| -rw-r--r-- | include/netfilter.mk | 40 | ||||
| -rw-r--r-- | package/kernel/modules/netfilter.mk | 57 | 
2 files changed, 93 insertions, 4 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk index 63ab6dcf5..5a84b3284 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -12,6 +12,7 @@ ifeq ($(NF_KMOD),1)  P_V4:=ipv4/netfilter/  P_V6:=ipv6/netfilter/  P_XT:=netfilter/ +P_EBT:=bridge/netfilter/  endif  define nf_add 
@@ -28,6 +29,41 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, $(P_V4)ip_t  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptable_filter),))  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),)) +# +# ebtables +# + +$(eval $(if $(NF_KMOD),$(call nf_add,EBTABLES,CONFIG_BRIDGE_NF_EBTABLES, $(P_EBT)ebtables),)) + +# ebtables: tables +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_BROUTE, $(P_EBT)ebtable_broute)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_FILTER, $(P_EBT)ebtable_filter)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_NAT, $(P_EBT)ebtable_nat)) + +# ebtables: matches +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_802_3, $(P_EBT)ebt_802_3)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_AMONG, $(P_EBT)ebt_among)) +$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARP, $(P_EBT)ebt_arp)) +$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_IP, $(P_EBT)ebt_ip)) +$(eval $(call nf_add,EBTABLES_IP6,CONFIG_BRIDGE_EBT_IP6, $(P_EBT)ebt_ip6)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_LIMIT, $(P_EBT)ebt_limit)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK, $(P_EBT)ebt_mark_m)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_PKTTYPE, $(P_EBT)ebt_pkttype)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_STP, $(P_EBT)ebt_stp)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_VLAN, $(P_EBT)ebt_vlan)) + +# targets +$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARPREPLY, $(P_EBT)ebt_arpreply)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK_T, $(P_EBT)ebt_mark)) +$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_DNAT, $(P_EBT)ebt_dnat)) +$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_REDIRECT, $(P_EBT)ebt_redirect)) +$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat)) + +# watchers +$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log)) +$(eval $(call 
nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog)) +$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog)) +  # userland only  $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp))) @@ -297,5 +333,9 @@ IPT_BUILTIN += $(IPT_NAT_EXTRA-y)  IPT_BUILTIN += $(IPT_NATHELPER-y)  IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)  IPT_BUILTIN += $(IPT_ULOG-y) +IPT_BUILTIN += $(EBTABLES-y) +IPT_BUILTIN += $(EBTABLES_IP4-y) +IPT_BUILTIN += $(EBTALTES_IP6-y) +IPT_BUILTIN += $(EBTABLES_WATCHERS-y)  endif # __inc_netfilter diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk index 9409a697d..4a99d0f5f 100644 --- a/package/kernel/modules/netfilter.mk +++ b/package/kernel/modules/netfilter.mk 
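Review bot: Only the first ebtables entry (`CONFIG_BRIDGE_NF_EBTABLES`) is wrapped in `$(if $(NF_KMOD),...)`; the table, match, target and watcher entries after it call `nf_add` unconditionally, although `P_EBT` is only assigned inside the `ifeq ($(NF_KMOD),1)` block. When the file is included without `NF_KMOD`, those entries would presumably expand with an empty prefix to bare names such as `ebt_ip`, and the last hunk of this file then feeds the `-y` lists into `IPT_BUILTIN`. If the lists are kernel-only, guard each entry the same way, e.g. `$(eval $(if $(NF_KMOD),$(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_BROUTE, $(P_EBT)ebtable_broute),))`. Otherwise add a comment above the block saying the unguarded form is deliberate. The definition of `nf_add` lies outside this hunk, so its handling of an empty prefix cannot be checked here.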
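Review bot: The third added line misspells the variable: `IPT_BUILTIN += $(EBTALTES_IP6-y)` should be `IPT_BUILTIN += $(EBTABLES_IP6-y)`. An undefined make variable expands to nothing without an error, so the built-in IPv6 ebtables entry (`ebt_ip6`, registered under `EBTABLES_IP6` earlier in this file) is silently left out of `IPT_BUILTIN` while the other three groups are added. Running make with `--warn-undefined-variables` would surface this kind of typo.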
@@ -387,18 +387,67 @@ define KernelPackage/ebtables    SUBMENU:=$(NF_MENU)    TITLE:=Bridge firewalling modules    DEPENDS:=@LINUX_2_6 -  FILES:=$(LINUX_DIR)/net/bridge/netfilter/*.$(LINUX_KMOD_SUFFIX) +  FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))    KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \ -  	CONFIG_BRIDGE_NF_EBTABLES -  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(patsubst %.$(LINUX_KMOD_SUFFIX),%,ebtables.$(LINUX_KMOD_SUFFIX) $(wildcard $(LINUX_DIR)/net/bridge/netfilter/ebtable_*.$(LINUX_KMOD_SUFFIX)) $(wildcard $(LINUX_DIR)/net/bridge/netfilter/ebt_*.$(LINUX_KMOD_SUFFIX))))) +	$(KCONFIG_EBTABLES) +  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES-m)))  endef  define KernelPackage/ebtables/description - Kernel modules for Ethernet Bridge firewalling +  ebtables is a general, extensible frame/packet identification +  framework. It provides you to do Ethernet +  filtering/NAT/brouting on the Ethernet bridge.  endef  $(eval $(call KernelPackage,ebtables)) +define KernelPackage/ebtables-ipv4 +  SUBMENU:=$(NF_MENU) +  TITLE:=ebtables: IPv4 support +  DEPENDS:= kmod-ebtables +  FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) +  KCONFIG:=$(KCONFIG_EBTABLES_IP4) +  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP4-m))) +endef + +define KernelPackage/ebtables-ipv4/description + This option adds the IPv4 support to ebtables, which allows basic + IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets. 
+endef + +$(eval $(call KernelPackage,ebtables-ipv4)) + +define KernelPackage/ebtables-ipv6 +  SUBMENU:=$(NF_MENU) +  TITLE:=ebtables: IPv6 support +  DEPENDS:= kmod-ebtables +  FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) +  KCONFIG:=$(KCONFIG_EBTABLES_IP6) +  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP6-m))) +endef + +define KernelPackage/ebtables-ipv6/description + This option adds the IPv6 support to ebtables, which allows basic + IPv6 header field filtering and target support. +endef + +$(eval $(call KernelPackage,ebtables-ipv6)) + +define KernelPackage/ebtables-watchers +  SUBMENU:=$(NF_MENU) +  TITLE:=ebtables: watchers support +  DEPENDS:= kmod-ebtables +  FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) +  KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS) +  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_WATCHERS-m))) +endef + +define KernelPackage/ebtables-watchers/description + This option adds the log watchers, that you can use in any rule + in any ebtables table. +endef + +$(eval $(call KernelPackage,ebtables-watchers))  define KernelPackage/nfnetlink    SUBMENU:=$(NF_MENU)  | 
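Review bot: `kmod-ebtables` no longer ships everything in `net/bridge/netfilter/`. The old `FILES` glob is replaced by `$(EBTABLES-m)`, so the ARP/IP/IPv6 matches, the SNAT/DNAT/arpreply targets and the log watchers now live only in `kmod-ebtables-ipv4`, `-ipv6` and `-watchers`, and nothing in `KernelPackage/ebtables` pulls those in. An image or upgrade that keeps only `kmod-ebtables` would presumably fail to load bridge-filter rules that use those matches, leaving the bridge with fewer rules than the configuration expects. State the split in the description, e.g. add `IPv4/IPv6 matches and log watchers are packaged separately as kmod-ebtables-ipv4, -ipv6 and -watchers.` Separately, all four packages use `AutoLoad,49`, so it is worth confirming that the core `ebtables` module is loaded before the sub-package modules that depend on it.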
