| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.
Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b75425370d8de747457c137463bc4d15f6f44d00)
|
| |
|
|
|
|
|
| |
Add kmod-nft-xfrm package.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 9379bc2fcf905568ef329a121c8c8a11fc98b02c)
|
| |
|
|
|
|
|
|
|
| |
Both legacy iptables and nftables require nf-log modules for rule logging,
so move them into a separate package both firewall implementations can
depend on.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bea01fa57f5c9c333138bbbc5c9f83b9d7553fb5)
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
This modules is required by iptables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This allows to implement statefull bridge filtering
As the uncompressed size is only 7.6k (arm64), just add
nf_conntrack_bridge.ko to kmod-nft-bridge package
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
These have long been obsolete. For reference, here's the Linux version where
each symbol has been dropped:
CONFIG_IP6_NF_QUEUE - 3.5
CONFIG_IP6_NF_TARGET_LOG - 3.4
CONFIG_IP_NF_MATCH_DSCP - 2.6.19
CONFIG_NF_CONNTRACK_IPV4 - 4.19
CONFIG_NF_CONNTRACK_IPV6 - 4.19
CONFIG_NF_CONNTRACK_RTCACHE - out-of-tree, superseded by flow offloading
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
|
| |
FS#3574
Adding cgroup support enables adding rules on processes
to limit resources in terms of iptable policies
Signed-off-by: Supriya Mane <sm.supriya@globaledgesoft.com>
|
| |
|
|
|
|
|
|
|
| |
The license folder is a core part of OpenWrt and all GPL-2.0 licensed.
Use SPDX license tags to allow machines to check licenses.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[rebase, keep some Copyright lines, sharpen commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
|
|
| |
This change adds the configuration option to build and include
the nft_queue kernel module, which allows traffic to be queued up
to userspace from an nftables rule
Tested-by: Sébastien Delafond sdelafond@gmail.com
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
|
| |
|
|
|
|
|
| |
This removes switches dependent on kernel version 4.19 as well as
several packages/modules selected only for that version.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 7f94e2afcf090f751c9f7f7ea46e8ef8d93ee84b.
Package kmod-nft-core is missing dependencies for the following libraries:
nft_reject.ko
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
Seeing the following:
ERROR: module '/home/philipp/lede/build_dir/target-x86_64_musl/linux-x86_64/linux-5.4.33/net/ipv4/netfilter/nft_reject_ipv4.ko' is missing.
modules/netfilter.mk:1068: recipe for target '/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk' failed
make[3]: *** [/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk] Error 1
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |
|
|
|
|
| |
Now that the minimal kernel version maintained here is 4.19
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel commit 1ac89d20150e ("netfilter: nat: merge nf_nat_redirect into
nf_nat") made the redirect module part of the nat core and changed the
CONFIG_NF_NAT_REDIRECT option to a boolean, without prompt, affecting
kernel 4.18 onwards. CONFIG_NF_NAT_REDIRECT now can only be selected by
CONFIG_NFT_REDIR or NETFILTER_XT_TARGET_REDIRECT
Fixes: FS#2476
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2476
Fixes: FS#2990 (partial)
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2990
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[note that the option has no prompt and can only be selected by other
kconfig options]
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
It was removed in upstream linux commit faec18db ("netfilter: nat:
remove l4proto->manip_pkt"). This happened since linux 5.0
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel commit 22fc4c4c9fd6 ("netfilter: conntrack: gre: switch module to
be built-in") moved the CT GRE code into the core nf_conntrack.ko module
and changed the CONFIG_NF_CT_PROTO_GRE option to boolean for kernel 5.1
and onwards.
CONFIG_NF_CT_PROTO_GRE at the moment has no prompt and can only be
selected by NF_CONNTRACK_PPTP
Fixes: FS#2990 (partial)
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2990
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[note that the option now can not be enabled on its own]
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
The upstream linux commit is 3bf195ae ("netfilter: nat: merge
nf_nat_ipv4,6 into nat core"). It was included since linux 5.1
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
CONFIG_IP_NF_TARGET_REDIRECT is a compat option since upstream commit
2cbc78a2 ("netfilter: combine ipt_REDIRECT and ip6t_REDIRECT"). That
happened since linux 3.10
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
CONFIG_IP_NF_TARGET_MASQUERADE and its counterpart
CONFIG_IP6_NF_TARGET_MASQUERADE are "backwards-compat option for the
user's convenience"
Related commit d22c1755 ("netfilter: fix NAT packaging with kernels
5.2+")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The former nft_chain_nat_ipv4 and nft_chain_nat_ipv6 modules have been merged
into a common nft_chain_nat module starting with Linux 5.1.
Ensure that this common module is shipped along with kmod-nft-nat on recent
kernels.
While we're at it, also apply version constraints to other nft modules that
have been merged into the core with newer kernels.
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2815#comment8016
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
| |
This removes switches dependent on kernel version 4.14 as well as
several packages/modules selected only for that version.
This also removes sched-cake-virtual, which is not required anymore
now that we have only one variant of cake.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
|
|
|
| |
xt_MASQUERADE.ko is picked up by both kmod-ipt-nat and kmod-ipt-nat6, causing
conflict
As kmod-ipt-nat6 already depends on kmod-ipt-nat, remove xt_MASQUERADE from it
Fixes: FS#2924
Fixes: 0fad8af85158 ("kernel: Include xt_MASQUERADE for kernel 5.2 and later")
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
| |
Instead of ip6t_MASQUERADE, include xt_MASQUERADE on kernel >= 5.2.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Package new kmods "nf_tables_set" and "nft_objref" which got introduced
with kernel 4.18 and restrict the old "nft_set_rbtree" and "nft_set_hash"
modules to sub-4.18 versions.
Also reorder the nftables related netfilter.mk entries alphabetically
while touching this code section.
Fixes: FS#2699
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2699#comment7450
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
nft_hash hash falsely removed in commit 97940f876616
("kernel: remove obsolete kernel version switches").
Add the module back, as otherwise the build fails.
Fixes: 97940f876616 ("kernel: remove obsolete kernel version switches")
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
|
|
|
| |
After kernel 4.9 has been removed, this removes all (now obsolete)
kernel version switches that deal with versions before 4.14.
Package kmod-crypto-iv is empty now and thus removed entirely.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
| |
It's related to the upstream kernel commit adf82accc5f5 ("netfilter:
x_tables: merge ip and ipv6 masquerade modules").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
| |
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In mainline kernel commit 02c7b25e5f5 ("netfilter: nf_tables: build-in
filter chain type") all chain filters were merged into one file and into
one kernel module to save some memory. The code protected by these
configuration options CONFIG_NF_TABLES_BRIDGE, CONFIG_NF_TABLES_IPV4,
CONFIG_NF_TABLES_ARP, CONFIG_NF_TABLES_IPV6, CONFIG_NF_TABLES_NETDEV and
CONFIG_NF_TABLES_INET was merged into the nft_chain_filter.c file which
is now always compiled into the nf_tables.ko file.
This only happened in kernel 4.19 and OpenWrt has to select these as
modules in older kennel versions. Mark them as build-in in the kernel
4.19 specific kernel configuration file which will then not be
overwritten by the package specific settings which try to make them
modular again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kernel commit 0168e8b361 ("netfilter: nat: merge ipv4/ipv6 masquerade
code into main nat module") the CONFIG_NF_NAT_MASQUERADE_IPV4 and
CONFIG_NF_NAT_MASQUERADE_IPV6 kernel configuration option were changed
to bool and the code will not be compiled as a own module any more, but
it will be integrated into nf_nat_ipv4.ko or nf_nat_ipv6.ko to save some
memory.
Activate these options as bool in the generic kernel 4.19 configuration
only, to always build them into the nf_nat_ipv*.ko modules. The kmod
file will still try to select them as module, but the generic
configuration will not be overwritten.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
Some kernel modules from kmod-ipt-conntrack-extra depend on
nf_conncount.ko, which was added in kernel 4.16, add it to the kmod.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
| |
The nf_socket.ko module was split in commit 8db4c5be88f ("netfilter:
move socket lookup infrastructure to nf_socket_ipv{4,6}.c") into a
common, n IPv4 and an IPv6 part.
The nf_tproxy.ko module was split in commit 45ca4e0cf27 ("netfilter:
Libify xt_TPROXY") into a common, an IPv4 and an IPv6 part.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
In kernel commit a0ae2562c6c ("netfilter: conntrack: remove l3proto
abstraction") The modules nf_conntrack_ipv4.ko, nf_conntrack_ipv6.ko and
nf_conntrack.ko were squashed together into one module. This module now
depends on nf_defrag_ipv6 when IPv6 support was activated. This is part
of the main netfilter packages, so add nf_defrag_ipv6.ko also to the
default netfilter packages on kernel 4.19 and later.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 42a3c6465a230a4e03f2a185f4db5ac57b89f673.
The change was apparently never build-tested with all kmods enabled. I took
a brief look but found no simple way to untangle this, so revert it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
| |
Signed-off-by: Rosy Song <rosysong@rosinson.com>
|
| |
|
|
|
|
|
|
|
| |
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
|
|
|
| |
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
|
|
|
|
| |
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Requires Linux 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
| |
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
|
|
|
| |
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
| |
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
This will avoid loading it in the default configuration, which reduces
image size a bit, and (more importantly) improves performance by
avoiding some unnecessary netfilter hooks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
