Commit graph

114 commits

Author SHA1 Message Date
Imre Kaloz
3a9e3dfa95 netfilter: handle NFT_MASQ_IPV6
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 43966
2015-01-14 08:53:11 +00:00
Imre Kaloz
c3c00c4286 netfilter: handle nft_masq and nft_masq_ipv4
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 43950
2015-01-12 20:16:36 +00:00
Felix Fietkau
27f36718d3 kernel: add a patch to make netfilter conntrack cache routing information
Significantly improves routing / NAT performance

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43587
2014-12-09 11:01:49 +00:00
John Crispin
6521f53c65 keernel: Fixed dependencies in netfilter modules introduced with 3.18 kernel
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. These patch fixes 3
of such issues which are critical to have a successful build.

Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>

SVN-Revision: 43318
2014-11-19 14:09:01 +00:00
Steven Barth
25a6d37e23 kernel: 3.18: Fix kmod-ipt-nat
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.

Enable this new options.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

SVN-Revision: 43212
2014-11-08 12:17:14 +00:00
Felix Fietkau
9a2cf10c33 netfilter: Enable compiling iptables match cluster
This patch adds the userspace and kernelspace for

- match NETFILTER_XT_MATCH_CLUSTER
  This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
  This module allows you to configure a simple cluster of nodes
  that share a certain IP and MAC address
  without an explicit load balancer in front of them.
  Connections are statically distributed between the nodes in this cluster.

This is used i.e. by strongswan-ha.

Signed-off-by: Christian Scheele <cs@embedd.com>

SVN-Revision: 43174
2014-11-03 22:01:45 +00:00
Steven Barth
a294c670e5 netfilter: unbreak kmod-ipt-nat for <3.7
SVN-Revision: 42696
2014-09-29 05:24:32 +00:00
Steven Barth
aba8e9ceef netfilter: fix a typo in TTL-match module
SVN-Revision: 42611
2014-09-18 14:53:26 +00:00
Steven Barth
0e0efd4771 netfilter: remove redundant CONFIG_IP_NF_IPTABLES
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42599
2014-09-17 12:17:01 +00:00
Steven Barth
e4e5c31f87 Reorganize netfilter kernel modules and package nftables kernel support
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42596
2014-09-17 12:10:44 +00:00
Steven Barth
9f2a17103f iptables: NFLOG and NFQUEUE targets' full support
NFLOG and NFQUEUE targets' full support for iptables.

Includes all needed kernel modules (Xtables's and Netlink's)
 and userspace libraries.
All added kernel modules can be individually disabled,
 all other new libraries get their own individual packages.

Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>

SVN-Revision: 42022
2014-08-07 04:42:22 +00:00
Jo-Philipp Wich
baa7c211f5 netfilter: introduce xt_id match
This commit implements a new netfilter match "xt_id" which can be used to
attach unsigned 32bit IDs to iptables rules.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 41945
2014-08-01 22:49:47 +00:00
Felix Fietkau
4b241e9827 netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40983
2014-06-02 18:13:38 +00:00
Steven Barth
97ea9e3c2a iptables/netfilter: add connlimit to conntrack-extra
SVN-Revision: 39878
2014-03-11 14:58:00 +00:00
Steven Barth
2e2c4c2dd3 Fix IPv6 NAT breaking older kernels
SVN-Revision: 37891
2013-09-03 06:29:46 +00:00
Steven Barth
0a85c59040 netfilter: Add IPv6-NAT support for kernel and ipt Thanks to Berni, Adam Novak and Sedat Dilek for patches and inspiration
SVN-Revision: 37866
2013-09-01 17:59:48 +00:00
Luka Perkov
e5e83478a9 netfilter: fix typo
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 37821
2013-08-21 23:17:08 +00:00
Felix Fietkau
c404cd5bfa netfilter: remove use of obsolete compatibility config symbols for mark and connmark
fixes duplication of xt_mark and xt_connmark module entries

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 37344
2013-07-15 13:08:20 +00:00
Jo-Philipp Wich
8df6cd005c netfilter: move time, mark, set matches and MARK, REDIRECT, SET targets into base iptables package - drop iptables-mod-ipset
SVN-Revision: 36683
2013-05-21 12:58:15 +00:00
Steven Barth
ed083586aa netfilter: Fix typo in last commit
SVN-Revision: 35899
2013-03-07 09:30:52 +00:00
Steven Barth
62ea398cd8 iptables: Add missing IPv6 builtin modules
SVN-Revision: 35898
2013-03-07 08:48:41 +00:00
Gabor Juhos
b20cb26ed7 package/kernel: xt_NOTRACK has been removed in 3.7-rc1
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>

SVN-Revision: 35475
2013-02-04 10:02:52 +00:00
Jo-Philipp Wich
03a50b9087 netfilter.mk: add addrtype match to iptables-mod-extra (kmod-ipt-extra)
SVN-Revision: 35155
2013-01-14 16:12:56 +00:00
Florian Fainelli
3a57cd4929 netfilter: xt_NOTRACK is incorporated in xt_CT as of 3.8-rc3
Signed-off-by: Florian Fainelli <florian@openwrt.org>

SVN-Revision: 35087
2013-01-10 17:20:29 +00:00
John Crispin
b21458709a fix ipv4 nat on 3.7 by adding missing iptables modules
SVN-Revision: 34841
2012-12-22 10:17:29 +00:00
Gabor Juhos
cfc6489579 netfilter: fix module list for 3.7 kernel
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>

SVN-Revision: 34750
2012-12-18 14:50:42 +00:00
Jo-Philipp Wich
5ba9873914 netfilter.mk: extend nf_add macro to take a version dependency expression
- nf_add now takes an optional 4th argument which specifies a kernel version dependency, e.g. "lt 3.7.0"
	- remove CompareKernelPatchVer conditionals around nf_add invocations, use version depends instead
	- fixes xt_LOG.ko packaging with Linux 3.6.0 and later

SVN-Revision: 34681
2012-12-15 00:05:35 +00:00
Jo-Philipp Wich
8420783407 netfilter.mk: fix packaging of xt_LOG.ko, it moved between 3.3.8 and 3.6.x
SVN-Revision: 34625
2012-12-11 09:53:50 +00:00
Hauke Mehrtens
d648dad7fa kernel: fix loading of nf_nat_irc
nf_nat_irc depends on nf_conntrack_irc and it should be defined after that.
This fixes a problem introduced in r34247.

SVN-Revision: 34251
2012-11-18 21:18:37 +00:00
Imre Kaloz
935ca3f3eb add 3.7-rc6 support (patch 820 still has to be fixed)
SVN-Revision: 34247
2012-11-18 18:52:38 +00:00
Felix Fietkau
d406a5208f include/netfilter.mk: remove a few obsolete lines
SVN-Revision: 33518
2012-09-23 08:25:32 +00:00
Felix Fietkau
cfe79471d1 kmod-ipt-nathelper-extra: fix missing nf_conntrack_broadcast.ko
kmod-ipt-nathelper-extra is missing the package nf_conntrack_broadcast.ko

if it is not included into the kmod-ipt-nathelper-extra packge the modules
nf_conntrack_snmp and nf_nat_snmp_basic cant get loaded:

[   44.500000] nf_conntrack_snmp: Unknown symbol nf_conntrack_broadcast_help (err 0)
[   44.664000] nf_nat_snmp_basic: Unknown symbol nf_nat_snmp_hook (err 0)

Signed-off-by: Peter Wagner <tripolar@gmx.at>

SVN-Revision: 32434
2012-06-18 23:30:48 +00:00
Felix Fietkau
b4b60ab62f include/netfilter.mk: clean up, remove junk for old kernel versions
SVN-Revision: 32114
2012-06-07 16:30:48 +00:00
Jo-Philipp Wich
e6af9d374a fix ipt_ttl and ipt_TTL userspace library packaging
SVN-Revision: 30897
2012-03-12 02:07:22 +00:00
Jonas Gorski
c336de3d85 kernel: update module names and add new config symbols for linux 3.3
SVN-Revision: 29985
2012-02-02 08:23:44 +00:00
Jo-Philipp Wich
a529e3f09e add CT target and TTL/HL match+target
This patch adds the CT target for conntrack (enables manipulation of
conntrack events and supercedes NOTRACK) as well as the TTL/HL target and
match.

SVN-Revision: 29645
2012-01-04 02:52:54 +00:00
Jo-Philipp Wich
a788f199c9 remove current RTSP support
SVN-Revision: 29643
2012-01-04 00:29:29 +00:00
Jo-Philipp Wich
2ad90a1ec3 package CT target
SVN-Revision: 29609
2011-12-25 13:32:53 +00:00
Felix Fietkau
1027d262ef netfilter.mk: remove a few obsolete CompareKernelPatchVer calls
SVN-Revision: 27086
2011-06-01 18:08:12 +00:00
Jo-Philipp Wich
be906f6be5 package u32 match and TEE target, patches by Maxim Uvarov
SVN-Revision: 26977
2011-05-24 08:14:29 +00:00
Jo-Philipp Wich
a9977eca91 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26617
2011-04-12 20:03:59 +00:00
Hauke Mehrtens
24c1caef5f iipt-debug: create bundle of netfilter modules for debugging
Add a bundle for including commonly useful modules for IPtables debugging and development.

For now, it just contains xt_TRACE.ko

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26567
2011-04-09 23:23:46 +00:00
Florian Fainelli
5959cd2850 add kmod-ipt-led
Netfilter LED target triggers blinkenlichten when a network packet hits
a rule.

LED target requires iptables 1.4.9 or higher

Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>

SVN-Revision: 26451
2011-04-03 18:30:37 +00:00
Felix Fietkau
c864843cbf netfilter.mk: put ipv6 conntrack in the right package
SVN-Revision: 25750
2011-02-27 11:22:30 +00:00
Felix Fietkau
2d14f4e2f8 netfilter: add missing modules for v6 conntrack (patch from #8940)
SVN-Revision: 25731
2011-02-26 15:50:01 +00:00
Felix Fietkau
831e597d7c move nf_{conntrack,nat}_tftp to ipt-nathelper-extra, most people don't need this
SVN-Revision: 25722
2011-02-26 00:35:22 +00:00
Felix Fietkau
9dad83362d kernel: remove imq support, refresh patches
SVN-Revision: 25641
2011-02-21 02:06:51 +00:00
Jo-Philipp Wich
d2d990e41e netfilter.mk: fix connmark packaging for Kernels >= 2.6.35, thanks Daniel Gimpelevich
SVN-Revision: 24729
2010-12-19 16:47:30 +00:00
Jo-Philipp Wich
c32a125607 netfilter: workaround a userspace/kernel mismatch on Linux 2.6.35 and later
SVN-Revision: 23521
2010-10-18 20:39:07 +00:00
Alexandros C. Couloumbis
57d2e57b02 finalize r22241 fixes
SVN-Revision: 22242
2010-07-17 08:50:19 +00:00