mtk-20170518/include/netfilter.mk, branch v17.01.5 MTK 20170518 : Mediatek SDK based on OpenWRT Barrier Breaker iptables: Fix target TRACE issue 2018-01-26T07:32:46+00:00 Martin Wetterwald martin.wetterwald@corp.ovh.com 2017-01-12T14:06:00+00:00 6ea9a702c5b6ff0866ae93241d6b2bdd80ead5e4 The package kmod-ipt-debug builds the module xt_TRACE, which allows users to use '-j TRACE' as target in the chain PREROUTING of the table raw in iptables. The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so that this feature which is implemented deep inside the linux IP stack (for example in sk_buff) is compiled. But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which fails as this dynamic library is not present on the system. I created the package iptables-mod-trace which takes care of that, and target TRACE now works! https://dev.openwrt.org/ticket/16694 https://dev.openwrt.org/ticket/19661 Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com> [Jo-Philipp Wich: also remove trace extension from builtin extension list and depend on kmod-ipt-raw since its required for rules] Signed-off-by: Jo-Philipp Wich <jo@mein.io> Tested-by: Enrico Mioso <mrkiko.rs@gmail.com> 
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
                  and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
netfilter: add iptables-mod-rpfilter package 2017-12-13T15:23:38+00:00 Alin Nastac alin.nastac@gmail.com 2017-06-16T12:16:07+00:00 c86490605c5511e88093d3584dc9a277afcb9d6d Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to become full when a packet flood with randomly selected source IP addresses is received from the lan side. Signed-off-by: Alin Nastac <alin.nastac@gmail.com> (cherry picked from commit d8748e537f11ab5f2b5e2ed25d94baa5ce353984) 
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
(cherry picked from commit d8748e537f11ab5f2b5e2ed25d94baa5ce353984)
kernel: netfilter: split out iptable_raw into a separate package 2016-12-14T11:13:14+00:00 Felix Fietkau nbd@nbd.name 2016-12-13T13:54:55+00:00 970dd4dd58c1f1c1b4cde69a732483aacdc0236a This will avoid loading it in the default configuration, which reduces image size a bit, and (more importantly) improves performance by avoiding some unnecessary netfilter hooks Signed-off-by: Felix Fietkau <nbd@nbd.name> 
This will avoid loading it in the default configuration, which reduces
image size a bit, and (more importantly) improves performance by
avoiding some unnecessary netfilter hooks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
netfilter: drop proprietary xt_id match 2016-12-14T00:05:06+00:00 Jo-Philipp Wich jo@mein.io 2016-12-13T23:36:28+00:00 e2f8d200f598c67534c6292d732f7927b3609473 The xt_id match was used by the firewall3 package to track its own rules but the approach has been changed to use xt_comment instead now, so we can drop this nonstandard extension. Signed-off-by: Jo-Philipp Wich <jo@mein.io> 
The xt_id match was used by the firewall3 package to track its own rules but
the approach has been changed to use xt_comment instead now, so we can drop
this nonstandard extension.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
netfilter: fix file conflicts between kmod-ipt- and kmod-nft- packages 2016-09-30T21:32:05+00:00 Matthias Schiffer mschiffer@universe-factory.net 2016-09-30T21:28:21+00:00 cea09329e50f5766b6b44149aa17e4a681546bbb The nf_reject_* and nf_nat_masquerade_* modules are moved into the corresponding kmod-nf- packages. Appropriate dependencies are added to the kmod-nft- packages. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> 
The nf_reject_* and nf_nat_masquerade_* modules are moved into the
corresponding kmod-nf- packages. Appropriate dependencies are added to the
kmod-nft- packages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
include/netfilter.mk: fix kmod-ipt-tee build with 4.3/4.4 2015-12-13T18:33:11+00:00 Felix Fietkau nbd@openwrt.org 2015-12-13T18:33:11+00:00 c0f4c9e0d82e7b8be4b81eaa9107517a9d9c9702 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47890 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47890
netfilter.mk: fix redirect module locations for 3.19+ 2015-06-22T12:27:25+00:00 Jonas Gorski jogo@openwrt.org 2015-06-22T12:27:25+00:00 e9650d45572e4804077d4a8ed9cc555996349cad ntf_redir_ipvX is part of NAT support, so they should be in the appropriate nft-nat kmods. Since they depend on nf_nat_redirect, nf_nat_redirect should be part of nf-nat, not ipt-nat. Fixes nft-core gaining a missing dependency on nf_nat_redirect.ko. Signed-off-by: Jonas Gorski <jogo@openwrt.org> SVN-Revision: 46109 
ntf_redir_ipvX is part of NAT support, so they should be in the
appropriate nft-nat kmods. Since they depend on nf_nat_redirect,
nf_nat_redirect should be part of nf-nat, not ipt-nat.

Fixes nft-core gaining a missing dependency on nf_nat_redirect.ko.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 46109
netfilter.mk: remove obsolete ip_nat_ftp related line 2015-04-20T13:36:25+00:00 Felix Fietkau nbd@openwrt.org 2015-04-20T13:36:25+00:00 3edc273a332b08773068e0e1c974ad40fe58b9b9 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45516 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45516
netfilter.mk: move IRC conntrack/nat helpers to kmod-nf-nathelper-extra 2015-04-20T13:36:02+00:00 Felix Fietkau nbd@openwrt.org 2015-04-20T13:36:02+00:00 391387eb69424b7cb40f473b8183e20d2d61a1d8 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45515 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45515
kernel: finally remove layer7 filter support 2015-04-13T22:23:14+00:00 Felix Fietkau nbd@openwrt.org 2015-04-13T22:23:14+00:00 d0ba3bb1e24702e472eee2f3a5b7f9e4646b8ff1 it has been non-functional for years and caused numerous memleaks and crashes for people that tried to enable it. it has no maintained upstream source, and it does not look like it's going to be fixed any time soon Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45423 
it has been non-functional for years and caused numerous memleaks and
crashes for people that tried to enable it.
it has no maintained upstream source, and it does not look like it's
going to be fixed any time soon

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45423