domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: clean up dependencies of kernel modules

Browse Source 
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This commit is contained in:
Matthias Schiffer
2018-01-25 18:05:12 +01:00
parent aa66aa0c9a
commit e7e025426a
2 changed files with 43 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
include/netfilter.mk
View File

@@ -30,9 +30,10 @@ endef
# core # core
# kernel only # kernel only
$(eval $(if $(NF_KMOD),$(call nf_add,NF_REJECT,CONFIG_NF_REJECT_IPV4, $(P_V4)nf_reject_ipv4),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT,CONFIG_IP_NF_IPTABLES, $(P_V4)ip_tables),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT,CONFIG_IP_NF_IPTABLES, $(P_V4)ip_tables),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT,CONFIG_NETFILTER_XTABLES, $(P_XT)x_tables),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT,CONFIG_NETFILTER_XTABLES, $(P_XT)x_tables),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT,CONFIG_NF_REJECT_IPV4, $(P_V4)nf_reject_ipv4),))
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XTABLES, $(P_XT)xt_tcpudp),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XTABLES, $(P_XT)xt_tcpudp),))
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptable_filter),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptable_filter),))
@@ -142,8 +143,9 @@ $(eval $(call nf_add,IPT_IPSEC,CONFIG_NETFILTER_XT_MATCH_POLICY, $(P_XT)xt_polic
# IPv6 # IPv6
# kernel only # kernel only
$(eval $(if $(NF_KMOD),$(call nf_add,NF_REJECT6,CONFIG_NF_REJECT_IPV6, $(P_V6)nf_reject_ipv6),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT6,CONFIG_IP6_NF_IPTABLES, $(P_V6)ip6_tables),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT6,CONFIG_IP6_NF_IPTABLES, $(P_V6)ip6_tables),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_IPT6,CONFIG_NF_REJECT_IPV6, $(P_V6)nf_reject_ipv6),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK6,CONFIG_NF_DEFRAG_IPV6, $(P_V6)nf_defrag_ipv6),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK6,CONFIG_NF_DEFRAG_IPV6, $(P_V6)nf_defrag_ipv6),))
$(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK6,CONFIG_NF_CONNTRACK_IPV6, $(P_V6)nf_conntrack_ipv6),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_CONNTRACK6,CONFIG_NF_CONNTRACK_IPV6, $(P_V6)nf_conntrack_ipv6),))
@@ -345,7 +347,7 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT6,CONFIG_NFT_REDIR_IPV6, $(P_V6)nft_
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT6,CONFIG_NFT_CHAIN_NAT_IPV6, $(P_V6)nft_chain_nat_ipv6),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT6,CONFIG_NFT_CHAIN_NAT_IPV6, $(P_V6)nft_chain_nat_ipv6),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT,CONFIG_NFT_MASQ, $(P_XT)nft_masq),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT,CONFIG_NFT_MASQ, $(P_XT)nft_masq),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT,CONFIG_NFT_MASQ_IPV4, $(P_V4)nft_masq_ipv4),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT,CONFIG_NFT_MASQ_IPV4, $(P_V4)nft_masq_ipv4),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT,CONFIG_NFT_MASQ_IPV6, $(P_V6)nft_masq_ipv6),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_NAT6,CONFIG_NFT_MASQ_IPV6, $(P_V6)nft_masq_ipv6),))
# userland only # userland only
IPT_BUILTIN += $(NF_IPT-y) $(NF_IPT-m) IPT_BUILTIN += $(NF_IPT-y) $(NF_IPT-m)

53
package/kernel/linux/modules/netfilter.mk
View File

@@ -11,13 +11,39 @@ NF_KMOD:=1
include $(INCLUDE_DIR)/netfilter.mk include $(INCLUDE_DIR)/netfilter.mk
define KernelPackage/nf-reject
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter IPv4 reject support
KCONFIG:= \
CONFIG_NETFILTER=y \
CONFIG_NETFILTER_ADVANCED=y \
$(KCONFIG_NF_REJECT)
FILES:=$(foreach mod,$(NF_REJECT-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT-m)))
endef
$(eval $(call KernelPackage,nf-reject))
define KernelPackage/nf-reject6
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter IPv6 reject support
KCONFIG:= \
CONFIG_NETFILTER=y \
CONFIG_NETFILTER_ADVANCED=y \
$(KCONFIG_NF_REJECT6)
DEPENDS:=@IPV6
FILES:=$(foreach mod,$(NF_REJECT6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT6-m)))
endef
$(eval $(call KernelPackage,nf-reject6))
define KernelPackage/nf-ipt define KernelPackage/nf-ipt
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Iptables core TITLE:=Iptables core
KCONFIG:= \ KCONFIG:=$(KCONFIG_NF_IPT)
CONFIG_NETFILTER=y \
CONFIG_NETFILTER_ADVANCED=y \
$(KCONFIG_NF_IPT)
FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m)))
endef endef
@@ -31,7 +57,7 @@ define KernelPackage/nf-ipt6
KCONFIG:=$(KCONFIG_NF_IPT6) KCONFIG:=$(KCONFIG_NF_IPT6)
FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m)))
DEPENDS:=+kmod-nf-ipt +kmod-nf-conntrack6 DEPENDS:=+kmod-nf-ipt
endef endef
$(eval $(call KernelPackage,nf-ipt6)) $(eval $(call KernelPackage,nf-ipt6))
@@ -44,7 +70,7 @@ define KernelPackage/ipt-core
KCONFIG:=$(KCONFIG_IPT_CORE) KCONFIG:=$(KCONFIG_IPT_CORE)
FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m)))
DEPENDS:=+kmod-nf-ipt DEPENDS:=+kmod-nf-reject +kmod-nf-ipt
endef endef
define KernelPackage/ipt-core/description define KernelPackage/ipt-core/description
@@ -94,7 +120,7 @@ define KernelPackage/nf-nat
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter NAT TITLE:=Netfilter NAT
KCONFIG:=$(KCONFIG_NF_NAT) KCONFIG:=$(KCONFIG_NF_NAT)
DEPENDS:=+kmod-nf-conntrack +kmod-nf-ipt DEPENDS:=+kmod-nf-conntrack
FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m)))
endef endef
@@ -106,7 +132,7 @@ define KernelPackage/nf-nat6
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter IPV6-NAT TITLE:=Netfilter IPV6-NAT
KCONFIG:=$(KCONFIG_NF_NAT6) KCONFIG:=$(KCONFIG_NF_NAT6)
DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-ipt6 +kmod-nf-nat DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-nat
FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m)))
endef endef
@@ -636,7 +662,7 @@ $(eval $(call KernelPackage,ipt-extra))
define KernelPackage/ip6tables define KernelPackage/ip6tables
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=IPv6 modules TITLE:=IPv6 modules
DEPENDS:=+kmod-nf-ipt6 +kmod-ipt-core +kmod-ipt-conntrack DEPENDS:=+kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core
KCONFIG:=$(KCONFIG_IPT_IPV6) KCONFIG:=$(KCONFIG_IPT_IPV6)
FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m))) AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m)))
@@ -875,12 +901,10 @@ $(eval $(call KernelPackage,ipt-rpfilter))
define KernelPackage/nft-core define KernelPackage/nft-core
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables support TITLE:=Netfilter nf_tables support
DEPENDS:=+kmod-nfnetlink +kmod-nf-conntrack6 +kmod-nf-ipt +kmod-nf-ipt6 DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +kmod-nf-reject6 +kmod-nf-conntrack6
FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m)))
KCONFIG:= \ KCONFIG:= \
CONFIG_NETFILTER=y \
CONFIG_NETFILTER_ADVANCED=y \
CONFIG_NFT_COMPAT=n \ CONFIG_NFT_COMPAT=n \
CONFIG_NFT_QUEUE=n \ CONFIG_NFT_QUEUE=n \
CONFIG_NF_TABLES_ARP=n \ CONFIG_NF_TABLES_ARP=n \
@@ -898,7 +922,7 @@ $(eval $(call KernelPackage,nft-core))
define KernelPackage/nft-nat define KernelPackage/nft-nat
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables NAT support TITLE:=Netfilter nf_tables NAT support
DEPENDS:=+kmod-nft-core +kmod-nf-nat +kmod-nf-nat6 DEPENDS:=+kmod-nft-core +kmod-nf-nat
FILES:=$(foreach mod,$(NFT_NAT-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NFT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT-m)))
KCONFIG:=$(KCONFIG_NFT_NAT) KCONFIG:=$(KCONFIG_NFT_NAT)
@@ -910,11 +934,10 @@ $(eval $(call KernelPackage,nft-nat))
define KernelPackage/nft-nat6 define KernelPackage/nft-nat6
SUBMENU:=$(NF_MENU) SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables IPv6-NAT support TITLE:=Netfilter nf_tables IPv6-NAT support
DEPENDS:=+kmod-nft-core +kmod-nf-nat6 DEPENDS:=+kmod-nft-nat +kmod-nf-nat6
FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko) FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m))) AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m)))
KCONFIG:=$(KCONFIG_NFT_NAT6) KCONFIG:=$(KCONFIG_NFT_NAT6)
endef endef
$(eval $(call KernelPackage,nft-nat6)) $(eval $(call KernelPackage,nft-nat6))