ARPTABLES \ CONFIG_IP_NF_ARPFILTER \ CONFIG_IP_NF_ARP_MANGLE - AUTOLOAD:=$(call AutoLoad,49,$(ARP_MODULES)) + AUTOLOAD:=$(call AutoProbe,$(ARP_MODULES)) endef define KernelPackage/arptables/description @@ -422,14 +771,30 @@ endef $(eval $(call KernelPackage,arptables)) +define KernelPackage/br-netfilter + SUBMENU:=$(NF_MENU) + TITLE:=Bridge netfilter support modules + DEPENDS:=+kmod-ipt-core + FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko + KCONFIG:=CONFIG_BRIDGE_NETFILTER + AUTOLOAD:=$(call AutoProbe,br_netfilter) +endef + +define KernelPackage/br-netfilter/install + $(INSTALL_DIR) $(1)/etc/sysctl.d + $(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf +endef + +$(eval $(call KernelPackage,br-netfilter)) + + define KernelPackage/ebtables SUBMENU:=$(NF_MENU) TITLE:=Bridge firewalling modules - DEPENDS:=+kmod-ipt-core +kmod-bridge + DEPENDS:=+kmod-ipt-core FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko) - KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \ - $(KCONFIG_EBTABLES) - AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES-m))) + KCONFIG:=$(KCONFIG_EBTABLES) + AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m))) endef define KernelPackage/ebtables/description @@ -443,7 +808,7 @@ $(eval $(call KernelPackage,ebtables)) define AddDepends/ebtables SUBMENU:=$(NF_MENU) - DEPENDS+=kmod-ebtables $(1) + DEPENDS+= +kmod-ebtables $(1) endef @@ -451,7 +816,7 @@ define KernelPackage/ebtables-ipv4 TITLE:=ebtables: IPv4 support FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko) KCONFIG:=$(KCONFIG_EBTABLES_IP4) - AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP4-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP4-m))) $(call AddDepends/ebtables) endef @@ -467,7 +832,7 @@ define KernelPackage/ebtables-ipv6 TITLE:=ebtables: IPv6 support FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko) KCONFIG:=$(KCONFIG_EBTABLES_IP6) - AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP6-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP6-m))) $(call AddDepends/ebtables) endef @@ -483,7 +848,7 @@ define KernelPackage/ebtables-watchers TITLE:=ebtables: watchers support FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko) KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS) - AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_WATCHERS-m))) + AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_WATCHERS-m))) $(call AddDepends/ebtables) endef @@ -498,10 +863,9 @@ $(eval $(call KernelPackage,ebtables-watchers)) define KernelPackage/nfnetlink SUBMENU:=$(NF_MENU) TITLE:=Netlink-based userspace interface - DEPENDS:=+kmod-ipt-core - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK - AUTOLOAD:=$(call AutoLoad,48,nfnetlink) + FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m))) endef define KernelPackage/nfnetlink/description @@ -519,14 +883,16 @@ endef define KernelPackage/nfnetlink-log TITLE:=Netfilter LOG over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG - AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log) + FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK_LOG) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m))) $(call AddDepends/nfnetlink) endef define KernelPackage/nfnetlink-log/description Kernel modules support for logging packets via NFNETLINK + Includes: + - NFLOG endef $(eval $(call KernelPackage,nfnetlink-log)) @@ -534,14 +900,16 @@ $(eval $(call KernelPackage,nfnetlink-log)) define KernelPackage/nfnetlink-queue TITLE:=Netfilter QUEUE over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE - AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue) + FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_QUEUE-m))) $(call AddDepends/nfnetlink) endef define KernelPackage/nfnetlink-queue/description Kernel modules support for queueing packets via NFNETLINK + Includes: + - NFQUEUE endef $(eval $(call KernelPackage,nfnetlink-queue)) @@ -550,8 +918,8 @@ $(eval $(call KernelPackage,nfnetlink-queue)) define KernelPackage/nf-conntrack-netlink TITLE:=Connection tracking netlink interface FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko - KCONFIG:=CONFIG_NF_CT_NETLINK - AUTOLOAD:=$(call AutoLoad,49,nf_conntrack_netlink) + KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y + AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink) $(call AddDepends/nfnetlink,+kmod-ipt-conntrack) endef @@ -568,7 +936,7 @@ define KernelPackage/ipt-hashlimit DEPENDS:=+kmod-ipt-core KCONFIG:=$(KCONFIG_IPT_HASHLIMIT) FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko - AUTOLOAD:=$(call AutoLoad,50,xt_hashlimit) + AUTOLOAD:=$(call AutoProbe,xt_hashlimit) $(call KernelPackage/ipt) endef @@ -577,3 +945,130 @@ define KernelPackage/ipt-hashlimit/description endef $(eval $(call KernelPackage,ipt-hashlimit)) + +define KernelPackage/ipt-rpfilter + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter rpfilter match + DEPENDS:=+kmod-ipt-core + KCONFIG:=$(KCONFIG_IPT_RPFILTER) + FILES:=$(realpath \ + $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \ + $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko) + AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter) + $(call KernelPackage/ipt) +endef + +define KernelPackage/ipt-rpfilter/description + Kernel modules support for the Netfilter rpfilter match +endef + +$(eval $(call KernelPackage,ipt-rpfilter)) + + +define KernelPackage/nft-core + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables support + DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +kmod-nf-reject6 +kmod-nf-conntrack6 + FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m))) + KCONFIG:= \ + CONFIG_NFT_COMPAT=n \ + CONFIG_NFT_QUEUE=n \ + $(KCONFIG_NFT_CORE) +endef + +define KernelPackage/nft-core/description + Kernel module support for nftables +endef + +$(eval $(call KernelPackage,nft-core)) + + +define KernelPackage/nft-arp + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables ARP table support + DEPENDS:=+kmod-nft-core + FILES:=$(foreach mod,$(NFT_ARP-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_ARP-m))) + KCONFIG:=$(KCONFIG_NFT_ARP) +endef + +$(eval $(call KernelPackage,nft-arp)) + + +define KernelPackage/nft-bridge + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables bridge table support + DEPENDS:=+kmod-nft-core + FILES:=$(foreach mod,$(NFT_BRIDGE-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_BRIDGE-m))) + KCONFIG:= \ + CONFIG_NF_LOG_BRIDGE=n \ + $(KCONFIG_NFT_BRIDGE) +endef + +$(eval $(call KernelPackage,nft-bridge)) + + +define KernelPackage/nft-nat + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables NAT support + DEPENDS:=+kmod-nft-core +kmod-nf-nat + FILES:=$(foreach mod,$(NFT_NAT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT-m))) + KCONFIG:=$(KCONFIG_NFT_NAT) +endef + +$(eval $(call KernelPackage,nft-nat)) + + +define KernelPackage/nft-offload + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables routing/NAT offload support + DEPENDS:=+kmod-nf-flow +kmod-nft-nat + KCONFIG:= \ + CONFIG_NF_FLOW_TABLE_INET \ + CONFIG_NF_FLOW_TABLE_IPV4 \ + CONFIG_NF_FLOW_TABLE_IPV6 \ + CONFIG_NFT_FLOW_OFFLOAD + FILES:= \ + $(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \ + $(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \ + $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \ + $(LINUX_DIR)/net/netfilter/nft_flow_offload.ko + AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload) +endef + +$(eval $(call KernelPackage,nft-offload)) + + +define KernelPackage/nft-nat6 + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables IPv6-NAT support + DEPENDS:=+kmod-nft-nat +kmod-nf-nat6 + FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m))) + KCONFIG:=$(KCONFIG_NFT_NAT6) +endef + +$(eval $(call KernelPackage,nft-nat6)) + +define KernelPackage/nft-netdev + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables netdev support + DEPENDS:=+kmod-nft-core + KCONFIG:= \ + CONFIG_NETFILTER_INGRESS=y \ + CONFIG_NF_TABLES_NETDEV \ + CONFIG_NF_DUP_NETDEV \ + CONFIG_NFT_DUP_NETDEV \ + CONFIG_NFT_FWD_NETDEV + FILES:= \ + $(LINUX_DIR)/net/netfilter/nf_tables_netdev.ko \ + $(LINUX_DIR)/net/netfilter/nf_dup_netdev.ko \ + $(LINUX_DIR)/net/netfilter/nft_dup_netdev.ko \ + $(LINUX_DIR)/net/netfilter/nft_fwd_netdev.ko + AUTOLOAD:=$(call AutoProbe,nf_tables_netdev nf_dup_netdev nft_dup_netdev nft_fwd_netdev) +endef + +$(eval $(call KernelPackage,nft-netdev))