authorFelix Fietkau <nbd@nbd.name>2018-02-20 15:58:42 +0100
committerFelix Fietkau <nbd@nbd.name>2018-02-21 20:12:42 +0100
commit820f03099894bd48638fb5be326b5c551f0f2b98 (patch)
tree22522d219f3d5b9ae2574b10e8dad8a2bb381e1c /package
parent103335644265d96c656a7de3d5994fbd11246300 (diff)
netfilter: add a xt_FLOWOFFLOAD target for NAT/routing offload support
This makes it possible to add an iptables rule that offloads routing/NAT packet processing to a software fast path. This fast path is much quicker than running packets through the regular tables/chains.

Requires Linux 4.14

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'package')
-rw-r--r--package/kernel/linux/modules/netfilter.mk13
-rw-r--r--package/network/utils/iptables/patches/800-flowoffload_target.patch18
2 files changed, 30 insertions, 1 deletions
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 57d68d4a55..f296a9096e 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -147,7 +147,7 @@ define KernelPackage/nf-flow
CONFIG_NETFILTER_INGRESS=y \
CONFIG_NF_FLOW_TABLE \
CONFIG_NF_FLOW_TABLE_HW
- DEPENDS:=+kmod-nf-conntrack +kmod-nft-core @!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9
+ DEPENDS:=+kmod-nf-conntrack @!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9
FILES:= \
$(LINUX_DIR)/net/netfilter/nf_flow_table.ko \
$(LINUX_DIR)/net/netfilter/nf_flow_table_hw.ko
@@ -237,6 +237,17 @@ endef
$(eval $(call KernelPackage,ipt-filter))
+define KernelPackage/ipt-offload
+ TITLE:=Netfilter routing/NAT offload support
+ KCONFIG:=CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD
+ FILES:=$(foreach mod,$(IPT_FLOW-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FLOW-m)))
+ $(call AddDepends/ipt,+kmod-nf-flow)
+endef
+
+$(eval $(call KernelPackage,ipt-offload))
+
+
define KernelPackage/ipt-ipopt
TITLE:=Modules for matching/changing IP packet options
KCONFIG:=$(KCONFIG_IPT_IPOPT)
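Review bot: The new `KernelPackage/ipt-offload` block takes both `FILES` and `AUTOLOAD` from `$(IPT_FLOW-m)`, which is not defined anywhere in this diff (the diffstat is limited to `package`), so if that list expands empty the package would presumably ship and autoload no module without a build error. The block also has no kernel-version guard of its own although the description says Linux 4.14 is required; it presumably inherits the `@!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9` limits through `+kmod-nf-flow`, which is worth confirming. Because the description states that offloaded packets no longer run through the regular tables/chains, I would add a comment above the define such as `# Packets on an offloaded flow bypass the regular tables/chains (software fast path)` so that people maintaining firewall rules see this when enabling the package. The following `define KernelPackage/ipt-ipopt` continues outside the hunk.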
diff --git a/package/network/utils/iptables/patches/800-flowoffload_target.patch b/package/network/utils/iptables/patches/800-flowoffload_target.patch
new file mode 100644
index 0000000000..c6fe65cd3e
--- /dev/null
+++ b/package/network/utils/iptables/patches/800-flowoffload_target.patch
@@ -0,0 +1,18 @@
+--- /dev/null
++++ b/extensions/libxt_FLOWOFFLOAD.c
+@@ -0,0 +1,15 @@
++#include <xtables.h>
++
++static struct xtables_target offload_tg_reg[] = {
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "FLOWOFFLOAD",
++ .revision = 0,
++ .version = XTABLES_VERSION,
++ },
++};
++
++void _init(void)
++{
++ xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
++}
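Review bot: The `offload_tg_reg` entry in the new `libxt_FLOWOFFLOAD.c` sets only `.family`, `.name`, `.revision` and `.version`, so `.size` and `.userspacesize` are left at an implicit zero and no `.help` callback is set. The zero sizes have to match the kernel target's target-info size, which is not visible in this diff, so I would state them explicitly with `.size = XT_ALIGN(0),` and `.userspacesize = XT_ALIGN(0),`. That way a later kernel-side change that adds target data is noticed here rather than showing up as a rule-load failure. The file also has no header comment; a short one saying that the target takes no options and that matching flows are handed to the software fast path instead of the regular tables/chains would help anyone auditing a ruleset that uses `-j FLOWOFFLOAD`.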