[OpenWrt-Devel] [PATCH] #9969: Add NFLOG and NFQUEUE targets for netfilter

Yousong Zhou yszhou4tech at gmail.com
Wed Aug 6 11:42:01 EDT 2014


On Aug 6, 2014 10:55 PM, "Althaff Mohideen" <althaff_mohideen at yahoo.com>
wrote:
>
> I had just added  it through kernel_menuconfig today.
>
> ->Networking support
> -> Network Options
> -> Network packet filtering framework (Netfilter)
> -> Core Netfilter configuration
> -> Netfilter NFQUEUE over NFNETLINK interface (ACTIVATE) -> "NFQUEUE"
target support (ACTIVATE)
>
>
> This patch will indeed help in the future.
>
> Please advise on how to include a patch for people who
are using the SDK to cross-compile.

According to the description on the wiki [1], only userspace applications can be
modified and compiled with the OpenWrt SDK.

[1] http://wiki.openwrt.org/doc/howto/obtain.firmware.sdk

Regards,

                yousong

>
> Thanking you ever much,
>
> Best Regards,
>
> Mohideen
>
>
>
> On Wednesday, August 6, 2014 1:58 PM, Yousong Zhou <yszhou4tech at gmail.com>
wrote:
>
>
> Hello,
>
> On 7 November 2013 00:47, Derek LaHousse <dlahouss at mtu.edu> wrote:
> > Hello, new developer here, open to advice
> >
> > https://dev.openwrt.org/ticket/9969
> >
> > Describe Changes:
> > The included patch creates a menu item for iptables targets NFLOG and
> > NFQUEUE.  NFLOG is the successor to ULOG, while NFQUEUE allows userspace
> > packet filtering.  Selecting the iptables target enables the kernel
> > modules necessary for netfilter to support these targets.
>
> I am using NFLOG target with this patch and it worked.  It would be
> great if this can be merged into OpenWrt.
>
>
> Regards.
>
>                 yousong
>
> >
> > Signed-off-by: Derek LaHousse <dlahouss at mtu.edu>
> > ---
> >
> > diff --git a/include/netfilter.mk b/include/netfilter.mk
> > index 305f28e..a8c0860 100644
> > --- a/include/netfilter.mk
> > +++ b/include/netfilter.mk
> > @@ -241,6 +241,21 @@ $(eval $(call
nf_add,IPT_TEE,CONFIG_NETFILTER_XT_TARGET_TEE, $(P_XT)xt_TEE))
> >
> >  $(eval $(call nf_add,IPT_U32,CONFIG_NETFILTER_XT_MATCH_U32,
(P_XT)xt_u32))
> >
> > +
> > +# netlink
> > +
> > +$(eval $(call nf_add,NFNETLINK,CONFIG_NETFILTER_NETLINK,
$(P_XT)nfnetlink))
> > +
> > +# nflog
> > +
> > +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_NETLINK_LOG,
$(P_XT)nfnetlink_log))
> > +$(eval $(call nf_add,NFNETLINK_LOG,CONFIG_NETFILTER_XT_TARGET_NFLOG,
$(P_XT)xt_NFLOG))
> > +
> > +# nfqueue
> > +
> > +$(eval $(call nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_NETLINK_QUEUE,
$(P_XT)nfnetlink_queue))
> > +$(eval $(call
nf_add,NFNETLINK_QUEUE,CONFIG_NETFILTER_XT_TARGET_NFQUEUE,
$(P_XT)xt_NFQUEUE))
> > +
> >  #
> >  # ebtables
> >  #
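Review bot: The `# nflog` and `# nfqueue` groups each register two different kinds of module under one name, the nfnetlink backend (`nfnetlink_log`, `nfnetlink_queue`) and the xtables target (`xt_NFLOG`, `xt_NFQUEUE`), and the section comments do not say so. The later hunks build FILES and KCONFIG from `$(NFNETLINK_LOG-m)` and `$(KCONFIG_NFNETLINK_LOG)`, which are presumably filled by these `nf_add` calls, so anything selecting kmod-nfnetlink-log would now also enable and ship the xt target. I would state that in the comments, for example `# nflog: nfnetlink_log backend and the xt_NFLOG target, shipped together in kmod-nfnetlink-log`, with the equivalent line for nfqueue. As posted, the hunk is also line-wrapped by the mail client and the IPT_U32 context line reads `(P_XT)xt_u32` without the `$`, so it may not apply as is.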
> > @@ -295,6 +310,9 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
> >  IPT_BUILTIN += $(IPT_ULOG-y)
> >  IPT_BUILTIN += $(IPT_DEBUG-y)
> >  IPT_BUILTIN += $(IPT_TPROXY-y)
> > +IPT_BUILTIN += $(NFNETLINK-y)
> > +IPT_BUILTIN += $(NFNETLINK_LOG-y)
> > +IPT_BUILTIN += $(NFNETLINK_QUEUE-y)
> >  IPT_BUILTIN += $(EBTABLES-y)
> >  IPT_BUILTIN += $(EBTABLES_IP4-y)
> >  IPT_BUILTIN += $(EBTABLES_IP6-y)
> > diff --git a/package/kernel/linux/modules/netfilter.mk
b/package/kernel/linux/modules/netfilter.mk
> > index 7509ced..9dc8ac4 100644
> > --- a/package/kernel/linux/modules/netfilter.mk
> > +++ b/package/kernel/linux/modules/netfilter.mk
> > @@ -515,10 +515,10 @@ $(eval $(call KernelPackage,ebtables-watchers))
> >  define KernelPackage/nfnetlink
> >    SUBMENU:=$(NF_MENU)
> >    TITLE:=Netlink-based userspace interface
> > -  DEPENDS:=+kmod-ipt-core
> > -  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink.ko
> > -  KCONFIG:=CONFIG_NETFILTER_NETLINK
> > -  AUTOLOAD:=$(call AutoProbe,nfnetlink)
> > +  FILES:=$(foreach mod,$(NFNETLINK-m),$(LINUX_DIR)/net/$(mod).ko)
> > +  KCONFIG:=$(KCONFIG_NFNETLINK)
> > +  AUTOLOAD:=$(call AutoProbe,$(NFNETLINK-m))
> > +  $(call AddDepends/ipt)
> >  endef
> >
> >  define KernelPackage/nfnetlink/description
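Review bot: `AUTOLOAD:=$(call AutoProbe,$(NFNETLINK-m))` passes the module list unmodified, while the FILES line above it treats each entry as a path under `$(LINUX_DIR)/net/` and the nfnetlink-log and nfnetlink-queue definitions later in this patch wrap theirs in `$(notdir ...)`. If `$(P_XT)` expands to a directory prefix in this context, as the FILES line suggests, AutoProbe would be handed `netfilter/nfnetlink` rather than a module name; I would write `AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK-m)))`. The hunk also replaces `DEPENDS:=+kmod-ipt-core` with `$(call AddDepends/ipt)`, and since that macro is defined outside the hunk it should be confirmed that it still pulls in kmod-ipt-core.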
> > @@ -536,14 +536,16 @@ endef
> >
> >  define KernelPackage/nfnetlink-log
> >    TITLE:=Netfilter LOG over NFNETLINK interface
> > -  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_log.ko
> > -  KCONFIG:=CONFIG_NETFILTER_NETLINK_LOG
> > -  AUTOLOAD:=$(call AutoProbe,nfnetlink_log)
> > +  FILES:=$(foreach mod,$(NFNETLINK_LOG-m),$(LINUX_DIR)/net/$(mod).ko)
> > +  KCONFIG:=$(KCONFIG_NFNETLINK_LOG)
> > +  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_LOG-m)))
> >    $(call AddDepends/nfnetlink)
> >  endef
> >
> >  define KernelPackage/nfnetlink-log/description
> >  Kernel modules support for logging packets via NFNETLINK
> > + Includes:
> > + - NFLOG
> >  endef
> >
> >  $(eval $(call KernelPackage,nfnetlink-log))
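Review bot: The autoload line switches from `AutoProbe` to `AutoLoad,45` here and again in the nfnetlink-queue hunk that follows, while kmod-nfnetlink keeps `AutoProbe`, and nothing in the patch explains the priority or shows that it orders these modules after the nfnetlink and xtables modules they need. Since FILES now comes from `$(NFNETLINK_LOG-m)`, the package also carries the `xt_NFLOG` module in addition to `nfnetlink_log`, so the load order inside that list matters as well. Unless the fixed priority is required, keeping dependency-resolving loading with `AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_LOG-m)))` would be the smaller change; otherwise a comment on the line should say why 45 was chosen. The same applies to `AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_QUEUE-m)))`.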
> > @@ -551,14 +553,16 @@ $(eval $(call KernelPackage,nfnetlink-log))
> >
> >  define KernelPackage/nfnetlink-queue
> >    TITLE:=Netfilter QUEUE over NFNETLINK interface
> > -  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_queue.ko
> > -  KCONFIG:=CONFIG_NETFILTER_NETLINK_QUEUE
> > -  AUTOLOAD:=$(call AutoProbe,nfnetlink_queue)
> > +  FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
> > +  KCONFIG:=$(KCONFIG_NFNETLINK_QUEUE)
> > +  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(NFNETLINK_QUEUE-m)))
> >    $(call AddDepends/nfnetlink)
> >  endef
> >
> >  define KernelPackage/nfnetlink-queue/description
> >  Kernel modules support for queueing packets via NFNETLINK
> > + Includes:
> > + - NFQUEUE
> >  endef
> >
> >  $(eval $(call KernelPackage,nfnetlink-queue))
> > diff --git a/package/network/utils/iptables/Makefile
b/package/network/utils/iptables/Makefile
> > index 35dda06..ad98aa5 100644
> > --- a/package/network/utils/iptables/Makefile
> > +++ b/package/network/utils/iptables/Makefile
> > @@ -193,6 +193,32 @@ iptables extensions for user-space packet logging.
> >
> >  endef
> >
> > +define Package/iptables-mod-nflog
> > +$(call Package/iptables/Module, +kmod-nfnetlink-log)
> > +  TITLE:=Netfilter NFLOG target
> > +endef
> > +
> > +define Package/iptables-mod-nflog/description
> > + iptables extension for user-space logging via NFNETLINK.
> > +
> > + Includes:
> > +  - libxt_NFLOG
> > +
> > +endef
> > +
> > +define Package/iptables-mod-nfqueue
> > +$(call Package/iptables/Module, +kmod-nfnetlink-queue)
> > +  TITLE:=Netfilter NFQUEUE target
> > +endef
> > +
> > +define Package/iptables-mod-nfqueue/description
> > + iptables extension for user-space queuing via NFNETLINK.
> > +
> > + Includes:
> > +  - libxt_NFQUEUE
> > +
> > +endef
> > +
> >  define Package/iptables-mod-hashlimit
> >  $(call Package/iptables/Module, +kmod-ipt-hashlimit)
> >    TITLE:=hashlimit matching
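Review bot: The `Package/iptables-mod-nfqueue/description` text does not mention that an NFQUEUE rule hands the verdict to a userspace program, so a rule pointing at a queue with no listener drops the matching traffic unless the rule is written with `--queue-bypass`. An operator needs to know that before installing the package on a router, and one line in the description would cover it, e.g. ` Packets queued with no listening program are dropped unless the rule uses --queue-bypass.` Whether the iptables version packaged here accepts that option is not visible in the hunk and should be checked. The nflog description could likewise say that a userspace logger such as ulogd has to be bound to the NFLOG group for anything to be recorded.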
> > @@ -457,6 +483,8 @@ $(eval $(call
BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
> >  $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
> >  $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
> >  $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
> > +$(eval $(call BuildPlugin,iptables-mod-nflog,$(NFNETLINK_LOG-m)))
> > +$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(NFNETLINK_QUEUE-m)))
> >  $(eval $(call BuildPackage,ip6tables))
> >  $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
> >  $(eval $(call BuildPackage,libiptc))