iptables: Support building connlabel module

It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
openwrt-18.06
Kristian Evensen 2018-01-22 18:52:28 +01:00 committed by John Crispin
parent f226e652f6
commit 2d27ebbb93
3 changed files with 34 additions and 0 deletions

View File

@ -86,6 +86,10 @@ $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_RECENT, $(P_X
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_CONNMARK))) $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_CONNMARK)))
#conntrack-label
$(eval $(call nf_add,IPT_CONNTRACK_LABEL,CONFIG_NETFILTER_XT_MATCH_CONNLABEL, $(P_XT)xt_connlabel))
# extra # extra
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype))) $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))

View File

@ -187,6 +187,21 @@ endef
$(eval $(call KernelPackage,ipt-conntrack-extra)) $(eval $(call KernelPackage,ipt-conntrack-extra))
define KernelPackage/ipt-conntrack-label
TITLE:=Module for handling connection tracking labels
KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL)
FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m)))
$(call AddDepends/ipt,+kmod-ipt-conntrack)
endef
define KernelPackage/ipt-conntrack-label/description
Netfilter (IPv4) module for handling connection tracking labels
Includes:
- connlabel
endef
$(eval $(call KernelPackage,ipt-conntrack-label))
define KernelPackage/ipt-filter define KernelPackage/ipt-filter
TITLE:=Modules for packet content inspection TITLE:=Modules for packet content inspection

View File

@ -124,6 +124,20 @@ Extra iptables extensions for connection tracking.
endef endef
define Package/iptables-mod-conntrack-label
$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
TITLE:=Connection tracking labeling extension
DEFAULT:=y if IPTABLES_CONNLABEL
endef
define Package/iptables-mod-conntrack-label/description
Match and set label(s) on connection tracking entries
Matches:
- connlabel
endef
define Package/iptables-mod-filter define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter) $(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=Content inspection extensions TITLE:=Content inspection extensions
@ -592,6 +606,7 @@ endef
$(eval $(call BuildPackage,iptables)) $(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m))) $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))