[OpenWrt-Devel] [RFC 26/27] kernel: netfilter: Adapt merge ipv4/ipv6 masquerade code

Yousong Zhou yszhou4tech at gmail.com
Thu Nov 29 21:15:12 EST 2018


On Fri, 30 Nov 2018 at 06:26, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> On 11/28/18 6:53 AM, Yousong Zhou wrote:
> > On Wed, 28 Nov 2018 at 07:21, Hauke Mehrtens <hauke at hauke-m.de> wrote:
> >>
> >> In kernel commit 0168e8b361 ("netfilter: nat: merge ipv4/ipv6 masquerade
> >> code into main nat module") the CONFIG_NF_NAT_MASQUERADE_IPV4 and
> >> CONFIG_NF_NAT_MASQUERADE_IPV6 kernel configuration options were changed
> >> to bool and the code will not be compiled as its own module any more, but
> >> it will be integrated into nf_nat_ipv4.ko or nf_nat_ipv6.ko to save some
> >> memory.
> >>
> >> Activate these options as bool in the generic kernel 4.19 configuration
> >> only, to always build them into the nf_nat_ipv*.ko modules. The kmod
> >> file will still try to select them as module, but the generic
> >> configuration will not be overwritten.
> >>
> >> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> >> ---
> >>  include/netfilter.mk             | 4 ++--
> >>  target/linux/generic/config-4.19 | 4 ++--
> >>  2 files changed, 4 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/include/netfilter.mk b/include/netfilter.mk
> >> index 2d232b5f5c..4b9cc20622 100644
> >> --- a/include/netfilter.mk
> >> +++ b/include/netfilter.mk
> >> @@ -187,10 +187,10 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT, $(P_XT)nf_nat),))
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect, ge 3.19.0),))
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, $(P_V4)nf_nat_ipv4),))
> >> -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_MASQUERADE_IPV4, $(P_V4)nf_nat_masquerade_ipv4),))
> >> +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_MASQUERADE_IPV4, $(P_V4)nf_nat_masquerade_ipv4, lt 4.18),))
> >>
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6),))
> >> -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_MASQUERADE_IPV6, $(P_V6)nf_nat_masquerade_ipv6),))
> >> +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_MASQUERADE_IPV6, $(P_V6)nf_nat_masquerade_ipv6, lt 4.18),))
> >>
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_NAT, $(P_XT)xt_nat),))
> >>  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, $(P_V4)iptable_nat),))
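
Review bot: the `lt 4.18` bound added to the nf_nat_masquerade_ipv4 and nf_nat_masquerade_ipv6 lines is not explained by the commit message, which mentions only the 4.19 configuration and says the kmod file "will still try to select them as module". With this bound the two entries no longer apply to kernels 4.18 and newer, so please state in the message which kernel release first contains 0168e8b361 and confirm the bound matches it; if the merge first appears in 4.19, a 4.18 kernel would be excluded although it still builds the separate masquerade modules. A short comment above the two lines naming the kernel commit would make the bound checkable later.
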
> >> diff --git a/target/linux/generic/config-4.19 b/target/linux/generic/config-4.19
> >> index c197f58464..5dec53c0f3 100644
> >> --- a/target/linux/generic/config-4.19
> >> +++ b/target/linux/generic/config-4.19
> >> @@ -3352,8 +3352,8 @@ CONFIG_NF_CONNTRACK_PROCFS=y
> >>  # CONFIG_NF_NAT_H323 is not set
> >>  # CONFIG_NF_NAT_IPV6 is not set
> >>  # CONFIG_NF_NAT_IRC is not set
> >> -# CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
> >> -# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set
> >> +CONFIG_NF_NAT_MASQUERADE_IPV4=y
> >> +CONFIG_NF_NAT_MASQUERADE_IPV6=y
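
Review bot: `CONFIG_NF_NAT_MASQUERADE_IPV6=y` is enabled in the generic config while a context line in the same hunk still reads `# CONFIG_NF_NAT_IPV6 is not set`, so the bool is switched on before the module it is compiled into (nf_nat_ipv6.ko, per the commit message). Please spell out in the commit message that the option takes effect only once CONFIG_NF_NAT_IPV6 is enabled by the kmod selection, and what becomes of it in a build without IPv6. The same applies to the IPv4 line and CONFIG_NF_NAT_IPV4, whose state is not visible in this hunk.
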
> >
> > The ipv6 config option should be placed into config/Config-kernel.in,
> > so that it can depend on the state of CONFIG_KERNEL_IPV6 option.
>
> Hi yousong,
>
> The IPV6 version is only available if CONFIG_IPV6 is selected, otherwise
> it is not possible to select it:
> kernel 4.19:
> https://elixir.bootlin.com/linux/v4.19.5/source/net/ipv6/netfilter/Kconfig#L121
> kernel 4.9:
> https://elixir.bootlin.com/linux/v4.9.141/source/net/ipv6/netfilter/Kconfig#L97
>
> This depends on the kernel version; on kernel < 4.18 this should be built
> as a module.
>
> Would it be better to add some KConfig options which depend on kernel
> 4.19 near CONFIG_KERNEL_IPV6 ?

If this is a trend in the mainline to transform ipv6 options from
tristate to bool, then annotating them each in the build system will
become unwieldy sooner or later.

Thinking about it again, the main concern seems to be that we can still
tweak out ipv6 from the build by disabling it with
CONFIG_KERNEL_IPV6=n.  If this is still achievable with IPV6 options
in the kernel config presets, then I think it's fine to include them
there.

There are already several targets with IPV6 options explicitly
enabled.  It's a bit odd and inconsistent.

➜  ~/git-repo/openwrt/openwrt git:(master) find target/linux -name 'config-*' | xargs ag -s IPV6 | grep =
target/linux/layerscape/armv8_64b/config-4.9:690:CONFIG_IPV6=y
target/linux/layerscape/armv8_64b/config-4.9:691:CONFIG_IPV6_SIT=y
target/linux/layerscape/armv8_32b/config-4.9:643:CONFIG_IPV6=y
target/linux/layerscape/armv8_32b/config-4.9:644:CONFIG_IPV6_MULTIPLE_TABLES=y
target/linux/layerscape/armv8_32b/config-4.9:645:CONFIG_IPV6_OPTIMISTIC_DAD=y
target/linux/layerscape/armv8_32b/config-4.9:646:CONFIG_IPV6_ROUTER_PREF=y
target/linux/layerscape/armv8_32b/config-4.9:647:CONFIG_IPV6_SIT=y
target/linux/cns3xxx/config-4.14:192:CONFIG_IPV6=y
target/linux/cns3xxx/config-4.14:193:CONFIG_IPV6_MROUTE=y
target/linux/cns3xxx/config-4.14:194:CONFIG_IPV6_MULTIPLE_TABLES=y
target/linux/cns3xxx/config-4.14:196:CONFIG_IPV6_SUBTREES=y
target/linux/cns3xxx/config-4.14:259:CONFIG_NF_CONNTRACK_IPV6=m
target/linux/cns3xxx/config-4.14:262:CONFIG_NF_DEFRAG_IPV6=m
target/linux/cns3xxx/config-4.14:265:CONFIG_NF_LOG_IPV6=m
target/linux/cns3xxx/config-4.14:272:CONFIG_NF_REJECT_IPV6=m
target/linux/generic/config-4.14:2049:CONFIG_IPV6_NDISC_NODETYPE=y
target/linux/generic/config-4.9:1915:CONFIG_IPV6_NDISC_NODETYPE=y
target/linux/generic/config-3.18:1609:CONFIG_IPV6_NDISC_NODETYPE=y

                yousong
