path: root/package/kernel/linux/modules/netfilter.mk
Commit message | Author | Age | Files | Lines
* kernel: kmod-ipt-ulog: Remove package | Hauke Mehrtens | 2022-08-14 | 1 | -17/+0
  The ulog iptables target was removed with kernel 3.17, remove the kernel and also the iptables package in OpenWrt too.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  (cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)
* kernel: kmod-nft-nat6: Remove package | Hauke Mehrtens | 2022-08-14 | 1 | -11/+0
  The nft NAT packages for IPv4 and IPv6 were merged into the common packages with kernel 5.1. The kmod-nft-nat6 package was empty in our build, remove it.
  Multiple kernel configuration options were also removed, remove them from our generic kernel configuration too.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  (cherry picked from commit b75425370d8de747457c137463bc4d15f6f44d00)
* kernel: ipt-ipset: Add ipset/ip_set_hash_ipmac.ko | Hauke Mehrtens | 2022-08-14 | 1 | -0/+1
  Add the ipset/ip_set_hash_ipmac.ko file. The CONFIG_IP_SET_HASH_IPMAC KConfig option is already set by the package.
  Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
  (cherry picked from commit 6a2e9f3da6d0f0f3ae382db1e77a65c2f0e67d24)
* netfilter: kmod-nft-xfrm | Florian Eckert | 2022-06-25 | 1 | -0/+11
  Add kmod-nft-xfrm package.
  Signed-off-by: Florian Eckert <fe@dev.tdt.de>
  (cherry picked from commit 9379bc2fcf905568ef329a121c8c8a11fc98b02c)
* netfilter: move nf-log modules into separate packages | Jo-Philipp Wich | 2022-04-19 | 1 | -3/+26
  Both legacy iptables and nftables require nf-log modules for rule logging, so move them into a separate package both firewall implementations can depend on.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
  (cherry picked from commit bea01fa57f5c9c333138bbbc5c9f83b9d7553fb5)
* netfilter: add kmod-nft-tproxy | Yousong Zhou | 2022-02-28 | 1 | -0/+11
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: add kmod-nft-socket | Yousong Zhou | 2022-02-28 | 1 | -0/+11
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy | Yousong Zhou | 2022-02-28 | 1 | -1/+38
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: add kmod-nft-compat | Etienne Champetier | 2022-02-02 | 1 | -0/+11
  This module is required by iptables-nft
  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* netfilter: correct some dependencies | Tiago Gaspar | 2022-01-27 | 1 | -2/+2
  nf-nathelper-extra and nf-conntrack-netlink had iptables related dependencies, yet, when looking for the respective kernel symbols and checking its dependencies it was confirmed that iptables wasn't required and that these were either its own module or tool independent (nftables or iptables).
  Correct these and make sure no unneeded extras are pulled in.
  Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
* kernel: add linux 5.10 support | Felix Fietkau | 2021-02-16 | 1 | -2/+2
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* nf-conntrack: allow querying conntrack info in nfqueue | Etan Kissling | 2021-01-14 | 1 | -1/+1
  This allows libnetfilter_queue to access connection tracking information by requesting NFQA_CFG_F_CONNTRACK. Connection tracking information is provided in the NFQA_CT attribute.
  CONFIG_NETFILTER_NETLINK_GLUE_CT enables the interaction between nf_queue and nf_conntrack_netlink. Without this option, trying to access connection tracking information results in "Operation not supported".
  Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* netfilter: Add queue support for nftables | Brett Mastbergen | 2020-11-12 | 1 | -0/+12
  This change adds the configuration option to build and include the nft_queue kernel module, which allows traffic to be queued up to userspace from an nftables rule
  Tested-by: Sébastien Delafond sdelafond@gmail.com
  Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
* kernel: remove obsolete kernel version switches for 4.19 | Adrian Schmutzler | 2020-10-30 | 1 | -1/+1
  This removes switches dependent on kernel version 4.19 as well as several packages/modules selected only for that version.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* Revert "kmod-nft-reject: Fix for "nft_reject_ipv4.ko missing" warning" | Daniel Golle | 2020-10-30 | 1 | -3/+0
  This reverts commit 7f94e2afcf090f751c9f7f7ea46e8ef8d93ee84b.
  Package kmod-nft-core is missing dependencies for the following libraries:
  nft_reject.ko
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* kmod-nft-reject: Fix for "nft_reject_ipv4.ko missing" warning | Philip Prindeville | 2020-10-30 | 1 | -0/+3
  Seeing the following:
  ERROR: module '/home/philipp/lede/build_dir/target-x86_64_musl/linux-x86_64/linux-5.4.33/net/ipv4/netfilter/nft_reject_ipv4.ko' is missing.
  modules/netfilter.mk:1068: recipe for target '/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk' failed
  make[3]: *** [/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk] Error 1
  Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* kernel: remove obsolete kernel version switches for 4.14 | Adrian Schmutzler | 2020-09-02 | 1 | -4/+3
  This removes switches dependent on kernel version 4.14 as well as several packages/modules selected only for that version.
  This also removes sched-cake-virtual, which is not required anymore now that we have only one variant of cake.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* kernel: add @IPV6 dependency to ipv6 modules | Eneas U de Queiroz | 2020-04-09 | 1 | -5/+8
  IPv6 modules should all depend on @IPV6, to avoid circular dependencies problems, especially if they select a module that depends on IPV6 as well. In theory, if a package A depends on IPV6, any package doing 'select A' (DEPENDS+= A) should also depend on IPV6; otherwise selecting A will fail. Sometimes the build system is forgiving this, but eventually, and unexpectedly, it may blow up on some other commit.
  Alternatively one can conditionally add IPv6 dependencies only if CONFIG_IPV6 is selected: (DEPENDS+= +IPV6:package6).
  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* kernel: Make kmod-nft-core depend on kmod-nf-nat | Hauke Mehrtens | 2020-02-28 | 1 | -1/+1
  In kernel 5.4 kmod-nf-core depends on kmod-nf-nat, add this missing dependency.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: use older kernel for explicitly setting dependencies | Adrian Schmutzler | 2020-01-26 | 1 | -1/+1
  It is generally more desirable to use older kernel versions for dependencies, as this will require less changes when newer kernels are added (they will by default select the newer packages).
  Since we currently only have two kernels (4.14 and 4.19) in master, this patch applies this logic by converting all LINUX_4_19 symbols to their inverted LINUX_4_14 equivalents.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* kernel: remove obsolete kernel version switches | Adrian Schmutzler | 2020-01-12 | 1 | -1/+1
  After kernel 4.9 has been removed, this removes all (now obsolete) kernel version switches that deal with versions before 4.14.
  Package kmod-crypto-iv is empty now and thus removed entirely.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* kernel: netfilter: reuse kconfig and files info from include dir | Yousong Zhou | 2019-10-24 | 1 | -23/+9
  Less chance of missing out kconfig symbols at least
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* kernel: Remove support for kernel 3.18 | Hauke Mehrtens | 2019-05-03 | 1 | -1/+1
  No target is using kernel 3.18 anymore, remove all the generic support for kernel 3.18.
  The removed packages are depending on kernel 3.18 only and are not used on any recent kernel.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: fix missing dependency in 4.14.108 | Koen Vandeputte | 2019-03-27 | 1 | -1/+1
  The 4.14.108 bump introduced a missing dependency when building specific netfilters.
  This was not seen as the error does not occur on all targets.
  Thanks to Jo-Philipp Wich for providing the fix
  Fixes: af6c86dbe56e ("kernel: bump 4.14 to 4.14.108")
  Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* kernel: Added required dependencies for socket match. | Oldřich Jedlička | 2019-02-17 | 1 | -0/+2
  This applies to kernel 4.10 and newer.
  See https://github.com/torvalds/linux/commit/8db4c5be88f62ffd7a552f70687a10c614dc697b
  The above commit added to kernel 4.10 added new dependency for building the NETFILTER_XT_MATCH_SOCKET (xt_socket.ko) module. The NF_SOCKET_IPVx options (both of them) need to be enabled in order to build the NETFILTER_XT_MATCH_SOCKET module. Without the change the module is not built.
  Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
* ipset: add support for hash(ip,mac) | Alin Nastac | 2019-02-17 | 1 | -0/+1
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netfilter: Add fib support for nftables | Brett Mastbergen | 2018-12-16 | 1 | -0/+12
  Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
* kernel: netfilter: chain filters merged into nf_tables.ko | Hauke Mehrtens | 2018-12-15 | 1 | -1/+1
  In mainline kernel commit 02c7b25e5f5 ("netfilter: nf_tables: build-in filter chain type") all chain filters were merged into one file and into one kernel module to save some memory. The code protected by these configuration options CONFIG_NF_TABLES_BRIDGE, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_ARP, CONFIG_NF_TABLES_IPV6, CONFIG_NF_TABLES_NETDEV and CONFIG_NF_TABLES_INET was merged into the nft_chain_filter.c file which is now always compiled into the nf_tables.ko file.
  This only happened in kernel 4.19 and OpenWrt has to select these as modules in older kernel versions.
  Mark them as built-in in the kernel 4.19 specific kernel configuration file which will then not be overwritten by the package specific settings which try to make them modular again.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: extract asn1_decoder.ko | Hauke Mehrtens | 2018-12-15 | 1 | -1/+1
  The asn1_decoder.ko module is needed by the kmod-nf-nathelper-extra package in kernel 4.19, extract it and add the missing dependencies.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: nf-nathelper-extra depends on ipt-raw | Steven Honson | 2018-11-26 | 1 | -1/+1
  The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header.
  To mitigate this problem, the original message has been wrapped automatically by the mailing list software.
  As automatic helper assignment is disabled in recent Linux kernels, explicit rules must be added to the raw table for each helper.
  While commit f50a524 in the firewall3 project added a set of default rules and other additional related functionality, both this and the alternative manual methods of defining these rules require kmod-ipt-raw.
  Signed-off-by: Steven Honson <steven@honson.id.au>
* kernel: Remove dependencies on old kernels | Rosen Penev | 2018-11-01 | 1 | -1/+1
  Kernels 4.1 and 4.4 are not part of the tree anymore.
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* netfilter: add missing dependency for kernel 4.14 | Koen Vandeputte | 2018-10-10 | 1 | -1/+1
  Since kernel 4.14.75 commit ("netfilter: xt_cluster: add dependency on conntrack module") a dependency is required on kmod-nf-conntrack.
  It seems this was already present for kmod-ipt-clusterip but not yet for kmod-ipt-cluster
  Add it fixing a build error when including kmod-ipt-cluster:
  Package kmod-ipt-cluster is missing dependencies for the following libraries:
  nf_conntrack.ko
  modules/netfilter.mk:665: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk' failed
  make[3]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk] Error 1
  make[3]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt/package/kernel/linux'
  Command exited with non-zero status 2
  time: package/kernel/linux/compile#1.80#0.05#2.07
  package/Makefile:107: recipe for target 'package/kernel/linux/compile' failed
  make[2]: *** [package/kernel/linux/compile] Error 2
  make[2]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
  package/Makefile:103: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile' failed
  make[1]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile] Error 2
  make[1]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
  /mnt/ramdisk/koen/firmware/builds/openwrt/include/toplevel.mk:216: recipe for target 'world' failed
  make: *** [world] Error 2
  Fixes: f983956a8b72 ("kernel: bump 4.14 to 4.14.75")
  Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
  [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.75&id=b969656b46626a674232c0eadf92a394b89df07c
* kernel: netfilter: add IPVS kernel module support | Mauro Mozzarelli | 2018-09-24 | 1 | -0/+92
  IPVS (IP Virtual Server) implements transport-layer load balancing inside the Linux kernel, so called Layer-4 switching. IPVS running on a host acts as a load balancer at the front of a cluster of real servers, it can direct requests for TCP/UDP based services to the real servers, and makes services of the real servers to appear as a virtual service on a single IP address.
  This change adds the following kmod packages
  - kmod-nf-ipvs
  - kmod-nf-ipvs-ftp
  - kmod-nf-ipvs-sip
  Signed-off-by: Mauro Mozzarelli <mauro@ezplanet.org>
  Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* Revert "netfilter: separate IPv6 relevant kernel modules from IPv4" | Jo-Philipp Wich | 2018-08-06 | 1 | -58/+5
  This reverts commit 42a3c6465a230a4e03f2a185f4db5ac57b89f673.
  The change was apparently never build-tested with all kmods enabled. I took a brief look but found no simple way to untangle this, so revert it.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netfilter: separate IPv6 relevant kernel modules from IPv4 | Rosy Song | 2018-08-06 | 1 | -5/+58
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* include: add netdev family support for nftables | Rosy Song | 2018-07-30 | 1 | -0/+20
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* netfilter: add bpf match support | Alin Nastac | 2018-06-26 | 1 | -0/+1
  Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
  Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
* base-files: move netfilter sysctl defaults to specific kmod packages | Matthias Schiffer | 2018-04-13 | 1 | -0/+10
  Avoid warnings when applying settings for uninstalled kmods. See also FS#1073.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* iptables: split physdev match out as a separate package | Matthias Schiffer | 2018-04-09 | 1 | -2/+16
  Split physdev match out of ipt-extra to allow installing ipt-extra without pulling in br-netfilter.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* kernel: kmod-ebtables: do not depend on kmod-br-netfilter | Matthias Schiffer | 2018-04-09 | 1 | -1/+1
  While ebtables can be combined with br-netfilter, there is no good reason to make it a dependency.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* kernel: unhide kmod-br-netfilter | Matthias Schiffer | 2018-04-09 | 1 | -1/+0
  kmod-br-netfilter is not only a support module, but can be useful on its own, using the net.bridge.bridge-nf-call-* sysctls.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* kernel: change dependency of kmod-ebtables-* on kmod-ebtables to selecting | Matthias Schiffer | 2018-04-09 | 1 | -1/+1
  Non-selecting dependencies easily lead to Kconfig failures due to recursive dependencies. We hit such an issue in Gluon; the easiest fix is to make the dependency selecting.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* kernel: add hardware offload patch for flow tables support | Felix Fietkau | 2018-04-05 | 1 | -2/+3
  Supports offloading through VLAN, bridge and PPPoE devices as well
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: remove nf_flow_table hardware offload patch (it is not ready yet) | Felix Fietkau | 2018-02-25 | 1 | -3/+2
  It also does not have any users yet. It will be added back when the core API issues have been sorted out
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netfilter: add a xt_FLOWOFFLOAD target for NAT/routing offload support | Felix Fietkau | 2018-02-21 | 1 | -1/+12
  This makes it possible to add an iptables rule that offloads routing/NAT packet processing to a software fast path. This fast path is much quicker than running packets through the regular tables/chains.
  Requires Linux 4.14
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: backport netfilter NAT offload support to 4.14 | Felix Fietkau | 2018-02-21 | 1 | -0/+37
  This only works with nftables for now, iptables support will be added later. Includes a number of related upstream nftables improvements to simplify backporting follow-up changes
  Signed-off-by: John Crispin <john@phrozen.org>
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: Support building connlabel module | Kristian Evensen | 2018-02-13 | 1 | -0/+15
  It is currently possible to enable connlabel-support in iptables. However, in order for connlabel to work properly, the kernel module must also be present.
  This patch adds support for building the connlabel-module, and selects it by default when connlabel-support is enabled.
  Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
* netfilter: add missing dependency to kmod-ipt-tproxy | Matthias Schiffer | 2018-01-31 | 1 | -1/+1
  Fixes: e7e025426a "netfilter: clean up dependencies of kernel modules"
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* netfilter: add packages for arp and bridge tables of nftables | Matthias Schiffer | 2018-01-31 | 1 | -2/+26
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* netfilter: clean up dependencies of kernel modules | Matthias Schiffer | 2018-01-31 | 1 | -15/+38
  The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate packages, as they are a common dependency of ip(6)tables and nftables. This avoids a dependency of nftables on kmod-nf-ipt(6).
  Also, fewer iptables modules depend on nf-conntrack(6) now.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>