3 # Copyright (C) 2006-2010 OpenWrt.org
5 # This is free software, licensed under the GNU General Public License v2.
6 # See /LICENSE for more information.
9 NF_MENU:=Netfilter Extensions
11 include $(INCLUDE_DIR)/netfilter.mk
13 define KernelPackage/ipt-core
18 CONFIG_NETFILTER_ADVANCED=y \
20 FILES:=$(foreach mod,$(IPT_CORE-m),$(LINUX_DIR)/net/$(mod).ko)
21 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CORE-m)))
24 define KernelPackage/ipt-core/description
25 Netfilter core kernel modules
36 $(eval $(call KernelPackage,ipt-core))
41 DEPENDS+= +kmod-ipt-core $(1)
45 define KernelPackage/ipt-conntrack
46 TITLE:=Basic connection tracking modules
47 KCONFIG:=$(KCONFIG_IPT_CONNTRACK)
48 FILES:=$(foreach mod,$(IPT_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
49 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK-m)))
50 $(call AddDepends/ipt)
53 define KernelPackage/ipt-conntrack/description
54 Netfilter (IPv4) kernel modules for connection tracking
63 $(eval $(call KernelPackage,ipt-conntrack))
66 define KernelPackage/ipt-conntrack-extra
67 TITLE:=Extra connection tracking modules
68 KCONFIG:=$(KCONFIG_IPT_CONNTRACK_EXTRA)
69 FILES:=$(foreach mod,$(IPT_CONNTRACK_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
70 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CONNTRACK_EXTRA-m)))
71 $(call AddDepends/ipt,+kmod-ipt-conntrack)
74 define KernelPackage/ipt-conntrack-extra/description
75 Netfilter (IPv4) extra kernel modules for connection tracking
84 $(eval $(call KernelPackage,ipt-conntrack-extra))
87 define KernelPackage/ipt-filter
88 TITLE:=Modules for packet content inspection
89 KCONFIG:=$(KCONFIG_IPT_FILTER)
90 FILES:=$(foreach mod,$(IPT_FILTER-m),$(LINUX_DIR)/net/$(mod).ko)
91 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_FILTER-m)))
92 $(call AddDepends/ipt,+kmod-lib-textsearch +kmod-ipt-conntrack)
95 define KernelPackage/ipt-filter/description
96 Netfilter (IPv4) kernel modules for packet content inspection
102 $(eval $(call KernelPackage,ipt-filter))
105 define KernelPackage/ipt-ipopt
106 TITLE:=Modules for matching/changing IP packet options
107 KCONFIG:=$(KCONFIG_IPT_IPOPT)
108 FILES:=$(foreach mod,$(IPT_IPOPT-m),$(LINUX_DIR)/net/$(mod).ko)
109 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPOPT-m)))
110 $(call AddDepends/ipt)
113 define KernelPackage/ipt-ipopt/description
114 Netfilter (IPv4) modules for matching/changing IP packet options
129 $(eval $(call KernelPackage,ipt-ipopt))
132 define KernelPackage/ipt-ipsec
133 TITLE:=Modules for matching IPSec packets
134 KCONFIG:=$(KCONFIG_IPT_IPSEC)
135 FILES:=$(foreach mod,$(IPT_IPSEC-m),$(LINUX_DIR)/net/$(mod).ko)
136 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPSEC-m)))
137 $(call AddDepends/ipt)
140 define KernelPackage/ipt-ipsec/description
141 Netfilter (IPv4) modules for matching IPSec packets
148 $(eval $(call KernelPackage,ipt-ipsec))
151 define KernelPackage/ipt-nat
152 TITLE:=Basic NAT targets
153 KCONFIG:=$(KCONFIG_IPT_NAT)
154 FILES:=$(foreach mod,$(IPT_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
155 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT-m)))
156 $(call AddDepends/ipt,+kmod-ipt-conntrack)
159 define KernelPackage/ipt-nat/description
160 Netfilter (IPv4) kernel modules for basic NAT targets
165 $(eval $(call KernelPackage,ipt-nat))
168 define KernelPackage/ipt-nat6
169 TITLE:=IPv6 NAT targets
170 KCONFIG:=$(KCONFIG_IPT_NAT6)
171 FILES:=$(foreach mod,$(IPT_NAT6-m),$(LINUX_DIR)/net/$(mod).ko)
172 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_NAT6-m)))
173 $(call AddDepends/ipt,+kmod-ipt-conntrack)
174 $(call AddDepends/ipt,+kmod-ipt-nat)
175 $(call AddDepends/ipt,+kmod-ip6tables)
178 define KernelPackage/ipt-nat6/description
179 Netfilter (IPv6) kernel modules for NAT targets
182 $(eval $(call KernelPackage,ipt-nat6))
185 define KernelPackage/ipt-nat-extra
186 TITLE:=Extra NAT targets
187 KCONFIG:=$(KCONFIG_IPT_NAT_EXTRA)
188 FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
189 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NAT_EXTRA-m)))
190 $(call AddDepends/ipt,+kmod-ipt-nat)
193 define KernelPackage/ipt-nat-extra/description
194 Netfilter (IPv4) kernel modules for extra NAT targets
200 $(eval $(call KernelPackage,ipt-nat-extra))
203 define KernelPackage/ipt-nathelper
204 TITLE:=Basic Conntrack and NAT helpers
205 KCONFIG:=$(KCONFIG_IPT_NATHELPER)
206 FILES:=$(foreach mod,$(IPT_NATHELPER-m),$(LINUX_DIR)/net/$(mod).ko)
207 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NATHELPER-m)))
208 $(call AddDepends/ipt,+kmod-ipt-nat)
211 define KernelPackage/ipt-nathelper/description
212 Default Netfilter (IPv4) Conntrack and NAT helpers
219 $(eval $(call KernelPackage,ipt-nathelper))
222 define KernelPackage/ipt-nathelper-extra
223 TITLE:=Extra Conntrack and NAT helpers
224 KCONFIG:=$(KCONFIG_IPT_NATHELPER_EXTRA)
225 FILES:=$(foreach mod,$(IPT_NATHELPER_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
226 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NATHELPER_EXTRA-m)))
227 $(call AddDepends/ipt,+kmod-ipt-nat +kmod-lib-textsearch)
230 define KernelPackage/ipt-nathelper-extra/description
231 Extra Netfilter (IPv4) Conntrack and NAT helpers
243 $(eval $(call KernelPackage,ipt-nathelper-extra))
246 define KernelPackage/ipt-queue
247 TITLE:=Module for user-space packet queueing
248 KCONFIG:=$(KCONFIG_IPT_QUEUE)
250 FILES:=$(foreach mod,$(IPT_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
251 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_QUEUE-m)))
252 $(call AddDepends/ipt)
255 define KernelPackage/ipt-queue/description
256 Netfilter (IPv4) module for user-space packet queueing
261 $(eval $(call KernelPackage,ipt-queue))
264 define KernelPackage/ipt-ulog
265 TITLE:=Module for user-space packet logging
266 KCONFIG:=$(KCONFIG_IPT_ULOG)
267 FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
268 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_ULOG-m)))
269 $(call AddDepends/ipt)
272 define KernelPackage/ipt-ulog/description
273 Netfilter (IPv4) module for user-space packet logging
278 $(eval $(call KernelPackage,ipt-ulog))
281 define KernelPackage/ipt-debug
282 TITLE:=Module for debugging/development
283 KCONFIG:=$(KCONFIG_IPT_DEBUG)
285 FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
286 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m)))
287 $(call AddDepends/ipt)
290 define KernelPackage/ipt-debug/description
291 Netfilter modules for debugging/development of the firewall
296 $(eval $(call KernelPackage,ipt-debug))
299 define KernelPackage/ipt-led
300 TITLE:=Module to trigger a LED with a Netfilter rule
301 KCONFIG:=$(KCONFIG_IPT_LED)
302 FILES:=$(foreach mod,$(IPT_LED-m),$(LINUX_DIR)/net/$(mod).ko)
303 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_LED-m)))
304 $(call AddDepends/ipt)
307 define KernelPackage/ipt-led/description
308 Netfilter target to trigger a LED when a network packet is matched.
311 $(eval $(call KernelPackage,ipt-led))
313 define KernelPackage/ipt-tproxy
314 TITLE:=Transparent proxying support
315 DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-ipv6 +IPV6:kmod-ip6tables
317 CONFIG_NETFILTER_TPROXY \
318 CONFIG_NETFILTER_XT_MATCH_SOCKET \
319 CONFIG_NETFILTER_XT_TARGET_TPROXY
321 $(if $(call kernel_patchver_lt,3.12),$(LINUX_DIR)/net/netfilter/nf_tproxy_core.ko) \
322 $(foreach mod,$(IPT_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
323 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tproxy_core $(IPT_TPROXY-m)))
324 $(call AddDepends/ipt)
327 define KernelPackage/ipt-tproxy/description
328 Kernel modules for Transparent Proxying
331 $(eval $(call KernelPackage,ipt-tproxy))
333 define KernelPackage/ipt-tee
335 DEPENDS:=+kmod-ipt-conntrack +IPV6:kmod-ipv6
337 CONFIG_NETFILTER_XT_TARGET_TEE
339 $(LINUX_DIR)/net/netfilter/xt_TEE.ko \
340 $(foreach mod,$(IPT_TEE-m),$(LINUX_DIR)/net/$(mod).ko)
341 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_TEE-m)))
342 $(call AddDepends/ipt)
345 define KernelPackage/ipt-tee/description
346 Kernel modules for TEE
349 $(eval $(call KernelPackage,ipt-tee))
352 define KernelPackage/ipt-u32
355 CONFIG_NETFILTER_XT_MATCH_U32
357 $(LINUX_DIR)/net/netfilter/xt_u32.ko \
358 $(foreach mod,$(IPT_U32-m),$(LINUX_DIR)/net/$(mod).ko)
359 AUTOLOAD:=$(call AutoProbe,$(notdir nf_tee $(IPT_U32-m)))
360 $(call AddDepends/ipt)
363 define KernelPackage/ipt-u32/description
364 Kernel modules for U32
367 $(eval $(call KernelPackage,ipt-u32))
370 define KernelPackage/ipt-iprange
371 TITLE:=Module for matching ip ranges
372 KCONFIG:=$(KCONFIG_IPT_IPRANGE)
373 FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).ko)
374 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_IPRANGE-m)))
375 $(call AddDepends/ipt)
378 define KernelPackage/ipt-iprange/description
379 Netfilter (IPv4) module for matching ip ranges
384 $(eval $(call KernelPackage,ipt-iprange))
387 define KernelPackage/ipt-extra
389 KCONFIG:=$(KCONFIG_IPT_EXTRA)
390 FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
391 AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
392 $(call AddDepends/ipt)
395 define KernelPackage/ipt-extra/description
396 Other Netfilter (IPv4) kernel modules
400 - physdev (if bridge support was enabled in kernel)
405 $(eval $(call KernelPackage,ipt-extra))
408 define KernelPackage/ip6tables
411 DEPENDS:=+kmod-ipv6 +kmod-ipt-core +kmod-ipt-conntrack
412 KCONFIG:=$(KCONFIG_IPT_IPV6)
413 FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).ko)
414 AUTOLOAD:=$(call AutoLoad,42,$(notdir $(IPT_IPV6-m)))
417 define KernelPackage/ip6tables/description
418 Netfilter IPv6 firewalling support
421 $(eval $(call KernelPackage,ip6tables))
423 define KernelPackage/ip6tables-extra
425 TITLE:=Extra IPv6 modules
426 DEPENDS:=+kmod-ip6tables
427 KCONFIG:=$(KCONFIG_IPT_IPV6_EXTRA)
428 FILES:=$(foreach mod,$(IPT_IPV6_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
429 AUTOLOAD:=$(call AutoLoad,43,$(notdir $(IPT_IPV6_EXTRA-m)))
432 define KernelPackage/ip6tables-extra/description
433 Netfilter IPv6 extra header matching modules
436 $(eval $(call KernelPackage,ip6tables-extra))
438 ARP_MODULES = arp_tables arpt_mangle arptable_filter
439 define KernelPackage/arptables
441 TITLE:=ARP firewalling modules
442 DEPENDS:=+kmod-ipt-core
443 FILES:=$(LINUX_DIR)/net/ipv4/netfilter/arp*.ko
444 KCONFIG:=CONFIG_IP_NF_ARPTABLES \
445 CONFIG_IP_NF_ARPFILTER \
446 CONFIG_IP_NF_ARP_MANGLE
447 AUTOLOAD:=$(call AutoProbe,$(ARP_MODULES))
450 define KernelPackage/arptables/description
451 Kernel modules for ARP firewalling
454 $(eval $(call KernelPackage,arptables))
457 define KernelPackage/ebtables
459 TITLE:=Bridge firewalling modules
460 DEPENDS:=+kmod-ipt-core +kmod-bridge
461 FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
462 KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \
464 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
467 define KernelPackage/ebtables/description
468 ebtables is a general, extensible frame/packet identification
469 framework. It provides you to do Ethernet
470 filtering/NAT/brouting on the Ethernet bridge.
473 $(eval $(call KernelPackage,ebtables))
476 define AddDepends/ebtables
478 DEPENDS+=kmod-ebtables $(1)
482 define KernelPackage/ebtables-ipv4
483 TITLE:=ebtables: IPv4 support
484 FILES:=$(foreach mod,$(EBTABLES_IP4-m),$(LINUX_DIR)/net/$(mod).ko)
485 KCONFIG:=$(KCONFIG_EBTABLES_IP4)
486 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP4-m)))
487 $(call AddDepends/ebtables)
490 define KernelPackage/ebtables-ipv4/description
491 This option adds the IPv4 support to ebtables, which allows basic
492 IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
495 $(eval $(call KernelPackage,ebtables-ipv4))
498 define KernelPackage/ebtables-ipv6
499 TITLE:=ebtables: IPv6 support
500 FILES:=$(foreach mod,$(EBTABLES_IP6-m),$(LINUX_DIR)/net/$(mod).ko)
501 KCONFIG:=$(KCONFIG_EBTABLES_IP6)
502 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_IP6-m)))
503 $(call AddDepends/ebtables)
506 define KernelPackage/ebtables-ipv6/description
507 This option adds the IPv6 support to ebtables, which allows basic
508 IPv6 header field filtering and target support.
511 $(eval $(call KernelPackage,ebtables-ipv6))
514 define KernelPackage/ebtables-watchers
515 TITLE:=ebtables: watchers support
516 FILES:=$(foreach mod,$(EBTABLES_WATCHERS-m),$(LINUX_DIR)/net/$(mod).ko)
517 KCONFIG:=$(KCONFIG_EBTABLES_WATCHERS)
518 AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES_WATCHERS-m)))
519 $(call AddDepends/ebtables)
522 define KernelPackage/ebtables-watchers/description
523 This option adds the log watchers, that you can use in any rule
524 in any ebtables table.
527 $(eval $(call KernelPackage,ebtables-watchers))
530 define KernelPackage/nfnetlink
532 TITLE:=Netlink-based userspace interface
533 DEPENDS:=+kmod-ipt-core
534 FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
535 KCONFIG:=CONFIG_NETFILTER_NETLINK
536 AUTOLOAD:=$(call AutoProbe,nfnetlink)
539 define KernelPackage/nfnetlink/description
540 Kernel modules support for a netlink-based userspace interface
543 $(eval $(call KernelPackage,nfnetlink))
546 define AddDepends/nfnetlink
548 DEPENDS+=+kmod-nfnetlink $(1)
552 define KernelPackage/nfnetlink-log
553 TITLE:=Netfilter LOG over NFNETLINK interface
554 FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
555 KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
556 AUTOLOAD:=$(call AutoProbe,nfnetlink_log)
557 $(call AddDepends/nfnetlink)
560 define KernelPackage/nfnetlink-log/description
561 Kernel modules support for logging packets via NFNETLINK
564 $(eval $(call KernelPackage,nfnetlink-log))
567 define KernelPackage/nfnetlink-queue
568 TITLE:=Netfilter QUEUE over NFNETLINK interface
569 FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
570 KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
571 AUTOLOAD:=$(call AutoProbe,nfnetlink_queue)
572 $(call AddDepends/nfnetlink)
575 define KernelPackage/nfnetlink-queue/description
576 Kernel modules support for queueing packets via NFNETLINK
579 $(eval $(call KernelPackage,nfnetlink-queue))
582 define KernelPackage/nf-conntrack-netlink
583 TITLE:=Connection tracking netlink interface
584 FILES:=$(LINUX_DIR)/net/netfilter/nf_conntrack_netlink.ko
585 KCONFIG:=CONFIG_NF_CT_NETLINK
586 AUTOLOAD:=$(call AutoProbe,nf_conntrack_netlink)
587 $(call AddDepends/nfnetlink,+kmod-ipt-conntrack)
590 define KernelPackage/nf-conntrack-netlink/description
591 Kernel modules support for a netlink-based connection tracking
595 $(eval $(call KernelPackage,nf-conntrack-netlink))
597 define KernelPackage/ipt-hashlimit
599 TITLE:=Netfilter hashlimit match
600 DEPENDS:=+kmod-ipt-core
601 KCONFIG:=$(KCONFIG_IPT_HASHLIMIT)
602 FILES:=$(LINUX_DIR)/net/netfilter/xt_hashlimit.ko
603 AUTOLOAD:=$(call AutoProbe,xt_hashlimit)
604 $(call KernelPackage/ipt)
607 define KernelPackage/ipt-hashlimit/description
608 Kernel modules support for the hashlimit bucket match module
611 $(eval $(call KernelPackage,ipt-hashlimit))