From 144fa4d4e7c00df370924751f58781689cd333e7 Mon Sep 17 00:00:00 2001 From: Aviana Cruz Date: Thu, 2 Feb 2023 21:39:41 +0800 Subject: [PATCH] netfilter: add kmod-nf-conntrack There have been some demands for the `ct count` expression, like https://forum.openwrt.org/t/22-03-2-unable-to-use-ct-count-nft-rules/146680. This adds the required kernel modules for the expression to work. Signed-off-by: Aviana Cruz --- include/netfilter.mk | 7 ++++++- package/kernel/linux/modules/netfilter.mk | 23 +++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index a9c5133ae4..81488fe5c8 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -73,7 +73,6 @@ $(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNTRACK, $(P_XT)x $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNBYTES, $(P_XT)xt_connbytes)) $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNLIMIT, $(P_XT)xt_connlimit)) -$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_CONNCOUNT, $(P_XT)nf_conncount)) $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_connmark)) $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_HELPER, $(P_XT)xt_helper)) $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_RECENT, $(P_XT)xt_recent)) @@ -278,6 +277,10 @@ $(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlin $(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue)) +# conncount + +$(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNCOUNT,CONFIG_NETFILTER_CONNCOUNT, $(P_XT)nf_conncount),)) + # # ebtables # @@ -352,6 +355,8 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_COMPAT,CONFIG_NFT_COMPAT, $(P_XT)nft_co $(eval $(if $(NF_KMOD),$(call nf_add,NFT_XFRM,CONFIG_NFT_XFRM, $(P_XT)nft_xfrm),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CONNLIMIT,CONFIG_NFT_CONNLIMIT, $(P_XT)nft_connlimit),)) + # userland only IPT_BUILTIN += $(NF_IPT-y) $(NF_IPT-m) IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m) diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index e6e2c9b637..1772545f25 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -39,6 +39,17 @@ endef $(eval $(call KernelPackage,nf-reject6)) +define KernelPackage/nf-conncount + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter conncount support + KCONFIG:=$(KCONFIG_NF_CONNCOUNT) + HIDDEN:=1 + DEPENDS:=+kmod-nf-conntrack + FILES:=$(foreach mod,$(NF_CONNCOUNT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNCOUNT-m))) +endef + +$(eval $(call KernelPackage,nf-conncount)) define KernelPackage/nf-ipt SUBMENU:=$(NF_MENU) @@ -234,6 +245,7 @@ $(eval $(call KernelPackage,ipt-conntrack)) define KernelPackage/ipt-conntrack-extra TITLE:=Extra connection tracking modules + DEPENDS:=+kmod-nf-conncount KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA) FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m))) @@ -1254,3 +1266,14 @@ define KernelPackage/nft-xfrm endef $(eval $(call KernelPackage,nft-xfrm)) + +define KernelPackage/nft-connlimit + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter nf_tables connlimit support + DEPENDS:=+kmod-nft-core +kmod-nf-conncount + FILES:=$(foreach mod,$(NFT_CONNLIMIT-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CONNLIMIT-m))) + KCONFIG:=$(KCONFIG_NFT_CONNLIMIT) +endef + +$(eval $(call KernelPackage,nft-connlimit)) -- 2.30.2