NFLOG and NFQUEUE targets' full support for iptables. Includes all needed kernel modules (Xtables's and Netlink's) and userspace libraries. All added kernel modules can be individually disabled, all other new libraries get their own individual packages.
Reported-by: Fabian Hugelshofer <hugelshofer2...@gmx.ch> Reported-by: Rainer Poisel <rainer.poi...@fhstp.ac.at> Reported-by: Derek LaHousse <dlaho...@mtu.edu> Signed-off-by: Guillaume Déflache <guillaume.defla...@ibwag.com> --- This patch merges the work from: - ddx0n which got initially submitted in 2011 as patch in ticket #9969 and completed with the kmod-ipt-nfqueue module by me - Fabian Hugelshofer he initially submitted in 2008 as patch on openwrt-devel which... - ...Rainer Poisel reworked and resend there in 2010 which... - ...Derek LaHousse reworked and resend there in 2013 (!). I hope all this work can be finally submitted. Please be kind as this is my first OpenWrt patch! include/netfilter.mk | 29 ++++++++++++++++ package/kernel/linux/modules/netfilter.mk | 58 +++++++++++++++++++++++++------ package/network/utils/iptables/Makefile | 28 +++++++++++++++ 3 files changed, 105 insertions(+), 10 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 906eb0f..c6d5322 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -224,6 +224,16 @@ $(eval $(call nf_add,IPT_QUEUE,CONFIG_IP_NF_QUEUE, $(P_V4)ip_queue, lt 3.5.0)) $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG)) +# nflog + +$(eval $(call nf_add,IPT_NFLOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG)) + + +# nfqueue + +$(eval $(call nf_add,IPT_NFQUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE)) + + # debugging $(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE)) @@ -244,6 +254,21 @@ $(eval $(call nf_add,IPT_TEE,CONFIG_NETFILTER_XT_TARGET_TEE, $(P_XT)xt_TEE)) $(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32, $(P_XT)xt_u32)) + +# netlink + +$(eval $(call nf_add,NFNETLINK,CONFIG_NETFILTER_NETLINK, $(P_XT)nfnetlink)) + +# nflog + +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlink_log)) +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG)) + +# nfqueue + +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue)) +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE)) + # # ebtables # @@ -278,6 +303,7 @@ $(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog)) +$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFQUEUE, $(P_EBT)ebt_nfqueue)) # userland only @@ -298,6 +324,9 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y) IPT_BUILTIN += $(IPT_ULOG-y) IPT_BUILTIN += $(IPT_DEBUG-y) IPT_BUILTIN += $(IPT_TPROXY-y) +IPT_BUILTIN += $(NFNETLINK-y) +IPT_BUILTIN += $(NFNETLINK_LOG-y) +IPT_BUILTIN += $(NFNETLINK_QUEUE-y) IPT_BUILTIN += $(EBTABLES-y) IPT_BUILTIN += $(EBTABLES_IP4-y) IPT_BUILTIN += $(EBTABLES_IP6-y) diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 316df69..4901b04 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -278,6 +278,40 @@ endef $(eval $(call KernelPackage,ipt-ulog)) +define KernelPackage/ipt-nflog + TITLE:=Module for user-space packet logging + KCONFIG:=$(KCONFIG_IPT_NFLOG) + FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NFLOG-m))) + $(call AddDepends/ipt,+kmod-nfnetlink-log) +endef + +define KernelPackage/ipt-nflog/description + Netfilter module for user-space packet logging + Includes: + - NFLOG +endef + +$(eval $(call KernelPackage,ipt-nflog)) + + +define KernelPackage/ipt-nfqueue + TITLE:=Module for user-space packet queuing + KCONFIG:=$(KCONFIG_IPT_NFQUEUE) + FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NFQUEUE-m))) + $(call AddDepends/ipt,+kmod-nfnetlink-queue) +endef + +define KernelPackage/ipt-nfqueue/description + Netfilter module for user-space packet queuing + Includes: + - NFQUEUE +endef + +$(eval $(call KernelPackage,ipt-nfqueue)) + + define KernelPackage/ipt-debug TITLE:=Module for debugging/development KCONFIG:=$(KCONFIG_IPT_DEBUG) @@ -530,10 +564,10 @@ $(eval $(call KernelPackage,ebtables-watchers)) define KernelPackage/nfnetlink SUBMENU:=$(NF_MENU) TITLE:=Netlink-based userspace interface - DEPENDS:=+kmod-ipt-core - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK - AUTOLOAD:=$(call AutoProbe,nfnetlink) + FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK) + AUTOLOAD:=$(call AutoProbe,$(NFNETLINK-m)) + $(call AddDepends/ipt) endef define KernelPackage/nfnetlink/description @@ -551,14 +585,16 @@ endef define KernelPackage/nfnetlink-log TITLE:=Netfilter LOG over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG - AUTOLOAD:=$(call AutoProbe,nfnetlink_log) + FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK_LOG) + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_LOG-m))) $(call AddDepends/nfnetlink) endef define KernelPackage/nfnetlink-log/description Kernel modules support for logging packets via NFNETLINK + Includes: + - NFLOG endef $(eval $(call KernelPackage,nfnetlink-log)) @@ -566,14 +602,16 @@ $(eval $(call KernelPackage,nfnetlink-log)) define KernelPackage/nfnetlink-queue TITLE:=Netfilter QUEUE over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko - KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE - AUTOLOAD:=$(call AutoProbe,nfnetlink_queue) + FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko) + KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE) + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_QUEUE-m))) $(call AddDepends/nfnetlink) endef define KernelPackage/nfnetlink-queue/description Kernel modules support for queueing packets via NFNETLINK + Includes: + - NFQUEUE endef $(eval $(call KernelPackage,nfnetlink-queue)) diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index 8266f14..cf6e59c 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -194,6 +194,32 @@ iptables extensions for user-space packet logging. endef +define Package/iptables-mod-nflog +$(call Package/iptables/Module, +kmod-nfnetlink-log) + TITLE:=Netfilter NFLOG target +endef + +define Package/iptables-mod-nflog/description + iptables extension for user-space logging via NFNETLINK. + + Includes: + - libxt_NFLOG + +endef + +define Package/iptables-mod-nfqueue +$(call Package/iptables/Module, +kmod-nfnetlink-queue) + TITLE:=Netfilter NFQUEUE target +endef + +define Package/iptables-mod-nfqueue/description + iptables extension for user-space queuing via NFNETLINK. + + Includes: + - libxt_NFQUEUE + +endef + define Package/iptables-mod-hashlimit $(call Package/iptables/Module, +kmod-ipt-hashlimit) TITLE:=hashlimit matching @@ -469,6 +495,8 @@ $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m))) $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) +$(eval $(call BuildPlugin,iptables-mod-nflog,$(NFNETLINK_LOG-m))) +$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(NFNETLINK_QUEUE-m))) $(eval $(call BuildPackage,ip6tables)) $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m))) --- Diese E-Mail ist frei von Viren und Malware, denn der avast! Antivirus Schutz ist aktiv. http://www.avast.com _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
