From 204259356e7d421b359d3a7c67ec662a5eaecf76 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 12 Apr 2022 13:38:23 +0200 Subject: [PATCH] netfilter: move nf-log modules into separate packages Both legacy iptables and nftables require nf-log modules for rule logging, so move them into a separate package both firewall implementations can depend on. Signed-off-by: Jo-Philipp Wich (cherry picked from commit bea01fa57f5c9c333138bbbc5c9f83b9d7553fb5) --- include/netfilter.mk | 9 ++++--- package/kernel/linux/modules/netfilter.mk | 29 ++++++++++++++++++++--- 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 2ef8f83e4c..20a5a52313 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -48,8 +48,6 @@ $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_COMMENT, $(P_XT)xt_comme $(eval $(call nf_add,IPT_CLUSTER,CONFIG_NETFILTER_XT_MATCH_CLUSTER, $(P_XT)xt_cluster)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG)) -$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)nf_log_common)) -$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_V4)nf_log_ipv4)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS)) $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time)) @@ -156,7 +154,6 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK,CONFIG_NF_DEFRAG_IPV6, $(P_V6) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_FILTER, $(P_V6)ip6table_filter),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MANGLE, $(P_V6)ip6table_mangle),)) -$(eval $(if $(NF_KMOD),$(call nf_add,IPT_IPV6,CONFIG_NF_LOG_IPV6, $(P_V6)nf_log_ipv6),)) $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPV6,CONFIG_IP6_NF_IPTABLES, ip6t_icmp6))) @@ -172,6 +169,12 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_OPTS, $(P_V6)ip6t_hbh)) $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_FRAG, $(P_V6)ip6t_frag)) $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt)) +# log + +$(eval $(call nf_add,NF_LOG,CONFIG_NF_LOG_COMMON, $(P_XT)nf_log_common)) +$(eval $(call nf_add,NF_LOG,CONFIG_NF_LOG_IPV4, $(P_V4)nf_log_ipv4)) +$(eval $(if $(NF_KMOD),$(call nf_add,NF_LOG6,CONFIG_NF_LOG_IPV6, $(P_V6)nf_log_ipv6),)) + # nat # kernel only diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk index 1707bf2d9f..1ebe40947a 100644 --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -57,7 +57,7 @@ define KernelPackage/nf-ipt6 KCONFIG:=$(KCONFIG_NF_IPT6) FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m))) - DEPENDS:=+kmod-nf-ipt + DEPENDS:=+kmod-nf-ipt +kmod-nf-log6 endef $(eval $(call KernelPackage,nf-ipt6)) @@ -70,7 +70,7 @@ define KernelPackage/ipt-core KCONFIG:=$(KCONFIG_IPT_CORE) FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m))) - DEPENDS:=+kmod-nf-reject +kmod-nf-ipt + DEPENDS:=+kmod-nf-reject +kmod-nf-ipt +kmod-nf-log endef define KernelPackage/ipt-core/description @@ -121,6 +121,29 @@ endef $(eval $(call KernelPackage,nf-conntrack6)) +define KernelPackage/nf-log + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter Logging + KCONFIG:=$(KCONFIG_NF_LOG) + FILES:=$(foreach mod,$(NF_LOG-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_LOG-m))) +endef + +$(eval $(call KernelPackage,nf-log)) + + +define KernelPackage/nf-log6 + SUBMENU:=$(NF_MENU) + TITLE:=Netfilter IPV6 Logging + KCONFIG:=$(KCONFIG_NF_LOG6) + DEPENDS:=@IPV6 +kmod-nf-log + FILES:=$(foreach mod,$(NF_LOG6-m),$(LINUX_DIR)/net/$(mod).ko) + AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_LOG6-m))) +endef + +$(eval $(call KernelPackage,nf-log6)) + + define KernelPackage/nf-nat SUBMENU:=$(NF_MENU) TITLE:=Netfilter NAT @@ -1089,7 +1112,7 @@ $(eval $(call KernelPackage,ipt-rpfilter)) define KernelPackage/nft-core SUBMENU:=$(NF_MENU) TITLE:=Netfilter nf_tables support - DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +IPV6:kmod-nf-reject6 +IPV6:kmod-nf-conntrack6 +kmod-nf-nat +kmod-lib-crc32c + DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +IPV6:kmod-nf-reject6 +IPV6:kmod-nf-conntrack6 +kmod-nf-nat +kmod-nf-log +IPV6:kmod-nf-log6 +kmod-lib-crc32c FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m))) KCONFIG:= \ -- 2.30.2