From: Nicolas Thill
Date: Fri, 11 Nov 2005 03:41:43 +0000 (+0000)
Subject: prepare for iptables split, build ipt_LOG and ipt_tcpmss as modules, add a kmod-ipt...
X-Git-Tag: whiterussian_rc4~56
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=dab39fb7a97d5c44b29d898def1330c3ab9b68bc;p=openwrt%2Fsvn-archive%2Fopenwrt.git
prepare for iptables split, build ipt_LOG and ipt_tcpmss as modules, add a kmod-ipt-ulog package
SVN-Revision: 2411
---
diff --git a/openwrt/target/linux/Config.in b/openwrt/target/linux/Config.in
index 694ab1a080..d7d49e530c 100644
--- a/openwrt/target/linux/Config.in
+++ b/openwrt/target/linux/Config.in
@@ -54,69 +54,122 @@ config BR2_PACKAGE_KMOD_EBT help Kernel modules for bridge firewalling -config BR2_PACKAGE_KMOD_IPTABLES_V4_EXTRA - tristate "Extra modules for iptables" +config BR2_PACKAGE_KMOD_IPTABLES_EXTRA + tristate "Extra Netfilter modules for IPv4 firewalling (meta-package)" default m - select BR2_PACKAGE_KMOD_NAT_EXTRA - select BR2_PACKAGE_KMOD_QUEUE - select BR2_PACKAGE_KMOD_IPT_IPSEC - select BR2_PACKAGE_KMOD_IPT_IPOPT select BR2_PACKAGE_KMOD_IPT_CONNTRACK select BR2_PACKAGE_KMOD_IPT_FILTER + select BR2_PACKAGE_KMOD_IPT_IPOPT + select BR2_PACKAGE_KMOD_IPT_IPSEC select BR2_PACKAGE_KMOD_IPT_NAT + select BR2_PACKAGE_KMOD_IPT_NAT_EXTRA + select BR2_PACKAGE_KMOD_IPT_QUEUE + select BR2_PACKAGE_KMOD_IPT_ULOG select BR2_PACKAGE_KMOD_IPT_EXTRA help - Extra kernel modules for IPv4 firewalling (metapackage) + Extra Netfilter kernel modules for IPv4 firewalling (meta-package) + +config BR2_PACKAGE_KMOD_IPT_CONNTRACK + tristate "Netfilter modules for connection tracking" + default m + help + Netfilter (IPv4) kernel modules for connection tracking + + Includes: + * ipt_conntrack + * ipt_helper + * ipt_connmark/CONNMARK -config BR2_PACKAGE_KMOD_NAT_EXTRA - tristate "Extra NAT modules for iptables" +config BR2_PACKAGE_KMOD_IPT_FILTER + tristate "Netfilter modules for packet content inspection" default m help - Extra NAT kernel modules for special protocols + Netfilter (IPv4) kernel modules for packet content inspection + + Includes: + * ipt_ipp2p + * ipt_layer7 -config BR2_PACKAGE_KMOD_QUEUE - tristate "iptables module for user-space queueing" +config BR2_PACKAGE_KMOD_IPT_IPOPT + tristate "Netfilter modules for matching/changing IP packet options" default m help - iptables module for user-space queueing + Netfilter (IPv4) kernel modules for matching/changing IP packet options + + Includes: + * ipt_dscp/DSCP + * ipt_ecn/ECN + * ipt_length + * ipt_mac + * ipt_tos/TOS + * ipt_tcpmms + * ipt_ttl/TTL + * ipt_unclean config BR2_PACKAGE_KMOD_IPT_IPSEC - tristate "Extra 
iptables modules for matching IPSec" + tristate "Netfilter modules for matching IPsec packets" default m help - Extra iptables modules for matching special IPSec packets + Netfilter (IPv4) kernel modules for matching IPsec packets + + Includes: + * ipt_ah + * ipt_esp -config BR2_PACKAGE_KMOD_IPT_IPOPT - tristate "Extra iptables modules for matching IP packet options" +config BR2_PACKAGE_KMOD_IPT_NAT + tristate "Netfilter modules for different NAT targets" default m help - Extra iptables modules for matching IP packet options + Netfilter (IPv4) kernel modules for different NAT targets -config BR2_PACKAGE_KMOD_IPT_CONNTRACK - tristate "Extra iptables modules for conntrack matching" + Includes: + * ipt_REDIRECT + +config BR2_PACKAGE_KMOD_IPT_NAT_EXTRA + tristate "Extra Netfilter NAT modules for special protocols" default m help - Extra iptables modules for matching conntrack states/options + Extra Netfilter (IPv4) NAT kernel modules for special protocols + + Includes: + * ip_conntrack_amanda + * ip_conntrack_proto_gre + * ip_nat_proto_gre + * ip_conntrack_pptp + * ip_nat_pptp + * ip_nat_snmp_basic + * ip_conntrack_tftp -config BR2_PACKAGE_KMOD_IPT_FILTER - tristate "Extra iptables modules for content filtering" +config BR2_PACKAGE_KMOD_IPT_QUEUE + tristate "Netfilter module for user-space packet queueing" default m help - Extra iptables modules for filtering the contents of packets - Includes: ipp2p, layer7 + Netfilter (IPv4) module for user-space packet queueing + + Includes: + * ipt_QUEUE -config BR2_PACKAGE_KMOD_IPT_NAT - tristate "Extra iptables modules for NAT" +config BR2_PACKAGE_KMOD_IPT_ULOG + tristate "Netfilter module for user-space packet logging" default m help - Extra iptables modules for different NAT targets - (MIRROR, REDIRECT) + Netfilter (IPv4) module for user-space packet logging + + Includes: + * ipt_ULOG config BR2_PACKAGE_KMOD_IPT_EXTRA - tristate "Other extra iptables modules" + tristate "Other extra Netfilter modules" default m help - recent 
and owner match + Other extra Netfilter (IPv4) kernel modules + + Includes: + * ipt_limit + * ipt_owner + * ipt_physdev + * ipt_pkttype + * ipt_recent config BR2_PACKAGE_KMOD_IMQ tristate "Intermediate Queueing device" @@ -130,7 +183,7 @@ config BR2_PACKAGE_KMOD_IPV6 help Kernel modules for IPv6 protocol support -config BR2_PACKAGE_KMOD_IPTABLES_V6 +config BR2_PACKAGE_KMOD_IP6TABLES tristate "Kernel modules for ip6tables" default m depends BR2_PACKAGE_KMOD_IPV6 diff --git a/openwrt/target/linux/control/kmod-ipt-conntrack.control b/openwrt/target/linux/control/kmod-ipt-conntrack.control index 0531a52a15..3528ec4e0b 100644 --- a/openwrt/target/linux/control/kmod-ipt-conntrack.control +++ b/openwrt/target/linux/control/kmod-ipt-conntrack.control @@ -1,4 +1,4 @@ Package: kmod-ipt-conntrack Priority: optional Section: net -Description: Extra iptables modules for matching conntrack states/options +Description: Extra Netfilter (IPv4) kernel modules for connection tracking diff --git a/openwrt/target/linux/control/kmod-ipt-extra.control b/openwrt/target/linux/control/kmod-ipt-extra.control index e4f9bf7d35..d336cc3006 100644 --- a/openwrt/target/linux/control/kmod-ipt-extra.control +++ b/openwrt/target/linux/control/kmod-ipt-extra.control @@ -1,4 +1,4 @@ Package: kmod-ipt-extra Priority: optional Section: net -Description: Other extra iptables modules +Description: Other extra Netfilter (IPv4) kernel modules diff --git a/openwrt/target/linux/control/kmod-ipt-filter.control b/openwrt/target/linux/control/kmod-ipt-filter.control index 3115f292fa..8f5684d492 100644 --- a/openwrt/target/linux/control/kmod-ipt-filter.control +++ b/openwrt/target/linux/control/kmod-ipt-filter.control @@ -1,4 +1,4 @@ Package: kmod-ipt-filter Priority: optional Section: net -Description: Extra iptables modules for filtering the contents of packets +Description: Netfilter (IPv4) kernel modules for packet content inspection 
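Review bot: Several of the new `Includes:` lists in the first hunk of openwrt/target/linux/Config.in disagree with the module lists that netfilter.mk assigns to the same packages in this commit, so the menu misstates which firewall features a package carries. In BR2_PACKAGE_KMOD_IPT_IPOPT, `* ipt_tcpmms` looks like a typo for `* ipt_tcpmss/TCPMSS`, and `ipt_mark/MARK` is not listed. BR2_PACKAGE_KMOD_IPT_NAT lists only `* ipt_REDIRECT` although netfilter.mk also assigns `ipt_MASQUERADE` and `ipt_MIRROR` to it, and BR2_PACKAGE_KMOD_IPT_QUEUE names `* ipt_QUEUE` where the module list contains `ip_queue`. BR2_PACKAGE_KMOD_IPT_CONNTRACK likewise omits `ipt_state`.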
diff --git a/openwrt/target/linux/control/kmod-ipt-ipopt.control b/openwrt/target/linux/control/kmod-ipt-ipopt.control
index c67f5e08ff..f0c9856d00 100644
--- a/openwrt/target/linux/control/kmod-ipt-ipopt.control
+++ b/openwrt/target/linux/control/kmod-ipt-ipopt.control
@@ -1,4 +1,4 @@
 Package: kmod-ipt-ipopt
 Priority: optional
 Section: net
-Description: Extra iptables modules for matching IP packet options
+Description: Netfilter (IPv4) kernel modules for matching/changing IP packet options
diff --git a/openwrt/target/linux/control/kmod-ipt-ipsec.control b/openwrt/target/linux/control/kmod-ipt-ipsec.control
index c527e7673c..6baa3d4448 100644
--- a/openwrt/target/linux/control/kmod-ipt-ipsec.control
+++ b/openwrt/target/linux/control/kmod-ipt-ipsec.control
@@ -1,4 +1,4 @@
 Package: kmod-ipt-ipsec
 Priority: optional
 Section: net
-Description: Extra iptables modules for matching special IPSec packets
+Description: Netfilter (IPv4) kernel modules for matching special IPsec packets
diff --git a/openwrt/target/linux/control/kmod-ipt-nat-extra.control b/openwrt/target/linux/control/kmod-ipt-nat-extra.control
new file mode 100644
index 0000000000..84b429453b
--- /dev/null
+++ b/openwrt/target/linux/control/kmod-ipt-nat-extra.control
@@ -0,0 +1,4 @@
+Package: kmod-ipt-nat-extra
+Priority: optional
+Section: net
+Description: Extra Netfilter (IPv4) NAT kernel modules for special protocols
diff --git a/openwrt/target/linux/control/kmod-ipt-nat.control b/openwrt/target/linux/control/kmod-ipt-nat.control
index bfec46e8ba..89fc8434b6 100644
--- a/openwrt/target/linux/control/kmod-ipt-nat.control
+++ b/openwrt/target/linux/control/kmod-ipt-nat.control
@@ -1,4 +1,4 @@
 Package: kmod-ipt-nat
 Priority: optional
 Section: net
-Description: Extra iptables modules for different NAT targets
+Description: Netfilter (IPv4) kernel modules for different NAT targets
diff --git a/openwrt/target/linux/control/kmod-ipt-queue.control b/openwrt/target/linux/control/kmod-ipt-queue.control
new file mode 100644
index 0000000000..ba96eb5c20
--- /dev/null
+++ b/openwrt/target/linux/control/kmod-ipt-queue.control
@@ -0,0 +1,4 @@
+Package: kmod-ipt-queue
+Priority: optional
+Section: net
+Description: Netfilter (IPv4) kernel module for user-space packet queuing
diff --git a/openwrt/target/linux/control/kmod-ipt-ulog.control b/openwrt/target/linux/control/kmod-ipt-ulog.control
new file mode 100644
index 0000000000..2ce0fdcae7
--- /dev/null
+++ b/openwrt/target/linux/control/kmod-ipt-ulog.control
@@ -0,0 +1,4 @@
+Package: kmod-ipt-ulog
+Priority: optional
+Section: net
+Description: Netfilter (IPv4) kernel module for user-space packet logging
diff --git a/openwrt/target/linux/control/kmod-nat-extra.control b/openwrt/target/linux/control/kmod-nat-extra.control
deleted file mode 100644
index 6db5ff6b53..0000000000
--- a/openwrt/target/linux/control/kmod-nat-extra.control
+++ /dev/null
@@ -1,4 +0,0 @@
-Package: kmod-nat-extra
-Priority: optional
-Section: net
-Description: Extra NAT kernel modules for special protocols
diff --git a/openwrt/target/linux/control/kmod-queue.control b/openwrt/target/linux/control/kmod-queue.control
deleted file mode 100644
index 0668c5180b..0000000000
--- a/openwrt/target/linux/control/kmod-queue.control
+++ /dev/null
@@ -1,4 +0,0 @@
-Package: kmod-queue
-Priority: optional
-Section: net
-Description: iptables module for user-space queueing
diff --git a/openwrt/target/linux/linux-2.4/Makefile b/openwrt/target/linux/linux-2.4/Makefile
index 48b4549345..6e22e21aa5 100644
--- a/openwrt/target/linux/linux-2.4/Makefile
+++ b/openwrt/target/linux/linux-2.4/Makefile
@@ -58,37 +58,46 @@ endif include ../netfilter.mk # metapackage for compatibility ... -$(eval $(call KMOD_template,IPTABLES_V4_EXTRA,iptables-extra,\ -,,kmod-nat-extra kmod-queue kmod-ipt-ipsec kmod-ipt-ipopt kmod-ipt-conntrack kmod-ipt-filter kmod-ipt-nat kmod-ipt-extra)) - -$(eval $(call KMOD_template,NAT_EXTRA,nat-extra,\ - $(foreach mod,$(PKG_NAT_EXTRA-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ -,,,40,$(PKG_NAT_EXTRA-m))) -$(eval $(call KMOD_template,QUEUE,queue,\ - $(foreach mod,$(PKG_QUEUE-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +$(eval $(call KMOD_template,IPTABLES_EXTRA,iptables-extra,\ +,,kmod-ipt-conntrack kmod-ipt-extra kmod-ipt-filter kmod-ipt-ipopt kmod-ipt-ipsec kmod-ipt-nat kmod-nat-extra kmod-queue)) + +$(eval $(call KMOD_template,IPT_CONNTRACK,ipt-conntrack,\ + $(foreach mod,$(IPKG_KMOD_IPT_CONNTRACK-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) -$(eval $(call KMOD_template,IPT_IPSEC,ipt-ipsec,\ - $(foreach mod,$(PKG_IPT_IPSEC-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +$(eval $(call KMOD_template,IPT_EXTRA,ipt-extra,\ + $(foreach mod,$(IPKG_KMOD_IPT_EXTRA-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) -$(eval $(call KMOD_template,IPT_IPOPT,ipt-ipopt,\ - $(foreach mod,$(PKG_IPT_IPOPT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +$(eval $(call KMOD_template,IPT_FILTER,ipt-filter,\ + $(foreach mod,$(IPKG_KMOD_IPT_FILTER-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) -$(eval $(call KMOD_template,IPT_CONNTRACK,ipt-conntrack,\ - $(foreach mod,$(PKG_IPT_CONNTRACK-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +$(eval $(call KMOD_template,IPT_IPOPT,ipt-ipopt,\ + $(foreach mod,$(IPKG_KMOD_IPT_IPOPT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) -$(eval $(call KMOD_template,IPT_FILTER,ipt-filter,\ - $(foreach mod,$(PKG_IPT_FILTER-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +$(eval $(call KMOD_template,IPT_IPSEC,ipt-ipsec,\ + $(foreach 
mod,$(IPKG_KMOD_IPT_IPSEC-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) $(eval $(call KMOD_template,IPT_NAT,ipt-nat,\ - $(foreach mod,$(PKG_IPT_NAT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ + $(foreach mod,$(IPKG_KMOD_IPT_NAT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ )) +$(eval $(call KMOD_template,IPT_NAT_EXTRA,ipt-nat-extra,\ + $(foreach mod,$(IPKG_KMOD_IPT_NAT_EXTRA-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +,,,40,$(IPKG_KMOD_IPT_NAT_EXTRA-m))) +$(eval $(call KMOD_template,IPT_QUEUE,ipt-queue,\ + $(foreach mod,$(IPKG_KMOD_IPT_QUEUE-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +)) +$(eval $(call KMOD_template,IPT_ULOG,ipt-ulog,\ + $(foreach mod,$(IPKG_KMOD_IPT_ULOG-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ +)) + $(eval $(call KMOD_template,IMQ,imq,\ $(MODULES_DIR)/kernel/net/*/netfilter/*IMQ* \ $(MODULES_DIR)/kernel/drivers/net/imq.o \ )) -$(eval $(call KMOD_template,IPT_EXTRA,ipt-extra,\ - $(foreach mod,$(PKG_IPT_EXTRA-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \ -)) + + +$(eval $(call KMOD_template,IP6TABLES,ip6tables,\ + $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip*.o \ +,CONFIG_IP6_IPT_IPTABLES,kmod-ipv6)) $(eval $(call KMOD_template,B44,b44,\ @@ -100,9 +109,6 @@ $(eval $(call KMOD_template,ARPT,arptables,\ $(eval $(call KMOD_template,EBT,ebtables,\ $(MODULES_DIR)/kernel/net/bridge/netfilter/*.o \ ,CONFIG_BRIDGE_NF_EBTABLES)) -$(eval $(call KMOD_template,IPTABLES_V6,ip6tables,\ - $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip*.o \ -,CONFIG_IP6_NF_IPTABLES,kmod-ipv6)) $(eval $(call KMOD_template,IPV6,ipv6,\ $(MODULES_DIR)/kernel/net/ipv6/ipv6.o \ ,CONFIG_IPV6,,20,ipv6)) diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm index 6e74b6cd95..75c7f733e7 100644 --- a/openwrt/target/linux/linux-2.4/config/brcm +++ b/openwrt/target/linux/linux-2.4/config/brcm 
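Review bot: In the first hunk of openwrt/target/linux/linux-2.4/Makefile, the dependency list of the `iptables-extra` meta-package still names `kmod-nat-extra` and `kmod-queue`, whose control files this commit deletes in favour of `kmod-ipt-nat-extra` and `kmod-ipt-queue`, and it omits `kmod-ipt-ulog` even though Config.in makes the meta-package select BR2_PACKAGE_KMOD_IPT_ULOG. As far as this diff shows, the meta-package would then depend on package names that no longer exist; the list should end `kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-queue kmod-ipt-ulog))`. In the same hunk the relocated IP6TABLES template is keyed on `CONFIG_IP6_IPT_IPTABLES`, whereas the line removed in the next hunk used `CONFIG_IP6_NF_IPTABLES`; this looks like an accidental NF-to-IPT substitution. KMOD_template is defined outside this diff, so the effect is inferred, but if it gates packaging on that symbol then kmod-ip6tables would silently stop being built.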
@@ -370,7 +370,7 @@ CONFIG_IP_NF_MATCH_DSCP=m
 CONFIG_IP_NF_MATCH_AH_ESP=m
 CONFIG_IP_NF_MATCH_LENGTH=m
 CONFIG_IP_NF_MATCH_TTL=m
-CONFIG_IP_NF_MATCH_TCPMSS=y
+CONFIG_IP_NF_MATCH_TCPMSS=m
 CONFIG_IP_NF_MATCH_HELPER=m
 CONFIG_IP_NF_MATCH_STATE=y
 CONFIG_IP_NF_MATCH_CONNTRACK=m
@@ -402,7 +402,7 @@ CONFIG_IP_NF_TARGET_DSCP=m
 CONFIG_IP_NF_TARGET_MARK=y
 CONFIG_IP_NF_TARGET_IMQ=m
 CONFIG_IP_NF_TARGET_CONNMARK=m
-CONFIG_IP_NF_TARGET_LOG=y
+CONFIG_IP_NF_TARGET_LOG=m
 CONFIG_IP_NF_TARGET_TTL=m
 CONFIG_IP_NF_TARGET_ULOG=m
 CONFIG_IP_NF_TARGET_TCPMSS=y
diff --git a/openwrt/target/linux/netfilter.mk b/openwrt/target/linux/netfilter.mk
index 59dd2d4557..a9aae1a87c 100644
--- a/openwrt/target/linux/netfilter.mk
+++ b/openwrt/target/linux/netfilter.mk
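Review bot: With `CONFIG_IP_NF_TARGET_LOG=m` in the second hunk of config/brcm, the LOG target is no longer part of the base kernel and, per the netfilter.mk list in this commit, ships only in kmod-ipt-extra. Nothing visible in this diff makes a default firewall ruleset or the iptables package depend on that package, so it is worth confirming that no base rule uses `-j LOG`; on an image without kmod-ipt-extra such a rule would fail to load and firewall logging would be lost. The same check applies to tcpmss matches after `CONFIG_IP_NF_MATCH_TCPMSS=m` in the first hunk. The BR2_PACKAGE_KMOD_IPT_EXTRA help text in Config.in does not mention the module either; adding `* ipt_LOG` (and `* ipt_REJECT`) to its `Includes:` list would make the new home of the target discoverable.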
@@ -1,49 +1,136 @@ +# $Id$ -PKG_NAT_EXTRA-m := -PKG_NAT_EXTRA-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda -PKG_NAT_EXTRA-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp -PKG_NAT_EXTRA-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre -PKG_NAT_EXTRA-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp -PKG_NAT_EXTRA-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre -PKG_NAT_EXTRA-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp -PKG_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic - -PKG_QUEUE-m := -PKG_QUEUE-$(CONFIG_IP_NF_QUEUE) += ip_queue - -PKG_IPT_IPSEC-m := -PKG_IPT_IPSEC-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah ipt_esp - -PKG_IPT_IPOPT-m := -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac -PKG_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean -PKG_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS -PKG_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL -PKG_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN -PKG_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP - - -PKG_IPT_CONNTRACK-m := -PKG_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack -PKG_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark -PKG_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper -PKG_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit -PKG_IPT_CONNTRACK-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK - -PKG_IPT_FILTER-m := -PKG_IPT_FILTER-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p -PKG_IPT_FILTER-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7 - -PKG_IPT_NAT-m := -PKG_IPT_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR -PKG_IPT_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT - -PKG_IPT_EXTRA-m := -PKG_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent -PKG_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_OWNER) += 
ipt_owner -PKG_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev +# +# kernel modules +# + +IPKG_KMOD_IPT_CONNTRACK-m := +IPKG_KMOD_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack +IPKG_KMOD_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper +IPKG_KMOD_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark +IPKG_KMOD_IPT_CONNTRACK-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK +IPKG_KMOD_IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state + +IPKG_KMOD_IPT_EXTRA-m := +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_MULTIPORT) += multiport +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent +IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT + +IPKG_KMOD_IPT_FILTER-m := +IPKG_KMOD_IPT_FILTER-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p +IPKG_KMOD_IPT_FILTER-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7 + +IPKG_KMOD_IPT_IPOPT-m := +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl 
+IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL +IPKG_KMOD_IPT_IPOPT-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean + +IPKG_KMOD_IPT_IPSEC-m := +IPKG_KMOD_IPT_IPSEC-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah ipt_esp + +IPKG_KMOD_IPT_NAT-m := +IPKG_KMOD_IPT_NAT-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE +IPKG_KMOD_IPT_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR +IPKG_KMOD_IPT_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT + +IPKG_KMOD_IPT_NAT_EXTRA-m := +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic +IPKG_KMOD_IPT_NAT_EXTRA-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp + +IPKG_KMOD_IPT_QUEUE-m := +IPKG_KMOD_IPT_QUEUE-$(CONFIG_IP_NF_QUEUE) += ip_queue + +IPKG_KMOD_IPT_ULOG-m := +IPKG_KMOD_IPT_ULOG-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG + + +# +# iptables extensions +# + +IPKG_IPTABLES-y := ipt_standard +IPKG_IPTABLES-y := ipt_icmp ipt_tcp ipt_udp + +IPKG_IPTABLES_MOD_CONNTRACK-m := +IPKG_IPTABLES_MOD_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark +IPKG_IPTABLES_MOD_CONNTRACK-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK +IPKG_IPTABLES_MOD_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack +IPKG_IPTABLES_MOD_CONNTRACK-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper +IPKG_IPTABLES_MOD_CONNTRACK-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state + +IPKG_IPTABLES_MOD_EXTRA-m := +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner 
+IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent +IPKG_IPTABLES_MOD_EXTRA-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT + +IPKG_IPTABLES_MOD_FILTER-m := +IPKG_IPTABLES_MOD_FILTER-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p +IPKG_IPTABLES_MOD_FILTER-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7 + +IPKG_IPTABLES_MOD_IMQ-m := +IPKG_IPTABLES_MOD_IMQ-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ + +IPKG_IPTABLES_MOD_IPOPT-m := +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL +IPKG_IPTABLES_MOD_IPOPT-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean + +IPKG_IPTABLES_MOD_IPSEC-m := +IPKG_IPTABLES_MOD_IPSEC-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah ipt_esp + +IPKG_IPTABLES_MOD_NAT-m := +IPKG_IPTABLES_MOD_NAT-$(CONFIG_IP_NF_NAT) += ipt_SNAT ipt_DNAT +IPKG_IPTABLES_MOD_NAT-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE +IPKG_IPTABLES_MOD_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR +IPKG_IPTABLES_MOD_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT + +IPKG_IPTABLES_MOD_ULOG-m := 
+IPKG_IPTABLES_MOD_ULOG-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG + +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_CONNTRACK-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_EXTRA-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_FILTER-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_IMQ-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_IPOPT-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_IPSEC-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_NAT-y) +IPKG_IPTABLES-y += $(IPKG_IPTABLES_MOD_ULOG-y)
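Review bot: In the `iptables extensions` part of openwrt/target/linux/netfilter.mk, `IPKG_IPTABLES-y := ipt_icmp ipt_tcp ipt_udp` follows `IPKG_IPTABLES-y := ipt_standard` and reassigns the variable, so `ipt_standard` is dropped from the list; the second line should read `IPKG_IPTABLES-y += ipt_icmp ipt_tcp ipt_udp`. In the kernel-module part, `IPKG_KMOD_IPT_EXTRA-$(CONFIG_IP_NF_MATCH_MULTIPORT) += multiport` lacks the `ipt_` prefix that every other entry and the matching `IPKG_IPTABLES_MOD_EXTRA` line carry. The Makefile expands each entry to `$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o`, so this one would resolve to `multiport.o`; `+= ipt_multiport` appears to be what was intended.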