From 177fa14340ebd1784ea87b7c914cde3ffea81c97 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Mon, 9 Apr 2018 19:41:26 +0200 Subject: [PATCH] iptables: split physdev match out as a separate package Split physdev match out of ipt-extra to allow installing ipt-extra without pulling in br-netfilter. Signed-off-by: Matthias Schiffer --- include/netfilter.mk | 5 ++++- package/kernel/linux/modules/netfilter.mk | 18 ++++++++++++++++-- package/network/utils/iptables/Makefile | 11 ++++++++++- 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index c4e43a84a1..5d532cea5b 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -94,12 +94,14 @@ $(eval $(call nf_add,IPT_CONNTRACK_LABEL,CONFIG_NETFILTER_XT_MATCH_CONNLABEL, $( $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype))) $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_OWNER, $(P_XT)xt_owner)) -$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev)) $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PKTTYPE, $(P_XT)xt_pkttype)) $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota)) #$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE)) +# physdev + +$(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev)) # filter @@ -371,6 +373,7 @@ IPT_BUILTIN += $(NF_CONNTRACK6-y) IPT_BUILTIN += $(IPT_CONNTRACK-y) IPT_BUILTIN += $(IPT_CONNTRACK_EXTRA-y) IPT_BUILTIN += $(IPT_EXTRA-y) +IPT_BUILTIN += $(IPT_PHYSDEV-y) IPT_BUILTIN += $(IPT_FILTER-y) IPT_BUILTIN += $(IPT_FLOW-y) $(IPT_FLOW-m) IPT_BUILTIN += $(IPT_IPOPT-y) diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 48db5d0599..99c24cc042 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk 
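Review bot: Moving `xt_physdev` from `IPT_EXTRA` to the new `IPT_PHYSDEV` group in the `@@ -94,12` hunk silently drops the physdev match from kmod-ipt-extra and iptables-mod-extra, because both build their file lists from `$(IPT_EXTRA-m)` in later hunks of this patch. A device that installs only the -extra packages and carries `-m physdev` rules would fail to load those rules after an upgrade, which on a firewall can leave a partially applied ruleset. Whether any in-tree package or default profile relies on the old arrangement is not visible here, so it is worth searching for physdev users and adding `+iptables-mod-physdev` to their `DEPENDS`. The new section comment could also record why the group is separate, e.g. `# physdev (kept out of extra: pulls in br-netfilter)`.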
@@ -686,7 +686,7 @@ define KernelPackage/ipt-extra KCONFIG:=$(KCONFIG_IPT_EXTRA) FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m))) - $(call AddDepends/ipt,+kmod-br-netfilter) + $(call AddDepends/ipt) endef define KernelPackage/ipt-extra/description @@ -694,7 +694,6 @@ define KernelPackage/ipt-extra/description Includes: - addrtype - owner - - physdev (if bridge support was enabled in kernel) - pkttype - quota endef @@ -702,6 +701,21 @@ endef $(eval $(call KernelPackage,ipt-extra)) +define KernelPackage/ipt-physdev + TITLE:=physdev module + KCONFIG:=$(KCONFIG_IPT_PHYSDEV) + FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m))) + $(call AddDepends/ipt,+kmod-br-netfilter) +endef + +define KernelPackage/ipt-physdev/description + The iptables physdev kernel module +endef + +$(eval $(call KernelPackage,ipt-physdev)) + + define KernelPackage/ip6tables SUBMENU:=$(NF_MENU) TITLE:=IPv6 modules diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index ae9212a552..d70dc11d45 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -349,12 +349,20 @@ Other extra iptables extensions. - addrtype - condition - owner - - physdev (if ebtables is enabled) - pkttype - quota endef +define Package/iptables-mod-physdev +$(call Package/iptables/Module, +kmod-ipt-physdev) + TITLE:=physdev iptables extension +endef + +define Package/iptables-mod-physdev/description +The iptables physdev match. +endef + define Package/iptables-mod-led $(call Package/iptables/Module, +kmod-ipt-led) TITLE:=LED trigger iptables extension 
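Review bot: Dropping `+kmod-br-netfilter` from `$(call AddDepends/ipt)` in `KernelPackage/ipt-extra` also removes br-netfilter from any image that only had it as a transitive dependency of kmod-ipt-extra. Where a configuration relies on br_netfilter to pass bridged frames through iptables, those frames would stop reaching the rules without any build-time error; whether such configurations exist in the tree cannot be told from this patch. The ipt-extra description edited in the next hunk is the natural place to record the move, for instance a line `physdev now lives in kmod-ipt-physdev (depends on kmod-br-netfilter)`. The `define KernelPackage/ipt-extra` block begins above this hunk.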
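Review bot: `KernelPackage/ipt-physdev/description` says only `The iptables physdev kernel module`, which loses the caveat the removed ipt-extra line carried (`if bridge support was enabled in kernel`) and does not mention that installing it pulls in kmod-br-netfilter. If the kernel is built without bridge netfilter support, `$(IPT_PHYSDEV-m)` is presumably empty and the package would ship no module, so the condition is worth stating. Suggested text: `Kernel module for the iptables physdev match (xt_physdev); requires bridge support in the kernel and depends on kmod-br-netfilter.` The one-line `Package/iptables-mod-physdev/description` added in package/network/utils/iptables/Makefile is equally terse and could point at this kernel package.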
@@ -609,6 +617,7 @@ $(eval $(call BuildPackage,iptables)) $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m))) $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m))) $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m))) $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) -- 2.30.2