Hi all,

To use the Netfilter NFLOG and NFQUEUE targets, the xt_NFLOG and
xt_NFQUEUE kernel modules and the matching iptables libraries are
needed. I added the modules to the corresponding Netfilter kernel
packages and created new iptables module packages for the libraries.

This patch also adds support for connection tracking events for module
nf_ct_netlink.

Changeset 15335 removes packages libnetfilter-conntrack,
libnetfilter-log and libnetfilter-queue from 8.09 because the kernel
modules do not exist in 8.09. Please consider reverting this change. I
have been using these packages already before the kernel packages were
added.

Cheers,

Fabian


[PATCH] Extend Netfilter Netlink packages

- Add kernel modules for NFLOG and NFQUEUE targets
- Add packages for iptables NFLOG and NFQUEUE libraries
- Enable connection tracking events for ctnetlink
- Increase priority for the Netlink modules to 49 (nfnetlink is loaded
at 48).
- Update Copyright

Signed-off-by: hugelshofer2...@gmx.ch

Index: include/netfilter.mk
===================================================================
--- include/netfilter.mk        (revision 15354)
+++ include/netfilter.mk        (working copy)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -275,6 +275,18 @@
 $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
 
 
+#nfnetfilter log
+
+$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, 
$(P_XT)nfnetlink_log))
+$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, 
$(P_XT)xt_NFLOG))
+
+
+# nfnetfilter queue
+
+$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, 
$(P_XT)nfnetlink_queue))
+$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, 
$(P_XT)xt_NFQUEUE))
+
+
 # userland only
 IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m)
 IPT_BUILTIN += $(IPT_CONNTRACK-y)
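Review bot: The two section comments added here say `nfnetfilter`, which matches neither the variable names nor the modules; `# nfnetlink log` and `# nfnetlink queue`, with the same spacing after `#` in both, would name what the block registers. Each of the four `nf_add` lines is also split in two as posted, and the continuation carries no `+` marker, so the hunk probably needs its lines re-joined (likely mail line wrapping) before it applies. `NFNETLINK_LOG` and `NFNETLINK_QUEUE` each mix a kernel-only module (`nfnetlink_log`, `nfnetlink_queue`) with an xt target, and the same lists are later used by both the kernel packages and the iptables `BuildPlugin` calls; a one-line comment stating that dual use would help the next reader.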
@@ -292,5 +304,7 @@
 IPT_BUILTIN += $(IPT_NATHELPER-y)
 IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
 IPT_BUILTIN += $(IPT_ULOG-y)
+IPT_BUILTIN += $(NFNETLINK_LOG-y)
+IPT_BUILTIN += $(NFNETLINK_QUEUE-y)
 
 endif # __inc_netfilter
Index: package/iptables/Makefile
===================================================================
--- package/iptables/Makefile   (revision 15354)
+++ package/iptables/Makefile   (working copy)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -217,6 +217,28 @@
   TITLE:=IPset extension
 endef
 
+define Package/iptables-mod-nflog
+$(call Package/iptables/Module, +kmod-nfnetlink-log)
+  TITLE:=NFLOG Target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extensions for user-space packet logging via NFNETLINK.
+ Includes:
+ - libxt_NFLOG
+endef
+
+define Package/iptables-mod-nfqueue
+$(call Package/iptables/Module, +kmod-nfnetlink-queue)
+  TITLE:=NFQUEUE Target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extensions for user-space packet queueing via NFNETLINK.
+ Includes:
+ - libxt_NFQUEUE
+endef
+
 define Package/iptables-utils
 $(call Package/iptables/Module, )
   TITLE:=iptables save and restore utilities
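Review bot: The first description block added in this hunk is declared as `define Package/iptables-mod-nfqueue/description`, although its text and its `libxt_NFLOG` entry describe the NFLOG package; it should read `define Package/iptables-mod-nflog/description`. As written, `iptables-mod-nflog` gets no description, and the NFLOG text is superseded by the later definition of the same `iptables-mod-nfqueue/description` name. The `Package/iptables-utils` definition at the end of the hunk continues past it and is not affected.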
@@ -339,5 +361,7 @@
 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(NFNETLINK_LOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(NFNETLINK_QUEUE-m)))
 $(eval $(call BuildPackage,ip6tables))
 $(eval $(call BuildPackage,ip6tables-utils))
Index: package/kernel/modules/netfilter.mk
===================================================================
--- package/kernel/modules/netfilter.mk (revision 15354)
+++ package/kernel/modules/netfilter.mk (working copy)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -417,13 +417,16 @@
   SUBMENU:=$(NF_MENU)
   TITLE:=Netfilter LOG over NFNETLINK interface
   DEPENDS:=...@linux_2_6 +kmod-nfnetlink
-  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.$(LINUX_KMOD_SUFFIX)
-  KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
-  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log)
+  KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
+  FILES:=$(foreach 
mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
+  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(NFNETLINK_LOG-m)))
 endef
 
 define KernelPackage/nfnetlink-log/description
  Kernel modules support for logging packets via NFNETLINK
+ Includes:
+ - nfnetlink_log
+ - xt_NFLOG
 endef
 
 $(eval $(call KernelPackage,nfnetlink-log))
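Review bot: `AUTOLOAD` now takes its module list from `$(notdir $(NFNETLINK_LOG-m))`, so the load order at priority 49 depends on the order of the `nf_add` calls in include/netfilter.mk. If `xt_NFLOG` needs `nfnetlink_log` loaded first (likely, but not shown here), that coupling deserves a comment next to the package definition, e.g. `# load order follows the nf_add calls in include/netfilter.mk: nfnetlink_log before xt_NFLOG`. `FILES` likewise moves from a fixed `net/netfilter/` path to `net/$(mod)`, which resolves only if every list entry carries its directory prefix. The same two points apply to the `nfnetlink-queue` hunk that follows. The `define` header for this package lies above the hunk.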
@@ -433,13 +436,16 @@
   SUBMENU:=$(NF_MENU)
   TITLE:=Netfilter QUEUE over NFNETLINK interface
   DEPENDS:=...@linux_2_6 +kmod-nfnetlink
-  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.$(LINUX_KMOD_SUFFIX)
-  KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
-  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue)
+  KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
+  FILES:=$(foreach 
mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
+  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(NFNETLINK_QUEUE-m)))
 endef
 
 define KernelPackage/nfnetlink-queue/description
  Kernel modules support for queueing packets via NFNETLINK
+ Includes:
+ - nfnetlink_queue
+ - xt_NFQUEUE
 endef
 
 $(eval $(call KernelPackage,nfnetlink-queue))
@@ -450,7 +456,8 @@
   TITLE:=Connection tracking netlink interface
   DEPENDS:=...@linux_2_6 +kmod-nfnetlink +kmod-ipt-conntrack
   FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.$(LINUX_KMOD_SUFFIX)
-  KCONFIG:=CONFIG_NF_CT_NETLINK
+  KCONFIG:=CONFIG_NF_CT_NETLINK \
+       CONFIG_NF_CONNTRACK_EVENTS=y
   AUTOLOAD:=$(call AutoLoad,49,nf_conntrack_netlink)
 endef
 
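Review bot: `CONFIG_NF_CONNTRACK_EVENTS=y` is a built-in switch rather than a module shipped by this package, so listing it under `KCONFIG` here presumably changes how the conntrack core is built whenever this package is selected. A short comment above the definition would record the intent, e.g. `# ctnetlink event reporting; compiled into conntrack, not a separate module`. It is worth confirming that the conntrack modules from `kmod-ipt-conntrack` remain compatible between builds with and without this package selected. The `define` these lines belong to starts above the hunk.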

