3 # Copyright (C) 2006-2010 OpenWrt.org
5 # This is free software, licensed under the GNU General Public License v2.
6 # See /LICENSE for more information.
9 NF_MENU:=Netfilter Extensions
11 include $(INCLUDE_DIR)/netfilter.mk
14 define KernelPackage/nf-reject
16 TITLE:=Netfilter IPv4 reject support
19 CONFIG_NETFILTER_ADVANCED=y \
21 FILES:=$(foreach mod,$(NF_REJECT-m),$(LINUX_DIR)/net/$(mod).ko)
22 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT-m)))
25 $(eval $(call KernelPackage,nf-reject))
28 define KernelPackage/nf-reject6
30 TITLE:=Netfilter IPv6 reject support
33 CONFIG_NETFILTER_ADVANCED=y \
36 FILES:=$(foreach mod,$(NF_REJECT6-m),$(LINUX_DIR)/net/$(mod).ko)
37 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT6-m)))
40 $(eval $(call KernelPackage,nf-reject6))
43 define KernelPackage/nf-ipt
46 KCONFIG:=$(KCONFIG_NF_IPT)
47 FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko)
48 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m)))
51 $(eval $(call KernelPackage,nf-ipt))
54 define KernelPackage/nf-ipt6
57 KCONFIG:=$(KCONFIG_NF_IPT6)
58 FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko)
59 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m)))
63 $(eval $(call KernelPackage,nf-ipt6))
67 define KernelPackage/ipt-core
70 KCONFIG:=$(KCONFIG_IPT_CORE)
71 FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
72 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m)))
73 DEPENDS:=+kmod-nf-reject +kmod-nf-ipt
76 define KernelPackage/ipt-core/description
77 Netfilter core kernel modules
88 $(eval $(call KernelPackage,ipt-core))
91 define KernelPackage/nf-conntrack
93 TITLE:=Netfilter connection tracking
96 CONFIG_NETFILTER_ADVANCED=y \
97 CONFIG_NF_CONNTRACK_MARK=y \
98 CONFIG_NF_CONNTRACK_ZONES=y \
99 $(KCONFIG_NF_CONNTRACK)
100 FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
101 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
104 define KernelPackage/nf-conntrack/install
105 $(INSTALL_DIR) $(1)/etc/sysctl.d
106 $(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf
109 $(eval $(call KernelPackage,nf-conntrack))
112 define KernelPackage/nf-conntrack6
114 TITLE:=Netfilter IPv6 connection tracking
115 KCONFIG:=$(KCONFIG_NF_CONNTRACK6)
116 DEPENDS:=@IPV6 +kmod-nf-conntrack
117 FILES:=$(foreach mod,$(NF_CONNTRACK6-m),$(LINUX_DIR)/net/$(mod).ko)
118 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK6-m)))
121 $(eval $(call KernelPackage,nf-conntrack6))
124 define KernelPackage/nf-nat
127 KCONFIG:=$(KCONFIG_NF_NAT)
128 DEPENDS:=+kmod-nf-conntrack
129 FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
130 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m)))
133 $(eval $(call KernelPackage,nf-nat))
136 define KernelPackage/nf-nat6
138 TITLE:=Netfilter IPV6-NAT
139 KCONFIG:=$(KCONFIG_NF_NAT6)
140 DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-nat
141 FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
142 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m)))
145 $(eval $(call KernelPackage,nf-nat6))
148 define KernelPackage/nf-flow
150 TITLE:=Netfilter flowtable support
152 CONFIG_NETFILTER_INGRESS=y \
153 CONFIG_NF_FLOW_TABLE \
154 CONFIG_NF_FLOW_TABLE_HW
155 DEPENDS:=+kmod-nf-conntrack @!LINUX_3_18 @!LINUX_4_9
157 $(LINUX_DIR)/net/netfilter/nf_flow_table.ko \
158 $(LINUX_DIR)/net/netfilter/nf_flow_table_hw.ko
159 AUTOLOAD:=$(call AutoProbe,nf_flow_table nf_flow_table_hw)
162 $(eval $(call KernelPackage,nf-flow))
165 define AddDepends/ipt
167 DEPENDS+= +kmod-ipt-core $(1)
171 define KernelPackage/ipt-conntrack
172 TITLE:=Basic connection tracking modules
173 KCONFIG:=$(KCONFIG_IPT_CONNTRACK)
174 FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
175 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK-m)))
176 $(call AddDepends/ipt,+kmod-nf-conntrack)
179 define KernelPackage/ipt-conntrack/description
180 Netfilter (IPv4) kernel modules for connection tracking
189 $(eval $(call KernelPackage,ipt-conntrack))
192 define KernelPackage/ipt-conntrack-extra
193 TITLE:=Extra connection tracking modules
194 KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
195 FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
196 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
197 $(call AddDepends/ipt,+kmod-ipt-conntrack)
200 define KernelPackage/ipt-conntrack-extra/description
201 Netfilter (IPv4) extra kernel modules for connection tracking
210 $(eval $(call KernelPackage,ipt-conntrack-extra))
212 define KernelPackage/ipt-conntrack-label
213 TITLE:=Module for handling connection tracking labels
214 KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL)
215 FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko)
216 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m)))
217 $(call AddDepends/ipt,+kmod-ipt-conntrack)
220 define KernelPackage/ipt-conntrack-label/description
221 Netfilter (IPv4) module for handling connection tracking labels
226 $(eval $(call KernelPackage,ipt-conntrack-label))
228 define KernelPackage/ipt-filter
229 TITLE:=Modules for packet content inspection
230 KCONFIG:=$(KCONFIG_IPT_FILTER)
231 FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko)
232 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FILTER-m)))
233 $(call AddDepends/ipt,+kmod-lib-textsearch +kmod-ipt-conntrack)
236 define KernelPackage/ipt-filter/description
237 Netfilter (IPv4) kernel modules for packet content inspection
243 $(eval $(call KernelPackage,ipt-filter))
246 define KernelPackage/ipt-offload
247 TITLE:=Netfilter routing/NAT offload support
248 KCONFIG:=CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD
249 FILES:=$(foreach mod,$(IPT_FLOW-m),$(LINUX_DIR)/net/$(mod).ko)
250 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FLOW-m)))
251 $(call AddDepends/ipt,+kmod-nf-flow)
254 $(eval $(call KernelPackage,ipt-offload))
257 define KernelPackage/ipt-ipopt
258 TITLE:=Modules for matching/changing IP packet options
259 KCONFIG:=$(KCONFIG_IPT_IPOPT)
260 FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko)
261 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPOPT-m)))
262 $(call AddDepends/ipt)
265 define KernelPackage/ipt-ipopt/description
266 Netfilter (IPv4) modules for matching/changing IP packet options
281 $(eval $(call KernelPackage,ipt-ipopt))
284 define KernelPackage/ipt-ipsec
285 TITLE:=Modules for matching IPSec packets
286 KCONFIG:=$(KCONFIG_IPT_IPSEC)
287 FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko)
288 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPSEC-m)))
289 $(call AddDepends/ipt)
292 define KernelPackage/ipt-ipsec/description
293 Netfilter (IPv4) modules for matching IPSec packets
300 $(eval $(call KernelPackage,ipt-ipsec))
304 ipset/ip_set_bitmap_ip \
305 ipset/ip_set_bitmap_ipmac \
306 ipset/ip_set_bitmap_port \
307 ipset/ip_set_hash_ip \
308 ipset/ip_set_hash_ipmark \
309 ipset/ip_set_hash_ipport \
310 ipset/ip_set_hash_ipportip \
311 ipset/ip_set_hash_ipportnet \
312 ipset/ip_set_hash_mac \
313 ipset/ip_set_hash_netportnet \
314 ipset/ip_set_hash_net \
315 ipset/ip_set_hash_netnet \
316 ipset/ip_set_hash_netport \
317 ipset/ip_set_hash_netiface \
318 ipset/ip_set_list_set \
321 define KernelPackage/ipt-ipset
322 SUBMENU:=Netfilter Extensions
323 TITLE:=IPset netfilter modules
324 DEPENDS+= +kmod-ipt-core +kmod-nfnetlink
327 CONFIG_IP_SET_MAX=256 \
328 CONFIG_NETFILTER_XT_SET \
329 CONFIG_IP_SET_BITMAP_IP \
330 CONFIG_IP_SET_BITMAP_IPMAC \
331 CONFIG_IP_SET_BITMAP_PORT \
332 CONFIG_IP_SET_HASH_IP \
333 CONFIG_IP_SET_HASH_IPMAC \
334 CONFIG_IP_SET_HASH_IPMARK \
335 CONFIG_IP_SET_HASH_IPPORT \
336 CONFIG_IP_SET_HASH_IPPORTIP \
337 CONFIG_IP_SET_HASH_IPPORTNET \
338 CONFIG_IP_SET_HASH_MAC \
339 CONFIG_IP_SET_HASH_NET \
340 CONFIG_IP_SET_HASH_NETNET \
341 CONFIG_IP_SET_HASH_NETIFACE \
342 CONFIG_IP_SET_HASH_NETPORT \
343 CONFIG_IP_SET_HASH_NETPORTNET \
344 CONFIG_IP_SET_LIST_SET \
345 CONFIG_NET_EMATCH_IPSET=n
346 FILES:=$(foreach mod,$(IPSET_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko)
347 AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPSET_MODULES)))
349 $(eval $(call KernelPackage,ipt-ipset))
368 define KernelPackage/nf-ipvs
369 SUBMENU:=Netfilter Extensions
370 TITLE:=IP Virtual Server modules
371 DEPENDS:=@IPV6 +kmod-lib-crc32c +kmod-ipt-conntrack +kmod-nf-conntrack
374 CONFIG_IP_VS_IPV6=y \
375 CONFIG_IP_VS_DEBUG=n \
376 CONFIG_IP_VS_PROTO_TCP=y \
377 CONFIG_IP_VS_PROTO_UDP=y \
378 CONFIG_IP_VS_PROTO_AH_ESP=y \
379 CONFIG_IP_VS_PROTO_ESP=y \
380 CONFIG_IP_VS_PROTO_AH=y \
381 CONFIG_IP_VS_PROTO_SCTP=y \
382 CONFIG_IP_VS_TAB_BITS=12 \
395 CONFIG_IP_VS_SH_TAB_BITS=8 \
396 CONFIG_IP_VS_NFCT=y \
397 CONFIG_NETFILTER_XT_MATCH_IPVS
398 FILES:=$(foreach mod,$(IPVS_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko)
399 $(call AddDepends/ipt,+kmod-ipt-conntrack,+kmod-nf-conntrack)
402 define KernelPackage/nf-ipvs/description
403 IPVS (IP Virtual Server) implements transport-layer load balancing inside
404 the Linux kernel so called Layer-4 switching.
407 $(eval $(call KernelPackage,nf-ipvs))
410 define KernelPackage/nf-ipvs-ftp
412 TITLE:=Virtual Server FTP protocol support
413 KCONFIG:=CONFIG_IP_VS_FTP
414 DEPENDS:=kmod-nf-ipvs +kmod-nf-nat +kmod-nf-nathelper
415 FILES:=$(LINUX_DIR)/net/netfilter/ipvs/ip_vs_ftp.ko
418 define KernelPackage/nf-ipvs-ftp/description
419 In the virtual server via Network Address Translation,
420 the IP address and port number of real servers cannot be sent to
421 clients in ftp connections directly, so FTP protocol helper is
422 required for tracking the connection and mangling it back to that of
426 $(eval $(call KernelPackage,nf-ipvs-ftp))
429 define KernelPackage/nf-ipvs-sip
431 TITLE:=Virtual Server SIP protocol support
432 KCONFIG:=CONFIG_IP_VS_PE_SIP
433 DEPENDS:=kmod-nf-ipvs +kmod-nf-nathelper-extra
434 FILES:=$(LINUX_DIR)/net/netfilter/ipvs/ip_vs_pe_sip.ko
437 define KernelPackage/nf-ipvs-sip/description
438 Allow persistence based on the SIP Call-ID
441 $(eval $(call KernelPackage,nf-ipvs-sip))
444 define KernelPackage/ipt-nat
445 TITLE:=Basic NAT targets
446 KCONFIG:=$(KCONFIG_IPT_NAT)
447 FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
448 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT-m)))
449 $(call AddDepends/ipt,+kmod-nf-nat)
452 define KernelPackage/ipt-nat/description
453 Netfilter (IPv4) kernel modules for basic NAT targets
458 $(eval $(call KernelPackage,ipt-nat))
461 define KernelPackage/ipt-raw
462 TITLE:=Netfilter IPv4 raw table support
463 KCONFIG:=CONFIG_IP_NF_RAW
464 FILES:=$(LINUX_DIR)/net/ipv4/netfilter/iptable_raw.ko
465 AUTOLOAD:=$(call AutoProbe,iptable_raw)
466 $(call AddDepends/ipt)
469 $(eval $(call KernelPackage,ipt-raw))
472 define KernelPackage/ipt-raw6
473 TITLE:=Netfilter IPv6 raw table support
474 KCONFIG:=CONFIG_IP6_NF_RAW
475 FILES:=$(LINUX_DIR)/net/ipv6/netfilter/ip6table_raw.ko
476 AUTOLOAD:=$(call AutoProbe,ip6table_raw)
477 $(call AddDepends/ipt,+kmod-ip6tables)
480 $(eval $(call KernelPackage,ipt-raw6))
483 define KernelPackage/ipt-nat6
484 TITLE:=IPv6 NAT targets
485 KCONFIG:=$(KCONFIG_IPT_NAT6)
486 FILES:=$(foreach mod,$(IPT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
487 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT6-m)))
488 $(call AddDepends/ipt,+kmod-nf-nat6)
489 $(call AddDepends/ipt,+kmod-ipt-conntrack)
490 $(call AddDepends/ipt,+kmod-ipt-nat)
491 $(call AddDepends/ipt,+kmod-ip6tables)
494 define KernelPackage/ipt-nat6/description
495 Netfilter (IPv6) kernel modules for NAT targets
498 $(eval $(call KernelPackage,ipt-nat6))
501 define KernelPackage/ipt-nat-extra
502 TITLE:=Extra NAT targets
503 KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA)
504 FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
505 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT_EXTRA-m)))
506 $(call AddDepends/ipt,+kmod-ipt-nat)
509 define KernelPackage/ipt-nat-extra/description
510 Netfilter (IPv4) kernel modules for extra NAT targets
516 $(eval $(call KernelPackage,ipt-nat-extra))
519 define KernelPackage/nf-nathelper
521 TITLE:=Basic Conntrack and NAT helpers
522 KCONFIG:=$(KCONFIG_NF_NATHELPER)
523 FILES:=$(foreach mod,$(NF_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko)
524 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER-m)))
525 DEPENDS:=+kmod-nf-nat
528 define KernelPackage/nf-nathelper/description
529 Default Netfilter (IPv4) Conntrack and NAT helpers
534 $(eval $(call KernelPackage,nf-nathelper))
537 define KernelPackage/nf-nathelper-extra
539 TITLE:=Extra Conntrack and NAT helpers
540 KCONFIG:=$(KCONFIG_NF_NATHELPER_EXTRA)
541 FILES:=$(foreach mod,$(NF_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
542 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER_EXTRA-m)))
543 DEPENDS:=+kmod-nf-nat +kmod-lib-textsearch +kmod-ipt-raw +LINUX_4_19:kmod-asn1-decoder
546 define KernelPackage/nf-nathelper-extra/description
547 Extra Netfilter (IPv4) Conntrack and NAT helpers
561 $(eval $(call KernelPackage,nf-nathelper-extra))
564 define KernelPackage/ipt-ulog
565 TITLE:=Module for user-space packet logging
566 KCONFIG:=$(KCONFIG_IPT_ULOG)
567 FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
568 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_ULOG-m)))
569 $(call AddDepends/ipt)
572 define KernelPackage/ipt-ulog/description
573 Netfilter (IPv4) module for user-space packet logging
578 $(eval $(call KernelPackage,ipt-ulog))
581 define KernelPackage/ipt-nflog
582 TITLE:=Module for user-space packet logging
583 KCONFIG:=$(KCONFIG_IPT_NFLOG)
584 FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko)
585 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFLOG-m)))
586 $(call AddDepends/ipt,+kmod-nfnetlink-log)
589 define KernelPackage/ipt-nflog/description
590 Netfilter module for user-space packet logging
595 $(eval $(call KernelPackage,ipt-nflog))
598 define KernelPackage/ipt-nfqueue
599 TITLE:=Module for user-space packet queuing
600 KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
601 FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
602 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
603 $(call AddDepends/ipt,+kmod-nfnetlink-queue)
606 define KernelPackage/ipt-nfqueue/description
607 Netfilter module for user-space packet queuing
612 $(eval $(call KernelPackage,ipt-nfqueue))
615 define KernelPackage/ipt-debug
616 TITLE:=Module for debugging/development
617 KCONFIG:=$(KCONFIG_IPT_DEBUG)
618 FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
619 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m)))
620 $(call AddDepends/ipt,+kmod-ipt-raw +IPV6:kmod-ipt-raw6)
623 define KernelPackage/ipt-debug/description
624 Netfilter modules for debugging/development of the firewall
629 $(eval $(call KernelPackage,ipt-debug))
632 define KernelPackage/ipt-led
633 TITLE:=Module to trigger a LED with a Netfilter rule
634 KCONFIG:=$(KCONFIG_IPT_LED)
635 FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko)
636 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_LED-m)))
637 $(call AddDepends/ipt)
640 define KernelPackage/ipt-led/description
641 Netfilter target to trigger a LED when a network packet is matched.
644 $(eval $(call KernelPackage,ipt-led))
646 define KernelPackage/ipt-tproxy
647 TITLE:=Transparent proxying support
648 DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables
650 CONFIG_NF_SOCKET_IPV4 \
651 CONFIG_NF_SOCKET_IPV6 \
652 CONFIG_NETFILTER_XT_MATCH_SOCKET \
653 CONFIG_NETFILTER_XT_TARGET_TPROXY
655 $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
656 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_TPROXY-m)))
657 $(call AddDepends/ipt)
660 define KernelPackage/ipt-tproxy/description
661 Kernel modules for Transparent Proxying
664 $(eval $(call KernelPackage,ipt-tproxy))
666 define KernelPackage/ipt-tee
668 DEPENDS:=+kmod-ipt-conntrack
670 CONFIG_NETFILTER_XT_TARGET_TEE
672 $(LINUX_DIR)/net/netfilter/xt_TEE.ko \
673 $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko)
674 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_TEE-m)))
675 $(call AddDepends/ipt)
678 define KernelPackage/ipt-tee/description
679 Kernel modules for TEE
682 $(eval $(call KernelPackage,ipt-tee))
685 define KernelPackage/ipt-u32
688 CONFIG_NETFILTER_XT_MATCH_U32
690 $(LINUX_DIR)/net/netfilter/xt_u32.ko \
691 $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko)
692 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_U32-m)))
693 $(call AddDepends/ipt)
696 define KernelPackage/ipt-u32/description
697 Kernel modules for U32
700 $(eval $(call KernelPackage,ipt-u32))
702 define KernelPackage/ipt-checksum
703 TITLE:=CHECKSUM support
705 CONFIG_NETFILTER_XT_TARGET_CHECKSUM
707 $(LINUX_DIR)/net/netfilter/xt_CHECKSUM.ko \
708 $(foreach mod,$(IPT_CHECKSUM-m),$(LINUX_DIR)/net/$(mod).ko)
709 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CHECKSUM-m)))
710 $(call AddDepends/ipt)
713 define KernelPackage/ipt-checksum/description
714 Kernel modules for CHECKSUM fillin target
717 $(eval $(call KernelPackage,ipt-checksum))
720 define KernelPackage/ipt-iprange
721 TITLE:=Module for matching ip ranges
722 KCONFIG:=$(KCONFIG_IPT_IPRANGE)
723 FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko)
724 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPRANGE-m)))
725 $(call AddDepends/ipt)
728 define KernelPackage/ipt-iprange/description
729 Netfilter (IPv4) module for matching ip ranges
734 $(eval $(call KernelPackage,ipt-iprange))
736 define KernelPackage/ipt-cluster
737 TITLE:=Module for matching cluster
738 KCONFIG:=$(KCONFIG_IPT_CLUSTER)
739 FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko)
740 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m)))
741 $(call AddDepends/ipt,+kmod-nf-conntrack)
744 define KernelPackage/ipt-cluster/description
745 Netfilter (IPv4/IPv6) module for matching cluster
746 This option allows you to build work-load-sharing clusters of
747 network servers/stateful firewalls without having a dedicated
748 load-balancing router/server/switch. Basically, this match returns
749 true when the packet must be handled by this cluster node. Thus,
750 all nodes see all packets and this match decides which node handles
751 what packets. The work-load sharing algorithm is based on source
754 This module is usable for ipv4 and ipv6.
756 To use it also enable iptables-mod-cluster
758 see `iptables -m cluster --help` for more information.
761 $(eval $(call KernelPackage,ipt-cluster))
763 define KernelPackage/ipt-clusterip
764 TITLE:=Module for CLUSTERIP
765 KCONFIG:=$(KCONFIG_IPT_CLUSTERIP)
766 FILES:=$(foreach mod,$(IPT_CLUSTERIP-m),$(LINUX_DIR)/net/$(mod).ko)
767 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTERIP-m)))
768 $(call AddDepends/ipt,+kmod-nf-conntrack)
771 define KernelPackage/ipt-clusterip/description
772 Netfilter (IPv4-only) module for CLUSTERIP
773 The CLUSTERIP target allows you to build load-balancing clusters of
774 network servers without having a dedicated load-balancing
775 router/server/switch.
777 To use it also enable iptables-mod-clusterip
779 see `iptables -j CLUSTERIP --help` for more information.
782 $(eval $(call KernelPackage,ipt-clusterip))
785 define KernelPackage/ipt-extra
787 KCONFIG:=$(KCONFIG_IPT_EXTRA)
788 FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
789 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
790 $(call AddDepends/ipt)
793 define KernelPackage/ipt-extra/description
794 Other Netfilter (IPv4) kernel modules
802 $(eval $(call KernelPackage,ipt-extra))
805 define KernelPackage/ipt-physdev
806 TITLE:=physdev module
807 KCONFIG:=$(KCONFIG_IPT_PHYSDEV)
808 FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko)
809 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m)))
810 $(call AddDepends/ipt,+kmod-br-netfilter)
813 define KernelPackage/ipt-physdev/description
814 The iptables physdev kernel module
817 $(eval $(call KernelPackage,ipt-physdev))
820 define KernelPackage/ip6tables
823 DEPENDS:=+kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core
824 KCONFIG:=$(KCONFIG_IPT_IPV6)
825 FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
826 AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m)))
829 define KernelPackage/ip6tables/description
830 Netfilter IPv6 firewalling support
833 $(eval $(call KernelPackage,ip6tables))
835 define KernelPackage/ip6tables-extra
837 TITLE:=Extra IPv6 modules
838 DEPENDS:=+kmod-ip6tables
839 KCONFIG:=$(KCONFIG_IPT_IPV6_EXTRA)
840 FILES:=$(foreach mod,$(IPT_IPV6_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
841 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_IPV6_EXTRA-m)))
844 define KernelPackage/ip6tables-extra/description
845 Netfilter IPv6 extra header matching modules
848 $(eval $(call KernelPackage,ip6tables-extra))
850 ARP_MODULES = arp_tables arpt_mangle arptable_filter
851 define KernelPackage/arptables
853 TITLE:=ARP firewalling modules
854 DEPENDS:=+kmod-ipt-core
855 FILES:=$(LINUX_DIR)/net/ipv4/netfilter/arp*.ko
856 KCONFIG:=CONFIG_IP_NF_ARPTABLES \
857 CONFIG_IP_NF_ARPFILTER \
858 CONFIG_IP_NF_ARP_MANGLE
859 AUTOLOAD:=$(call AutoProbe,$(ARP_MODULES))
862 define KernelPackage/arptables/description
863 Kernel modules for ARP firewalling
866 $(eval $(call KernelPackage,arptables))
869 define KernelPackage/br-netfilter
871 TITLE:=Bridge netfilter support modules
872 DEPENDS:=+kmod-ipt-core
873 FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko
874 KCONFIG:=CONFIG_BRIDGE_NETFILTER
875 AUTOLOAD:=$(call AutoProbe,br_netfilter)
878 define KernelPackage/br-netfilter/install
879 $(INSTALL_DIR) $(1)/etc/sysctl.d
880 $(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
883 $(eval $(call KernelPackage,br-netfilter))
886 define KernelPackage/ebtables
888 TITLE:=Bridge firewalling modules
889 DEPENDS:=+kmod-ipt-core
890 FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
891 KCONFIG:=$(KCONFIG_EBTABLES)
892 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
895 define KernelPackage/ebtables/description
896 ebtables is a general, extensible frame/packet identification
897 framework. It provides you to do Ethernet
898 filtering/NAT/brouting on the Ethernet bridge.
901 $(eval $(call KernelPackage,ebtables))
904 define AddDepends/ebtables
906 DEPENDS+= +kmod-ebtables $(1)
910 define KernelPackage/ebtables-ipv4
911 TITLE:=ebtables: IPv4 support
912 FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko)
913 KCONFIG:=$(KCONFIG_EBTABLES_IP4)
914 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP4-m)))
915 $(call AddDepends/ebtables)
918 define KernelPackage/ebtables-ipv4/description
919 This option adds the IPv4 support to ebtables, which allows basic
920 IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
923 $(eval $(call KernelPackage,ebtables-ipv4))
926 define KernelPackage/ebtables-ipv6
927 TITLE:=ebtables: IPv6 support
928 FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko)
929 KCONFIG:=$(KCONFIG_EBTABLES_IP6)
930 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP6-m)))
931 $(call AddDepends/ebtables)
934 define KernelPackage/ebtables-ipv6/description
935 This option adds the IPv6 support to ebtables, which allows basic
936 IPv6 header field filtering and target support.
939 $(eval $(call KernelPackage,ebtables-ipv6))
942 define KernelPackage/ebtables-watchers
943 TITLE:=ebtables: watchers support
944 FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko)
945 KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS)
946 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_WATCHERS-m)))
947 $(call AddDepends/ebtables)
950 define KernelPackage/ebtables-watchers/description
951 This option adds the log watchers, that you can use in any rule
952 in any ebtables table.
955 $(eval $(call KernelPackage,ebtables-watchers))
958 define KernelPackage/nfnetlink
960 TITLE:=Netlink-based userspace interface
961 FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
962 KCONFIG:=$(KCONFIG_NFNETLINK)
963 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))
966 define KernelPackage/nfnetlink/description
967 Kernel modules support for a netlink-based userspace interface
970 $(eval $(call KernelPackage,nfnetlink))
973 define AddDepends/nfnetlink
975 DEPENDS+=+kmod-nfnetlink $(1)
979 define KernelPackage/nfnetlink-log
980 TITLE:=Netfilter LOG over NFNETLINK interface
981 FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
982 KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
983 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))
984 $(call AddDepends/nfnetlink)
987 define KernelPackage/nfnetlink-log/description
988 Kernel modules support for logging packets via NFNETLINK
993 $(eval $(call KernelPackage,nfnetlink-log))
996 define KernelPackage/nfnetlink-queue
997 TITLE:=Netfilter QUEUE over NFNETLINK interface
998 FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
999 KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
1000 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_QUEUE-m)))
1001 $(call AddDepends/nfnetlink)
1004 define KernelPackage/nfnetlink-queue/description
1005 Kernel modules support for queueing packets via NFNETLINK
1010 $(eval $(call KernelPackage,nfnetlink-queue))
1013 define KernelPackage/nf-conntrack-netlink
1014 TITLE:=Connection tracking netlink interface
1015 FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko
1016 KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y
1017 AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink)
1018 $(call AddDepends/nfnetlink,+kmod-ipt-conntrack)
1021 define KernelPackage/nf-conntrack-netlink/description
1022 Kernel modules support for a netlink-based connection tracking
1026 $(eval $(call KernelPackage,nf-conntrack-netlink))
1028 define KernelPackage/ipt-hashlimit
1030 TITLE:=Netfilter hashlimit match
1031 DEPENDS:=+kmod-ipt-core
1032 KCONFIG:=$(KCONFIG_IPT_HASHLIMIT)
1033 FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko
1034 AUTOLOAD:=$(call AutoProbe,xt_hashlimit)
1035 $(call KernelPackage/ipt)
1038 define KernelPackage/ipt-hashlimit/description
1039 Kernel modules support for the hashlimit bucket match module
1042 $(eval $(call KernelPackage,ipt-hashlimit))
1044 define KernelPackage/ipt-rpfilter
1046 TITLE:=Netfilter rpfilter match
1047 DEPENDS:=+kmod-ipt-core
1048 KCONFIG:=$(KCONFIG_IPT_RPFILTER)
1050 $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \
1051 $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko)
1052 AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter)
1053 $(call KernelPackage/ipt)
1056 define KernelPackage/ipt-rpfilter/description
1057 Kernel modules support for the Netfilter rpfilter match
1060 $(eval $(call KernelPackage,ipt-rpfilter))
1063 define KernelPackage/nft-core
1065 TITLE:=Netfilter nf_tables support
1066 DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +kmod-nf-reject6 +kmod-nf-conntrack6
1067 FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
1068 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m)))
1070 CONFIG_NFT_COMPAT=n \
1071 CONFIG_NFT_QUEUE=n \
1075 define KernelPackage/nft-core/description
1076 Kernel module support for nftables
1079 $(eval $(call KernelPackage,nft-core))
1082 define KernelPackage/nft-arp
1084 TITLE:=Netfilter nf_tables ARP table support
1085 DEPENDS:=+kmod-nft-core
1086 FILES:=$(foreach mod,$(NFT_ARP-m),$(LINUX_DIR)/net/$(mod).ko)
1087 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_ARP-m)))
1088 KCONFIG:=$(KCONFIG_NFT_ARP)
1091 $(eval $(call KernelPackage,nft-arp))
1094 define KernelPackage/nft-bridge
1096 TITLE:=Netfilter nf_tables bridge table support
1097 DEPENDS:=+kmod-nft-core
1098 FILES:=$(foreach mod,$(NFT_BRIDGE-m),$(LINUX_DIR)/net/$(mod).ko)
1099 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_BRIDGE-m)))
1101 CONFIG_NF_LOG_BRIDGE=n \
1102 $(KCONFIG_NFT_BRIDGE)
1105 $(eval $(call KernelPackage,nft-bridge))
1108 define KernelPackage/nft-nat
1110 TITLE:=Netfilter nf_tables NAT support
1111 DEPENDS:=+kmod-nft-core +kmod-nf-nat
1112 FILES:=$(foreach mod,$(NFT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
1113 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT-m)))
1114 KCONFIG:=$(KCONFIG_NFT_NAT)
1117 $(eval $(call KernelPackage,nft-nat))
1120 define KernelPackage/nft-offload
1122 TITLE:=Netfilter nf_tables routing/NAT offload support
1123 DEPENDS:=+kmod-nf-flow +kmod-nft-nat
1125 CONFIG_NF_FLOW_TABLE_INET \
1126 CONFIG_NF_FLOW_TABLE_IPV4 \
1127 CONFIG_NF_FLOW_TABLE_IPV6 \
1128 CONFIG_NFT_FLOW_OFFLOAD
1130 $(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \
1131 $(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \
1132 $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \
1133 $(LINUX_DIR)/net/netfilter/nft_flow_offload.ko
1134 AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload)
1137 $(eval $(call KernelPackage,nft-offload))
1140 define KernelPackage/nft-nat6
1142 TITLE:=Netfilter nf_tables IPv6-NAT support
1143 DEPENDS:=+kmod-nft-nat +kmod-nf-nat6
1144 FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
1145 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m)))
1146 KCONFIG:=$(KCONFIG_NFT_NAT6)
1149 $(eval $(call KernelPackage,nft-nat6))
1151 define KernelPackage/nft-netdev
1153 TITLE:=Netfilter nf_tables netdev support
1154 DEPENDS:=+kmod-nft-core
1156 CONFIG_NETFILTER_INGRESS=y \
1157 CONFIG_NF_TABLES_NETDEV \
1158 CONFIG_NF_DUP_NETDEV \
1159 CONFIG_NFT_DUP_NETDEV \
1160 CONFIG_NFT_FWD_NETDEV
1162 $(LINUX_DIR)/net/netfilter/nf_tables_netdev.ko@lt4.17 \
1163 $(LINUX_DIR)/net/netfilter/nf_dup_netdev.ko \
1164 $(LINUX_DIR)/net/netfilter/nft_dup_netdev.ko \
1165 $(LINUX_DIR)/net/netfilter/nft_fwd_netdev.ko
1166 AUTOLOAD:=$(call AutoProbe,nf_tables_netdev nf_dup_netdev nft_dup_netdev nft_fwd_netdev)
1169 $(eval $(call KernelPackage,nft-netdev))
1172 define KernelPackage/nft-fib
1174 TITLE:=Netfilter nf_tables fib support
1175 DEPENDS:=+kmod-nft-core
1176 FILES:=$(foreach mod,$(NFT_FIB-m),$(LINUX_DIR)/net/$(mod).ko)
1177 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_FIB-m)))
1178 KCONFIG:=$(KCONFIG_NFT_FIB)
1181 $(eval $(call KernelPackage,nft-fib))