path: root/include/netfilter.mk
Commit message | Author | Age | Files | Lines
* netfilter, iptables: add optional CHECKSUM module | Denis Osvald | 2017-11-06 | 1 | -0/+4
  Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
* iptables: Fix target TRACE issue | Martin Wetterwald | 2017-10-27 | 1 | -1/+0
  The package kmod-ipt-debug builds the module xt_TRACE, which allows users to use '-j TRACE' as target in the chain PREROUTING of the table raw in iptables.
  The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so that this feature which is implemented deep inside the linux IP stack (for example in sk_buff) is compiled.
  But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which fails as this dynamic library is not present on the system.
  I created the package iptables-mod-trace which takes care of that, and target TRACE now works!
  https://dev.openwrt.org/ticket/16694
  https://dev.openwrt.org/ticket/19661
  Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
  [Jo-Philipp Wich: also remove trace extension from builtin extension list and depend on kmod-ipt-raw since it's required for rules]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
  Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
* netfilter: add iptables-mod-rpfilter package | Alin Nastac | 2017-07-11 | 1 | -0/+2
  Unlike the /proc/sys/net/ipv4/conf/INTF/rp_filter flag, the rule
    iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
  prevents the conntrack table from becoming full when a packet flood with randomly selected source IP addresses is received from the lan side.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
* netfilter.mk: prepare for linux 4.9 support | Felix Fietkau | 2017-01-27 | 1 | -2/+6
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: netfilter: split out iptable_raw into a separate package | Felix Fietkau | 2016-12-14 | 1 | -2/+0
  This will avoid loading it in the default configuration, which reduces image size a bit, and (more importantly) improves performance by avoiding some unnecessary netfilter hooks
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netfilter: drop proprietary xt_id match | Jo-Philipp Wich | 2016-12-14 | 1 | -2/+1
  The xt_id match was used by the firewall3 package to track its own rules but the approach has been changed to use xt_comment instead now, so we can drop this nonstandard extension.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netfilter: fix file conflicts between kmod-ipt- and kmod-nft- packages | Matthias Schiffer | 2016-09-30 | 1 | -8/+5
  The nf_reject_* and nf_nat_masquerade_* modules are moved into the corresponding kmod-nf- packages. Appropriate dependencies are added to the kmod-nft- packages.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* include/netfilter.mk: fix kmod-ipt-tee build with 4.3/4.4 | Felix Fietkau | 2015-12-13 | 1 | -0/+2
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 47890
* netfilter.mk: fix redirect module locations for 3.19+ | Jonas Gorski | 2015-06-22 | 1 | -3/+3
  ntf_redir_ipvX is part of NAT support, so they should be in the appropriate nft-nat kmods. Since they depend on nf_nat_redirect, nf_nat_redirect should be part of nf-nat, not ipt-nat.
  Fixes nft-core gaining a missing dependency on nf_nat_redirect.ko.
  Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  SVN-Revision: 46109
* netfilter.mk: remove obsolete ip_nat_ftp related line | Felix Fietkau | 2015-04-20 | 1 | -1/+0
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45516
* netfilter.mk: move IRC conntrack/nat helpers to kmod-nf-nathelper-extra | Felix Fietkau | 2015-04-20 | 1 | -2/+2
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45515
* kernel: finally remove layer7 filter support | Felix Fietkau | 2015-04-13 | 1 | -1/+0
  it has been non-functional for years and caused numerous memleaks and crashes for people that tried to enable it.
  it has no maintained upstream source, and it does not look like it's going to be fixed any time soon
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45423
* netfilter.mk: remove bogus NAT related kernel module entries (#19451) | Felix Fietkau | 2015-04-11 | 1 | -3/+0
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45382
* netfilter.mk: drop obsolete kernel version dependencies | Felix Fietkau | 2015-04-11 | 1 | -36/+36
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45381
* include: remove trailing whitespaces | Luka Perkov | 2015-03-29 | 1 | -2/+2
  Signed-off-by: Luka Perkov <luka@openwrt.org>
  SVN-Revision: 45127
* netfilter: add missing module/symbol | Felix Fietkau | 2015-03-29 | 1 | -0/+1
  ipv4 symbol was added but ipv6 symbol is missing
  Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
  SVN-Revision: 45122
* netfilter: clean up compatibility code for old kernels | Felix Fietkau | 2015-03-20 | 1 | -32/+16
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 44904
* netfilter: fix nf_nat_redirect dependencies for 3.19 and 4.0 | John Crispin | 2015-03-05 | 1 | -0/+1
  Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
  SVN-Revision: 44598
* include: netfilter: fix packaging of LOG target for Linux >= 3.16 (#19031) | Jo-Philipp Wich | 2015-02-18 | 1 | -0/+3
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 44488
* netfilter: add missing symbols and modules for Linux 3.18+ | Jo-Philipp Wich | 2015-01-29 | 1 | -1/+7
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 44187
* generic: add preliminary 3.19 support | Imre Kaloz | 2015-01-25 | 1 | -0/+2
  Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
  SVN-Revision: 44126
* netfilter: handle NFT_MASQ_IPV6 | Imre Kaloz | 2015-01-14 | 1 | -0/+1
  Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
  SVN-Revision: 43966
* netfilter: handle nft_masq and nft_masq_ipv4 | Imre Kaloz | 2015-01-12 | 1 | -0/+2
  Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
  SVN-Revision: 43950
* kernel: add a patch to make netfilter conntrack cache routing information | Felix Fietkau | 2014-12-09 | 1 | -0/+1
  Significantly improves routing / NAT performance
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 43587
* kernel: Fixed dependencies in netfilter modules introduced with 3.18 kernel | John Crispin | 2014-11-19 | 1 | -0/+3
  Building current trunk with 3.18 kernel fired some errors like 'missed dependancy of module XXX from library kmod_YYY.ko'. This patch fixes 3 of such issues which are critical to have a successful build.
  Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>
  SVN-Revision: 43318
* kernel: 3.18: Fix kmod-ipt-nat | Steven Barth | 2014-11-08 | 1 | -0/+2
  The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat kernel modules, that both belong to the ipt_nat kernel package.
  Enable these new options.
  Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
  SVN-Revision: 43212
* netfilter: Enable compiling iptables match cluster | Felix Fietkau | 2014-11-03 | 1 | -0/+7
  This patch adds the userspace and kernelspace for
  - match NETFILTER_XT_MATCH_CLUSTER
    This match can be used to deploy gateway and back-end load-sharing clusters.
  - target IP_NF_TARGET_CLUSTERIP
    This module allows you to configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster. This is used i.e. by strongswan-ha.
  Signed-off-by: Christian Scheele <cs@embedd.com>
  SVN-Revision: 43174
* netfilter: unbreak kmod-ipt-nat for <3.7 | Steven Barth | 2014-09-29 | 1 | -0/+1
  SVN-Revision: 42696
* netfilter: fix a typo in TTL-match module | Steven Barth | 2014-09-18 | 1 | -1/+1
  SVN-Revision: 42611
* netfilter: remove redundant CONFIG_IP_NF_IPTABLES | Steven Barth | 2014-09-17 | 1 | -1/+0
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 42599
* Reorganize netfilter kernel modules and package nftables kernel support | Steven Barth | 2014-09-17 | 1 | -40/+75
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 42596
* iptables: NFLOG and NFQUEUE targets' full support | Steven Barth | 2014-08-07 | 1 | -0/+27
  NFLOG and NFQUEUE targets' full support for iptables.
  Includes all needed kernel modules (Xtables's and Netlink's) and userspace libraries.
  All added kernel modules can be individually disabled, all other new libraries get their own individual packages.
  Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
  Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
  Reported-by: Derek LaHousse <dlahouss@mtu.edu>
  Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>
  SVN-Revision: 42022
* netfilter: introduce xt_id match | Jo-Philipp Wich | 2014-08-01 | 1 | -1/+2
  This commit implements a new netfilter match "xt_id" which can be used to attach unsigned 32bit IDs to iptables rules.
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 41945
* netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage) | Felix Fietkau | 2014-06-02 | 1 | -7/+9
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 40983
* iptables/netfilter: add connlimit to conntrack-extra | Steven Barth | 2014-03-11 | 1 | -0/+1
  SVN-Revision: 39878
* Fix IPv6 NAT breaking older kernels | Steven Barth | 2013-09-03 | 1 | -2/+0
  SVN-Revision: 37891
* netfilter: Add IPv6-NAT support for kernel and ipt Thanks to Berni, Adam Novak and Sedat Dilek for patches and inspiration | Steven Barth | 2013-09-01 | 1 | -1/+9
  SVN-Revision: 37866
* netfilter: fix typo | Luka Perkov | 2013-08-21 | 1 | -1/+1
  Signed-off-by: Luka Perkov <luka@openwrt.org>
  SVN-Revision: 37821
* netfilter: remove use of obsolete compatibility config symbols for mark and connmark | Felix Fietkau | 2013-07-15 | 1 | -8/+4
  fixes duplication of xt_mark and xt_connmark module entries
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 37344
* netfilter: move time, mark, set matches and MARK, REDIRECT, SET targets into base iptables package - drop iptables-mod-ipset | Jo-Philipp Wich | 2013-05-21 | 1 | -11/+11
  SVN-Revision: 36683
* netfilter: Fix typo in last commit | Steven Barth | 2013-03-07 | 1 | -1/+1
  SVN-Revision: 35899
* iptables: Add missing IPv6 builtin modules | Steven Barth | 2013-03-07 | 1 | -1/+3
  SVN-Revision: 35898
* package/kernel: xt_NOTRACK has been removed in 3.7-rc1 | Gabor Juhos | 2013-02-04 | 1 | -1/+1
  Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  SVN-Revision: 35475
* netfilter.mk: add addrtype match to iptables-mod-extra (kmod-ipt-extra) | Jo-Philipp Wich | 2013-01-14 | 1 | -2/+1
  SVN-Revision: 35155
* netfilter: xt_NOTRACK is incorporated in xt_CT as of 3.8-rc3 | Florian Fainelli | 2013-01-10 | 1 | -1/+1
  Signed-off-by: Florian Fainelli <florian@openwrt.org>
  SVN-Revision: 35087
* fix ipv4 nat on 3.7 by adding missing iptables modules | John Crispin | 2012-12-22 | 1 | -1/+1
  SVN-Revision: 34841
* netfilter: fix module list for 3.7 kernel | Gabor Juhos | 2012-12-18 | 1 | -6/+11
  Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  SVN-Revision: 34750
* netfilter.mk: extend nf_add macro to take a version dependency expression | Jo-Philipp Wich | 2012-12-15 | 1 | -19/+16
  - nf_add now takes an optional 4th argument which specifies a kernel version dependency, e.g. "lt 3.7.0"
  - remove CompareKernelPatchVer conditionals around nf_add invocations, use version depends instead
  - fixes xt_LOG.ko packaging with Linux 3.6.0 and later
  SVN-Revision: 34681
* netfilter.mk: fix packaging of xt_LOG.ko, it moved between 3.3.8 and 3.6.x | Jo-Philipp Wich | 2012-12-11 | 1 | -2/+6
  SVN-Revision: 34625
* kernel: fix loading of nf_nat_irc | Hauke Mehrtens | 2012-11-18 | 1 | -1/+1
  nf_nat_irc depends on nf_conntrack_irc and it should be defined after that.
  This fixes a problem introduced in r34247.
  SVN-Revision: 34251