iptables: NFLOG and NFQUEUE targets' full support

NFLOG and NFQUEUE targets' full support for iptables.

Includes all needed kernel modules (Xtables's and Netlink's)
 and userspace libraries.
Each added kernel module can be disabled individually,
 and each other new library gets its own package.

Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>

git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@42030 3c298f89-4303-0410-b956-a3cf2f4a3e73
cyrus 2014-08-07 10:00:28 +00:00
parent f985bf8a39
commit 0241b7792f
3 changed files with 103 additions and 10 deletions


@ -225,6 +225,16 @@ $(eval $(call nf_add,IPT_QUEUE,CONFIG_IP_NF_QUEUE, $(P_V4)ip_queue, lt 3.5.0))
$(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG)) $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
# nflog
$(eval $(call nf_add,IPT_NFLOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG))
# nfqueue
$(eval $(call nf_add,IPT_NFQUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE))
# debugging # debugging
$(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE)) $(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE))
@ -245,6 +255,19 @@ $(eval $(call nf_add,IPT_TEE,CONFIG_NETFILTER_XT_TARGET_TEE, $(P_XT)xt_TEE))
$(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32, $(P_XT)xt_u32)) $(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32, $(P_XT)xt_u32))
# netlink
$(eval $(call nf_add,NFNETLINK,CONFIG_NETFILTER_NETLINK, $(P_XT)nfnetlink))
# nflog
$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlink_log))
# nfqueue
$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue))
# #
# ebtables # ebtables
# #
@ -279,6 +302,7 @@ $(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog)) $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFQUEUE, $(P_EBT)ebt_nfqueue))
# userland only # userland only
@ -299,6 +323,9 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
IPT_BUILTIN += $(IPT_ULOG-y) IPT_BUILTIN += $(IPT_ULOG-y)
IPT_BUILTIN += $(IPT_DEBUG-y) IPT_BUILTIN += $(IPT_DEBUG-y)
IPT_BUILTIN += $(IPT_TPROXY-y) IPT_BUILTIN += $(IPT_TPROXY-y)
IPT_BUILTIN += $(NFNETLINK-y)
IPT_BUILTIN += $(NFNETLINK_LOG-y)
IPT_BUILTIN += $(NFNETLINK_QUEUE-y)
IPT_BUILTIN += $(EBTABLES-y) IPT_BUILTIN += $(EBTABLES-y)
IPT_BUILTIN += $(EBTABLES_IP4-y) IPT_BUILTIN += $(EBTABLES_IP4-y)
IPT_BUILTIN += $(EBTABLES_IP6-y) IPT_BUILTIN += $(EBTABLES_IP6-y)
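Review bot: At L47 `ebt_nfqueue` is appended to the existing `EBTABLES_WATCHERS` group instead of getting a group of its own, so it ships inside kmod-ebtables-watchers, whose package definition is outside this section; unlike the new `ipt-nfqueue` package, which declares `+kmod-nfnetlink-queue`, that package presumably does not pull in `nfnetlink_queue`. A bridge rule using the NFQUEUE watcher would then have no userspace handler, and packets queued with no listener are dropped by the kernel, which is a silent traffic loss rather than a load error. Either give the module its own `nf_add` group (e.g. `EBTABLES_NFQUEUE`) with a package that depends on kmod-nfnetlink-queue, or at least mark the line: `# ebt_nfqueue only works with nfnetlink_queue loaded; kmod-ebtables-watchers does not depend on it`.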


@ -278,6 +278,40 @@ endef
$(eval $(call KernelPackage,ipt-ulog)) $(eval $(call KernelPackage,ipt-ulog))
define KernelPackage/ipt-nflog
TITLE:=Module for user-space packet logging
KCONFIG:=$(KCONFIG_IPT_NFLOG)
FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFLOG-m)))
$(call AddDepends/ipt,+kmod-nfnetlink-log)
endef
define KernelPackage/ipt-nflog/description
Netfilter module for user-space packet logging
Includes:
- NFLOG
endef
$(eval $(call KernelPackage,ipt-nflog))
define KernelPackage/ipt-nfqueue
TITLE:=Module for user-space packet queuing
KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
$(call AddDepends/ipt,+kmod-nfnetlink-queue)
endef
define KernelPackage/ipt-nfqueue/description
Netfilter module for user-space packet queuing
Includes:
- NFQUEUE
endef
$(eval $(call KernelPackage,ipt-nfqueue))
define KernelPackage/ipt-debug define KernelPackage/ipt-debug
TITLE:=Module for debugging/development TITLE:=Module for debugging/development
KCONFIG:=$(KCONFIG_IPT_DEBUG) KCONFIG:=$(KCONFIG_IPT_DEBUG)
@ -530,10 +564,10 @@ $(eval $(call KernelPackage,ebtables-watchers))
define KernelPackage/nfnetlink define KernelPackage/nfnetlink
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netlink-based userspace interface TITLE:=Netlink-based userspace interface
DEPENDS:=+kmod-ipt-core FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko KCONFIG:=$(KCONFIG_NFNETLINK)
KCONFIG:=CONFIG_NETFILTER_NETLINK AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))
AUTOLOAD:=$(call AutoProbe,nfnetlink) $(call AddDepends/ipt)
endef endef
define KernelPackage/nfnetlink/description define KernelPackage/nfnetlink/description
@ -551,14 +585,16 @@ endef
define KernelPackage/nfnetlink-log define KernelPackage/nfnetlink-log
TITLE:=Netfilter LOG over NFNETLINK interface TITLE:=Netfilter LOG over NFNETLINK interface
FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
AUTOLOAD:=$(call AutoProbe,nfnetlink_log) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))
$(call AddDepends/nfnetlink) $(call AddDepends/nfnetlink)
endef endef
define KernelPackage/nfnetlink-log/description define KernelPackage/nfnetlink-log/description
Kernel modules support for logging packets via NFNETLINK Kernel modules support for logging packets via NFNETLINK
Includes:
- NFLOG
endef endef
$(eval $(call KernelPackage,nfnetlink-log)) $(eval $(call KernelPackage,nfnetlink-log))
@ -566,14 +602,16 @@ $(eval $(call KernelPackage,nfnetlink-log))
define KernelPackage/nfnetlink-queue define KernelPackage/nfnetlink-queue
TITLE:=Netfilter QUEUE over NFNETLINK interface TITLE:=Netfilter QUEUE over NFNETLINK interface
FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
AUTOLOAD:=$(call AutoProbe,nfnetlink_queue) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_QUEUE-m)))
$(call AddDepends/nfnetlink) $(call AddDepends/nfnetlink)
endef endef
define KernelPackage/nfnetlink-queue/description define KernelPackage/nfnetlink-queue/description
Kernel modules support for queueing packets via NFNETLINK Kernel modules support for queueing packets via NFNETLINK
Includes:
- NFQUEUE
endef endef
$(eval $(call KernelPackage,nfnetlink-queue)) $(eval $(call KernelPackage,nfnetlink-queue))
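Review bot: The description of the new `ipt-nfqueue` package (L84–L88) says only "Includes: - NFQUEUE" and leaves out the one runtime property an operator needs to know before enabling it: when no userspace program is bound to the queue, the kernel drops every packet sent to NFQUEUE unless the rule was written with `--queue-bypass`, so a firewall with this target in a chain and no listener silently blackholes that traffic. I would extend the description with a line such as `Packets queued without a userspace listener are dropped unless the rule uses --queue-bypass.` The same caveat applies to the `nfnetlink-queue` description at L125–L129, which the commit touches but does not document either. The `nfnetlink/description` block that starts at L102 continues outside the hunk.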


@ -194,6 +194,32 @@ iptables extensions for user-space packet logging.
endef endef
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log)
TITLE:=Netfilter NFLOG target
endef
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.
Includes:
- libxt_NFLOG
endef
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue)
TITLE:=Netfilter NFQUEUE target
endef
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.
Includes:
- libxt_NFQUEUE
endef
define Package/iptables-mod-hashlimit define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit) $(call Package/iptables/Module, +kmod-ipt-hashlimit)
TITLE:=hashlimit matching TITLE:=hashlimit matching
@ -469,6 +495,8 @@ $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables)) $(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m))) $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
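Review bot: The new userspace packages depend only on the netlink transport modules, not on the target modules this commit creates: L137 has `$(call Package/iptables/Module, +kmod-nfnetlink-log)` and L146 `$(call Package/iptables/Module, +kmod-nfnetlink-queue)`, while the kernel-side definitions in this commit put xt_NFLOG and xt_NFQUEUE into separate kmod-ipt-nflog and kmod-ipt-nfqueue packages, which in turn already depend on kmod-nfnetlink-log and kmod-nfnetlink-queue. Installing iptables-mod-nflog or iptables-mod-nfqueue therefore pulls in the netlink module but not xt_NFLOG/xt_NFQUEUE, so a rule using the target fails to load on a system that did not select those kmods by hand, unlike the existing pattern at L155 where `iptables-mod-hashlimit` depends on `+kmod-ipt-hashlimit`. I would change the two lines to `$(call Package/iptables/Module, +kmod-ipt-nflog)` and `$(call Package/iptables/Module, +kmod-ipt-nfqueue)`, relying on the transitive dependency on the nfnetlink packages.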