From d8748e537f11ab5f2b5e2ed25d94baa5ce353984 Mon Sep 17 00:00:00 2001
From: Alin Nastac
Date: Fri, 16 Jun 2017 14:16:07 +0200
Subject: netfilter: add iptables-mod-rpfilter package

Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to become full when a packet flood with randomly selected source IP addresses is received from the lan side.

Signed-off-by: Alin Nastac
---
 package/kernel/linux/modules/netfilter.mk | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'package/kernel/linux')

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 6162dbc362..a34a9e4207 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -836,6 +836,24 @@ endef
 $(eval $(call KernelPackage,ipt-hashlimit))
+define KernelPackage/ipt-rpfilter
+  SUBMENU:=$(NF_MENU)
+  TITLE:=Netfilter rpfilter match
+  DEPENDS:=+kmod-ipt-core
+  KCONFIG:=$(KCONFIG_IPT_RPFILTER)
+  FILES:=$(realpath \
+    $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \
+    $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko)
+  AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter)
+  $(call KernelPackage/ipt)
+endef
+
+define KernelPackage/ipt-rpfilter/description
+  Kernel modules support for the Netfilter rpfilter match
+endef
+
+$(eval $(call KernelPackage,ipt-rpfilter))
+
 define KernelPackage/nft-core
   SUBMENU:=$(NF_MENU)
-- 
cgit v1.2.3
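Review bot: `FILES:=$(realpath …)` in `KernelPackage/ipt-rpfilter` expands to nothing for any listed module that is missing when the package makefile is evaluated, so a kernel built without `ipt_rpfilter.ko` or `ip6t_rpfilter.ko` yields a silently incomplete kmod package instead of a failed build. If the `$(realpath)` is deliberate, to tolerate the absent IPv6 module on kernels without IPv6, say so in a comment such as `# realpath: ip6t_rpfilter.ko is absent on kernels built without IPv6`; otherwise list the two `$(LINUX_DIR)/…ko` paths directly so a missing file is detected at packaging time. `KCONFIG:=$(KCONFIG_IPT_RPFILTER)` relies on a variable defined outside this hunk; if it is undefined the package selects no kernel option at all, which is worth confirming before merging. The description block is thin for a match whose purpose is spoofed-source filtering; it could add that the match succeeds when a reply to the packet's source address would be routed out through the interface the packet arrived on, which is the property the `--invert -j DROP` rule in the commit message relies on.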