[OpenWrt-Devel] [PATCH v2] iptables: NFLOG and NFQUEUE targets' full support
Guillaume Déflache
guillaume.deflache at ibwag.com
Wed Aug 6 17:19:20 EDT 2014
NFLOG and NFQUEUE targets' full support for iptables.
Includes all needed kernel modules (Xtables's and Netlink's)
and userspace libraries.
All added kernel modules can be individually disabled,
all other new libraries get their own individual packages.
Reported-by: Fabian Hugelshofer <hugelshofer2006 at gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel at fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss at mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache at ibwag.com>
---
This patch merges and expands the work of:
- ddx0n which got initially submitted in 2011 as patch in ticket #9969
and completed with the kmod-ipt-nfqueue module by me
- Fabian Hugelshofer he initially submitted in 2008 as patch on openwrt-devel which...
- ...Rainer Poisel reworked and resend there in 2010 which...
- ...Derek LaHousse reworked and resend there in 2013 (!).
I hope all this work can be finally submitted.
Please be kind as this is my first OpenWrt patch!
The v2 of this patch uses modprobe to load all added kernel modules
and fixes a few bugs introduced by me on merging all patches
(e.g. same module installed by two different packages,
wrong configuration flag used in a few places).
include/netfilter.mk | 27 ++++++++++++++
package/kernel/linux/modules/netfilter.mk | 58 +++++++++++++++++++++++++------
package/network/utils/iptables/Makefile | 28 +++++++++++++++
3 files changed, 103 insertions(+), 10 deletions(-)
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 7a6fea5..5caa02f 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -225,6 +225,16 @@ $(eval $(call nf_add,IPT_QUEUE,CONFIG_IP_NF_QUEUE, $(P_V4)ip_queue, lt 3.5.0))
$(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
+# nflog
+
+$(eval $(call nf_add,IPT_NFLOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG))
+
+
+# nfqueue
+
+$(eval $(call nf_add,IPT_NFQUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE))
+
+
# debugging
$(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE))
@@ -245,6 +255,19 @@ $(eval $(call nf_add,IPT_TEE,CONFIG_NETFILTER_XT_TARGET_TEE, $(P_XT)xt_TEE))
$(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32, $(P_XT)xt_u32))
+
+# netlink
+
+$(eval $(call nf_add,NFNETLINK,CONFIG_NETFILTER_NETLINK, $(P_XT)nfnetlink))
+
+# nflog
+
+$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlink_log))
+
+# nfqueue
+
+$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue))
+
#
# ebtables
#
@@ -279,6 +302,7 @@ $(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog))
$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog))
+$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFQUEUE, $(P_EBT)ebt_nfqueue))
# userland only
@@ -299,6 +323,9 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
IPT_BUILTIN += $(IPT_ULOG-y)
IPT_BUILTIN += $(IPT_DEBUG-y)
IPT_BUILTIN += $(IPT_TPROXY-y)
+IPT_BUILTIN += $(NFNETLINK-y)
+IPT_BUILTIN += $(NFNETLINK_LOG-y)
+IPT_BUILTIN += $(NFNETLINK_QUEUE-y)
IPT_BUILTIN += $(EBTABLES-y)
IPT_BUILTIN += $(EBTABLES_IP4-y)
IPT_BUILTIN += $(EBTABLES_IP6-y)
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 316df69..86cc5ae 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -278,6 +278,40 @@ endef
$(eval $(call KernelPackage,ipt-ulog))
+define KernelPackage/ipt-nflog
+ TITLE:=Module for user-space packet logging
+ KCONFIG:=$(KCONFIG_IPT_NFLOG)
+ FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFLOG-m)))
+ $(call AddDepends/ipt,+kmod-nfnetlink-log)
+endef
+
+define KernelPackage/ipt-nflog/description
+ Netfilter module for user-space packet logging
+ Includes:
+ - NFLOG
+endef
+
+$(eval $(call KernelPackage,ipt-nflog))
+
+
+define KernelPackage/ipt-nfqueue
+ TITLE:=Module for user-space packet queuing
+ KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
+ FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
+ $(call AddDepends/ipt,+kmod-nfnetlink-queue)
+endef
+
+define KernelPackage/ipt-nfqueue/description
+ Netfilter module for user-space packet queuing
+ Includes:
+ - NFQUEUE
+endef
+
+$(eval $(call KernelPackage,ipt-nfqueue))
+
+
define KernelPackage/ipt-debug
TITLE:=Module for debugging/development
KCONFIG:=$(KCONFIG_IPT_DEBUG)
@@ -530,10 +564,10 @@ $(eval $(call KernelPackage,ebtables-watchers))
define KernelPackage/nfnetlink
SUBMENU:=$(NF_MENU)
TITLE:=Netlink-based userspace interface
- DEPENDS:=+kmod-ipt-core
- FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
- KCONFIG:=CONFIG_NETFILTER_NETLINK
- AUTOLOAD:=$(call AutoProbe,nfnetlink)
+ FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
+ KCONFIG:=$(KCONFIG_NFNETLINK)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))
+ $(call AddDepends/ipt)
endef
define KernelPackage/nfnetlink/description
@@ -551,14 +585,16 @@ endef
define KernelPackage/nfnetlink-log
TITLE:=Netfilter LOG over NFNETLINK interface
- FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
- KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
- AUTOLOAD:=$(call AutoProbe,nfnetlink_log)
+ FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
+ KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))
$(call AddDepends/nfnetlink)
endef
define KernelPackage/nfnetlink-log/description
Kernel modules support for logging packets via NFNETLINK
+ Includes:
+ - NFLOG
endef
$(eval $(call KernelPackage,nfnetlink-log))
@@ -566,14 +602,16 @@ $(eval $(call KernelPackage,nfnetlink-log))
define KernelPackage/nfnetlink-queue
TITLE:=Netfilter QUEUE over NFNETLINK interface
- FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
- KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
- AUTOLOAD:=$(call AutoProbe,nfnetlink_queue)
+ FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
+ KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_QUEUE-m)))
$(call AddDepends/nfnetlink)
endef
define KernelPackage/nfnetlink-queue/description
Kernel modules support for queueing packets via NFNETLINK
+ Includes:
+ - NFQUEUE
endef
$(eval $(call KernelPackage,nfnetlink-queue))
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 8266f14..bea2f1d 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -194,6 +194,32 @@ iptables extensions for user-space packet logging.
endef
+define Package/iptables-mod-nflog
+$(call Package/iptables/Module, +kmod-nfnetlink-log)
+ TITLE:=Netfilter NFLOG target
+endef
+
+define Package/iptables-mod-nflog/description
+ iptables extension for user-space logging via NFNETLINK.
+
+ Includes:
+ - libxt_NFLOG
+
+endef
+
+define Package/iptables-mod-nfqueue
+$(call Package/iptables/Module, +kmod-nfnetlink-queue)
+ TITLE:=Netfilter NFQUEUE target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extension for user-space queuing via NFNETLINK.
+
+ Includes:
+ - libxt_NFQUEUE
+
+endef
+
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
TITLE:=hashlimit matching
@@ -469,6 +495,8 @@ $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
---
Diese E-Mail ist frei von Viren und Malware, denn der avast! Antivirus Schutz ist aktiv.
http://www.avast.com
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list