author: Martin Wetterwald <martin.wetterwald@corp.ovh.com> 2017-01-12 15:06:00 +0100
committer: Yousong Zhou <yszhou4tech@gmail.com> 2018-01-26 15:32:46 +0800
commit: 6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4
tree: 247ecddedfd03ca7006b84fd01f87fbcaac8e7f6 /package/network/utils/iptables
parent: 00fa1e4108db4b41dae76909ae5adcdf837ba6ef
iptables: Fix target TRACE issue

The package kmod-ipt-debug builds the module xt_TRACE, which allows users to use '-j TRACE' as target in the chain PREROUTING of the table raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so that this feature which is implemented deep inside the linux IP stack (for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>

Diffstat (limited to 'package/network/utils/iptables')
-rw-r--r-- package/network/utils/iptables/Makefile 15
1 files changed, 15 insertions, 0 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index bf1a792c00..89922d17f4 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -203,6 +203,20 @@ define Package/iptables-mod-nflog/description
endef
+define Package/iptables-mod-trace
+$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw)
+ TITLE:=Netfilter TRACE target
+endef
+
+define Package/iptables-mod-trace/description
+ iptables extension for TRACE target
+
+ Includes:
+ - libxt_TRACE
+
+endef
+
+
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
TITLE:=Netfilter NFQUEUE target
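Review bot: The text under Package/iptables-mod-trace/description does not say that TRACE rules belong in the raw table, which is why the package pulls in +kmod-ipt-raw according to the commit message. Consider adding a short line to the description stating that '-j TRACE' is used in the raw table, so the dependency explains itself to someone reading the package list. Minor style point: the empty line before the description's closing endef and the two consecutive empty lines after it look unintentional; a single separator line before "define Package/iptables-mod-nfqueue" would be enough.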
@@ -562,6 +576,7 @@ $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
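Review bot: IPT_DEBUG-m, passed to BuildPlugin on the added iptables-mod-trace line, is not defined anywhere in this diff, and the diffstat reports 0 deletions even though the commit message says the trace extension is also removed from the builtin extension list. This view is limited to package/network/utils/iptables, so both presumably live in another file of the same commit. Please confirm that IPT_DEBUG-m lists libxt_TRACE and that the builtin removal actually landed; otherwise iptables-mod-trace could be built without the libxt_TRACE.so that the commit message says iptables tries to load.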