[openwrt/openwrt] netfilter: add kmod-nf-conntrack
LEDE Commits
lede-commits at lists.infradead.org
Sat Feb 18 08:13:24 PST 2023
hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/144fa4d4e7c00df370924751f58781689cd333e7
commit 144fa4d4e7c00df370924751f58781689cd333e7
Author: Aviana Cruz <gwencroft at proton.me>
AuthorDate: Thu Feb 2 21:39:41 2023 +0800
netfilter: add kmod-nf-conntrack
There have been some demands for the `ct count` expression,
like https://forum.openwrt.org/t/22-03-2-unable-to-use-ct-count-nft-rules/146680.
This adds the required kernel modules for the expression to work.
Signed-off-by: Aviana Cruz <gwencroft at proton.me>
---
include/netfilter.mk | 7 ++++++-
package/kernel/linux/modules/netfilter.mk | 23 +++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/include/netfilter.mk b/include/netfilter.mk
index a9c5133ae4..81488fe5c8 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -73,7 +73,6 @@ $(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNTRACK, $(P_XT)x
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNBYTES, $(P_XT)xt_connbytes))
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNLIMIT, $(P_XT)xt_connlimit))
-$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_CONNCOUNT, $(P_XT)nf_conncount))
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_connmark))
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_HELPER, $(P_XT)xt_helper))
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_RECENT, $(P_XT)xt_recent))
@@ -278,6 +277,10 @@ $(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlin
$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue))
+# conncount
+
+$(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNCOUNT,CONFIG_NETFILTER_CONNCOUNT, $(P_XT)nf_conncount),))
+
#
# ebtables
#
@@ -352,6 +355,8 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_COMPAT,CONFIG_NFT_COMPAT, $(P_XT)nft_co
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_XFRM,CONFIG_NFT_XFRM, $(P_XT)nft_xfrm),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CONNLIMIT,CONFIG_NFT_CONNLIMIT, $(P_XT)nft_connlimit),))
+
# userland only
IPT_BUILTIN += $(NF_IPT-y) $(NF_IPT-m)
IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m)
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index e6e2c9b637..1772545f25 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -39,6 +39,17 @@ endef
$(eval $(call KernelPackage,nf-reject6))
+define KernelPackage/nf-conncount
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Netfilter conncount support
+ KCONFIG:=$(KCONFIG_NF_CONNCOUNT)
+ HIDDEN:=1
+ DEPENDS:=+kmod-nf-conntrack
+ FILES:=$(foreach mod,$(NF_CONNCOUNT-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNCOUNT-m)))
+endef
+
+$(eval $(call KernelPackage,nf-conncount))
define KernelPackage/nf-ipt
SUBMENU:=$(NF_MENU)
@@ -234,6 +245,7 @@ $(eval $(call KernelPackage,ipt-conntrack))
define KernelPackage/ipt-conntrack-extra
TITLE:=Extra connection tracking modules
+ DEPENDS:=+kmod-nf-conncount
KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
@@ -1254,3 +1266,14 @@ define KernelPackage/nft-xfrm
endef
$(eval $(call KernelPackage,nft-xfrm))
+
+define KernelPackage/nft-connlimit
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Netfilter nf_tables connlimit support
+ DEPENDS:=+kmod-nft-core +kmod-nf-conncount
+ FILES:=$(foreach mod,$(NFT_CONNLIMIT-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CONNLIMIT-m)))
+ KCONFIG:=$(KCONFIG_NFT_CONNLIMIT)
+endef
+
+$(eval $(call KernelPackage,nft-connlimit))
More information about the lede-commits
mailing list