From 4b241e98270ab83dcae8e678ee8066d65fdb44eb Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Mon, 2 Jun 2014 18:13:38 +0000
Subject: [PATCH] netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage)
Signed-off-by: Felix Fietkau
SVN-Revision: 40983
---
 include/netfilter.mk | 16 +++++++++-------
 package/kernel/linux/modules/netfilter.mk | 15 +++++++++++++++
 package/network/utils/iptables/Makefile | 11 +++++++++++
 3 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 1ecbe02eab..906eb0f085 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -143,17 +143,19 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_RAW, $(P_V6)ip6table
 $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_IPTABLES, ip6t_icmp6)))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_AH, $(P_V6)ip6t_ah))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_EUI64, $(P_V6)ip6t_eui64))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_FRAG, $(P_V6)ip6t_frag))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_IPV6HEADER, $(P_V6)ip6t_ipv6header))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_MH, $(P_V6)ip6t_mh))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_OPTS, $(P_V6)ip6t_hbh))
-$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_LOG, $(P_V6)ip6t_LOG))
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_REJECT, $(P_V6)ip6t_REJECT))
+# ipv6 extra
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_IPV6HEADER, $(P_V6)ip6t_ipv6header))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_AH, $(P_V6)ip6t_ah))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_MH, $(P_V6)ip6t_mh))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_EUI64, $(P_V6)ip6t_eui64))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_OPTS, $(P_V6)ip6t_hbh))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_FRAG, $(P_V6)ip6t_frag))
+$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
+
 # nat
 # kernel only
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 974cca717f..316df69f02 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
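Review bot: Rulesets that use the `ah`, `eui64`, `frag`, `hbh`, `ipv6header`, `mh` or `rt` matches will no longer find their modules in the default package set, because the seven `nf_add` lines under `# ipv6 extra` now feed `IPT_IPV6_EXTRA` instead of `IPT_IPV6`. A filtering rule on routing or fragment headers depends on exactly these modules, and this patch does not show whether a failed rule load leaves the rest of the IPv6 ruleset applied, so existing configurations should be checked on upgrade. I would make the comment say where the modules went, e.g. `# ipv6 extra: extension-header matches, packaged separately as kmod-ip6tables-extra / ip6tables-extra`.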
@@ -420,6 +420,21 @@ endef
 $(eval $(call KernelPackage,ip6tables))
+define KernelPackage/ip6tables-extra
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Extra IPv6 modules
+ DEPENDS:=+kmod-ip6tables
+ KCONFIG:=$(KCONFIG_IPT_IPV6_EXTRA)
+ FILES:=$(foreach mod,$(IPT_IPV6_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_IPV6_EXTRA-m)))
+endef
+
+define KernelPackage/ip6tables-extra/description
+ Netfilter IPv6 extra header matching modules
+endef
+
+$(eval $(call KernelPackage,ip6tables-extra))
+
 ARP_MODULES = arp_tables arpt_mangle arptable_filter
 define KernelPackage/arptables
 SUBMENU:=$(NF_MENU)
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 48b1879bd3..f6db428bcb 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -302,6 +302,16 @@ $(call Package/iptables/Default)
 endef
+define Package/ip6tables-extra
+$(call Package/iptables/Default)
+ DEPENDS:=ip6tables +kmod-ip6tables-extra
+ TITLE:=IPv6 header matching modules
+endef
+
+define Package/ip6tables-mod-extra/description
+iptables header matching modules for IPv6
+endef
+
 define Package/ip6tables-mod-nat
 $(call Package/iptables/Default)
 DEPENDS:=ip6tables +kmod-ipt-nat6
@@ -459,6 +469,7 @@ $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
 $(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
 $(eval $(call BuildPackage,libiptc))
 $(eval $(call BuildPackage,libip4tc))
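Review bot: The text in `KernelPackage/ip6tables-extra/description` does not say which matches the package carries, so someone whose rule fails to load cannot tell from the package list that this is the package they need. I would name them, e.g. `Netfilter IPv6 extension header matches: ah, eui64, frag, hbh, ipv6header, mh, rt`. That list follows the `IPT_IPV6_EXTRA` entries this same patch adds in include/netfilter.mk.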
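Review bot: The description block in the `-302,6 +302,16` hunk is defined as `Package/ip6tables-mod-extra/description`, but the package defined just above it, and registered by `BuildPlugin` in the last hunk, is `ip6tables-extra`. The text is therefore presumably never attached to the package. It should read `define Package/ip6tables-extra/description`. The neighbouring plugin is named `ip6tables-mod-nat`; if the `-mod-` form was the intended name, then the `define Package/ip6tables-extra` line and the `BuildPlugin,ip6tables-extra` call need to change together instead.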