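#
# Copyright (C) 2006-2010 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

# Netfilter kernel-module packages.
#
# Every package below follows the same shape:
#   define KernelPackage/<name>               - metadata (TITLE, KCONFIG, FILES, AUTOLOAD, DEPENDS)
#   define KernelPackage/<name>/description   - free-form help text
#   $(eval $(call KernelPackage,<name>))      - registers the package
#
# The KernelPackage and AutoLoad macros are defined outside this file, as are
# the IPT_*-m, EBTABLES*-m and KCONFIG_* lists (presumably in the netfilter.mk
# included below -- confirm there). The first AutoLoad argument (40, 41, ...)
# is presumably the load-order priority -- confirm against its definition.
#
# Review checklist for a new entry: every module named in AUTOLOAD should also
# be shipped through FILES, and every ipt-* package should pull in
# kmod-ipt-core through AddDepends/ipt. A firewall rule that references a
# match or target whose module was never loaded may fail to install.

NF_MENU:=Netfilter Extensions
NF_KMOD:=1
include $(INCLUDE_DIR)/netfilter.mk

define KernelPackage/ipt-core
  SUBMENU:=$(NF_MENU)
  TITLE:=Netfilter core
  KCONFIG:= \
    CONFIG_NETFILTER=y \
    CONFIG_NETFILTER_ADVANCED=y \
    $(KCONFIG_IPT_CORE)
  FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_CORE-m)))
endef

define KernelPackage/ipt-core/description
  Netfilter core kernel modules
  Includes:
  - comment
  - limit
  - LOG
  - mac
  - multiport
  - REJECT
  - TCPMSS
endef

$(eval $(call KernelPackage,ipt-core))


# Shared tail for the ipt-* packages: files the package under the Netfilter
# submenu and appends kmod-ipt-core plus any extra dependencies passed in $(1).
define AddDepends/ipt
  SUBMENU:=$(NF_MENU)
  DEPENDS+= kmod-ipt-core $(1)
endef


define KernelPackage/ipt-conntrack
  TITLE:=Basic connection tracking modules
  KCONFIG:=$(KCONFIG_IPT_CONNTRACK)
  FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,41,$(notdir $(IPT_CONNTRACK-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-conntrack/description
  Netfilter (IPv4) kernel modules for connection tracking
  Includes:
  - conntrack
  - defrag
  - iptables_raw
  - NOTRACK
  - state
endef

$(eval $(call KernelPackage,ipt-conntrack))


define KernelPackage/ipt-conntrack-extra
  TITLE:=Extra connection tracking modules
  KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
  FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-conntrack)
endef

define KernelPackage/ipt-conntrack-extra/description
  Netfilter (IPv4) extra kernel modules for connection tracking
  Includes:
  - connbytes
  - connmark/CONNMARK
  - conntrack
  - helper
  - recent
endef

$(eval $(call KernelPackage,ipt-conntrack-extra))


define KernelPackage/ipt-filter
  TITLE:=Modules for packet content inspection
  KCONFIG:=$(KCONFIG_IPT_FILTER)
  FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_FILTER-m)))
  $(call AddDepends/ipt,+kmod-lib-textsearch)
endef

define KernelPackage/ipt-filter/description
  Netfilter (IPv4) kernel modules for packet content inspection
  Includes:
  - layer7
  - string
endef

$(eval $(call KernelPackage,ipt-filter))


define KernelPackage/ipt-ipopt
  TITLE:=Modules for matching/changing IP packet options
  KCONFIG:=$(KCONFIG_IPT_IPOPT)
  FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPOPT-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-ipopt/description
  Netfilter (IPv4) modules for matching/changing IP packet options
  Includes:
  - CLASSIFY
  - dscp/DSCP
  - ecn/ECN
  - hl/HL
  - length
  - mark/MARK
  - statistic
  - tcpmss
  - time
  - ttl/TTL
  - unclean
endef

$(eval $(call KernelPackage,ipt-ipopt))


define KernelPackage/ipt-ipsec
  TITLE:=Modules for matching IPSec packets
  KCONFIG:=$(KCONFIG_IPT_IPSEC)
  FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPSEC-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-ipsec/description
  Netfilter (IPv4) modules for matching IPSec packets
  Includes:
  - ah
  - esp
  - policy
endef

$(eval $(call KernelPackage,ipt-ipsec))


define KernelPackage/ipt-nat
  TITLE:=Basic NAT targets
  KCONFIG:=$(KCONFIG_IPT_NAT)
  FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_NAT-m)))
  $(call AddDepends/ipt,+kmod-ipt-conntrack)
endef

define KernelPackage/ipt-nat/description
  Netfilter (IPv4) kernel modules for basic NAT targets
  Includes:
  - MASQUERADE
endef

$(eval $(call KernelPackage,ipt-nat))


define KernelPackage/ipt-nat-extra
  TITLE:=Extra NAT targets
  KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA)
  FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat)
endef

define KernelPackage/ipt-nat-extra/description
  Netfilter (IPv4) kernel modules for extra NAT targets
  Includes:
  - NETMAP
  - REDIRECT
endef

$(eval $(call KernelPackage,ipt-nat-extra))


define KernelPackage/ipt-nathelper
  TITLE:=Basic Conntrack and NAT helpers
  KCONFIG:=$(KCONFIG_IPT_NATHELPER)
  FILES:=$(foreach mod,$(IPT_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat)
endef

define KernelPackage/ipt-nathelper/description
  Default Netfilter (IPv4) Conntrack and NAT helpers
  Includes:
  - ftp
  - irc
  - tftp
endef

$(eval $(call KernelPackage,ipt-nathelper))


define KernelPackage/ipt-nathelper-extra
  TITLE:=Extra Conntrack and NAT helpers
  KCONFIG:=$(KCONFIG_IPT_NATHELPER_EXTRA)
  FILES:=$(foreach mod,$(IPT_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_NATHELPER_EXTRA-m)))
  $(call AddDepends/ipt,+kmod-ipt-nat +kmod-lib-textsearch)
endef

define KernelPackage/ipt-nathelper-extra/description
  Extra Netfilter (IPv4) Conntrack and NAT helpers
  Includes:
  - amanda
  - h323
  - mms
  - pptp
  - proto_gre
  - sip
  - snmp_basic
  - broadcast
endef

$(eval $(call KernelPackage,ipt-nathelper-extra))


define KernelPackage/ipt-queue
  TITLE:=Module for user-space packet queueing
  KCONFIG:=$(KCONFIG_IPT_QUEUE)
  FILES:=$(foreach mod,$(IPT_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_QUEUE-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-queue/description
  Netfilter (IPv4) module for user-space packet queueing
  Includes:
  - QUEUE
endef

$(eval $(call KernelPackage,ipt-queue))


define KernelPackage/ipt-ulog
  TITLE:=Module for user-space packet logging
  KCONFIG:=$(KCONFIG_IPT_ULOG)
  FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_ULOG-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-ulog/description
  Netfilter (IPv4) module for user-space packet logging
  Includes:
  - ULOG
endef

$(eval $(call KernelPackage,ipt-ulog))


# The only package in this file that sets DEFAULT:=n explicitly.
define KernelPackage/ipt-debug
  TITLE:=Module for debugging/development
  KCONFIG:=$(KCONFIG_IPT_DEBUG)
  DEFAULT:=n
  FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_DEBUG-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-debug/description
  Netfilter modules for debugging/development of the firewall
  Includes:
  - TRACE
endef

$(eval $(call KernelPackage,ipt-debug))


define KernelPackage/ipt-led
  TITLE:=Module to trigger a LED with a Netfilter rule
  KCONFIG:=$(KCONFIG_IPT_LED)
  FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,61,$(notdir $(IPT_LED-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-led/description
  Netfilter target to trigger a LED when a network packet is matched.
endef

$(eval $(call KernelPackage,ipt-led))

# nf_tproxy_core is named explicitly in both FILES and AUTOLOAD, ahead of the
# IPT_TPROXY-m list, so the two stay in step.
define KernelPackage/ipt-tproxy
  TITLE:=Transparent proxying support
  DEPENDS+=+IPV6:kmod-ipv6
  KCONFIG:= \
    CONFIG_NETFILTER_TPROXY \
    CONFIG_NETFILTER_XT_MATCH_SOCKET \
    CONFIG_NETFILTER_XT_TARGET_TPROXY
  FILES:= \
    $(LINUX_DIR)/net/netfilter/nf_tproxy_core.ko \
    $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,50,$(notdir nf_tproxy_core $(IPT_TPROXY-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-tproxy/description
  Kernel modules for Transparent Proxying
endef

$(eval $(call KernelPackage,ipt-tproxy))

# AUTOLOAD now names xt_TEE, the module FILES actually ships. It previously
# named nf_tee, which is not among the files this package installs.
# NOTE(review): assumes IPT_TEE-m does not itself list xt_TEE (FILES already
# makes the same assumption) -- confirm in netfilter.mk.
define KernelPackage/ipt-tee
  TITLE:=TEE support
  KCONFIG:= \
    CONFIG_NETFILTER_XT_TARGET_TEE
  FILES:= \
    $(LINUX_DIR)/net/netfilter/xt_TEE.ko \
    $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir xt_TEE $(IPT_TEE-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-tee/description
  Kernel modules for TEE
endef

$(eval $(call KernelPackage,ipt-tee))


# AUTOLOAD now names xt_u32, the module FILES actually ships. The previous
# entry, nf_tee, matched the stale name in the ipt-tee block and is unrelated
# to the u32 match.
# NOTE(review): assumes IPT_U32-m does not itself list xt_u32 -- confirm in
# netfilter.mk.
define KernelPackage/ipt-u32
  TITLE:=U32 support
  KCONFIG:= \
    CONFIG_NETFILTER_XT_MATCH_U32
  FILES:= \
    $(LINUX_DIR)/net/netfilter/xt_u32.ko \
    $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir xt_u32 $(IPT_U32-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-u32/description
  Kernel modules for U32
endef

$(eval $(call KernelPackage,ipt-u32))

define KernelPackage/ipt-mark2prio
  TITLE:=mark2prio support
  KCONFIG:= CONFIG_NETFILTER_XT_TARGET_MARK2PRIO
  FILES:= $(LINUX_DIR)/net/netfilter/xt_mark2prio.ko
  AUTOLOAD:=$(call AutoLoad,50,xt_mark2prio)
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-mark2prio/description
  Kernel modules for copying mark to priority
endef

$(eval $(call KernelPackage,ipt-mark2prio))

define KernelPackage/ipt-iprange
  TITLE:=Module for matching ip ranges
  KCONFIG:=$(KCONFIG_IPT_IPRANGE)
  FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_IPRANGE-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-iprange/description
  Netfilter (IPv4) module for matching ip ranges
  Includes:
  - iprange
endef

$(eval $(call KernelPackage,ipt-iprange))


define KernelPackage/ipt-extra
  TITLE:=Extra modules
  KCONFIG:=$(KCONFIG_IPT_EXTRA)
  FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_EXTRA-m)))
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-extra/description
  Other Netfilter (IPv4) kernel modules
  Includes:
  - owner
  - physdev (if bridge support was enabled in kernel)
  - pkttype
  - quota
endef

$(eval $(call KernelPackage,ipt-extra))


define KernelPackage/ip6tables
  SUBMENU:=$(NF_MENU)
  TITLE:=IPv6 modules
  DEPENDS:=+kmod-ipv6
  KCONFIG:=$(KCONFIG_IPT_IPV6)
  FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPT_IPV6-m)))
endef

define KernelPackage/ip6tables/description
  Netfilter IPv6 firewalling support
endef

$(eval $(call KernelPackage,ip6tables))


# NOTE(review): AUTOLOAD is derived from $(wildcard ...) over the kernel build
# tree, and wildcard returns nothing when no file matches. If this makefile is
# expanded before the arp*.ko modules exist, the autoload list would be empty
# -- confirm when the package definition is evaluated relative to the kernel
# build.
define KernelPackage/arptables
  SUBMENU:=$(NF_MENU)
  TITLE:=ARP firewalling modules
  FILES:=$(LINUX_DIR)/net/ipv4/netfilter/arp*.ko
  KCONFIG:=CONFIG_IP_NF_ARPTABLES \
    CONFIG_IP_NF_ARPFILTER \
    CONFIG_IP_NF_ARP_MANGLE
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(patsubst %.ko,%,$(wildcard $(LINUX_DIR)/net/ipv4/netfilter/arp*.ko))))
endef

define KernelPackage/arptables/description
  Kernel modules for ARP firewalling
endef

$(eval $(call KernelPackage,arptables))


define KernelPackage/ebtables
  SUBMENU:=$(NF_MENU)
  TITLE:=Bridge firewalling modules
  FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \
    $(KCONFIG_EBTABLES)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES-m)))
endef

define KernelPackage/ebtables/description
  ebtables is a general, extensible frame/packet identification
  framework. It provides you to do Ethernet
  filtering/NAT/brouting on the Ethernet bridge.
endef

$(eval $(call KernelPackage,ebtables))


# Shared tail for the ebtables-* packages: Netfilter submenu plus kmod-ebtables
# and any extra dependencies passed in $(1).
define AddDepends/ebtables
  SUBMENU:=$(NF_MENU)
  DEPENDS+=kmod-ebtables $(1)
endef


define KernelPackage/ebtables-ipv4
  TITLE:=ebtables: IPv4 support
  FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_IP4)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP4-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-ipv4/description
  This option adds the IPv4 support to ebtables, which allows basic
  IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
endef

$(eval $(call KernelPackage,ebtables-ipv4))


define KernelPackage/ebtables-ipv6
  TITLE:=ebtables: IPv6 support
  FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_IP6)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_IP6-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-ipv6/description
  This option adds the IPv6 support to ebtables, which allows basic
  IPv6 header field filtering and target support.
endef

$(eval $(call KernelPackage,ebtables-ipv6))


define KernelPackage/ebtables-watchers
  TITLE:=ebtables: watchers support
  FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS)
  AUTOLOAD:=$(call AutoLoad,49,$(notdir $(EBTABLES_WATCHERS-m)))
  $(call AddDepends/ebtables)
endef

define KernelPackage/ebtables-watchers/description
  This option adds the log watchers, that you can use in any rule
  in any ebtables table.
endef

$(eval $(call KernelPackage,ebtables-watchers))


define KernelPackage/nfnetlink
  SUBMENU:=$(NF_MENU)
  TITLE:=Netlink-based userspace interface
  DEPENDS:=+kmod-ipt-core
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink)
endef

define KernelPackage/nfnetlink/description
  Kernel modules support for a netlink-based userspace interface
endef

$(eval $(call KernelPackage,nfnetlink))


# Shared tail for the nfnetlink-based packages: Netfilter submenu plus
# +kmod-nfnetlink and any extra dependencies passed in $(1).
define AddDepends/nfnetlink
  SUBMENU:=$(NF_MENU)
  DEPENDS+=+kmod-nfnetlink $(1)
endef


define KernelPackage/nfnetlink-log
  TITLE:=Netfilter LOG over NFNETLINK interface
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log)
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-log/description
  Kernel modules support for logging packets via NFNETLINK
endef

$(eval $(call KernelPackage,nfnetlink-log))


define KernelPackage/nfnetlink-queue
  TITLE:=Netfilter QUEUE over NFNETLINK interface
  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
  KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
  AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue)
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-queue/description
  Kernel modules support for queueing packets via NFNETLINK
endef

$(eval $(call KernelPackage,nfnetlink-queue))


define KernelPackage/nf-conntrack-netlink
  TITLE:=Connection tracking netlink interface
  FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko
  KCONFIG:=CONFIG_NF_CT_NETLINK
  AUTOLOAD:=$(call AutoLoad,49,nf_conntrack_netlink)
  $(call AddDepends/nfnetlink,+kmod-ipt-conntrack)
endef

define KernelPackage/nf-conntrack-netlink/description
  Kernel modules support for a netlink-based connection tracking
  userspace interface
endef

$(eval $(call KernelPackage,nf-conntrack-netlink))

# Uses AddDepends/ipt like every other ipt-* package. The previous
# $(call KernelPackage/ipt) referenced a name that is not defined in this
# file, so it expanded to nothing and the package declared no dependency on
# kmod-ipt-core.
# NOTE(review): confirm no other makefile defines KernelPackage/ipt.
define KernelPackage/ipt-hashlimit
  SUBMENU:=$(NF_MENU)
  TITLE:=Netfilter hashlimit match
  KCONFIG:=$(KCONFIG_IPT_HASHLIMIT)
  FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko
  AUTOLOAD:=$(call AutoLoad,50,xt_hashlimit)
  $(call AddDepends/ipt)
endef

define KernelPackage/ipt-hashlimit/description
  Kernel modules support for the hashlimit bucket match module
endef

$(eval $(call KernelPackage,ipt-hashlimit))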