[source] iptables: Fix target TRACE issue

LEDE Commits lede-commits at lists.infradead.org
Thu Oct 26 17:31:40 PDT 2017


jow pushed a commit to source.git, branch master:
https://git.lede-project.org/378e1a4858b9c51e6fcf396adc602fd835280759

commit 378e1a4858b9c51e6fcf396adc602fd835280759
Author: Martin Wetterwald <martin.wetterwald at corp.ovh.com>
AuthorDate: Thu Jan 12 15:06:00 2017 +0100

    iptables: Fix target TRACE issue
    
    The package kmod-ipt-debug builds the module xt_TRACE, which allows
    users to use '-j TRACE' as target in the chain PREROUTING of the table
    raw in iptables.
    
    The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
    that this feature which is implemented deep inside the linux IP stack
    (for example in sk_buff) is compiled.
    
    But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
    that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
    fails as this dynamic library is not present on the system.
    
    I created the package iptables-mod-trace which takes care of that, and
    target TRACE now works!
    
    https://dev.openwrt.org/ticket/16694
    https://dev.openwrt.org/ticket/19661
    
    Signed-off-by: Martin Wetterwald <martin.wetterwald at corp.ovh.com>
    [Jo-Philipp Wich: also remove trace extension from builtin extension list
                      and depend on kmod-ipt-raw since it's required for rules]
    Signed-off-by: Jo-Philipp Wich <jo at mein.io>
    Tested-by: Enrico Mioso <mrkiko.rs at gmail.com>
---
 include/netfilter.mk                    |  1 -
 package/network/utils/iptables/Makefile | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/include/netfilter.mk b/include/netfilter.mk
index 2d53758..1f5050b 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -366,7 +366,6 @@ IPT_BUILTIN += $(IPT_NAT_EXTRA-y)
 IPT_BUILTIN += $(NF_NATHELPER-y)
 IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y)
 IPT_BUILTIN += $(IPT_ULOG-y)
-IPT_BUILTIN += $(IPT_DEBUG-y)
 IPT_BUILTIN += $(IPT_TPROXY-y)
 IPT_BUILTIN += $(NFNETLINK-y)
 IPT_BUILTIN += $(NFNETLINK_LOG-y)
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 89f4354..133d98c 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -216,6 +216,20 @@ define Package/iptables-mod-nflog/description
 
 endef
 
+define Package/iptables-mod-trace
+$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw)
+  TITLE:=Netfilter TRACE target
+endef
+
+define Package/iptables-mod-trace/description
+ iptables extension for TRACE target
+
+ Includes:
+  - libxt_TRACE
+
+endef
+
+
 define Package/iptables-mod-nfqueue
 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
   TITLE:=Netfilter NFQUEUE target
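Review bot: The new `Package/iptables-mod-trace/description` block is followed by two added blank lines before `define Package/iptables-mod-nfqueue`, whereas every neighbouring definition in this hunk is separated by a single blank line; dropping one of the two keeps the file's spacing consistent. The description itself could also say where the target is usable, since the commit message explains that TRACE rules go in the raw table and that kmod-ipt-raw is a dependency for exactly that reason: a line such as ` Used in the raw table (depends on kmod-ipt-raw)` after the `Includes:` list would spare users a trip to the commit history.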
@@ -584,6 +598,7 @@ $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
 $(eval $(call BuildPackage,ip6tables))
 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
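Review bot: `$(IPT_DEBUG-m)` is now the only path that produces the libxt_TRACE extension, because the netfilter.mk hunk drops `IPT_DEBUG-y` from IPT_BUILTIN and nothing in this hunk covers the `-y` case. If a kernel configuration ever builds the TRACE target in rather than as a module, presumably IPT_DEBUG-y rather than IPT_DEBUG-m is populated, and the userspace extension would then be built into neither iptables nor this plugin, reproducing the missing-libxt_TRACE.so failure the commit sets out to fix. It is worth confirming how IPT_DEBUG-y/-m are derived from the kernel config, and recording the outcome with a comment beside the new line, e.g. `# TRACE extension ships only as iptables-mod-trace; IPT_DEBUG-y is intentionally not in IPT_BUILTIN`.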


