[openwrt/openwrt] iptables: Support building connlabel module
LEDE Commits
lede-commits at lists.infradead.org
Tue Feb 13 01:02:33 PST 2018
blogic pushed a commit to openwrt/openwrt.git, branch master:
https://git.lede-project.org/2d27ebbb9338c114b3b5403cd4eb6fc05ef1ed6a
commit 2d27ebbb9338c114b3b5403cd4eb6fc05ef1ed6a
Author: Kristian Evensen <kristian.evensen at gmail.com>
AuthorDate: Mon Jan 22 18:52:28 2018 +0100
iptables: Support building connlabel module
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.
Signed-off-by: Kristian Evensen <kristian.evensen at gmail.com>
---
include/netfilter.mk | 4 ++++
package/kernel/linux/modules/netfilter.mk | 15 +++++++++++++++
package/network/utils/iptables/Makefile | 15 +++++++++++++++
3 files changed, 34 insertions(+)
diff --git a/include/netfilter.mk b/include/netfilter.mk
index c99b6fb..bad599b 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -86,6 +86,10 @@ $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_RECENT, $(P_X
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_CONNMARK)))
+#conntrack-label
+
+$(eval $(call nf_add,IPT_CONNTRACK_LABEL,CONFIG_NETFILTER_XT_MATCH_CONNLABEL, $(P_XT)xt_connlabel))
+
# extra
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))
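Review bot: The new section marker `#conntrack-label` is written without a space after `#`, while the neighbouring marker in the same hunk is `# extra`. Writing it as `# conntrack-label` keeps the section headers uniform and easier to grep. The added `nf_add` line is not wrapped in an `$(if $(NF_KMOD),...)` guard like the CONNMARK line above it. That looks intentional, since both the kmod and the userspace plugin need the entry, but a one-line comment saying so would spare the next reader the question.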
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index d44d2f8..82d5604 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -187,6 +187,21 @@ endef
$(eval $(call KernelPackage,ipt-conntrack-extra))
+define KernelPackage/ipt-conntrack-label
+ TITLE:=Module for handling connection tracking labels
+ KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL)
+ FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m)))
+ $(call AddDepends/ipt,+kmod-ipt-conntrack)
+endef
+
+define KernelPackage/ipt-conntrack-label/description
+ Netfilter (IPv4) module for handling connection tracking labels
+ Includes:
+ - connlabel
+endef
+
+$(eval $(call KernelPackage,ipt-conntrack-label))
define KernelPackage/ipt-filter
TITLE:=Modules for packet content inspection
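Review bot: The description text `Netfilter (IPv4) module for handling connection tracking labels` probably understates the module's scope. The module is registered in include/netfilter.mk as `$(P_XT)xt_connlabel`, and the `xt_` prefix suggests a protocol-independent x_tables match rather than an IPv4-only one. Someone deciding from this text whether label-based rules also apply to IPv6 traffic could be misled. Consider `Netfilter module for handling connection tracking labels`, unless the sibling descriptions outside this hunk deliberately use the "(IPv4)" wording. The `KernelPackage/ipt-filter` definition at the end of the hunk continues outside it.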
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 207676e..9c6abfb 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -124,6 +124,20 @@ Extra iptables extensions for connection tracking.
endef
+define Package/iptables-mod-conntrack-label
+$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
+ TITLE:=Connection tracking labeling extension
+ DEFAULT:=y if IPTABLES_CONNLABEL
+endef
+
+define Package/iptables-mod-conntrack-label/description
+Match and set label(s) on connection tracking entries
+
+ Matches:
+ - connlabel
+
+endef
+
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=Content inspection extensions
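Review bot: The description of `Package/iptables-mod-conntrack-label` does not say where label names come from. As far as I know, the userspace connlabel match resolves names through a label map file, by default `/etc/xtables/connlabel.conf` from libnetfilter_conntrack, and nothing visible in this hunk installs or mentions one. A firewall rule that uses a label name may then fail to load on a fresh image and leave the ruleset incomplete, so it is worth confirming how the package behaves without that file. If it is not shipped, add a sentence to the description such as `Label names are read from the connlabel.conf label map; create it before using named labels.` The description also ends with an empty line before `endef` that could be dropped.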
@@ -592,6 +606,7 @@ endef
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))