domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

iptables: rework ip(6)tables-nft dependencies

Browse Source 
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."

This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.

To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)

When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies

This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency

The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
	}
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This commit is contained in:
Etienne Champetier
2022-01-26 14:33:52 -05:00
committed by Hauke Mehrtens
parent 1ebb8e3b6b
commit b0bd6599e8
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
package/network/utils/iptables/Makefile
View File

@@ -41,7 +41,7 @@ endef
define Package/iptables/Module
$(call Package/iptables/Default)
DEPENDS:=iptables $(1)
DEPENDS:=+iptables $(1)
endef
define Package/iptables
@@ -108,7 +108,7 @@ endef
define Package/iptables-nft
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft
DEPENDS:=iptables @IPTABLES_NFTABLES +libxtables-nft
DEPENDS:=@IPTABLES_NFTABLES +libxtables-nft +libip4tc +IPV6:libip6tc +kmod-ipt-core +kmod-nft-compat
endef
define Package/iptables-nft/description
@@ -454,7 +454,7 @@ endef
define Package/ip6tables-nft
$(call Package/iptables/Default)
DEPENDS:=ip6tables @IPTABLES_NFTABLES +libxtables-nft
DEPENDS:=@IPV6 +kmod-ip6tables +iptables-nft
TITLE:=IP firewall administration tool nft
endef
@@ -522,7 +522,7 @@ define Package/libxtables-nft
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared xtables nft library
ABI_VERSION:=12
DEPENDS:=libxtables
DEPENDS:=+libxtables
endef
TARGET_CPPFLAGS := \