| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.
Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b75425370d8de747457c137463bc4d15f6f44d00)
|
|
|
|
|
|
|
|
| |
Add the ipset/ip_set_hash_ipmac.ko file. The CONFIG_IP_SET_HASH_IPMAC
KConfig option is already set by the package.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 6a2e9f3da6d0f0f3ae382db1e77a65c2f0e67d24)
|
|
|
|
|
|
|
| |
Add kmod-nft-xfrm package.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 9379bc2fcf905568ef329a121c8c8a11fc98b02c)
|
|
|
|
|
|
|
|
|
| |
Both legacy iptables and nftables require nf-log modules for rule logging,
so move them into a separate package both firewall implementations can
depend on.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bea01fa57f5c9c333138bbbc5c9f83b9d7553fb5)
|
|
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
|
|
| |
This modules is required by iptables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nf-nathelper-extra and nf-conntrack-netlink had iptables related
dependencies, yet, when looking for the respective kernel symbols and
checking it's dependencies it was confirmed that iptables wasn't
required and that these were either it's own moodule or tool independent
(nftables or iptables).
Correct these and make sure no unneeded extras are pulled in.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
| |
This allows libnetfilter_queue to access connection tracking information
by requesting NFQA_CFG_F_CONNTRACK. Connection tracking information is
provided in the NFQA_CT attribute.
CONFIG_NETFILTER_NETLINK_GLUE_CT enables the interaction between
nf_queue and nf_conntrack_netlink. Without this option, trying to access
connection tracking information results in "Operation not supported".
Signed-off-by: Etan Kissling <etan_kissling@apple.com>
|
|
|
|
|
|
|
|
|
| |
This change adds the configuration option to build and include
the nft_queue kernel module, which allows traffic to be queued up
to userspace from an nftables rule
Tested-by: Sébastien Delafond sdelafond@gmail.com
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
|
|
|
|
|
|
|
| |
This removes switches dependent on kernel version 4.19 as well as
several packages/modules selected only for that version.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
| |
This reverts commit 7f94e2afcf090f751c9f7f7ea46e8ef8d93ee84b.
Package kmod-nft-core is missing dependencies for the following libraries:
nft_reject.ko
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
Seeing the following:
ERROR: module '/home/philipp/lede/build_dir/target-x86_64_musl/linux-x86_64/linux-5.4.33/net/ipv4/netfilter/nft_reject_ipv4.ko' is missing.
modules/netfilter.mk:1068: recipe for target '/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk' failed
make[3]: *** [/home/philipp/lede/bin/targets/x86/64/packages/kmod-nft-core_5.4.33-1_x86_64.ipk] Error 1
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
|
|
|
|
|
|
|
|
|
| |
This removes switches dependent on kernel version 4.14 as well as
several packages/modules selected only for that version.
This also removes sched-cake-virtual, which is not required anymore
now that we have only one variant of cake.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv6 modules should all depend on @IPV6, to avoid circular dependencies
problems, especially if they select a module that depends on IPV6 as
well. In theory, if a package A depends on IPV6, any package doing
'select A' (DEPENDS+= A) should also depend on IPV6; otherwise selecting
A will fail. Sometimes the build system is forgiving this, but
eventually, and unexpectedly, it may blow up on some other commit.
Alternatively one can conditionally add IPv6 dependencies only if
CONFIG_IPV6 is selected: (DEPENDS+= +IPV6:package6).
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
|
|
|
|
|
| |
In kernel 5.4 kmod-nf-core depends on kmod-nf-nat, add this missing
dependency.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is generally more desirable to use older kernel versions for
dependencies, as this will require less changes when newer kernels
are added (they will by default select the newer packages).
Since we currently only have two kernels (4.14 and 4.19) in master,
this patch applies this logic by converting all LINUX_4_19 symbols
to their inverted LINUX_4_14 equivalents.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
| |
After kernel 4.9 has been removed, this removes all (now obsolete)
kernel version switches that deal with versions before 4.14.
Package kmod-crypto-iv is empty now and thus removed entirely.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
| |
Less chance of missing out kconfig symbols at least
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
No target is using kernel 3.18 anymore, remove all the generic
support for kernel 3.18.
The removed packages are depending on kernel 3.18 only and are not used on
any recent kernel.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 4.14.108 bump introduced a missing dependency when building
specific netfilters.
Thsi was not seen as the error does not occur on all targets.
Thanks to Jo-Philipp Wich for providing the fix
Fixes: af6c86dbe56e ("kernel: bump 4.14 to 4.14.108")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This applies to kernel 4.10 and newer.
See https://github.com/torvalds/linux/commit/8db4c5be88f62ffd7a552f70687a10c614dc697b
The above commit added to kernel 4.10 added new dependency
for building the NETFILTER_XT_MATCH_SOCKET (xt_socket.ko)
module. The NF_SOCKET_IPVx options (both of them) need to
be enabled in order to build the NETFILTER_XT_MATCH_SOCKET
module. Without the change the module is not built.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
|
|
|
|
|
| |
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
| |
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In mainline kernel commit 02c7b25e5f5 ("netfilter: nf_tables: build-in
filter chain type") all chain filters were merged into one file and into
one kernel module to save some memory. The code protected by these
configuration options CONFIG_NF_TABLES_BRIDGE, CONFIG_NF_TABLES_IPV4,
CONFIG_NF_TABLES_ARP, CONFIG_NF_TABLES_IPV6, CONFIG_NF_TABLES_NETDEV and
CONFIG_NF_TABLES_INET was merged into the nft_chain_filter.c file which
is now always compiled into the nf_tables.ko file.
This only happened in kernel 4.19 and OpenWrt has to select these as
modules in older kennel versions. Mark them as build-in in the kernel
4.19 specific kernel configuration file which will then not be
overwritten by the package specific settings which try to make them
modular again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
| |
The asn1_decoder.ko module is needed by the kmod-nf-nathelper-extra
package in kernel 4.19, extract it and add the missing dependencies.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
As automatic helper assignment is disabled in recent Linux kernels,
explicit rules must be added to the raw table for each helper.
While commit f50a524 in the firewall3 project added a set of default
rules and other additional related functionality, both this and the
alternative manual methods of defining these rules require kmod-ipt-raw.
Signed-off-by: Steven Honson <steven@honson.id.au>
|
|
|
|
|
|
| |
Kernels 4.1 and 4.4 are not part of the tree anymore.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since kernel 4.14.75 commit ("netfilter: xt_cluster: add dependency on conntrack module")
a dependency is required on kmod-nf-conntrack.
It seems this was already present for kmod-ipt-clusterip
but not yet for kmod-ipt-cluster
Add it fixing a build error when including kmod-ipt-cluster:
Package kmod-ipt-cluster is missing dependencies for the following libraries:
nf_conntrack.ko
modules/netfilter.mk:665: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk' failed
make[3]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk] Error 1
make[3]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt/package/kernel/linux'
Command exited with non-zero status 2
time: package/kernel/linux/compile#1.80#0.05#2.07
package/Makefile:107: recipe for target 'package/kernel/linux/compile' failed
make[2]: *** [package/kernel/linux/compile] Error 2
make[2]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
package/Makefile:103: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile' failed
make[1]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile] Error 2
make[1]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
/mnt/ramdisk/koen/firmware/builds/openwrt/include/toplevel.mk:216: recipe for target 'world' failed
make: *** [world] Error 2
Fixes: f983956a8b72 ("kernel: bump 4.14 to 4.14.75")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.75&id=b969656b46626a674232c0eadf92a394b89df07c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPVS (IP Virtual Server) implements transport-layer load balancing inside
the Linux kernel, so called Layer-4 switching. IPVS running on a host acts
as a load balancer at the front of a cluster of real servers, it can direct
requests for TCP/UDP based services to the real servers, and makes services
of the real servers to appear as a virtual service on a single IP address.
This change adds the following kmod packages
- kmod-nf-ipvs
- kmod-nf-ipvs-ftp
- kmod-nf-ipvs-sip
Signed-off-by: Mauro Mozzarelli <mauro@ezplanet.org>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
|
|
|
|
|
|
|
| |
This reverts commit 42a3c6465a230a4e03f2a185f4db5ac57b89f673.
The change was apparently never build-tested with all kmods enabled. I took
a brief look but found no simple way to untangle this, so revert it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
| |
Signed-off-by: Rosy Song <rosysong@rosinson.com>
|
|
|
|
| |
Signed-off-by: Rosy Song <rosysong@rosinson.com>
|
|
|
|
|
|
|
|
|
| |
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
|
|
|
|
|
| |
Avoid warnings when applying settings for uninstalled kmods. See also
FS#1073.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
| |
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
| |
While ebtables can be combined with br-netfilter, there is no good reason
to make it a dependency.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
| |
kmod-br-netfilter is not only a support module, but can be useful on its
own, using the net.bridge.bridge-nf-call-* sysctls.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
|
| |
Non-selecting dependencies easily lead to Kconfig failures due to recursive
dependencies. We hit such an issue in Gluon; the easiest fix is to make
the dependency selecting.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
| |
Supports offloading through VLAN, bridge and PPPoE devices as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
It also does not have any users yet. It will be addde back when the core
API issues have been sorted out
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
| |
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Requires Linux 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
| |
This only works with nftables for now, iptables support will be added
later. Includes a number of related upstream nftables improvements to
simplify backporting follow-up changes
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
| |
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
|
|
|
|
|
| |
Fixes: e7e025426a "netfilter: clean up dependencies of kernel modules"
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
| |
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
|
|
| |
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|