ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-01 19:46:51 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

netfilter: move nf-log modules into separate packages

Browse Source 
Both legacy iptables and nftables require nf-log modules for rule logging,
so move them into a separate package both firewall implementations can
depend on.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bea01fa57f)
This commit is contained in:
Jo-Philipp Wich 2022-04-12 13:38:23 +02:00 committed by Hauke Mehrtens
parent 688a59bd94
commit 204259356e
2 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/netfilter.mk
View File

@ -48,8 +48,6 @@ $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_COMMENT, $(P_XT)xt_comme
$(eval $(call nf_add,IPT_CLUSTER,CONFIG_NETFILTER_XT_MATCH_CLUSTER, $(P_XT)xt_cluster)) $(eval $(call nf_add,IPT_CLUSTER,CONFIG_NETFILTER_XT_MATCH_CLUSTER, $(P_XT)xt_cluster))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)nf_log_common))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_V4)nf_log_ipv4))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS))
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT)) $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT))
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time))
@ -156,7 +154,6 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK,CONFIG_NF_DEFRAG_IPV6, $(P_V6)
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_FILTER, $(P_V6)ip6table_filter),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_FILTER, $(P_V6)ip6table_filter),))
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MANGLE, $(P_V6)ip6table_mangle),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MANGLE, $(P_V6)ip6table_mangle),))
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_NF_LOG_IPV6, $(P_V6)nf_log_ipv6),))
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_IPTABLES, ip6t_icmp6))) $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_IPTABLES, ip6t_icmp6)))
@ -172,6 +169,12 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_OPTS, $(P_V6)ip6t_hbh))
$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_FRAG, $(P_V6)ip6t_frag)) $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_FRAG, $(P_V6)ip6t_frag))
$(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt)) $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
# log
$(eval $(call nf_add,NF_LOG,CONFIG_NF_LOG_COMMON, $(P_XT)nf_log_common))
$(eval $(call nf_add,NF_LOG,CONFIG_NF_LOG_IPV4, $(P_V4)nf_log_ipv4))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_LOG6,CONFIG_NF_LOG_IPV6, $(P_V6)nf_log_ipv6),))
# nat # nat
# kernel only # kernel only

29
package/kernel/linux/modules/netfilter.mk
View File

@ -57,7 +57,7 @@ define KernelPackage/nf-ipt6
KCONFIG:=$(KCONFIG_NF_IPT6) KCONFIG:=$(KCONFIG_NF_IPT6)
FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m)))
DEPENDS:=+kmod-nf-ipt DEPENDS:=+kmod-nf-ipt +kmod-nf-log6
endef endef
$(eval $(call KernelPackage,nf-ipt6)) $(eval $(call KernelPackage,nf-ipt6))
@ -70,7 +70,7 @@ define KernelPackage/ipt-core
KCONFIG:=$(KCONFIG_IPT_CORE) KCONFIG:=$(KCONFIG_IPT_CORE)
FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m)))
DEPENDS:=+kmod-nf-reject +kmod-nf-ipt DEPENDS:=+kmod-nf-reject +kmod-nf-ipt +kmod-nf-log
endef endef
define KernelPackage/ipt-core/description define KernelPackage/ipt-core/description
@ -121,6 +121,29 @@ endef
$(eval $(call KernelPackage,nf-conntrack6)) $(eval $(call KernelPackage,nf-conntrack6))
define KernelPackage/nf-log
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter Logging
KCONFIG:=$(KCONFIG_NF_LOG)
FILES:=$(foreach mod,$(NF_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_LOG-m)))
endef
$(eval $(call KernelPackage,nf-log))
define KernelPackage/nf-log6
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter IPV6 Logging
KCONFIG:=$(KCONFIG_NF_LOG6)
DEPENDS:=@IPV6 +kmod-nf-log
FILES:=$(foreach mod,$(NF_LOG6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_LOG6-m)))
endef
$(eval $(call KernelPackage,nf-log6))
define KernelPackage/nf-nat define KernelPackage/nf-nat
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter NAT TITLE:=Netfilter NAT
@ -1089,7 +1112,7 @@ $(eval $(call KernelPackage,ipt-rpfilter))
define KernelPackage/nft-core define KernelPackage/nft-core
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables support TITLE:=Netfilter nf_tables support
DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +IPV6:kmod-nf-reject6 +IPV6:kmod-nf-conntrack6 +kmod-nf-nat +kmod-lib-crc32c DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +IPV6:kmod-nf-reject6 +IPV6:kmod-nf-conntrack6 +kmod-nf-nat +kmod-nf-log +IPV6:kmod-nf-log6 +kmod-lib-crc32c
FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m)))
KCONFIG:= \ KCONFIG:= \