X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=package%2Fkernel%2Flinux%2Fmodules%2Fnetfilter.mk;h=ccbd20a64349bcd0ba129f7a71bee4d67f54bfd5;hb=ce89535bce052c9463e32ad83b950d00c988c21f;hp=a25274efce4c830d39a01bd131a26fc1f8b5be52;hpb=5d501f9aa0311142b33893de3ffbc80c0f8a58cd;p=openwrt%2Fstaging%2Frmilecki.git diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index a25274efce4..ccbd20a6434 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -68,6 +68,7 @@ define KernelPackage/nf-conntrack KCONFIG:= \ CONFIG_NETFILTER=y \ CONFIG_NETFILTER_ADVANCED=y \ + CONFIG_NF_CONNTRACK_ZONES=y \ $(KCONFIG_NF_CONNTRACK) FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m))) @@ -80,7 +81,7 @@ define KernelPackage/nf-conntrack6 SUBMENU:=$(NF_MENU) TITLE:=Netfilter IPv6 connection tracking KCONFIG:=$(KCONFIG_NF_CONNTRACK6) - DEPENDS:=+kmod-ipv6 +kmod-nf-conntrack + DEPENDS:=@IPV6 +kmod-nf-conntrack FILES:=$(foreach mod,$(NF_CONNTRACK6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK6-m))) endef @@ -171,7 +172,6 @@ endef define KernelPackage/ipt-filter/description Netfilter (IPv4) kernel modules for packet content inspection Includes: - - layer7 - string endef @@ -223,6 +223,54 @@ endef $(eval $(call KernelPackage,ipt-ipsec)) +IPSET_MODULES:= \ + ipset/ip_set \ + ipset/ip_set_bitmap_ip \ + ipset/ip_set_bitmap_ipmac \ + ipset/ip_set_bitmap_port \ + ipset/ip_set_hash_ip \ + ipset/ip_set_hash_ipmark \ + ipset/ip_set_hash_ipport \ + ipset/ip_set_hash_ipportip \ + ipset/ip_set_hash_ipportnet \ + ipset/ip_set_hash_mac \ + ipset/ip_set_hash_netportnet \ + ipset/ip_set_hash_net \ + ipset/ip_set_hash_netnet \ + ipset/ip_set_hash_netport \ + ipset/ip_set_hash_netiface \ + ipset/ip_set_list_set \ + xt_set + +define KernelPackage/ipt-ipset + SUBMENU:=Netfilter Extensions + TITLE:=IPset netfilter modules + DEPENDS+= +kmod-ipt-core +kmod-nfnetlink + KCONFIG:= \ + CONFIG_IP_SET \ + CONFIG_IP_SET_MAX=256 \ + CONFIG_NETFILTER_XT_SET \ + CONFIG_IP_SET_BITMAP_IP \ + CONFIG_IP_SET_BITMAP_IPMAC \ + CONFIG_IP_SET_BITMAP_PORT \ + CONFIG_IP_SET_HASH_IP \ + CONFIG_IP_SET_HASH_IPMARK \ + CONFIG_IP_SET_HASH_IPPORT \ + CONFIG_IP_SET_HASH_IPPORTIP \ + CONFIG_IP_SET_HASH_IPPORTNET \ + CONFIG_IP_SET_HASH_MAC \ + CONFIG_IP_SET_HASH_NET \ + CONFIG_IP_SET_HASH_NETNET \ + CONFIG_IP_SET_HASH_NETIFACE \ + CONFIG_IP_SET_HASH_NETPORT \ + CONFIG_IP_SET_HASH_NETPORTNET \ + CONFIG_IP_SET_LIST_SET \ + CONFIG_NET_EMATCH_IPSET=n + FILES:=$(foreach mod,$(IPSET_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPSET_MODULES))) +endef +$(eval $(call KernelPackage,ipt-ipset)) + define KernelPackage/ipt-nat TITLE:=Basic NAT targets @@ -247,6 +295,9 @@ define KernelPackage/ipt-nat6 FILES:=$(foreach mod,$(IPT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT6-m))) $(call AddDepends/ipt,+kmod-nf-nat6) + $(call AddDepends/ipt,+kmod-ipt-conntrack) + $(call AddDepends/ipt,+kmod-ipt-nat) + $(call AddDepends/ipt,+kmod-ip6tables) endef define KernelPackage/ipt-nat6/description @@ -319,24 +370,6 @@ endef $(eval $(call KernelPackage,nf-nathelper-extra)) -define KernelPackage/ipt-queue - TITLE:=Module for user-space packet queueing - KCONFIG:=$(KCONFIG_IPT_QUEUE) - DEPENDS:=@!LINUX_3_6 - FILES:=$(foreach mod,$(IPT_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko) - AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_QUEUE-m))) - $(call AddDepends/ipt) -endef - -define KernelPackage/ipt-queue/description - Netfilter (IPv4) module for user-space packet queueing - Includes: - - QUEUE -endef - -$(eval $(call KernelPackage,ipt-queue)) - - define KernelPackage/ipt-ulog TITLE:=Module for user-space packet logging KCONFIG:=$(KCONFIG_IPT_ULOG) @@ -422,13 +455,12 @@ $(eval $(call KernelPackage,ipt-led)) define KernelPackage/ipt-tproxy TITLE:=Transparent proxying support - DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ipv6 +IPV6:kmod-ip6tables + DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ip6tables KCONFIG:= \ CONFIG_NETFILTER_TPROXY \ CONFIG_NETFILTER_XT_MATCH_SOCKET \ CONFIG_NETFILTER_XT_TARGET_TPROXY FILES:= \ - $(if $(call kernel_patchver_lt,3.12),$(LINUX_DIR)/net/netfilter/nf_tproxy_core.ko) \ $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir nf_tproxy_core $(IPT_TPROXY-m))) $(call AddDepends/ipt) @@ -442,7 +474,7 @@ $(eval $(call KernelPackage,ipt-tproxy)) define KernelPackage/ipt-tee TITLE:=TEE support - DEPENDS:=+kmod-ipt-conntrack +IPV6:kmod-ipv6 + DEPENDS:=+kmod-ipt-conntrack @!LINUX_4_4 KCONFIG:= \ CONFIG_NETFILTER_XT_TARGET_TEE FILES:= \ @@ -493,13 +525,61 @@ endef $(eval $(call KernelPackage,ipt-iprange)) +define KernelPackage/ipt-cluster + TITLE:=Module for matching cluster + KCONFIG:=$(KCONFIG_IPT_CLUSTER) + FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m))) + $(call AddDepends/ipt) +endef + +define KernelPackage/ipt-cluster/description + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + To use it also enable iptables-mod-cluster + + see `iptables -m cluster --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-cluster)) + +define KernelPackage/ipt-clusterip + TITLE:=Module for CLUSTERIP + KCONFIG:=$(KCONFIG_IPT_CLUSTERIP) + FILES:=$(foreach mod,$(IPT_CLUSTERIP-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTERIP-m))) + $(call AddDepends/ipt,+kmod-nf-conntrack) +endef + +define KernelPackage/ipt-clusterip/description + Netfilter (IPv4-only) module for CLUSTERIP + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + To use it also enable iptables-mod-clusterip + + see `iptables -j CLUSTERIP --help` for more information. +endef + +$(eval $(call KernelPackage,ipt-clusterip)) + define KernelPackage/ipt-extra TITLE:=Extra modules KCONFIG:=$(KCONFIG_IPT_EXTRA) FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m))) - $(call AddDepends/ipt) + $(call AddDepends/ipt,+kmod-br-netfilter) endef define KernelPackage/ipt-extra/description @@ -564,13 +644,25 @@ endef $(eval $(call KernelPackage,arptables)) +define KernelPackage/br-netfilter + SUBMENU:=$(NF_MENU) + TITLE:=Bridge netfilter support modules + HIDDEN:=1 + DEPENDS:=+kmod-ipt-core +kmod-bridge + FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko + KCONFIG:=CONFIG_BRIDGE_NETFILTER + AUTOLOAD:=$(call AutoProbe,br_netfilter) +endef + +$(eval $(call KernelPackage,br-netfilter)) + + define KernelPackage/ebtables SUBMENU:=$(NF_MENU) TITLE:=Bridge firewalling modules - DEPENDS:=+kmod-ipt-core +kmod-bridge + DEPENDS:=+kmod-ipt-core +kmod-bridge +kmod-br-netfilter FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko) - KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \ - $(KCONFIG_EBTABLES) + KCONFIG:=$(KCONFIG_EBTABLES) AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m))) endef @@ -695,7 +787,7 @@ $(eval $(call KernelPackage,nfnetlink-queue)) define KernelPackage/nf-conntrack-netlink TITLE:=Connection tracking netlink interface FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko - KCONFIG:=CONFIG_NF_CT_NETLINK + KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink) $(call AddDepends/nfnetlink,+kmod-ipt-conntrack) endef