diff options
author | Martin Wetterwald <martin.wetterwald@corp.ovh.com> | 2017-01-12 15:06:00 +0100 |
---|---|---|
committer | Yousong Zhou <yszhou4tech@gmail.com> | 2018-01-26 15:32:46 +0800 |
commit | 6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4 (patch) | |
tree | 247ecddedfd03ca7006b84fd01f87fbcaac8e7f6 | |
parent | 00fa1e4108db4b41dae76909ae5adcdf837ba6ef (diff) | |
download | upstream-6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4.tar.gz upstream-6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4.tar.bz2 upstream-6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4.zip |
iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
-rw-r--r-- | include/netfilter.mk | 1 | ||||
-rw-r--r-- | package/network/utils/iptables/Makefile | 15 |
2 files changed, 15 insertions, 1 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk index ac1e1899c7..39c8e7c90f 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -362,7 +362,6 @@ IPT_BUILTIN += $(IPT_NAT_EXTRA-y) IPT_BUILTIN += $(NF_NATHELPER-y) IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y) IPT_BUILTIN += $(IPT_ULOG-y) -IPT_BUILTIN += $(IPT_DEBUG-y) IPT_BUILTIN += $(IPT_TPROXY-y) IPT_BUILTIN += $(NFNETLINK-y) IPT_BUILTIN += $(NFNETLINK_LOG-y) diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index bf1a792c00..89922d17f4 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -203,6 +203,20 @@ define Package/iptables-mod-nflog/description endef +define Package/iptables-mod-trace +$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw) + TITLE:=Netfilter TRACE target +endef + +define Package/iptables-mod-trace/description + iptables extension for TRACE target + + Includes: + - libxt_TRACE + +endef + + define Package/iptables-mod-nfqueue $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue) TITLE:=Netfilter NFQUEUE target @@ -562,6 +576,7 @@ $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m))) +$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m))) $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m))) $(eval $(call BuildPackage,ip6tables)) $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) |