aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2014-08-01 22:49:47 +0000
committerJo-Philipp Wich <jow@openwrt.org>2014-08-01 22:49:47 +0000
commit1706a28205a498c7f189e340ad0280e638629e1a (patch)
tree572649d0f1e9c2c3bf1056b926e7a2d4362125c8
parent4faf46a77b7f1575958a370f0c8fbf48fabb5b7e (diff)
downloadmaster-187ad058-1706a28205a498c7f189e340ad0280e638629e1a.tar.gz
master-187ad058-1706a28205a498c7f189e340ad0280e638629e1a.tar.bz2
master-187ad058-1706a28205a498c7f189e340ad0280e638629e1a.zip
netfilter: introduce xt_id match
This commit implements a new netfilter match "xt_id" which can be used to attach unsigned 32bit IDs to iptables rules. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41945 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--include/netfilter.mk3
-rw-r--r--package/network/utils/iptables/patches/500-add-xt_id-match.patch59
-rw-r--r--target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch95
-rw-r--r--target/linux/generic/patches-3.13/615-netfilter_add_xt_id_match.patch95
-rw-r--r--target/linux/generic/patches-3.14/615-netfilter_add_xt_id_match.patch95
-rw-r--r--target/linux/generic/patches-3.3/615-netfilter_add_xt_id_match.patch95
-rw-r--r--target/linux/generic/patches-3.8/615-netfilter_add_xt_id_match.patch95
-rw-r--r--target/linux/generic/patches-3.9/615-netfilter_add_xt_id_match.patch95
8 files changed, 631 insertions, 1 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 906eb0f085..7a6fea5768 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -36,12 +36,13 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptabl
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),))
# userland only
-$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment xt_set xt_SET)))
+$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment xt_id xt_set xt_SET)))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MAC, $(P_XT)xt_mac))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MULTIPORT, $(P_XT)xt_multiport))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_COMMENT, $(P_XT)xt_comment))
+$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_ID, $(P_XT)xt_id))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG, ge 3.4.0))
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG, lt 3.4.0))
diff --git a/package/network/utils/iptables/patches/500-add-xt_id-match.patch b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
new file mode 100644
index 0000000000..94762f0ab7
--- /dev/null
+++ b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
@@ -0,0 +1,59 @@
+--- /dev/null
++++ b/extensions/libxt_id.c
+@@ -0,0 +1,45 @@
++/* Shared library add-on to iptables to add id match support. */
++
++#include <stdio.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_id.h>
++
++enum {
++ O_ID = 0,
++};
++
++static const struct xt_option_entry id_opts[] = {
++ {
++ .name = "id",
++ .id = O_ID,
++ .type = XTTYPE_UINT32,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_id_info, id)
++ },
++ XTOPT_TABLEEND,
++};
++
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void
++id_save(const void *ip, const struct xt_entry_match *match)
++{
++ struct xt_id_info *idinfo = (void *)match->data;
++
++ printf(" --id %lu", idinfo->id);
++}
++
++static struct xtables_match id_match = {
++ .family = NFPROTO_UNSPEC,
++ .name = "id",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_id_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_id_info)),
++ .save = id_save,
++ .x6_parse = xtables_option_parse,
++ .x6_options = id_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&id_match);
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ __u32 id;
++};
++
++#endif /* XT_ID_H */
diff --git a/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..6fa94a3895
--- /dev/null
+++ b/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/include/uapi/linux/netfilter/Kbuild
++++ b/include/uapi/linux/netfilter/Kbuild
+@@ -51,6 +51,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+ header-y += xt_layer7.h
+--- /dev/null
++++ b/include/uapi/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -989,6 +989,13 @@ config NETFILTER_XT_MATCH_HL
+ in the IPv6 header, or the time-to-live field in the IPv4
+ header of the packet.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -115,6 +115,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);
diff --git a/target/linux/generic/patches-3.13/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.13/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..44748a9afb
--- /dev/null
+++ b/target/linux/generic/patches-3.13/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/include/uapi/linux/netfilter/Kbuild
++++ b/include/uapi/linux/netfilter/Kbuild
+@@ -54,6 +54,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+ header-y += xt_layer7.h
+--- /dev/null
++++ b/include/uapi/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -1033,6 +1033,13 @@ config NETFILTER_XT_MATCH_HL
+ in the IPv6 header, or the time-to-live field in the IPv4
+ header of the packet.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -133,6 +133,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);
diff --git a/target/linux/generic/patches-3.14/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.14/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..ba7697074d
--- /dev/null
+++ b/target/linux/generic/patches-3.14/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/include/uapi/linux/netfilter/Kbuild
++++ b/include/uapi/linux/netfilter/Kbuild
+@@ -55,6 +55,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_ipcomp.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+--- /dev/null
++++ b/include/uapi/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -1121,6 +1121,13 @@ config NETFILTER_XT_MATCH_IPCOMP
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -136,6 +136,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPCOMP) += xt_ipcomp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);
diff --git a/target/linux/generic/patches-3.3/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.3/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..14fe61b12d
--- /dev/null
+++ b/target/linux/generic/patches-3.3/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -837,6 +837,13 @@ config NETFILTER_XT_MATCH_HL
+ in the IPv6 header, or the time-to-live field in the IPv4
+ header of the packet.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -86,6 +86,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);
+--- a/include/linux/netfilter/Kbuild
++++ b/include/linux/netfilter/Kbuild
+@@ -47,6 +47,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+ header-y += xt_layer7.h
+--- /dev/null
++++ b/include/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
diff --git a/target/linux/generic/patches-3.8/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.8/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..2251a872da
--- /dev/null
+++ b/target/linux/generic/patches-3.8/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/include/uapi/linux/netfilter/Kbuild
++++ b/include/uapi/linux/netfilter/Kbuild
+@@ -49,6 +49,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+ header-y += xt_layer7.h
+--- /dev/null
++++ b/include/uapi/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -967,6 +967,13 @@ config NETFILTER_XT_MATCH_HL
+ in the IPv6 header, or the time-to-live field in the IPv4
+ header of the packet.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -112,6 +112,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);
diff --git a/target/linux/generic/patches-3.9/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.9/615-netfilter_add_xt_id_match.patch
new file mode 100644
index 0000000000..6fa94a3895
--- /dev/null
+++ b/target/linux/generic/patches-3.9/615-netfilter_add_xt_id_match.patch
@@ -0,0 +1,95 @@
+--- a/include/uapi/linux/netfilter/Kbuild
++++ b/include/uapi/linux/netfilter/Kbuild
+@@ -51,6 +51,7 @@ header-y += xt_ecn.h
+ header-y += xt_esp.h
+ header-y += xt_hashlimit.h
+ header-y += xt_helper.h
++header-y += xt_id.h
+ header-y += xt_iprange.h
+ header-y += xt_ipvs.h
+ header-y += xt_layer7.h
+--- /dev/null
++++ b/include/uapi/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ u32 id;
++};
++
++#endif /* XT_ID_H */
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -989,6 +989,13 @@ config NETFILTER_XT_MATCH_HL
+ in the IPv6 header, or the time-to-live field in the IPv4
+ header of the packet.
+
++config NETFILTER_XT_MATCH_ID
++ tristate '"id" match support'
++ depends on NETFILTER_ADVANCED
++ ---help---
++ This option adds a `id' dummy-match, which allows you to put
++ numeric IDs into your iptables ruleset.
++
+ config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -115,6 +115,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
+--- /dev/null
++++ b/net/netfilter/xt_id.c
+@@ -0,0 +1,45 @@
++/*
++ * Implements a dummy match to allow attaching IDs to rules
++ *
++ * 2014-08-01 Jo-Philipp Wich <jow@openwrt.org>
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_id.h>
++
++MODULE_AUTHOR("Jo-Philipp Wich <jow@openwrt.org>");
++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_id");
++MODULE_ALIAS("ip6t_id");
++
++static bool
++id_mt(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ /* We always match */
++ return true;
++}
++
++static struct xt_match id_mt_reg __read_mostly = {
++ .name = "id",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .match = id_mt,
++ .matchsize = sizeof(struct xt_id_info),
++ .me = THIS_MODULE,
++};
++
++static int __init id_mt_init(void)
++{
++ return xt_register_match(&id_mt_reg);
++}
++
++static void __exit id_mt_exit(void)
++{
++ xt_unregister_match(&id_mt_reg);
++}
++
++module_init(id_mt_init);
++module_exit(id_mt_exit);