Hej Fabian and Nico, thank you so much Fabian for your patch. It saved my day.
I just wanted to raise the hand to be one them who also depend on the xt_NFQUEUE kernel module. Please enable the xt_* modules in the official OpenWrt source tree by default! Thx and regards, Rainer PS: Here is a modified Version of Fabian's patch for the 19572 Revision: Index: include/netfilter.mk =================================================================== --- include/netfilter.mk (revision 19572) +++ include/netfilter.mk (working copy) @@ -298,6 +298,16 @@ $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG)) +# nfnetfilter log + +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG, $(P_XT)nfnetlink_log)) +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG)) + +# nfnetfilter queue + +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE, $(P_XT)nfnetlink_queue)) +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE, $(P_XT)xt_NFQUEUE)) + # userland only IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m) @@ -315,6 +325,8 @@ IPT_BUILTIN += $(IPT_NATHELPER-y) IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y) IPT_BUILTIN += $(IPT_ULOG-y) +IPT_BUILTIN += $(NFNETLINK_LOG-y) +IPT_BUILTIN += $(NFNETLINK_QUEUE-y) IPT_BUILTIN += $(EBTABLES-y) IPT_BUILTIN += $(EBTABLES_IP4-y) IPT_BUILTIN += $(EBTALTES_IP6-y) Index: package/iptables/Makefile =================================================================== --- package/iptables/Makefile (revision 19572) +++ package/iptables/Makefile (working copy) 
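Review bot: The two section comments added in the first include/netfilter.mk hunk read `# nfnetfilter log` and `# nfnetfilter queue`, but the modules registered under them are nfnetlink_log/xt_NFLOG and nfnetlink_queue/xt_NFQUEUE. They should say `# nfnetlink log` and `# nfnetlink queue`, so a grep for the subsystem name finds them. Each group now carries both the netlink backend and the xt_ target under one name, so a one-line comment saying this is intentional would help whoever later splits kernel-side and userland-side lists.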
@@ -248,6 +248,28 @@ TITLE:=IPv4/IPv6 firewall - shared xtables library endef +define Package/iptables-mod-nflog + $(call Package/iptables/Module, +kmod-nfnetlink-log) + TITLE:=NFLOG Target +endef + +define Package/iptables-mod-nfqueue/description + iptables extensions for user-space packet logging via NFNETLINK. + Includes: + - libxt_NFLOG +endef + +define Package/iptables-mod-nfqueue +$(call Package/iptables/Module, +kmod-nfnetlink-queue) + TITLE:=NFQUEUE Target +endef + +define Package/iptables-mod-nfqueue/description + iptables extensions for user-space packet queueing via NFNETLINK. + Includes: + - libxt_NFQUEUE +endef + TARGET_CPPFLAGS := \ -I$(PKG_BUILD_DIR)/include \ @@ -374,6 +396,8 @@ $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) +$(eval $(call BuildPlugin,iptables-mod-nflog,$(NFNETLINK_LOG-m))) +$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(NFNETLINK_QUEUE-m))) $(eval $(call BuildPackage,ip6tables)) $(eval $(call BuildPackage,ip6tables-utils)) $(eval $(call BuildPackage,libiptc)) Index: package/kernel/modules/netfilter.mk =================================================================== --- package/kernel/modules/netfilter.mk (revision 19572) +++ package/kernel/modules/netfilter.mk (working copy) 
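Review bot: In the first package/iptables/Makefile hunk, `define Package/iptables-mod-nfqueue/description` appears twice. The first copy sits directly after `Package/iptables-mod-nflog` and describes packet logging with libxt_NFLOG, so it looks like a copy-paste slip. As written, the later definition replaces the earlier one, so iptables-mod-nflog ends up with no description and the NFLOG text is lost. The first header should be `define Package/iptables-mod-nflog/description`. The `$(call Package/iptables/Module, …)` line in the nfqueue define also lost the leading indent that the nflog define has, which is worth aligning.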
@@ -447,13 +447,19 @@ define KernelPackage/nfnetlink-log $(call KernelPackage/nfnetlink/Depends,) TITLE:=Netfilter LOG over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.$(LINUX_KMOD_SUFFIX) - KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG - AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log) + # FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.$(LINUX_KMOD_SUFFIX) + # KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG + # AUTOLOAD:=$(call AutoLoad,48,nfnetlink_log) + KCONFIG:=$(KCONFIG_NFNETLINK_LOG) + FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) + AUTOLOAD:=$(call AutoLoad,49,$(notdir $(NFNETLINK_LOG-m))) endef define KernelPackage/nfnetlink-log/description Kernel modules support for logging packets via NFNETLINK + Includes: + - nfnetlink_log + - xt_NFLOG endef $(eval $(call KernelPackage,nfnetlink-log)) @@ -462,13 +468,19 @@ define KernelPackage/nfnetlink-queue $(call KernelPackage/nfnetlink/Depends,) TITLE:=Netfilter QUEUE over NFNETLINK interface - FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.$(LINUX_KMOD_SUFFIX) - KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE - AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue) + # FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.$(LINUX_KMOD_SUFFIX) + # KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE + # AUTOLOAD:=$(call AutoLoad,48,nfnetlink_queue) + KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE) + FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) + AUTOLOAD:=$(call AutoLoad,49,$(notdir $(NFNETLINK_QUEUE-m))) endef define KernelPackage/nfnetlink-queue/description Kernel modules support for queueing packets via NFNETLINK + Includes: + - nfnetlink_queue + - xt_NFQUEUE endef $(eval $(call KernelPackage,nfnetlink-queue)) 
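Review bot: `KernelPackage/nfnetlink-log` and `KernelPackage/nfnetlink-queue` (the second hunk on this file) now package and autoload an xt_ target module next to the netlink backend, but both still declare `$(call KernelPackage/nfnetlink/Depends,)` with an empty extra argument. That helper is defined outside the diff; unless it already pulls in the xtables core, loading xt_NFLOG / xt_NFQUEUE at priority 49 would presumably fail on an image without it. Consider passing the dependency explicitly, e.g. `$(call KernelPackage/nfnetlink/Depends,+kmod-ipt-core)`. The new `KCONFIG:=$(KCONFIG_NFNETLINK_LOG)` and `KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)` also rely on `nf_add` defining those variables, which should be confirmed against include/netfilter.mk. The three commented-out `# FILES`/`# KCONFIG`/`# AUTOLOAD` lines in each define should be dropped rather than committed, since the old values are in revision history.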
@@ -478,7 +490,9 @@ $(call KernelPackage/nfnetlink/Depends,+kmod-ipt-conntrack) TITLE:=Connection tracking netlink interface FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.$(LINUX_KMOD_SUFFIX) - KCONFIG:=CONFIG_NF_CT_NETLINK + # KCONFIG:=CONFIG_NF_CT_NETLINK + KCONFIG:=CONFIG_NF_CT_NETLINK \ + CONFIG_NF_CONNTRACK_EVENTS=y AUTOLOAD:=$(call AutoLoad,49,nf_conntrack_netlink) endef -- Dipl. Ing. (FH) Rainer Poisel Institut für IT Sicherheitsforschung Bereich Technologie Fachhochschule St. Pölten GmbH Matthias Corvinus-Straße 15, A-3100 St. Pölten T: +43/2742/313 228 - 637 F: +43/2742/313 228 - 219 E: rpoi...@fhstp.ac.at I: www.fhstp.ac.at FN 146616m, LG St. Pölten, DVR 1028669F _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
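Review bot: The added `CONFIG_NF_CONNTRACK_EVENTS=y` in this hunk is not explained anywhere in the mail and is unrelated to the NFLOG/NFQUEUE packaging in the rest of the patch. Unlike the module symbols around it, it is forced to `=y`, so selecting this package changes the built-in kernel configuration. It would be better as a separate change, or at least with a comment above the assignment stating why the conntrack netlink package needs it, for example `# event notifications are required by userspace ctnetlink listeners` if that is the reason. The commented-out `# KCONFIG:=CONFIG_NF_CT_NETLINK` line should be removed rather than kept next to its replacement. The enclosing `define` starts above the hunk, so the package name is inferred from the TITLE and FILES lines only.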