It is currently possible to enable connlabel-support in iptables. However, in order for connlabel to work properly, the kernel module must also be present. This patch adds support for building the connlabel-module, and selects it by default when connlabel-support is enabled.
Signed-off-by: Kristian Evensen <kristian.even...@gmail.com>
---
 include/netfilter.mk | 4 ++++
 package/kernel/linux/modules/netfilter.mk | 15 +++++++++++++++
 package/network/utils/iptables/Makefile | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 616425cb08..1f65513092 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -85,6 +85,10 @@ $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_RECENT, $(P_X
 $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CONNMARK, $(P_XT)xt_CONNMARK)))
+#conntrack-label
+
+$(eval $(call nf_add,IPT_CONNTRACK_LABEL,CONFIG_NETFILTER_XT_MATCH_CONNLABEL, $(P_XT)xt_connlabel))
+
 # extra
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index f458457500..56a4860faa 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -161,6 +161,21 @@ endef
 $(eval $(call KernelPackage,ipt-conntrack-extra))
+define KernelPackage/ipt-conntrack-label
+ TITLE:=Module for handling connection tracking labels
+ KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL)
+ FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m)))
+ $(call AddDepends/ipt,+kmod-ipt-conntrack)
+endef
+
+define KernelPackage/ipt-conntrack-label/description
+ Netfilter (IPv4) module for handling connection tracking labels
+ Includes:
+ - connlabel
+endef
+
+$(eval $(call KernelPackage,ipt-conntrack-label))
 define KernelPackage/ipt-filter
 TITLE:=Modules for packet content inspection
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index e09c35c696..149b4fb047 100644
--- a/package/network/utils/iptables/Makefile
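Review bot: The description added for `KernelPackage/ipt-conntrack-label` calls this a "Netfilter (IPv4) module", but what it packages is `xt_connlabel` under `$(P_XT)` (see the `nf_add` line in include/netfilter.mk), and xt_ matches are normally usable from both iptables and ip6tables. I would reword the first description line to `Netfilter module for matching and setting connection tracking labels`, so nobody assumes IPv6 rules need a separate module. As far as I can tell from the kernel Kconfig, CONFIG_NETFILTER_XT_MATCH_CONNLABEL also selects label support inside nf_conntrack itself. If so, selecting this package changes how the conntrack module is built, which deserves a one-line comment above the define — please confirm.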
+++ b/package/network/utils/iptables/Makefile
@@ -124,6 +124,20 @@ Extra iptables extensions for connection tracking.
 endef
+define Package/iptables-mod-conntrack-label
+$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
+ TITLE:=Connection tracking labeling extension
+ DEFAULT:=y if IPTABLES_CONNLABEL
+endef
+
+define Package/iptables-mod-conntrack-label/description
+Match and set label(s) on connection tracking entries
+
+ Matches:
+ - connlabel
+
+endef
+
 define Package/iptables-mod-filter
 $(call Package/iptables/Module, +kmod-ipt-filter)
 TITLE:=Content inspection extensions
@@ -592,6 +606,7 @@ endef
 $(eval $(call BuildPackage,iptables))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
-- 2.14.1 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
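Review bot: The description added for `Package/iptables-mod-conntrack-label` says "Match and set label(s)" but does not say where label names are defined. As far as I know, libxt_connlabel resolves names through /etc/xtables/connlabel.conf, and nothing in this hunk installs or mentions that file. A rule that refers to a label by name may therefore be rejected when the ruleset is loaded on a fresh image, leaving the firewall without that rule. I would add a description line such as `Label names are looked up in /etc/xtables/connlabel.conf, which this package does not install.` and drop the empty line before `endef`.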