diff options
author | Felix Fietkau <nbd@nbd.name> | 2018-02-05 13:35:24 +0100 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2018-02-21 20:12:42 +0100 |
commit | 103335644265d96c656a7de3d5994fbd11246300 (patch) | |
tree | 2b19dea75e812b8240d6a458f0ed6dd22a8148b2 /target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch | |
parent | b7265c59ab7dd0ec5dccb96e7b0dc1432404feb7 (diff) | |
download | upstream-103335644265d96c656a7de3d5994fbd11246300.tar.gz upstream-103335644265d96c656a7de3d5994fbd11246300.tar.bz2 upstream-103335644265d96c656a7de3d5994fbd11246300.zip |
kernel: backport netfilter NAT offload support to 4.14
This only works with nftables for now, iptables support will be added
later. Includes a number of related upstream nftables improvements to
simplify backporting follow-up changes
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch')
-rw-r--r-- | target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch b/target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch new file mode 100644 index 0000000000..5267fd2f67 --- /dev/null +++ b/target/linux/generic/backport-4.14/346-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch @@ -0,0 +1,73 @@ +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Wed, 31 Jan 2018 18:13:39 +0100 +Subject: [PATCH] netfilter: flowtable infrastructure depends on + NETFILTER_INGRESS + +config NF_FLOW_TABLE depends on NETFILTER_INGRESS. If users forget to +enable this toggle, flowtable registration fails with EOPNOTSUPP. + +Moreover, turn 'select NF_FLOW_TABLE' in every flowtable family flavour +into dependency instead, otherwise this new dependency on +NETFILTER_INGRESS causes a warning. This also allows us to remove the +explicit dependency between family flowtables <-> NF_TABLES and +NF_CONNTRACK, given they depend on the NF_FLOW_TABLE core that already +expresses the general dependencies for this new infrastructure. + +Moreover, NF_FLOW_TABLE_INET depends on NF_FLOW_TABLE_IPV4 and +NF_FLOWTABLE_IPV6, which already depends on NF_FLOW_TABLE. So we can get +rid of direct dependency with NF_FLOW_TABLE. + +In general, let's avoid 'select', it just makes things more complicated. + +Reported-by: John Crispin <john@phrozen.org> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + +--- a/net/ipv4/netfilter/Kconfig ++++ b/net/ipv4/netfilter/Kconfig +@@ -79,8 +79,7 @@ endif # NF_TABLES + + config NF_FLOW_TABLE_IPV4 + tristate "Netfilter flow table IPv4 module" +- depends on NF_CONNTRACK && NF_TABLES +- select NF_FLOW_TABLE ++ depends on NF_FLOW_TABLE + help + This option adds the flow table IPv4 support. + +--- a/net/ipv6/netfilter/Kconfig ++++ b/net/ipv6/netfilter/Kconfig +@@ -73,8 +73,7 @@ endif # NF_TABLES + + config NF_FLOW_TABLE_IPV6 + tristate "Netfilter flow table IPv6 module" +- depends on NF_CONNTRACK && NF_TABLES +- select NF_FLOW_TABLE ++ depends on NF_FLOW_TABLE + help + This option adds the flow table IPv6 support. + +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -670,8 +670,8 @@ endif # NF_TABLES + + config NF_FLOW_TABLE_INET + tristate "Netfilter flow table mixed IPv4/IPv6 module" +- depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6 +- select NF_FLOW_TABLE ++ depends on NF_FLOW_TABLE_IPV4 ++ depends on NF_FLOW_TABLE_IPV6 + help + This option adds the flow table mixed IPv4/IPv6 support. + +@@ -679,7 +679,9 @@ config NF_FLOW_TABLE_INET + + config NF_FLOW_TABLE + tristate "Netfilter flow table module" +- depends on NF_CONNTRACK && NF_TABLES ++ depends on NETFILTER_INGRESS ++ depends on NF_CONNTRACK ++ depends on NF_TABLES + help + This option adds the flow table core infrastructure. + |