Commit Graph

79 Commits (b968a100483fbe18783e7152589854c72bbe6923)

Author SHA1 Message Date
Felix Fietkau f1d090bdc0 netfilter.mk: remove a few obsolete CompareKernelPatchVer calls
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27086 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-01 18:08:12 +00:00
Jo-Philipp Wich 55283cbc90 [netfilter] package u32 match and TEE target, patches by Maxim Uvarov
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26977 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-05-24 08:14:29 +00:00
Jo-Philipp Wich b457e4cfc9 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26617 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-12 20:03:59 +00:00
Hauke Mehrtens 37398c1ebe ipt-debug: create bundle of netfilter modules for debugging
Add a bundle for including commonly useful modules for IPtables debugging and development.

For now, it just contains xt_TRACE.ko

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26567 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-09 23:23:46 +00:00
Florian Fainelli 632b914bba [package] add kmod-ipt-led
Netfilter LED target triggers blinkenlichten when a network packet hits
a rule.

LED target requires iptables 1.4.9 or higher

Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26451 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-03 18:30:37 +00:00
Felix Fietkau b7f394ff41 netfilter.mk: put ipv6 conntrack in the right package
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25750 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-02-27 11:22:30 +00:00
Felix Fietkau 99a3d0399e netfilter: add missing modules for v6 conntrack (patch from #8940)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25731 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-02-26 15:50:01 +00:00
Felix Fietkau d2c91f7f90 move nf_{conntrack,nat}_tftp to ipt-nathelper-extra, most people don't need this
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25722 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-02-26 00:35:22 +00:00
Felix Fietkau d41be9f54b kernel: remove imq support, refresh patches
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25641 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-02-21 02:06:51 +00:00
Jo-Philipp Wich e71b93670e [include] netfilter.mk: fix connmark packaging for Kernels >= 2.6.35, thanks Daniel Gimpelevich
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@24729 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-12-19 16:47:30 +00:00
Jo-Philipp Wich 94d6c4e9ca [include] netfilter: workaround a userspace/kernel mismatch on Linux 2.6.35 and later
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23521 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-18 20:39:07 +00:00
Alexandros C. Couloumbis 4ecd145ce0 finalize r22241 fixes
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22242 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-17 08:50:19 +00:00
Jo-Philipp Wich 881cdcaf36 [netfilter] package TPROXY target and module infrastructure
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21883 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-06-22 22:39:22 +00:00
Alexandros C. Couloumbis 15bd904bc2 include/netfilter.mk fix typo on r21795
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21796 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-06-14 14:51:51 +00:00
Alexandros C. Couloumbis 8c377e08fc include/netfilter.mk: add 2.6.35 kernel support
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21795 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-06-14 14:44:27 +00:00
Nicolas Thill fbb04a3462 netfilter: extension fixes (partially closes: #7045)
* add missing xt_owner (2.6)
* enable ipt_quota (2.4), disabled in [8499] is building fine with recent iptables
* add missing ipt_nat_tftp (2.4)
* add missing nf_nat_amanda (2.6)


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@20693 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-04-04 12:35:06 +00:00
Nicolas Thill b163b3fcbc [cosmetic] include/netfilter.mk: move ebtables definitions at the end
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@20690 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-04-04 03:43:13 +00:00
Jo-Philipp Wich b3439cb770 [netfilter] properly package xt_comment.ko (#6742)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19861 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-02-26 00:23:39 +00:00
Jo-Philipp Wich 7fc4138b4d [generic-2.4] netfilter: add support for raw table and NOTRACK target (#5504)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19721 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-02-19 01:36:47 +00:00
Jo-Philipp Wich fd7b3cd30d [package] iptables: add comment match to the core package
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18706 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-08 20:52:58 +00:00
Nicolas Thill a8542007a6 [kernel] netfilter: remove IPset leftovers missed from [17844]
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18032 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-10-11 14:08:31 +00:00
Hauke Mehrtens e23971a4cf [ipset] Update ipset to version 3.2
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@17764 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-09-27 15:03:41 +00:00
Florian Fainelli 1c310fffc4 [package] split ebtables packages and modules into ebtables ipv4/6 and watchers (#5001)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16980 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-07-25 19:47:48 +00:00
Florian Fainelli 3fade8b75b [package] fix ip6tables installation against ip6t_HL which has been merged in xt_HL since 2.6.29 (#5568)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16964 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-07-24 11:52:30 +00:00
Felix Fietkau 01835c1b09 netfilter: move iptable_raw, xt_NOTRACK from conntrack-extra to conntrack
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15854 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-05-14 21:46:33 +00:00
Hauke Mehrtens 76ea3a9194 [netfilter] ipt_TTL and ipt_ttl moved and were renamed in kernel 2.6.30
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15851 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-05-14 19:01:38 +00:00
Jo-Philipp Wich baa285c07c [include] adapt netfilter.mk to updated imq
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15656 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-05-07 03:16:36 +00:00
Felix Fietkau 5bdd866100 get rid of $Id$ - it has never helped us and it has broken too many patches ;)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15242 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-04-17 14:09:46 +00:00
Felix Fietkau c1760010a5 move iptable_raw to the conntrack-extra package
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15175 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-04-09 19:42:52 +00:00
Nicolas Thill 9e612ac3d5 [kernel] accommodate netfilter module (xt_recent) name change in 2.6.28, add missing kconfig when xt_recent is enabled
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15123 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-04-06 19:00:20 +00:00
Felix Fietkau e24e542063 remove support for ipp2p - it's unmaintained, broken, overmatching and undermatching => not that useful for QoS
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14596 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-02-21 16:30:44 +00:00
Gabor Juhos ecf9b8d37d [kernel] netfilter: remove CHAOS, TARPIT and DELUDE references
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14461 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-02-09 13:27:39 +00:00
Imre Kaloz 0ecdf5bae7 defrag needs to be loaded before conntrack_ipv4
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13585 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-12-10 18:44:46 +00:00
Imre Kaloz f95dbee83f fix conntrack on 2.6.28
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13582 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-12-10 16:00:04 +00:00
Nicolas Thill af6c34ae44 make the whole iptables/netfilter modular (closes: #3871, #3527)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12649 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-22 15:19:59 +00:00
Florian Fainelli 02b5de5e81 Package ip6t_limit and ip6t_frag for 2.4 kernels (#3760)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12276 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-11 06:38:48 +00:00
Nicolas Thill 076b3f4b98 cosmetic change: rename IPT_NAT_DEFAULT & IPT_NAT_EXTRA to IPT_NATHELPER & IPT_NATHELPER_EXTRA respectively, to better match package names
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@11073 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-05-08 11:32:46 +00:00
Gabor Juhos 9fe27ff705 [package] kmod-ipt-iprange: fix build error on .25
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@10992 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-04-30 15:42:10 +00:00
Gabor Juhos fd3378f1e1 update iptables to 1.4.0 (2.6 kernels only), refresh kernel patches
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@10843 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-04-15 06:11:23 +00:00
Florian Fainelli 2b186b56e3 layer7 filtering module is now xt_layer7 (#3268)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@10674 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-03-27 18:24:13 +00:00
Gabor Juhos 9c08fe97f0 [kernel] netfilter/ipset cleanups
* rename patches to follow our naming conventions
* update ipset patches with revision 7096 of [https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng pom]
* add CONFIG_IP_NF_SET_IPTREEMAP to default kernel configs
* add ip_set_iptreemap to include/netfilter.mk
* update kmod-ipt-ipset module description

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@9269 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-10-12 14:58:35 +00:00
Gabor Juhos 6958bdb20a add TARPIT support to netfilter/iptables
* netfilter: add the xt_TARPIT target module required by xt_CHAOS
* include/netfilter.mk: reorder, xt_CHAOS depends on xt_TARPIT and xt_DELUDE
* iptables: add libipt_TARPIT to the kmod-ipt-extra package, bump release number
* original patchset can be found [http://tinyurl.com/2mjk2kx here]

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@9178 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-10-07 17:17:04 +00:00
Nicolas Thill 34e8faefa1 add ipv6 conntrack support (closes: #2192)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8984 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-23 17:22:17 +00:00
Nicolas Thill effa8fa4fd add missing 2.6 conntrack/nat helpers, add 2.6 conntrack/nat helper for RTSP (closes: #2297, thanks to aorlinsk), sync 2.4 / 2.6 kconfigs.
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8955 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-22 18:37:24 +00:00
Nicolas Thill 1458e2b378 cosmetic cleanup before more deep changes
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8870 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-20 10:48:54 +00:00
Nicolas Thill 96e0e6c808 fix typo again (do i need some sleep?)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8822 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-17 01:51:57 +00:00
Nicolas Thill 0edda384bb oops, fix typo
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8816 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-16 22:41:24 +00:00
Nicolas Thill f8c8d4dc57 revert CONFIG_* symbols set m enforcement introduced in [8591], it can't work when symbols from different kernel versions are mixed in KCONFIG
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8798 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-16 16:10:37 +00:00
Nicolas Thill 7437b1ce7d prevent include/netfilter.mk from being included multiple times
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8781 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-15 16:19:26 +00:00
Florian Fainelli 14a051f2ed Package the statistics module for netfilter
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@8716 3c298f89-4303-0410-b956-a3cf2f4a3e73
2007-09-09 18:32:06 +00:00