3 # Copyright (C) 2006-2010 OpenWrt.org
5 # This is free software, licensed under the GNU General Public License v2.
6 # See /LICENSE for more information.
9 NF_MENU:=Netfilter Extensions
11 include $(INCLUDE_DIR)/netfilter.mk
# nf-reject: IPv4 reject support. Ships every module named in NF_REJECT-m
# (paths taken relative to $(LINUX_DIR)/net) and hands the same module names
# to AutoProbe for automatic loading. NF_REJECT-m is presumably provided by
# the netfilter.mk include above. The KCONFIG assignment that the
# CONFIG_NETFILTER_ADVANCED=y continuation belongs to is not visible here.
14 define KernelPackage/nf-reject
16 TITLE:=Netfilter IPv4 reject support
19 CONFIG_NETFILTER_ADVANCED=y \
21 FILES:=$(foreach mod,$(NF_REJECT-m),$(LINUX_DIR)/net/$(mod).ko)
22 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT-m)))
25 $(eval $(call KernelPackage,nf-reject))
# nf-reject6: IPv6 counterpart of nf-reject. Ships the modules named in
# NF_REJECT6-m from under $(LINUX_DIR)/net and registers them with AutoProbe.
# The line that opens the KCONFIG list is not visible in this listing.
28 define KernelPackage/nf-reject6
30 TITLE:=Netfilter IPv6 reject support
33 CONFIG_NETFILTER_ADVANCED=y \
36 FILES:=$(foreach mod,$(NF_REJECT6-m),$(LINUX_DIR)/net/$(mod).ko)
37 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_REJECT6-m)))
40 $(eval $(call KernelPackage,nf-reject6))
# nf-ipt: kernel options come from KCONFIG_NF_IPT, module files and the
# AutoProbe list both derive from NF_IPT-m. No TITLE line is visible here.
43 define KernelPackage/nf-ipt
46 KCONFIG:=$(KCONFIG_NF_IPT)
47 FILES:=$(foreach mod,$(NF_IPT-m),$(LINUX_DIR)/net/$(mod).ko)
48 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT-m)))
51 $(eval $(call KernelPackage,nf-ipt))
# nf-ipt6: same shape as nf-ipt, driven by KCONFIG_NF_IPT6 and NF_IPT6-m.
# No TITLE or DEPENDS line is visible in this listing.
54 define KernelPackage/nf-ipt6
57 KCONFIG:=$(KCONFIG_NF_IPT6)
58 FILES:=$(foreach mod,$(NF_IPT6-m),$(LINUX_DIR)/net/$(mod).ko)
59 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_IPT6-m)))
63 $(eval $(call KernelPackage,nf-ipt6))
# ipt-core: base iptables kernel modules (IPT_CORE-m / KCONFIG_IPT_CORE).
# Selects kmod-nf-reject and kmod-nf-ipt. Most ipt-* packages in this file
# depend on this one through the AddDepends/ipt helper.
67 define KernelPackage/ipt-core
70 KCONFIG:=$(KCONFIG_IPT_CORE)
71 FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
72 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m)))
73 DEPENDS:=+kmod-nf-reject +kmod-nf-ipt
76 define KernelPackage/ipt-core/description
77 Netfilter core kernel modules
88 $(eval $(call KernelPackage,ipt-core))
# nf-conntrack: connection tracking core. The visible KCONFIG lines force
# CONFIG_NETFILTER_ADVANCED, CONFIG_NF_CONNTRACK_MARK and
# CONFIG_NF_CONNTRACK_ZONES to =y and append $(KCONFIG_NF_CONNTRACK).
# The install hook copies ./files/sysctl-nf-conntrack.conf into the package
# root $(1) as /etc/sysctl.d/11-nf-conntrack.conf.
# NOTE(review): that sysctl file is not part of this listing. It presumably
# sets conntrack tunables; review it together with this package, since table
# size and timeouts bound how much state a flood can pin — confirm contents.
91 define KernelPackage/nf-conntrack
93 TITLE:=Netfilter connection tracking
96 CONFIG_NETFILTER_ADVANCED=y \
97 CONFIG_NF_CONNTRACK_MARK=y \
98 CONFIG_NF_CONNTRACK_ZONES=y \
99 $(KCONFIG_NF_CONNTRACK)
100 FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
101 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
104 define KernelPackage/nf-conntrack/install
105 $(INSTALL_DIR) $(1)/etc/sysctl.d
106 $(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf
109 $(eval $(call KernelPackage,nf-conntrack))
# nf-conntrack6: IPv6 connection tracking (NF_CONNTRACK6-m). Only offered
# when IPV6 is enabled (@IPV6) and selects kmod-nf-conntrack.
112 define KernelPackage/nf-conntrack6
114 TITLE:=Netfilter IPv6 connection tracking
115 KCONFIG:=$(KCONFIG_NF_CONNTRACK6)
116 DEPENDS:=@IPV6 +kmod-nf-conntrack
117 FILES:=$(foreach mod,$(NF_CONNTRACK6-m),$(LINUX_DIR)/net/$(mod).ko)
118 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK6-m)))
121 $(eval $(call KernelPackage,nf-conntrack6))
# nf-nat: NAT core modules (NF_NAT-m / KCONFIG_NF_NAT); selects
# kmod-nf-conntrack, which NAT builds on. No TITLE line is visible here.
124 define KernelPackage/nf-nat
127 KCONFIG:=$(KCONFIG_NF_NAT)
128 DEPENDS:=+kmod-nf-conntrack
129 FILES:=$(foreach mod,$(NF_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
130 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT-m)))
133 $(eval $(call KernelPackage,nf-nat))
# nf-nat6: IPv6 NAT modules (NF_NAT6-m / KCONFIG_NF_NAT6); selects
# kmod-nf-conntrack6 and kmod-nf-nat.
136 define KernelPackage/nf-nat6
138 TITLE:=Netfilter IPV6-NAT
139 KCONFIG:=$(KCONFIG_NF_NAT6)
140 DEPENDS:=+kmod-nf-conntrack6 +kmod-nf-nat
141 FILES:=$(foreach mod,$(NF_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
142 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NAT6-m)))
145 $(eval $(call KernelPackage,nf-nat6))
# nf-flow: flowtable support. Ships nf_flow_table.ko and
# nf_flow_table_hw.ko, selects kmod-nf-conntrack, and is excluded for
# LINUX_3_18, LINUX_4_4 and LINUX_4_9 by the @! dependencies. The lines
# opening the KCONFIG and FILES lists are not visible in this listing.
# NOTE(review): a flowtable is a fast path for established flows. Packets on
# an offloaded flow generally bypass the later forward-chain rules, so rule
# changes, logging and accounting may not apply to them until the flow is
# torn down — verify that this matches the firewall policy in use.
148 define KernelPackage/nf-flow
150 TITLE:=Netfilter flowtable support
152 CONFIG_NETFILTER_INGRESS=y \
153 CONFIG_NF_FLOW_TABLE \
154 CONFIG_NF_FLOW_TABLE_HW
155 DEPENDS:=+kmod-nf-conntrack @!LINUX_3_18 @!LINUX_4_4 @!LINUX_4_9
157 $(LINUX_DIR)/net/netfilter/nf_flow_table.ko \
158 $(LINUX_DIR)/net/netfilter/nf_flow_table_hw.ko
159 AUTOLOAD:=$(call AutoProbe,nf_flow_table nf_flow_table_hw)
162 $(eval $(call KernelPackage,nf-flow))
# AddDepends/ipt: helper expanded inside package definitions. Appends
# +kmod-ipt-core plus the caller's first argument to DEPENDS. Only $(1) is
# read, so any additional comma-separated arguments are silently ignored.
165 define AddDepends/ipt
167 DEPENDS+= +kmod-ipt-core $(1)
# ipt-conntrack: basic connection-tracking match modules
# (IPT_CONNTRACK-m / KCONFIG_IPT_CONNTRACK). AddDepends/ipt adds
# +kmod-ipt-core and +kmod-nf-conntrack to DEPENDS.
171 define KernelPackage/ipt-conntrack
172 TITLE:=Basic connection tracking modules
173 KCONFIG:=$(KCONFIG_IPT_CONNTRACK)
174 FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
175 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK-m)))
176 $(call AddDepends/ipt,+kmod-nf-conntrack)
179 define KernelPackage/ipt-conntrack/description
180 Netfilter (IPv4) kernel modules for connection tracking
189 $(eval $(call KernelPackage,ipt-conntrack))
# ipt-conntrack-extra: additional connection-tracking modules
# (IPT_CONNTRACK_EXTRA-m). Depends on kmod-ipt-core and kmod-ipt-conntrack
# through AddDepends/ipt. The module list itself is not shown in this file.
192 define KernelPackage/ipt-conntrack-extra
193 TITLE:=Extra connection tracking modules
194 KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
195 FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
196 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
197 $(call AddDepends/ipt,+kmod-ipt-conntrack)
200 define KernelPackage/ipt-conntrack-extra/description
201 Netfilter (IPv4) extra kernel modules for connection tracking
210 $(eval $(call KernelPackage,ipt-conntrack-extra))
# ipt-conntrack-label: connection-tracking label support
# (IPT_CONNTRACK_LABEL-m). Depends on kmod-ipt-core and kmod-ipt-conntrack
# through AddDepends/ipt.
212 define KernelPackage/ipt-conntrack-label
213 TITLE:=Module for handling connection tracking labels
214 KCONFIG:=$(KCONFIG_IPT_CONNTRACK_LABEL)
215 FILES:=$(foreach mod,$(IPT_CONNTRACK_LABEL-m),$(LINUX_DIR)/net/$(mod).ko)
216 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_LABEL-m)))
217 $(call AddDepends/ipt,+kmod-ipt-conntrack)
220 define KernelPackage/ipt-conntrack-label/description
221 Netfilter (IPv4) module for handling connection tracking labels
226 $(eval $(call KernelPackage,ipt-conntrack-label))
# ipt-filter: packet content inspection matches (IPT_FILTER-m). Besides
# kmod-ipt-core it pulls in kmod-lib-textsearch and kmod-ipt-conntrack;
# both are passed as one space-separated first argument, so AddDepends/ipt
# sees them both.
228 define KernelPackage/ipt-filter
229 TITLE:=Modules for packet content inspection
230 KCONFIG:=$(KCONFIG_IPT_FILTER)
231 FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko)
232 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FILTER-m)))
233 $(call AddDepends/ipt,+kmod-lib-textsearch +kmod-ipt-conntrack)
236 define KernelPackage/ipt-filter/description
237 Netfilter (IPv4) kernel modules for packet content inspection
243 $(eval $(call KernelPackage,ipt-filter))
# ipt-offload: iptables FLOWOFFLOAD target
# (CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD, modules from IPT_FLOW-m).
# Depends on kmod-ipt-core and kmod-nf-flow through AddDepends/ipt.
# NOTE(review): flows handed to the offload path generally stop traversing
# later forward-chain rules; place filtering and logging rules before the
# offload rule and confirm that behaviour on the target kernel.
246 define KernelPackage/ipt-offload
247 TITLE:=Netfilter routing/NAT offload support
248 KCONFIG:=CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD
249 FILES:=$(foreach mod,$(IPT_FLOW-m),$(LINUX_DIR)/net/$(mod).ko)
250 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FLOW-m)))
251 $(call AddDepends/ipt,+kmod-nf-flow)
254 $(eval $(call KernelPackage,ipt-offload))
# ipt-ipopt: matches/targets for IP packet options (IPT_IPOPT-m).
# AddDepends/ipt is called without an argument, so only +kmod-ipt-core is
# added to DEPENDS.
257 define KernelPackage/ipt-ipopt
258 TITLE:=Modules for matching/changing IP packet options
259 KCONFIG:=$(KCONFIG_IPT_IPOPT)
260 FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko)
261 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPOPT-m)))
262 $(call AddDepends/ipt)
265 define KernelPackage/ipt-ipopt/description
266 Netfilter (IPv4) modules for matching/changing IP packet options
281 $(eval $(call KernelPackage,ipt-ipopt))
# ipt-ipsec: matches for IPsec packets (IPT_IPSEC-m / KCONFIG_IPT_IPSEC).
# Only +kmod-ipt-core is added as a dependency.
284 define KernelPackage/ipt-ipsec
285 TITLE:=Modules for matching IPSec packets
286 KCONFIG:=$(KCONFIG_IPT_IPSEC)
287 FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko)
288 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPSEC-m)))
289 $(call AddDepends/ipt)
292 define KernelPackage/ipt-ipsec/description
293 Netfilter (IPv4) modules for matching IPSec packets
300 $(eval $(call KernelPackage,ipt-ipsec))
304 ipset/ip_set_bitmap_ip \
305 ipset/ip_set_bitmap_ipmac \
306 ipset/ip_set_bitmap_port \
307 ipset/ip_set_hash_ip \
308 ipset/ip_set_hash_ipmark \
309 ipset/ip_set_hash_ipport \
310 ipset/ip_set_hash_ipportip \
311 ipset/ip_set_hash_ipportnet \
312 ipset/ip_set_hash_mac \
313 ipset/ip_set_hash_netportnet \
314 ipset/ip_set_hash_net \
315 ipset/ip_set_hash_netnet \
316 ipset/ip_set_hash_netport \
317 ipset/ip_set_hash_netiface \
318 ipset/ip_set_list_set \
# ipt-ipset: IP set modules. FILES and AUTOLOAD both iterate IPSET_MODULES,
# whose assignment line is not visible in this listing (presumably the
# ipset/ip_set_* list directly above). Modules are loaded through AutoLoad
# with priority 49 rather than AutoProbe.
# The visible KCONFIG lines cap the number of sets at CONFIG_IP_SET_MAX=256,
# enable the xt_set match and the listed bitmap/hash/list set types, and
# force CONFIG_NET_EMATCH_IPSET off. DEPENDS selects kmod-ipt-core and
# kmod-nfnetlink.
321 define KernelPackage/ipt-ipset
322 SUBMENU:=Netfilter Extensions
323 TITLE:=IPset netfilter modules
324 DEPENDS+= +kmod-ipt-core +kmod-nfnetlink
327 CONFIG_IP_SET_MAX=256 \
328 CONFIG_NETFILTER_XT_SET \
329 CONFIG_IP_SET_BITMAP_IP \
330 CONFIG_IP_SET_BITMAP_IPMAC \
331 CONFIG_IP_SET_BITMAP_PORT \
332 CONFIG_IP_SET_HASH_IP \
333 CONFIG_IP_SET_HASH_IPMARK \
334 CONFIG_IP_SET_HASH_IPPORT \
335 CONFIG_IP_SET_HASH_IPPORTIP \
336 CONFIG_IP_SET_HASH_IPPORTNET \
337 CONFIG_IP_SET_HASH_MAC \
338 CONFIG_IP_SET_HASH_NET \
339 CONFIG_IP_SET_HASH_NETNET \
340 CONFIG_IP_SET_HASH_NETIFACE \
341 CONFIG_IP_SET_HASH_NETPORT \
342 CONFIG_IP_SET_HASH_NETPORTNET \
343 CONFIG_IP_SET_LIST_SET \
344 CONFIG_NET_EMATCH_IPSET=n
345 FILES:=$(foreach mod,$(IPSET_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko)
346 AUTOLOAD:=$(call AutoLoad,49,$(notdir $(IPSET_MODULES)))
348 $(eval $(call KernelPackage,ipt-ipset))
# nf-ipvs: IP Virtual Server (transport-layer load balancing) modules taken
# from IPVS_MODULES under net/netfilter; the IPVS_MODULES assignment is not
# visible in this listing. Only offered when IPV6 is enabled (@IPV6).
# The visible KCONFIG lines enable the TCP, UDP, AH/ESP and SCTP protocol
# handlers and conntrack integration (CONFIG_IP_VS_NFCT=y) and keep
# CONFIG_IP_VS_DEBUG off.
# NOTE(review): AddDepends/ipt reads only $(1), so the second argument
# (+kmod-nf-conntrack) in the call below is dropped. DEPENDS:= already lists
# it, and +kmod-ipt-conntrack ends up listed twice (presumably harmless).
# No AUTOLOAD line is visible here — confirm the modules are meant to be
# loaded on demand.
367 define KernelPackage/nf-ipvs
368 SUBMENU:=Netfilter Extensions
369 TITLE:=IP Virtual Server modules
370 DEPENDS:=@IPV6 +kmod-lib-crc32c +kmod-ipt-conntrack +kmod-nf-conntrack
373 CONFIG_IP_VS_IPV6=y \
374 CONFIG_IP_VS_DEBUG=n \
375 CONFIG_IP_VS_PROTO_TCP=y \
376 CONFIG_IP_VS_PROTO_UDP=y \
377 CONFIG_IP_VS_PROTO_AH_ESP=y \
378 CONFIG_IP_VS_PROTO_ESP=y \
379 CONFIG_IP_VS_PROTO_AH=y \
380 CONFIG_IP_VS_PROTO_SCTP=y \
381 CONFIG_IP_VS_TAB_BITS=12 \
394 CONFIG_IP_VS_SH_TAB_BITS=8 \
395 CONFIG_IP_VS_NFCT=y \
396 CONFIG_NETFILTER_XT_MATCH_IPVS
397 FILES:=$(foreach mod,$(IPVS_MODULES),$(LINUX_DIR)/net/netfilter/$(mod).ko)
398 $(call AddDepends/ipt,+kmod-ipt-conntrack,+kmod-nf-conntrack)
401 define KernelPackage/nf-ipvs/description
402 IPVS (IP Virtual Server) implements transport-layer load balancing inside
403 the Linux kernel so called Layer-4 switching.
406 $(eval $(call KernelPackage,nf-ipvs))
# nf-ipvs-ftp: FTP protocol helper for IPVS (ip_vs_ftp.ko, CONFIG_IP_VS_FTP).
# kmod-nf-ipvs is written without a leading '+', i.e. as a plain dependency
# rather than one that is selected automatically; kmod-nf-nat and
# kmod-nf-nathelper are selected. No AUTOLOAD line is visible.
# NOTE(review): per the description this helper tracks FTP connections and
# rewrites addresses in them, i.e. it processes application-layer data in
# the kernel. Include it only in images that actually balance FTP.
409 define KernelPackage/nf-ipvs-ftp
411 TITLE:=Virtual Server FTP protocol support
412 KCONFIG:=CONFIG_IP_VS_FTP
413 DEPENDS:=kmod-nf-ipvs +kmod-nf-nat +kmod-nf-nathelper
414 FILES:=$(LINUX_DIR)/net/netfilter/ipvs/ip_vs_ftp.ko
417 define KernelPackage/nf-ipvs-ftp/description
418 In the virtual server via Network Address Translation,
419 the IP address and port number of real servers cannot be sent to
420 clients in ftp connections directly, so FTP protocol helper is
421 required for tracking the connection and mangling it back to that of
425 $(eval $(call KernelPackage,nf-ipvs-ftp))
# nf-ipvs-sip: SIP persistence engine for IPVS (ip_vs_pe_sip.ko,
# CONFIG_IP_VS_PE_SIP). kmod-nf-ipvs is a plain (non-selecting) dependency;
# kmod-nf-nathelper-extra is selected. No AUTOLOAD line is visible.
428 define KernelPackage/nf-ipvs-sip
430 TITLE:=Virtual Server SIP protocol support
431 KCONFIG:=CONFIG_IP_VS_PE_SIP
432 DEPENDS:=kmod-nf-ipvs +kmod-nf-nathelper-extra
433 FILES:=$(LINUX_DIR)/net/netfilter/ipvs/ip_vs_pe_sip.ko
436 define KernelPackage/nf-ipvs-sip/description
437 Allow persistence based on the SIP Call-ID
440 $(eval $(call KernelPackage,nf-ipvs-sip))
# ipt-nat: basic iptables NAT targets (IPT_NAT-m / KCONFIG_IPT_NAT).
# Depends on kmod-ipt-core and kmod-nf-nat through AddDepends/ipt.
443 define KernelPackage/ipt-nat
444 TITLE:=Basic NAT targets
445 KCONFIG:=$(KCONFIG_IPT_NAT)
446 FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
447 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT-m)))
448 $(call AddDepends/ipt,+kmod-nf-nat)
451 define KernelPackage/ipt-nat/description
452 Netfilter (IPv4) kernel modules for basic NAT targets
457 $(eval $(call KernelPackage,ipt-nat))
# ipt-raw: IPv4 raw table (iptable_raw.ko, CONFIG_IP_NF_RAW). The module
# path and AutoProbe name are written out literally instead of coming from
# a *-m list. Only +kmod-ipt-core is added as a dependency.
460 define KernelPackage/ipt-raw
461 TITLE:=Netfilter IPv4 raw table support
462 KCONFIG:=CONFIG_IP_NF_RAW
463 FILES:=$(LINUX_DIR)/net/ipv4/netfilter/iptable_raw.ko
464 AUTOLOAD:=$(call AutoProbe,iptable_raw)
465 $(call AddDepends/ipt)
468 $(eval $(call KernelPackage,ipt-raw))
# ipt-raw6: IPv6 raw table (ip6table_raw.ko, CONFIG_IP6_NF_RAW).
# Depends on kmod-ipt-core and kmod-ip6tables through AddDepends/ipt.
471 define KernelPackage/ipt-raw6
472 TITLE:=Netfilter IPv6 raw table support
473 KCONFIG:=CONFIG_IP6_NF_RAW
474 FILES:=$(LINUX_DIR)/net/ipv6/netfilter/ip6table_raw.ko
475 AUTOLOAD:=$(call AutoProbe,ip6table_raw)
476 $(call AddDepends/ipt,+kmod-ip6tables)
479 $(eval $(call KernelPackage,ipt-raw6))
# ipt-nat6: IPv6 NAT targets (IPT_NAT6-m). Loaded through AutoLoad with
# priority 43, one step after the 42 used by ip6tables in this file.
# AddDepends/ipt is invoked four times, once per extra dependency; each
# call appends +kmod-ipt-core again, so DEPENDS carries it repeatedly
# (presumably harmless — a single call with all four names would be
# equivalent).
482 define KernelPackage/ipt-nat6
483 TITLE:=IPv6 NAT targets
484 KCONFIG:=$(KCONFIG_IPT_NAT6)
485 FILES:=$(foreach mod,$(IPT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
486 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT6-m)))
487 $(call AddDepends/ipt,+kmod-nf-nat6)
488 $(call AddDepends/ipt,+kmod-ipt-conntrack)
489 $(call AddDepends/ipt,+kmod-ipt-nat)
490 $(call AddDepends/ipt,+kmod-ip6tables)
493 define KernelPackage/ipt-nat6/description
494 Netfilter (IPv6) kernel modules for NAT targets
497 $(eval $(call KernelPackage,ipt-nat6))
# ipt-nat-extra: additional NAT targets (IPT_NAT_EXTRA-m).
# Depends on kmod-ipt-core and kmod-ipt-nat through AddDepends/ipt.
500 define KernelPackage/ipt-nat-extra
501 TITLE:=Extra NAT targets
502 KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA)
503 FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
504 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT_EXTRA-m)))
505 $(call AddDepends/ipt,+kmod-ipt-nat)
508 define KernelPackage/ipt-nat-extra/description
509 Netfilter (IPv4) kernel modules for extra NAT targets
515 $(eval $(call KernelPackage,ipt-nat-extra))
# nf-nathelper: default conntrack/NAT helper modules (NF_NATHELPER-m);
# selects kmod-nf-nat. AutoProbe registers every helper in the list.
# NOTE(review): conntrack helpers parse application payloads and create
# expectations for related connections. Which helpers NF_NATHELPER-m
# contains is not shown in this file. On the firewall side, prefer assigning
# helpers explicitly to the flows that need them over automatic assignment —
# confirm against the target kernel's defaults.
518 define KernelPackage/nf-nathelper
520 TITLE:=Basic Conntrack and NAT helpers
521 KCONFIG:=$(KCONFIG_NF_NATHELPER)
522 FILES:=$(foreach mod,$(NF_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko)
523 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER-m)))
524 DEPENDS:=+kmod-nf-nat
527 define KernelPackage/nf-nathelper/description
528 Default Netfilter (IPv4) Conntrack and NAT helpers
533 $(eval $(call KernelPackage,nf-nathelper))
# nf-nathelper-extra: additional conntrack/NAT helper modules
# (NF_NATHELPER_EXTRA-m); selects kmod-nf-nat and kmod-lib-textsearch.
# NOTE(review): every helper shipped here is in-kernel protocol parsing
# that AutoProbe loads at boot. The helper list is not shown in this file;
# trim the image to the helpers a deployment actually uses.
536 define KernelPackage/nf-nathelper-extra
538 TITLE:=Extra Conntrack and NAT helpers
539 KCONFIG:=$(KCONFIG_NF_NATHELPER_EXTRA)
540 FILES:=$(foreach mod,$(NF_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
541 AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_NATHELPER_EXTRA-m)))
542 DEPENDS:=+kmod-nf-nat +kmod-lib-textsearch
545 define KernelPackage/nf-nathelper-extra/description
546 Extra Netfilter (IPv4) Conntrack and NAT helpers
560 $(eval $(call KernelPackage,nf-nathelper-extra))
# ipt-ulog: user-space packet logging module(s) from IPT_ULOG-m.
# Only +kmod-ipt-core is added as a dependency.
# NOTE(review): TITLE is identical to the one used by ipt-nflog, so the two
# packages cannot be told apart by title in the package menu.
563 define KernelPackage/ipt-ulog
564 TITLE:=Module for user-space packet logging
565 KCONFIG:=$(KCONFIG_IPT_ULOG)
566 FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
567 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_ULOG-m)))
568 $(call AddDepends/ipt)
571 define KernelPackage/ipt-ulog/description
572 Netfilter (IPv4) module for user-space packet logging
577 $(eval $(call KernelPackage,ipt-ulog))
# ipt-nflog: user-space packet logging over nfnetlink (IPT_NFLOG-m).
# Depends on kmod-ipt-core and kmod-nfnetlink-log through AddDepends/ipt.
# NOTE(review): TITLE is identical to the one used by ipt-ulog.
580 define KernelPackage/ipt-nflog
581 TITLE:=Module for user-space packet logging
582 KCONFIG:=$(KCONFIG_IPT_NFLOG)
583 FILES:=$(foreach mod,$(IPT_NFLOG-m),$(LINUX_DIR)/net/$(mod).ko)
584 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFLOG-m)))
585 $(call AddDepends/ipt,+kmod-nfnetlink-log)
588 define KernelPackage/ipt-nflog/description
589 Netfilter module for user-space packet logging
594 $(eval $(call KernelPackage,ipt-nflog))
# ipt-nfqueue: user-space packet queuing (IPT_NFQUEUE-m).
# Depends on kmod-ipt-core and kmod-nfnetlink-queue through AddDepends/ipt.
# NOTE(review): with queuing, the verdict on a packet comes from a
# user-space program. What happens to queued traffic when no consumer is
# attached depends on how the rule is written — check that failure mode
# when this package is part of a filtering path.
597 define KernelPackage/ipt-nfqueue
598 TITLE:=Module for user-space packet queuing
599 KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
600 FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
601 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
602 $(call AddDepends/ipt,+kmod-nfnetlink-queue)
605 define KernelPackage/ipt-nfqueue/description
606 Netfilter module for user-space packet queuing
611 $(eval $(call KernelPackage,ipt-nfqueue))
# ipt-debug: firewall debugging/development modules (IPT_DEBUG-m).
# Depends on kmod-ipt-core and kmod-ipt-raw; kmod-ipt-raw6 is added only
# when IPV6 is enabled (+IPV6: prefix).
# NOTE(review): TITLE and description mark this as a development aid; it
# is AutoProbe-loaded like every other package here, so leave it out of
# production images unless rule tracing is needed.
614 define KernelPackage/ipt-debug
615 TITLE:=Module for debugging/development
616 KCONFIG:=$(KCONFIG_IPT_DEBUG)
617 FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
618 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m)))
619 $(call AddDepends/ipt,+kmod-ipt-raw +IPV6:kmod-ipt-raw6)
622 define KernelPackage/ipt-debug/description
623 Netfilter modules for debugging/development of the firewall
628 $(eval $(call KernelPackage,ipt-debug))
# ipt-led: target that triggers an LED when a rule matches (IPT_LED-m).
# Only +kmod-ipt-core is added as a dependency.
631 define KernelPackage/ipt-led
632 TITLE:=Module to trigger a LED with a Netfilter rule
633 KCONFIG:=$(KCONFIG_IPT_LED)
634 FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko)
635 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_LED-m)))
636 $(call AddDepends/ipt)
639 define KernelPackage/ipt-led/description
640 Netfilter target to trigger a LED when a network packet is matched.
643 $(eval $(call KernelPackage,ipt-led))
# ipt-tproxy: transparent proxying (socket match and TPROXY target, modules
# from IPT_TPROXY-m). DEPENDS is appended to with +=: kmod-ipt-conntrack
# always, kmod-nf-conntrack6 and kmod-ip6tables only when IPV6 is enabled;
# AddDepends/ipt then adds +kmod-ipt-core. The lines that open the KCONFIG
# and FILES lists are not visible in this listing.
645 define KernelPackage/ipt-tproxy
646 TITLE:=Transparent proxying support
647 DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables
649 CONFIG_NETFILTER_XT_MATCH_SOCKET \
650 CONFIG_NETFILTER_XT_TARGET_TPROXY
652 $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
653 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_TPROXY-m)))
654 $(call AddDepends/ipt)
657 define KernelPackage/ipt-tproxy/description
658 Kernel modules for Transparent Proxying
661 $(eval $(call KernelPackage,ipt-tproxy))
# ipt-tee: TEE target (CONFIG_NETFILTER_XT_TARGET_TEE). Ships xt_TEE.ko
# plus whatever IPT_TEE-m lists; selects kmod-ipt-conntrack and, through
# AddDepends/ipt, kmod-ipt-core. The TITLE line and the lines opening the
# KCONFIG and FILES lists are not visible in this listing.
# NOTE(review): AutoProbe is given the literal name nf_tee, which is not
# among the files listed here, while xt_TEE (which is shipped) is not named
# unless IPT_TEE-m contains it — confirm the probe list matches FILES.
663 define KernelPackage/ipt-tee
665 DEPENDS:=+kmod-ipt-conntrack
667 CONFIG_NETFILTER_XT_TARGET_TEE
669 $(LINUX_DIR)/net/netfilter/xt_TEE.ko \
670 $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko)
671 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_TEE-m)))
672 $(call AddDepends/ipt)
675 define KernelPackage/ipt-tee/description
676 Kernel modules for TEE
679 $(eval $(call KernelPackage,ipt-tee))
# ipt-u32: u32 match (CONFIG_NETFILTER_XT_MATCH_U32). Ships xt_u32.ko plus
# whatever IPT_U32-m lists; only +kmod-ipt-core is added as a dependency.
# The TITLE line and the lines opening the KCONFIG and FILES lists are not
# visible in this listing.
# NOTE(review): the AutoProbe list names nf_tee, the same literal used by
# ipt-tee, although nothing TEE-related is shipped by this package. This
# looks like a copy-paste leftover; if so the call would reduce to
# $(notdir $(IPT_U32-m)) — confirm before changing.
682 define KernelPackage/ipt-u32
685 CONFIG_NETFILTER_XT_MATCH_U32
687 $(LINUX_DIR)/net/netfilter/xt_u32.ko \
688 $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko)
689 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_U32-m)))
690 $(call AddDepends/ipt)
693 define KernelPackage/ipt-u32/description
694 Kernel modules for U32
697 $(eval $(call KernelPackage,ipt-u32))
# ipt-checksum: CHECKSUM target (CONFIG_NETFILTER_XT_TARGET_CHECKSUM).
# Ships xt_CHECKSUM.ko plus whatever IPT_CHECKSUM-m lists, but AutoProbe is
# given only the IPT_CHECKSUM-m names. Only +kmod-ipt-core is added as a
# dependency. The lines opening the KCONFIG and FILES lists are not visible.
699 define KernelPackage/ipt-checksum
700 TITLE:=CHECKSUM support
702 CONFIG_NETFILTER_XT_TARGET_CHECKSUM
704 $(LINUX_DIR)/net/netfilter/xt_CHECKSUM.ko \
705 $(foreach mod,$(IPT_CHECKSUM-m),$(LINUX_DIR)/net/$(mod).ko)
706 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CHECKSUM-m)))
707 $(call AddDepends/ipt)
710 define KernelPackage/ipt-checksum/description
711 Kernel modules for CHECKSUM fillin target
714 $(eval $(call KernelPackage,ipt-checksum))
# ipt-iprange: match on IP address ranges (IPT_IPRANGE-m).
# Only +kmod-ipt-core is added as a dependency.
717 define KernelPackage/ipt-iprange
718 TITLE:=Module for matching ip ranges
719 KCONFIG:=$(KCONFIG_IPT_IPRANGE)
720 FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko)
721 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPRANGE-m)))
722 $(call AddDepends/ipt)
725 define KernelPackage/ipt-iprange/description
726 Netfilter (IPv4) module for matching ip ranges
731 $(eval $(call KernelPackage,ipt-iprange))
# ipt-cluster: cluster match (IPT_CLUSTER-m) for IPv4 and IPv6.
# Depends on kmod-ipt-core and kmod-nf-conntrack through AddDepends/ipt.
# Per the description every node sees every packet and the match decides
# which node handles it; the user-space side is iptables-mod-cluster.
733 define KernelPackage/ipt-cluster
734 TITLE:=Module for matching cluster
735 KCONFIG:=$(KCONFIG_IPT_CLUSTER)
736 FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko)
737 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m)))
738 $(call AddDepends/ipt,+kmod-nf-conntrack)
741 define KernelPackage/ipt-cluster/description
742 Netfilter (IPv4/IPv6) module for matching cluster
743 This option allows you to build work-load-sharing clusters of
744 network servers/stateful firewalls without having a dedicated
745 load-balancing router/server/switch. Basically, this match returns
746 true when the packet must be handled by this cluster node. Thus,
747 all nodes see all packets and this match decides which node handles
748 what packets. The work-load sharing algorithm is based on source
751 This module is usable for ipv4 and ipv6.
753 To use it also enable iptables-mod-cluster
755 see `iptables -m cluster --help` for more information.
758 $(eval $(call KernelPackage,ipt-cluster))
# ipt-clusterip: IPv4-only CLUSTERIP target (IPT_CLUSTERIP-m).
# Depends on kmod-ipt-core and kmod-nf-conntrack through AddDepends/ipt;
# the user-space side is iptables-mod-clusterip.
760 define KernelPackage/ipt-clusterip
761 TITLE:=Module for CLUSTERIP
762 KCONFIG:=$(KCONFIG_IPT_CLUSTERIP)
763 FILES:=$(foreach mod,$(IPT_CLUSTERIP-m),$(LINUX_DIR)/net/$(mod).ko)
764 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTERIP-m)))
765 $(call AddDepends/ipt,+kmod-nf-conntrack)
768 define KernelPackage/ipt-clusterip/description
769 Netfilter (IPv4-only) module for CLUSTERIP
770 The CLUSTERIP target allows you to build load-balancing clusters of
771 network servers without having a dedicated load-balancing
772 router/server/switch.
774 To use it also enable iptables-mod-clusterip
776 see `iptables -j CLUSTERIP --help` for more information.
779 $(eval $(call KernelPackage,ipt-clusterip))
# ipt-extra: remaining IPv4 netfilter modules (IPT_EXTRA-m); the list is
# not shown in this file. Only +kmod-ipt-core is added as a dependency.
# No TITLE line is visible in this listing.
782 define KernelPackage/ipt-extra
784 KCONFIG:=$(KCONFIG_IPT_EXTRA)
785 FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
786 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
787 $(call AddDepends/ipt)
790 define KernelPackage/ipt-extra/description
791 Other Netfilter (IPv4) kernel modules
799 $(eval $(call KernelPackage,ipt-extra))
# ipt-physdev: physdev match (IPT_PHYSDEV-m). Depends on kmod-ipt-core and
# kmod-br-netfilter through AddDepends/ipt, so selecting it also brings in
# bridge netfilter and the sysctl file that package installs.
802 define KernelPackage/ipt-physdev
803 TITLE:=physdev module
804 KCONFIG:=$(KCONFIG_IPT_PHYSDEV)
805 FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko)
806 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m)))
807 $(call AddDepends/ipt,+kmod-br-netfilter)
810 define KernelPackage/ipt-physdev/description
811 The iptables physdev kernel module
814 $(eval $(call KernelPackage,ipt-physdev))
# ip6tables: IPv6 firewalling modules (IPT_IPV6-m / KCONFIG_IPT_IPV6).
# Selects kmod-nf-reject6, kmod-nf-ipt6 and kmod-ipt-core. Loaded through
# AutoLoad with priority 42. No TITLE line is visible in this listing.
817 define KernelPackage/ip6tables
820 DEPENDS:=+kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core
821 KCONFIG:=$(KCONFIG_IPT_IPV6)
822 FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
823 AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m)))
826 define KernelPackage/ip6tables/description
827 Netfilter IPv6 firewalling support
830 $(eval $(call KernelPackage,ip6tables))
# ip6tables-extra: extra IPv6 header matches (IPT_IPV6_EXTRA-m); selects
# kmod-ip6tables. Loaded through AutoLoad with priority 43, one step after
# the 42 used by ip6tables.
832 define KernelPackage/ip6tables-extra
834 TITLE:=Extra IPv6 modules
835 DEPENDS:=+kmod-ip6tables
836 KCONFIG:=$(KCONFIG_IPT_IPV6_EXTRA)
837 FILES:=$(foreach mod,$(IPT_IPV6_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
838 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_IPV6_EXTRA-m)))
841 define KernelPackage/ip6tables-extra/description
842 Netfilter IPv6 extra header matching modules
845 $(eval $(call KernelPackage,ip6tables-extra))
# arptables: ARP firewalling. ARP_MODULES (recursively expanded '=') names
# the three modules handed to AutoProbe; selects kmod-ipt-core.
# NOTE(review): FILES uses the glob arp*.ko, so the package ships whatever
# matches in net/ipv4/netfilter, while AUTOLOAD uses the explicit
# ARP_MODULES list. If the kernel builds another arp*.ko the two diverge —
# deriving FILES from ARP_MODULES would keep them in step.
847 ARP_MODULES = arp_tables arpt_mangle arptable_filter
848 define KernelPackage/arptables
850 TITLE:=ARP firewalling modules
851 DEPENDS:=+kmod-ipt-core
852 FILES:=$(LINUX_DIR)/net/ipv4/netfilter/arp*.ko
853 KCONFIG:=CONFIG_IP_NF_ARPTABLES \
854 CONFIG_IP_NF_ARPFILTER \
855 CONFIG_IP_NF_ARP_MANGLE
856 AUTOLOAD:=$(call AutoProbe,$(ARP_MODULES))
859 define KernelPackage/arptables/description
860 Kernel modules for ARP firewalling
863 $(eval $(call KernelPackage,arptables))
# br-netfilter: bridge netfilter support (br_netfilter.ko,
# CONFIG_BRIDGE_NETFILTER); selects kmod-ipt-core. The install hook copies
# ./files/sysctl-br-netfilter.conf into the package root $(1) as
# /etc/sysctl.d/11-br-netfilter.conf.
# NOTE(review): once br_netfilter is loaded, whether bridged frames are
# passed to iptables/ip6tables/arptables is governed by the
# net.bridge.bridge-nf-call-* sysctls. The shipped sysctl file is not part
# of this listing; review its values, since they decide whether bridged
# traffic is filtered at all — confirm contents.
866 define KernelPackage/br-netfilter
868 TITLE:=Bridge netfilter support modules
869 DEPENDS:=+kmod-ipt-core
870 FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko
871 KCONFIG:=CONFIG_BRIDGE_NETFILTER
872 AUTOLOAD:=$(call AutoProbe,br_netfilter)
875 define KernelPackage/br-netfilter/install
876 $(INSTALL_DIR) $(1)/etc/sysctl.d
877 $(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
880 $(eval $(call KernelPackage,br-netfilter))
# ebtables: bridge firewalling modules (EBTABLES-m / KCONFIG_EBTABLES);
# selects kmod-ipt-core. The ebtables-* packages below depend on it through
# AddDepends/ebtables.
883 define KernelPackage/ebtables
885 TITLE:=Bridge firewalling modules
886 DEPENDS:=+kmod-ipt-core
887 FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
888 KCONFIG:=$(KCONFIG_EBTABLES)
889 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
892 define KernelPackage/ebtables/description
893 ebtables is a general, extensible frame/packet identification
894 framework. It provides you to do Ethernet
895 filtering/NAT/brouting on the Ethernet bridge.
898 $(eval $(call KernelPackage,ebtables))
# AddDepends/ebtables: helper expanded inside package definitions. Appends
# +kmod-ebtables plus the caller's first argument to DEPENDS; only $(1) is
# read.
901 define AddDepends/ebtables
903 DEPENDS+= +kmod-ebtables $(1)
# ebtables-ipv4: IPv4/ARP field filtering and SNAT/DNAT targets for
# ebtables (EBTABLES_IP4-m). Only +kmod-ebtables is added as a dependency.
907 define KernelPackage/ebtables-ipv4
908 TITLE:=ebtables: IPv4 support
909 FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko)
910 KCONFIG:=$(KCONFIG_EBTABLES_IP4)
911 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP4-m)))
912 $(call AddDepends/ebtables)
915 define KernelPackage/ebtables-ipv4/description
916 This option adds the IPv4 support to ebtables, which allows basic
917 IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
920 $(eval $(call KernelPackage,ebtables-ipv4))
# ebtables-ipv6: IPv6 header field filtering and targets for ebtables
# (EBTABLES_IP6-m). Only +kmod-ebtables is added as a dependency; no @IPV6
# guard is visible on this package.
923 define KernelPackage/ebtables-ipv6
924 TITLE:=ebtables: IPv6 support
925 FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko)
926 KCONFIG:=$(KCONFIG_EBTABLES_IP6)
927 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP6-m)))
928 $(call AddDepends/ebtables)
931 define KernelPackage/ebtables-ipv6/description
932 This option adds the IPv6 support to ebtables, which allows basic
933 IPv6 header field filtering and target support.
936 $(eval $(call KernelPackage,ebtables-ipv6))
# ebtables-watchers: log watchers usable from any ebtables rule
# (EBTABLES_WATCHERS-m). Only +kmod-ebtables is added as a dependency.
939 define KernelPackage/ebtables-watchers
940 TITLE:=ebtables: watchers support
941 FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko)
942 KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS)
943 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_WATCHERS-m)))
944 $(call AddDepends/ebtables)
947 define KernelPackage/ebtables-watchers/description
948 This option adds the log watchers, that you can use in any rule
949 in any ebtables table.
952 $(eval $(call KernelPackage,ebtables-watchers))
# nfnetlink: netlink-based user-space interface to netfilter
# (NFNETLINK-m / KCONFIG_NFNETLINK). No DEPENDS line is visible; the
# nfnetlink-* packages below depend on it through AddDepends/nfnetlink.
955 define KernelPackage/nfnetlink
957 TITLE:=Netlink-based userspace interface
958 FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
959 KCONFIG:=$(KCONFIG_NFNETLINK)
960 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))
963 define KernelPackage/nfnetlink/description
964 Kernel modules support for a netlink-based userspace interface
967 $(eval $(call KernelPackage,nfnetlink))
# AddDepends/nfnetlink: helper expanded inside package definitions. Appends
# +kmod-nfnetlink plus the caller's first argument to DEPENDS; only $(1) is
# read.
970 define AddDepends/nfnetlink
972 DEPENDS+=+kmod-nfnetlink $(1)
# nfnetlink-log: packet logging over nfnetlink (NFNETLINK_LOG-m).
# Only +kmod-nfnetlink is added as a dependency.
976 define KernelPackage/nfnetlink-log
977 TITLE:=Netfilter LOG over NFNETLINK interface
978 FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
979 KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
980 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))
981 $(call AddDepends/nfnetlink)
984 define KernelPackage/nfnetlink-log/description
985 Kernel modules support for logging packets via NFNETLINK
990 $(eval $(call KernelPackage,nfnetlink-log))
# nfnetlink-queue: packet queuing to user space over nfnetlink
# (NFNETLINK_QUEUE-m). Only +kmod-nfnetlink is added as a dependency.
993 define KernelPackage/nfnetlink-queue
994 TITLE:=Netfilter QUEUE over NFNETLINK interface
995 FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
996 KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
997 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_QUEUE-m)))
998 $(call AddDepends/nfnetlink)
1001 define KernelPackage/nfnetlink-queue/description
1002 Kernel modules support for queueing packets via NFNETLINK
1007 $(eval $(call KernelPackage,nfnetlink-queue))
# nf-conntrack-netlink: netlink interface to the connection tracking table
# (nf_conntrack_netlink.ko). Enables CONFIG_NF_CT_NETLINK and forces
# CONFIG_NF_CONNTRACK_EVENTS=y. Depends on kmod-nfnetlink and
# kmod-ipt-conntrack through AddDepends/nfnetlink.
1010 define KernelPackage/nf-conntrack-netlink
1011 TITLE:=Connection tracking netlink interface
1012 FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko
1013 KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y
1014 AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink)
1015 $(call AddDepends/nfnetlink,+kmod-ipt-conntrack)
1018 define KernelPackage/nf-conntrack-netlink/description
1019 Kernel modules support for a netlink-based connection tracking
1023 $(eval $(call KernelPackage,nf-conntrack-netlink))
# ipt-hashlimit: hashlimit match (xt_hashlimit.ko / KCONFIG_IPT_HASHLIMIT);
# selects kmod-ipt-core directly through DEPENDS.
# NOTE(review): the body calls KernelPackage/ipt, for which no definition
# is visible in this listing; every other ipt-* package calls
# AddDepends/ipt instead. If the name is undefined the call expands to
# nothing, which DEPENDS:= above would mask — confirm which helper was
# intended.
1025 define KernelPackage/ipt-hashlimit
1027 TITLE:=Netfilter hashlimit match
1028 DEPENDS:=+kmod-ipt-core
1029 KCONFIG:=$(KCONFIG_IPT_HASHLIMIT)
1030 FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko
1031 AUTOLOAD:=$(call AutoProbe,xt_hashlimit)
1032 $(call KernelPackage/ipt)
1035 define KernelPackage/ipt-hashlimit/description
1036 Kernel modules support for the hashlimit bucket match module
1039 $(eval $(call KernelPackage,ipt-hashlimit))
# ipt-rpfilter: rpfilter match for IPv4 and IPv6 (ipt_rpfilter.ko,
# ip6t_rpfilter.ko); selects kmod-ipt-core directly through DEPENDS.
# The two FILES paths end in a closing parenthesis whose opening call sits
# on a line that is not visible in this listing.
# NOTE(review): the body calls KernelPackage/ipt, for which no definition
# is visible here; other ipt-* packages call AddDepends/ipt — confirm which
# helper was intended. rpfilter is typically used for reverse-path
# (anti-spoofing) checks, so verify that both modules load on the target.
1041 define KernelPackage/ipt-rpfilter
1043 TITLE:=Netfilter rpfilter match
1044 DEPENDS:=+kmod-ipt-core
1045 KCONFIG:=$(KCONFIG_IPT_RPFILTER)
1047 $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \
1048 $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko)
1049 AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter)
1050 $(call KernelPackage/ipt)
1053 define KernelPackage/ipt-rpfilter/description
1054 Kernel modules support for the Netfilter rpfilter match
1057 $(eval $(call KernelPackage,ipt-rpfilter))
# nft-core: nf_tables core modules (NFT_CORE-m). Selects kmod-nfnetlink,
# kmod-nf-reject, kmod-nf-reject6 and kmod-nf-conntrack6. The visible
# KCONFIG lines force CONFIG_NFT_COMPAT and CONFIG_NFT_QUEUE off; the line
# opening that list and whatever follows the last continuation are not
# visible in this listing.
1060 define KernelPackage/nft-core
1062 TITLE:=Netfilter nf_tables support
1063 DEPENDS:=+kmod-nfnetlink +kmod-nf-reject +kmod-nf-reject6 +kmod-nf-conntrack6
1064 FILES:=$(foreach mod,$(NFT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
1065 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_CORE-m)))
1067 CONFIG_NFT_COMPAT=n \
1068 CONFIG_NFT_QUEUE=n \
1072 define KernelPackage/nft-core/description
1073 Kernel module support for nftables
1076 $(eval $(call KernelPackage,nft-core))
# nft-arp: nf_tables ARP table support (NFT_ARP-m / KCONFIG_NFT_ARP);
# selects kmod-nft-core.
1079 define KernelPackage/nft-arp
1081 TITLE:=Netfilter nf_tables ARP table support
1082 DEPENDS:=+kmod-nft-core
1083 FILES:=$(foreach mod,$(NFT_ARP-m),$(LINUX_DIR)/net/$(mod).ko)
1084 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_ARP-m)))
1085 KCONFIG:=$(KCONFIG_NFT_ARP)
1088 $(eval $(call KernelPackage,nft-arp))
# nft-bridge: nf_tables bridge table support (NFT_BRIDGE-m); selects
# kmod-nft-core. The visible KCONFIG lines force CONFIG_NF_LOG_BRIDGE off
# and append $(KCONFIG_NFT_BRIDGE); the line opening the list is not
# visible in this listing.
1091 define KernelPackage/nft-bridge
1093 TITLE:=Netfilter nf_tables bridge table support
1094 DEPENDS:=+kmod-nft-core
1095 FILES:=$(foreach mod,$(NFT_BRIDGE-m),$(LINUX_DIR)/net/$(mod).ko)
1096 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_BRIDGE-m)))
1098 CONFIG_NF_LOG_BRIDGE=n \
1099 $(KCONFIG_NFT_BRIDGE)
1102 $(eval $(call KernelPackage,nft-bridge))
# nft-nat: nf_tables NAT support (NFT_NAT-m / KCONFIG_NFT_NAT); selects
# kmod-nft-core and kmod-nf-nat.
1105 define KernelPackage/nft-nat
1107 TITLE:=Netfilter nf_tables NAT support
1108 DEPENDS:=+kmod-nft-core +kmod-nf-nat
1109 FILES:=$(foreach mod,$(NFT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
1110 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT-m)))
1111 KCONFIG:=$(KCONFIG_NFT_NAT)
1114 $(eval $(call KernelPackage,nft-nat))
# nft-offload: nf_tables flow offload. Ships the inet/IPv4/IPv6 flowtable
# modules and nft_flow_offload.ko and probes all four; selects kmod-nf-flow
# and kmod-nft-nat. The lines opening the KCONFIG and FILES lists are not
# visible in this listing.
# NOTE(review): offloaded flows take a fast path and generally stop
# traversing the forward chain, so rules evaluated after the offload
# statement, and rule changes made while a flow is offloaded, may not
# affect that flow — confirm the ruleset filters before it offloads.
1117 define KernelPackage/nft-offload
1119 TITLE:=Netfilter nf_tables routing/NAT offload support
1120 DEPENDS:=+kmod-nf-flow +kmod-nft-nat
1122 CONFIG_NF_FLOW_TABLE_INET \
1123 CONFIG_NF_FLOW_TABLE_IPV4 \
1124 CONFIG_NF_FLOW_TABLE_IPV6 \
1125 CONFIG_NFT_FLOW_OFFLOAD
1127 $(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \
1128 $(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \
1129 $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \
1130 $(LINUX_DIR)/net/netfilter/nft_flow_offload.ko
1131 AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload)
1134 $(eval $(call KernelPackage,nft-offload))
# nft-nat6: nf_tables IPv6 NAT support (NFT_NAT6-m / KCONFIG_NFT_NAT6);
# selects kmod-nft-nat and kmod-nf-nat6.
1137 define KernelPackage/nft-nat6
1139 TITLE:=Netfilter nf_tables IPv6-NAT support
1140 DEPENDS:=+kmod-nft-nat +kmod-nf-nat6
1141 FILES:=$(foreach mod,$(NFT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
1142 AUTOLOAD:=$(call AutoProbe,$(notdir $(NFT_NAT6-m)))
1143 KCONFIG:=$(KCONFIG_NFT_NAT6)
1146 $(eval $(call KernelPackage,nft-nat6))
# nft-netdev: nf_tables netdev family support. Forces
# CONFIG_NETFILTER_INGRESS=y, enables the netdev table plus the dup/fwd
# netdev options, ships the four matching modules and probes all of them;
# selects kmod-nft-core. The lines opening the KCONFIG and FILES lists are
# not visible in this listing.
1148 define KernelPackage/nft-netdev
1150 TITLE:=Netfilter nf_tables netdev support
1151 DEPENDS:=+kmod-nft-core
1153 CONFIG_NETFILTER_INGRESS=y \
1154 CONFIG_NF_TABLES_NETDEV \
1155 CONFIG_NF_DUP_NETDEV \
1156 CONFIG_NFT_DUP_NETDEV \
1157 CONFIG_NFT_FWD_NETDEV
1159 $(LINUX_DIR)/net/netfilter/nf_tables_netdev.ko \
1160 $(LINUX_DIR)/net/netfilter/nf_dup_netdev.ko \
1161 $(LINUX_DIR)/net/netfilter/nft_dup_netdev.ko \
1162 $(LINUX_DIR)/net/netfilter/nft_fwd_netdev.ko
1163 AUTOLOAD:=$(call AutoProbe,nf_tables_netdev nf_dup_netdev nft_dup_netdev nft_fwd_netdev)
1166 $(eval $(call KernelPackage,nft-netdev))