From 8df6cd005ce53a195d6f401d7fe10b9faab0e3dd Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 21 May 2013 12:58:15 +0000 Subject: [PATCH] netfilter: move time, mark, set matches and MARK, REDIRECT, SET targets into base iptables package - drop iptables-mod-ipset SVN-Revision: 36683 --- include/netfilter.mk | 22 ++++++++-------- package/network/utils/iptables/Makefile | 35 ++++++++++--------------- 2 files changed, 25 insertions(+), 32 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 15f1198abe..74c279bfbb 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -36,7 +36,7 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptabl $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),)) # userland only -$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment))) +$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment xt_set xt_SET))) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MAC, $(P_XT)xt_mac)) @@ -47,6 +47,14 @@ $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG, ge $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG, lt 3.4.0)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS)) $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT)) +$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time)) +$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MARK, $(P_XT)xt_mark)) + +# kernel has xt_MARK.ko merged into xt_mark.ko, userspace is still separate +# kernel: xt_mark.ko +$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_MARK, $(P_XT)xt_mark))) +# userland: xt_MARK.so +$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_MARK, $(P_XT)xt_MARK))) # conntrack @@ -97,21 +105,13 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_DSCP, $(P_XT)xt_dscp)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_DSCP, $(P_XT)xt_DSCP)) $(eval $(call nf_add,IPT_HASHLIMIT,CONFIG_NETFILTER_XT_MATCH_HASHLIMIT, $(P_XT)xt_hashlimit)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_LENGTH, $(P_XT)xt_length)) -$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_MARK, $(P_XT)xt_mark)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_statistic)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss)) -$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_CLASSIFY, $(P_XT)xt_CLASSIFY)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_DSCP, $(P_V4)ipt_dscp)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_ECN, $(P_V4)ipt_ECN)) -# kernel has xt_MARK.ko merged into xt_mark.ko, userspace is still separate -# kernel: xt_mark.ko -$(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_MARK, $(P_XT)xt_mark))) -# userland: xt_MARK.so -$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_MARK, $(P_XT)xt_MARK))) - $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_ECN, $(P_XT)xt_ecn)) # userland only @@ -167,14 +167,14 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NF_NAT, $(P_V4)nf_nat $(P_V4 $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_SNAT ipt_DNAT))) $(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_V4)ipt_MASQUERADE)) +$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_REDIRECT, $(P_XT)xt_REDIRECT, ge 3.7.0)) +$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_REDIRECT, $(P_V4)ipt_REDIRECT, lt 3.7.0)) # nat-extra $(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_NETMAP, $(P_XT)xt_NETMAP, ge 3.7.0)) $(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_NETMAP, $(P_V4)ipt_NETMAP, lt 3.7.0)) -$(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_REDIRECT, $(P_XT)xt_REDIRECT, ge 3.7.0)) -$(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_REDIRECT, $(P_V4)ipt_REDIRECT, lt 3.7.0)) # nathelper diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index a0ea7f7ce0..1b6a4cf79b 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -62,20 +62,34 @@ IP firewall administration tool. - tcp - udp - comment + - conntrack - limit - mac + - mark - multiport + - set + - state + - time Targets: - ACCEPT + - CT + - DNAT - DROP - REJECT - LOG + - MARK + - MASQUERADE + - REDIRECT + - SET + - SNAT - TCPMSS Tables: - filter - mangle + - nat + - raw endef @@ -125,10 +139,8 @@ iptables extensions for matching/changing IP packet options. - dscp - ecn - length - - mark - statistic - tcpmss - - time - unclean - hl @@ -136,7 +148,6 @@ iptables extensions for matching/changing IP packet options. - DSCP - CLASSIFY - ECN - - MARK - HL endef @@ -156,22 +167,6 @@ iptables extensions for matching ipsec traffic. endef -define Package/iptables-mod-ipset -$(call Package/iptables/Module,) - TITLE:=IPset iptables extensions -endef - -define Package/iptables-mod-ipset/description -IPset iptables extensions. - - Matches: - - set - - Targets: - - SET - -endef - define Package/iptables-mod-nat-extra $(call Package/iptables/Module, +kmod-ipt-nat-extra) TITLE:=Extra NAT extensions @@ -183,7 +178,6 @@ iptables extensions for extra NAT targets. Targets: - MIRROR - NETMAP - - REDIRECT endef define Package/iptables-mod-ulog @@ -440,7 +434,6 @@ $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL))) $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) -$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET)) $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))