Commit Graph

149 Commits

Author SHA1 Message Date
Brett Mastbergen 2b6eab507a netfilter: Add fib support for nftables
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
2018-12-16 00:57:20 +01:00
Hauke Mehrtens fbaf48387e kernel: netfilter: chain filters merged into nf_tables.ko
In mainline kernel commit 02c7b25e5f5 ("netfilter: nf_tables: build-in
filter chain type") all chain filters were merged into one file and into
one kernel module to save some memory. The code protected by these
configuration options CONFIG_NF_TABLES_BRIDGE, CONFIG_NF_TABLES_IPV4,
CONFIG_NF_TABLES_ARP, CONFIG_NF_TABLES_IPV6, CONFIG_NF_TABLES_NETDEV and
CONFIG_NF_TABLES_INET was merged into the nft_chain_filter.c file which
is now always compiled into the nf_tables.ko file.

This only happened in kernel 4.19 and OpenWrt has to select these as
modules in older kernel versions. Mark them as built-in in the kernel
4.19 specific kernel configuration file which will then not be
overwritten by the package specific settings which try to make them
modular again.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-15 14:28:50 +01:00
Hauke Mehrtens f891670704 kernel: netfilter: Adapt merge ipv4/ipv6 masquerade code
In kernel commit 0168e8b361 ("netfilter: nat: merge ipv4/ipv6 masquerade
code into main nat module") the CONFIG_NF_NAT_MASQUERADE_IPV4 and
CONFIG_NF_NAT_MASQUERADE_IPV6 kernel configuration options were changed
to bool and the code will not be compiled as its own module any more, but
it will be integrated into nf_nat_ipv4.ko or nf_nat_ipv6.ko to save some
memory.

Activate these options as bool in the generic kernel 4.19 configuration
only, to always build them into the nf_nat_ipv*.ko modules. The kmod
file will still try to select them as module, but the generic
configuration will not be overwritten.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-15 14:28:50 +01:00
Hauke Mehrtens f72f793c9e kernel: netfilter: Add nf_conncount.ko
Some kernel modules from kmod-ipt-conntrack-extra depend on
nf_conncount.ko, which was added in kernel 4.16, add it to the kmod.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-15 14:28:50 +01:00
Hauke Mehrtens 89806545cc kernel: netfilter: Add nf_tproxy_ipv{4,6} and nf_socket_ipv{4,6}
The nf_socket.ko module was split in commit 8db4c5be88f ("netfilter:
move socket lookup infrastructure to nf_socket_ipv{4,6}.c") into a
common, an IPv4 and an IPv6 part.
The nf_tproxy.ko module was split in commit 45ca4e0cf27 ("netfilter:
Libify xt_TPROXY") into a common, an IPv4 and an IPv6 part.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-15 14:28:50 +01:00
Hauke Mehrtens 35929059b7 kernel: netfilter: Add nf_defrag_ipv6.ko to NF_CONNTRACK on 4.19
In kernel commit a0ae2562c6c ("netfilter: conntrack: remove l3proto
abstraction") the modules nf_conntrack_ipv4.ko, nf_conntrack_ipv6.ko and
nf_conntrack.ko were squashed together into one module. This module now
depends on nf_defrag_ipv6 when IPv6 support is activated. This is part
of the main netfilter packages, so add nf_defrag_ipv6.ko also to the
default netfilter packages on kernel 4.19 and later.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-15 14:28:50 +01:00
Jo-Philipp Wich 93ac8b03b0 Revert "netfilter: separate IPv6 relevant kernel modules from IPv4"
This reverts commit 42a3c6465a.

The change was apparently never build-tested with all kmods enabled. I took
a brief look but found no simple way to untangle this, so revert it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-06 19:46:37 +02:00
Rosy Song 42a3c6465a netfilter: separate IPv6 relevant kernel modules from IPv4
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-08-06 12:09:04 +02:00
Alin Nastac ab07ae2f27 netfilter: add bpf match support
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.

Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2018-06-26 08:57:25 +02:00
Matthias Schiffer 177fa14340 iptables: split physdev match out as a separate package
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-09 19:41:48 +02:00
Felix Fietkau 820f030998 netfilter: add an xt_FLOWOFFLOAD target for NAT/routing offload support
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.

Requires Linux 4.14

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 20:12:42 +01:00
Kristian Evensen 2d27ebbb93 iptables: Support building connlabel module
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
2018-02-13 10:01:52 +01:00
Matthias Schiffer 352c74fcb4 netfilter: add packages for arp and bridge tables of nftables
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-31 13:32:40 +01:00
Matthias Schiffer e7e025426a netfilter: clean up dependencies of kernel modules
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-31 13:32:40 +01:00
Denis Osvald ee791fa4ab netfilter, iptables: add optional CHECKSUM module
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
2017-11-06 16:39:41 +01:00
Martin Wetterwald 378e1a4858 iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
                  and depend on kmod-ipt-raw since it's required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
2017-10-27 02:31:33 +02:00
Alin Nastac d8748e537f netfilter: add iptables-mod-rpfilter package
Unlike the /proc/sys/net/ipv4/conf/INTF/rp_filter flag, the rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents the conntrack table from
becoming full when a packet flood with randomly selected source IP addresses
is received from the lan side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2017-07-11 22:09:57 +02:00
Felix Fietkau 0519bafbda netfilter.mk: prepare for linux 4.9 support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-27 11:18:27 +01:00
Felix Fietkau 970dd4dd58 kernel: netfilter: split out iptable_raw into a separate package
This will avoid loading it in the default configuration, which reduces
image size a bit, and (more importantly) improves performance by
avoiding some unnecessary netfilter hooks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-14 12:13:14 +01:00
Jo-Philipp Wich e2f8d200f5 netfilter: drop proprietary xt_id match
The xt_id match was used by the firewall3 package to track its own rules but
the approach has been changed to use xt_comment instead now, so we can drop
this nonstandard extension.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-12-14 01:05:06 +01:00
Matthias Schiffer cea09329e5 netfilter: fix file conflicts between kmod-ipt- and kmod-nft- packages
The nf_reject_* and nf_nat_masquerade_* modules are moved into the
corresponding kmod-nf- packages. Appropriate dependencies are added to the
kmod-nft- packages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-30 23:32:05 +02:00
Felix Fietkau c0f4c9e0d8 include/netfilter.mk: fix kmod-ipt-tee build with 4.3/4.4
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47890
2015-12-13 18:33:11 +00:00
Jonas Gorski e9650d4557 netfilter.mk: fix redirect module locations for 3.19+
nft_redir_ipvX is part of NAT support, so they should be in the
appropriate nft-nat kmods. Since they depend on nf_nat_redirect,
nf_nat_redirect should be part of nf-nat, not ipt-nat.

Fixes nft-core gaining a missing dependency on nf_nat_redirect.ko.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 46109
2015-06-22 12:27:25 +00:00
Felix Fietkau 3edc273a33 netfilter.mk: remove obsolete ip_nat_ftp related line
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45516
2015-04-20 13:36:25 +00:00
Felix Fietkau 391387eb69 netfilter.mk: move IRC conntrack/nat helpers to kmod-nf-nathelper-extra
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45515
2015-04-20 13:36:02 +00:00
Felix Fietkau d0ba3bb1e2 kernel: finally remove layer7 filter support
It has been non-functional for years and caused numerous memleaks and
crashes for people that tried to enable it.
It has no maintained upstream source, and it does not look like it's
going to be fixed any time soon.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45423
2015-04-13 22:23:14 +00:00
Felix Fietkau 54a7ce626d netfilter.mk: remove bogus NAT related kernel module entries (#19451)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45382
2015-04-11 12:22:39 +00:00
Felix Fietkau da7ef81ad4 netfilter.mk: drop obsolete kernel version dependencies
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45381
2015-04-11 12:22:28 +00:00
Luka Perkov 7002f6326e include: remove trailing whitespaces
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 45127
2015-03-29 07:29:18 +00:00
Felix Fietkau c901f4fcbb netfilter: add missing module/symbol
ipv4 symbol was added but ipv6 symbol is missing

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 45122
2015-03-29 05:16:13 +00:00
Felix Fietkau 46efd56b40 netfilter: clean up compatibility code for old kernels
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44904
2015-03-20 11:01:26 +00:00
John Crispin f26a59aa13 netfilter: fix nf_nat_redirect dependencies for 3.19 and 4.0
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>

SVN-Revision: 44598
2015-03-05 20:24:22 +00:00
Jo-Philipp Wich b2f666d098 include: netfilter: fix packaging of LOG target for Linux >= 3.16 (#19031)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44488
2015-02-18 13:28:28 +00:00
Jo-Philipp Wich 634e9fe920 netfilter: add missing symbols and modules for Linux 3.18+
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44187
2015-01-29 10:22:17 +00:00
Imre Kaloz d26694243a generic: add preliminary 3.19 support
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 44126
2015-01-25 15:20:39 +00:00
Imre Kaloz 3a9e3dfa95 netfilter: handle NFT_MASQ_IPV6
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 43966
2015-01-14 08:53:11 +00:00
Imre Kaloz c3c00c4286 netfilter: handle nft_masq and nft_masq_ipv4
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 43950
2015-01-12 20:16:36 +00:00
Felix Fietkau 27f36718d3 kernel: add a patch to make netfilter conntrack cache routing information
Significantly improves routing / NAT performance

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43587
2014-12-09 11:01:49 +00:00
John Crispin 6521f53c65 kernel: Fixed dependencies in netfilter modules introduced with 3.18 kernel
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. This patch fixes 3
of such issues which are critical to have a successful build.

Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>

SVN-Revision: 43318
2014-11-19 14:09:01 +00:00
Steven Barth 25a6d37e23 kernel: 3.18: Fix kmod-ipt-nat
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.

Enable these new options.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

SVN-Revision: 43212
2014-11-08 12:17:14 +00:00
Felix Fietkau 9a2cf10c33 netfilter: Enable compiling iptables match cluster
This patch adds the userspace and kernelspace for

- match NETFILTER_XT_MATCH_CLUSTER
  This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
  This module allows you to configure a simple cluster of nodes
  that share a certain IP and MAC address
  without an explicit load balancer in front of them.
  Connections are statically distributed between the nodes in this cluster.

This is used i.e. by strongswan-ha.

Signed-off-by: Christian Scheele <cs@embedd.com>

SVN-Revision: 43174
2014-11-03 22:01:45 +00:00
Steven Barth a294c670e5 netfilter: unbreak kmod-ipt-nat for <3.7
SVN-Revision: 42696
2014-09-29 05:24:32 +00:00
Steven Barth aba8e9ceef netfilter: fix a typo in TTL-match module
SVN-Revision: 42611
2014-09-18 14:53:26 +00:00
Steven Barth 0e0efd4771 netfilter: remove redundant CONFIG_IP_NF_IPTABLES
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42599
2014-09-17 12:17:01 +00:00
Steven Barth e4e5c31f87 Reorganize netfilter kernel modules and package nftables kernel support
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42596
2014-09-17 12:10:44 +00:00
Steven Barth 9f2a17103f iptables: NFLOG and NFQUEUE targets' full support
NFLOG and NFQUEUE targets' full support for iptables.

Includes all needed kernel modules (Xtables's and Netlink's)
and userspace libraries.
All added kernel modules can be individually disabled,
all other new libraries get their own individual packages.

Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>

SVN-Revision: 42022
2014-08-07 04:42:22 +00:00
Jo-Philipp Wich baa7c211f5 netfilter: introduce xt_id match
This commit implements a new netfilter match "xt_id" which can be used to
attach unsigned 32-bit IDs to iptables rules.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 41945
2014-08-01 22:49:47 +00:00
Felix Fietkau 4b241e9827 netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40983
2014-06-02 18:13:38 +00:00
Steven Barth 97ea9e3c2a iptables/netfilter: add connlimit to conntrack-extra
SVN-Revision: 39878
2014-03-11 14:58:00 +00:00
Steven Barth 2e2c4c2dd3 Fix IPv6 NAT breaking older kernels
SVN-Revision: 37891
2013-09-03 06:29:46 +00:00