iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows users to use '-j TRACE' as a target in the chain PREROUTING of the table raw in iptables. The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so that this feature, which is implemented deep inside the Linux IP stack (for example in sk_buff), is compiled. But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which fails as this dynamic library is not present on the system. I created the package iptables-mod-trace which takes care of that, and target TRACE now works! https://dev.openwrt.org/ticket/16694 https://dev.openwrt.org/ticket/19661 Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com> [Jo-Philipp Wich: also remove trace extension from builtin extension list and depend on kmod-ipt-raw since it's required for rules] Signed-off-by: Jo-Philipp Wich <jo@mein.io> Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
parent
56342ee2bc
commit
378e1a4858
2 changed files with 15 additions and 1 deletions
|
@ -366,7 +366,6 @@ IPT_BUILTIN += $(IPT_NAT_EXTRA-y)
|
||||||
IPT_BUILTIN += $(NF_NATHELPER-y)
|
IPT_BUILTIN += $(NF_NATHELPER-y)
|
||||||
IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y)
|
IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y)
|
||||||
IPT_BUILTIN += $(IPT_ULOG-y)
|
IPT_BUILTIN += $(IPT_ULOG-y)
|
||||||
IPT_BUILTIN += $(IPT_DEBUG-y)
|
|
||||||
IPT_BUILTIN += $(IPT_TPROXY-y)
|
IPT_BUILTIN += $(IPT_TPROXY-y)
|
||||||
IPT_BUILTIN += $(NFNETLINK-y)
|
IPT_BUILTIN += $(NFNETLINK-y)
|
||||||
IPT_BUILTIN += $(NFNETLINK_LOG-y)
|
IPT_BUILTIN += $(NFNETLINK_LOG-y)
|
||||||
|
|
|
@ -216,6 +216,20 @@ define Package/iptables-mod-nflog/description
|
||||||
|
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
define Package/iptables-mod-trace
|
||||||
|
$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw)
|
||||||
|
TITLE:=Netfilter TRACE target
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Package/iptables-mod-trace/description
|
||||||
|
iptables extension for TRACE target
|
||||||
|
|
||||||
|
Includes:
|
||||||
|
- libxt_TRACE
|
||||||
|
|
||||||
|
endef
|
||||||
|
|
||||||
|
|
||||||
define Package/iptables-mod-nfqueue
|
define Package/iptables-mod-nfqueue
|
||||||
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
|
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
|
||||||
TITLE:=Netfilter NFQUEUE target
|
TITLE:=Netfilter NFQUEUE target
|
||||||
|
@ -584,6 +598,7 @@ $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
|
||||||
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
|
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
|
||||||
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
|
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
|
||||||
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
|
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
|
||||||
|
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
|
||||||
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
|
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
|
||||||
$(eval $(call BuildPackage,ip6tables))
|
$(eval $(call BuildPackage,ip6tables))
|
||||||
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
|
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
|
||||||
|
|
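Review bot: The added `$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))` packages only the `-m` half of IPT_DEBUG, while the other file in this commit drops `IPT_BUILTIN += $(IPT_DEBUG-y)`. If a kernel configuration puts the TRACE extension into `IPT_DEBUG-y`, libxt_TRACE would apparently be neither built into iptables nor shipped by the new package, which is the missing-library failure the commit set out to fix. The definitions of `IPT_DEBUG-y` and `IPT_DEBUG-m` are not visible on this page, so this needs confirming against them. If the plugin-only behaviour is intended, a comment above the BuildPlugin line would record it, for example `# TRACE is plugin-only: IPT_DEBUG-y is intentionally not part of IPT_BUILTIN`. The package description could also gain one line such as `Debugging aid; TRACE rules go in the raw table (hence kmod-ipt-raw)` so the dependency is explained where users read it.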