| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Instead of ip6t_MASQUERADE, include xt_MASQUERADE on kernel >= 5.2.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Package new kmods "nf_tables_set" and "nft_objref" which got introduced
with kernel 4.18 and restrict the old "nft_set_rbtree" and "nft_set_hash"
modules to sub-4.18 versions.
Also reorder the nftables related netfilter.mk entries alphabetically
while touching this code section.
Fixes: FS#2699
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2699#comment7450
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
nft_hash hash falsely removed in commit 97940f876616
("kernel: remove obsolete kernel version switches").
Add the module back, as otherwise the build fails.
Fixes: 97940f876616 ("kernel: remove obsolete kernel version switches")
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
|
|
|
| |
After kernel 4.9 has been removed, this removes all (now obsolete)
kernel version switches that deal with versions before 4.14.
Package kmod-crypto-iv is empty now and thus removed entirely.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
| |
It's related to the upstream kernel commit adf82accc5f5 ("netfilter:
x_tables: merge ip and ipv6 masquerade modules").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
| |
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In mainline kernel commit 02c7b25e5f5 ("netfilter: nf_tables: build-in
filter chain type") all chain filters were merged into one file and into
one kernel module to save some memory. The code protected by these
configuration options CONFIG_NF_TABLES_BRIDGE, CONFIG_NF_TABLES_IPV4,
CONFIG_NF_TABLES_ARP, CONFIG_NF_TABLES_IPV6, CONFIG_NF_TABLES_NETDEV and
CONFIG_NF_TABLES_INET was merged into the nft_chain_filter.c file which
is now always compiled into the nf_tables.ko file.
This only happened in kernel 4.19 and OpenWrt has to select these as
modules in older kennel versions. Mark them as build-in in the kernel
4.19 specific kernel configuration file which will then not be
overwritten by the package specific settings which try to make them
modular again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kernel commit 0168e8b361 ("netfilter: nat: merge ipv4/ipv6 masquerade
code into main nat module") the CONFIG_NF_NAT_MASQUERADE_IPV4 and
CONFIG_NF_NAT_MASQUERADE_IPV6 kernel configuration option were changed
to bool and the code will not be compiled as a own module any more, but
it will be integrated into nf_nat_ipv4.ko or nf_nat_ipv6.ko to save some
memory.
Activate these options as bool in the generic kernel 4.19 configuration
only, to always build them into the nf_nat_ipv*.ko modules. The kmod
file will still try to select them as module, but the generic
configuration will not be overwritten.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
Some kernel modules from kmod-ipt-conntrack-extra depend on
nf_conncount.ko, which was added in kernel 4.16, add it to the kmod.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
| |
The nf_socket.ko module was split in commit 8db4c5be88f ("netfilter:
move socket lookup infrastructure to nf_socket_ipv{4,6}.c") into a
common, n IPv4 and an IPv6 part.
The nf_tproxy.ko module was split in commit 45ca4e0cf27 ("netfilter:
Libify xt_TPROXY") into a common, an IPv4 and an IPv6 part.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
In kernel commit a0ae2562c6c ("netfilter: conntrack: remove l3proto
abstraction") The modules nf_conntrack_ipv4.ko, nf_conntrack_ipv6.ko and
nf_conntrack.ko were squashed together into one module. This module now
depends on nf_defrag_ipv6 when IPv6 support was activated. This is part
of the main netfilter packages, so add nf_defrag_ipv6.ko also to the
default netfilter packages on kernel 4.19 and later.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 42a3c6465a230a4e03f2a185f4db5ac57b89f673.
The change was apparently never build-tested with all kmods enabled. I took
a brief look but found no simple way to untangle this, so revert it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
| |
Signed-off-by: Rosy Song <rosysong@rosinson.com>
|
| |
|
|
|
|
|
|
|
| |
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
|
|
|
| |
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
|
|
|
|
| |
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Requires Linux 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
| |
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
|
|
|
| |
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
| |
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
This will avoid loading it in the default configuration, which reduces
image size a bit, and (more importantly) improves performance by
avoiding some unnecessary netfilter hooks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
The xt_id match was used by the firewall3 package to track its own rules but
the approach has been changed to use xt_comment instead now, so we can drop
this nonstandard extension.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
| |
The nf_reject_* and nf_nat_masquerade_* modules are moved into the
corresponding kmod-nf- packages. Appropriate dependencies are added to the
kmod-nft- packages.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47890
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ntf_redir_ipvX is part of NAT support, so they should be in the
appropriate nft-nat kmods. Since they depend on nf_nat_redirect,
nf_nat_redirect should be part of nf-nat, not ipt-nat.
Fixes nft-core gaining a missing dependency on nf_nat_redirect.ko.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46109
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45516
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45515
|
| |
|
|
|
|
|
|
|
|
|
| |
it has been non-functional for years and caused numerous memleaks and
crashes for people that tried to enable it.
it has no maintained upstream source, and it does not look like it's
going to be fixed any time soon
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45423
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45382
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45381
|
| |
|
|
|
|
| |
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 45127
|
| |
|
|
|
|
|
|
| |
ipv4 symbol was added but ipv6 symbol is missing
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 45122
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 44904
|
| |
|
|
|
|
| |
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
SVN-Revision: 44598
|
| |
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44488
|
| |
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44187
|
| |
|
|
|
|
| |
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
SVN-Revision: 44126
|
| |
|
|
|
|
| |
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
SVN-Revision: 43966
|
| |
|
|
|
|
| |
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
SVN-Revision: 43950
|
| |
|
|
|
|
|
|
| |
Significantly improves routing / NAT performance
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43587
|
| |
|
|
|
|
|
|
|
|
| |
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. These patch fixes 3
of such issues which are critical to have a successful build.
Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>
SVN-Revision: 43318
|
| |
|
|
|
|
|
|
|
|
|
| |
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.
Enable this new options.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43212
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the userspace and kernelspace for
- match NETFILTER_XT_MATCH_CLUSTER
This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
This module allows you to configure a simple cluster of nodes
that share a certain IP and MAC address
without an explicit load balancer in front of them.
Connections are statically distributed between the nodes in this cluster.
This is used i.e. by strongswan-ha.
Signed-off-by: Christian Scheele <cs@embedd.com>
SVN-Revision: 43174
|
| |
|
|
| |
SVN-Revision: 42696
|
| |
|
|
| |
SVN-Revision: 42611
|
| |
|
|
|
|
| |
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 42599
|
| |
|
|
|
|
| |
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 42596
|
