[OpenWrt-Devel] [PATCH] #9969: Add NFLOG and NFQUEUE targets for netfilter
Althaff Mohideen
althaff_mohideen at yahoo.com
Wed Aug 6 10:55:00 EDT 2014
I had just added it through kernel_menuconfig today.
->Networking support
-> Network Options
-> Network packet filtering framework (Netfilter)
-> Core Netfilter configuration
-> Netfilter NFQUEUE over NFNETLINK interface (ACTIVATE) -> "NFQUEUE" target support (ACTIVATE)
This patch will indeed help in the future.
Please advise (with instructions) on how to include a patch for people who are using the SDK to cross-compile.
Thank you very much,
Best Regards,
Mohideen
On Wednesday, August 6, 2014 1:58 PM, Yousong Zhou <yszhou4tech at gmail.com> wrote:
Hello,
On 7 November 2013 00:47, Derek LaHousse <dlahouss at mtu.edu> wrote:
> Hello, new developer here, open to advice
>
> https://dev.openwrt.org/ticket/9969
>
> Describe Changes:
> The included patch creates a menu item for iptables targets NFLOG and
> NFQUEUE. NFLOG is the successor to ULOG, while NFQUEUE allows userspace
> packet filtering. Selecting the iptables target enables the kernel
> modules necessary for netfilter to support these targets.
I am using NFLOG target with this patch and it worked. It would be
great if this can be merged into OpenWrt.
Regards.
yousong
>
> Signed-off-by: Derek LaHousse <dlahouss at mtu.edu>
> ---
>
> diff --git a/include/netfilter.mk b/include/netfilter.mk
> index 305f28e..a8c0860 100644
> --- a/include/netfilter.mk
> +++ b/include/netfilter.mk
> @@ -241,6 +241,21 @@ $(eval $(call nf_add,IPT_TEE,CONFIG_NETFILTER_XT_TARGET_TEE, $(P_XT)xt_TEE))
>
> $(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32, (P_XT)xt_u32))
>
> +
> +# netlink
> +
> +$(eval $(call nf_add,NFNETLINK,CONFIG_NETFILTER_NETLINK, $(P_XT)nfnetlink))
> +
> +# nflog
> +
> +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlink_log))
> +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG))
> +
> +# nfqueue
> +
> +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue))
> +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE))
> +
> #
> # ebtables
> #
> @@ -295,6 +310,9 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
> IPT_BUILTIN += $(IPT_ULOG-y)
> IPT_BUILTIN += $(IPT_DEBUG-y)
> IPT_BUILTIN += $(IPT_TPROXY-y)
> +IPT_BUILTIN += $(NFNETLINK-y)
> +IPT_BUILTIN += $(NFNETLINK_LOG-y)
> +IPT_BUILTIN += $(NFNETLINK_QUEUE-y)
> IPT_BUILTIN += $(EBTABLES-y)
> IPT_BUILTIN += $(EBTABLES_IP4-y)
> IPT_BUILTIN += $(EBTABLES_IP6-y)
> diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
> index 7509ced..9dc8ac4 100644
> --- a/package/kernel/linux/modules/netfilter.mk
> +++ b/package/kernel/linux/modules/netfilter.mk
> @@ -515,10 +515,10 @@ $(eval $(call KernelPackage,ebtables-watchers))
> define KernelPackage/nfnetlink
> SUBMENU:=$(NF_MENU)
> TITLE:=Netlink-based userspace interface
> - DEPENDS:=+kmod-ipt-core
> - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
> - KCONFIG:=CONFIG_NETFILTER_NETLINK
> - AUTOLOAD:=$(call AutoProbe,nfnetlink)
> + FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
> + KCONFIG:=$(KCONFIG_NFNETLINK)
> + AUTOLOAD:=$(call AutoProbe,$(NFNETLINK-m))
> + $(call AddDepends/ipt)
> endef
>
> define KernelPackage/nfnetlink/description
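Review bot: The new `AUTOLOAD:=$(call AutoProbe,$(NFNETLINK-m))` line in `KernelPackage/nfnetlink` passes the module list without `$(notdir ...)`, unlike the nfnetlink-log and nfnetlink-queue definitions later in this patch. The new `FILES` line builds paths as `$(LINUX_DIR)/net/$(mod).ko` where the removed line used `net/netfilter/nfnetlink.ko`, so each entry in `$(NFNETLINK-m)` appears to carry a `netfilter/` directory prefix, which is a path rather than a module name. I would change it to `AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))`. The definition of `P_XT` and the description block that follows are outside the hunk, so please confirm against the full file.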
> @@ -536,14 +536,16 @@ endef
>
> define KernelPackage/nfnetlink-log
> TITLE:=Netfilter LOG over NFNETLINK interface
> - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
> - KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
> - AUTOLOAD:=$(call AutoProbe,nfnetlink_log)
> + FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
> + KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
> + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_LOG-m)))
> $(call AddDepends/nfnetlink)
> endef
>
> define KernelPackage/nfnetlink-log/description
> Kernel modules support for logging packets via NFNETLINK
> + Includes:
> + - NFLOG
> endef
>
> $(eval $(call KernelPackage,nfnetlink-log))
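Review bot: The autoload helper changes from `AutoProbe` to `AutoLoad,45` here and again in the nfnetlink-queue hunk, while `KernelPackage/nfnetlink` in the same patch keeps `AutoProbe`, and the patch description gives no reason for the switch. If the fixed priority is intentional, a one-line comment above the `AUTOLOAD` line saying which ordering it protects would help the next maintainer. Otherwise `AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))` keeps the three packages consistent. Since the first file of the patch adds both `nfnetlink_log` and `xt_NFLOG` to `NFNETLINK_LOG`, this package now also carries the xtables target, and the `TITLE` could mention that.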
> @@ -551,14 +553,16 @@ $(eval $(call KernelPackage,nfnetlink-log))
>
> define KernelPackage/nfnetlink-queue
> TITLE:=Netfilter QUEUE over NFNETLINK interface
> - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
> - KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
> - AUTOLOAD:=$(call AutoProbe,nfnetlink_queue)
> + FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
> + KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
> + AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_QUEUE-m)))
> $(call AddDepends/nfnetlink)
> endef
>
> define KernelPackage/nfnetlink-queue/description
> Kernel modules support for queueing packets via NFNETLINK
> + Includes:
> + - NFQUEUE
> endef
>
> $(eval $(call KernelPackage,nfnetlink-queue))
> diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
> index 35dda06..ad98aa5 100644
> --- a/package/network/utils/iptables/Makefile
> +++ b/package/network/utils/iptables/Makefile
> @@ -193,6 +193,32 @@ iptables extensions for user-space packet logging.
>
> endef
>
> +define Package/iptables-mod-nflog
> +$(call Package/iptables/Module, +kmod-nfnetlink-log)
> + TITLE:=Netfilter NFLOG target
> +endef
> +
> +define Package/iptables-mod-nflog/description
> + iptables extension for user-space logging via NFNETLINK.
> +
> + Includes:
> + - libxt_NFLOG
> +
> +endef
> +
> +define Package/iptables-mod-nfqueue
> +$(call Package/iptables/Module, +kmod-nfnetlink-queue)
> + TITLE:=Netfilter NFQUEUE target
> +endef
> +
> +define Package/iptables-mod-nfqueue/description
> + iptables extension for user-space queuing via NFNETLINK.
> +
> + Includes:
> + - libxt_NFQUEUE
> +
> +endef
> +
> define Package/iptables-mod-hashlimit
> $(call Package/iptables/Module, +kmod-ipt-hashlimit)
> TITLE:=hashlimit matching
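Review bot: The `Package/iptables-mod-nfqueue/description` text does not say what happens to traffic when nothing is reading the queue. With NFQUEUE the verdict comes from a userspace program, and by default packets sent to a queue with no listener are dropped unless the rule is written with `--queue-bypass`, so the package changes how the firewall fails, not just which targets exist. I would add a line to the description such as `Packets are dropped if no userspace program is bound to the queue (see --queue-bypass).` The `iptables-mod-nflog` description could similarly note that NFLOG records only reach a userspace listener on the netlink group, so a logging daemon has to be installed separately.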
> @@ -457,6 +483,8 @@ $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
> $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
> $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
> $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
> +$(eval $(call BuildPlugin,iptables-mod-nflog,$(NFNETLINK_LOG-m)))
> +$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(NFNETLINK_QUEUE-m)))
> $(eval $(call BuildPackage,ip6tables))
> $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
> $(eval $(call BuildPackage,libiptc))