|
|
|
@ -21,29 +21,56 @@ define nf_add
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# core
|
|
|
|
|
|
|
|
|
|
# kernel only
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XTABLES, $(P_XT)x_tables $(P_XT)xt_tcpudp),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, $(P_V4)ip_tables),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptable_filter),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),))
|
|
|
|
|
|
|
|
|
|
# userland only
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp)))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_MATCH_LIMIT, $(P_V4)ipt_limit))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_MATCH_MAC, $(P_V4)ipt_mac))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MAC, $(P_XT)xt_mac))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_MATCH_MULTIPORT, $(P_V4)ipt_multiport))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MULTIPORT, $(P_XT)xt_multiport))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_TCPMSS, $(P_V4)ipt_TCPMSS))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS))
|
|
|
|
|
$(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# conntrack
|
|
|
|
|
|
|
|
|
|
# kernel only
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CONNTRACK,CONFIG_NF_CONNTRACK, $(P_XT)nf_conntrack),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_CONNTRACK, $(P_V4)ip_conntrack),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_CONNTRACK,CONFIG_NF_CONNTRACK_IPV4, $(P_V4)nf_conntrack_ipv4),))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_CONNBYTES, $(P_V4)ipt_connbytes))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNBYTES, $(P_XT)xt_connbytes))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_CONNMARK, $(P_V4)ipt_connmark))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNMARK, $(P_XT)xt_connmark))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_CONNTRACK, $(P_V4)ipt_conntrack))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNTRACK, $(P_XT)xt_conntrack))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_HELPER, $(P_V4)ipt_helper))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_HELPER, $(P_XT)xt_helper))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_LIMIT, $(P_V4)ipt_limit))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_RECENT, $(P_V4)ipt_recent))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_STATE, $(P_V4)ipt_state))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_STATE, $(P_XT)xt_state))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_TARGET_CONNMARK, $(P_V4)ipt_CONNMARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_TARGET_CONNMARK, $(P_XT)xt_CONNMARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_TARGET_NOTRACK, $(P_XT)xt_NOTRACK))
|
|
|
|
|
|
|
|
|
|
# conntrack-extra
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_CONNBYTES, $(P_V4)ipt_connbytes))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNBYTES, $(P_XT)xt_connbytes))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_CONNMARK, $(P_V4)ipt_connmark))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNMARK, $(P_XT)xt_connmark))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_CONNTRACK, $(P_V4)ipt_conntrack))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_CONNTRACK, $(P_XT)xt_conntrack))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_HELPER, $(P_V4)ipt_helper))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_MATCH_HELPER, $(P_XT)xt_helper))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_RECENT, $(P_V4)ipt_recent))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_TARGET_CONNMARK, $(P_V4)ipt_CONNMARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_TARGET_CONNMARK, $(P_XT)xt_CONNMARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_TARGET_NOTRACK, $(P_XT)xt_NOTRACK))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# extra
|
|
|
|
@ -63,8 +90,6 @@ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota)
|
|
|
|
|
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_TARGET_TARPIT, $(P_XT)xt_TARPIT))
|
|
|
|
|
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_TARGET_DELUDE, $(P_XT)xt_DELUDE))
|
|
|
|
|
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_TARGET_CHAOS, $(P_XT)xt_CHAOS))
|
|
|
|
|
$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG))
|
|
|
|
|
$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_REJECT, $(P_V4)ipt_REJECT))
|
|
|
|
|
#$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -90,18 +115,13 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_DSCP, $(P_XT)xt_DSCP))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_ECN, $(P_V4)ipt_ecn))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_LENGTH, $(P_V4)ipt_length))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_LENGTH, $(P_XT)xt_length))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_MAC, $(P_V4)ipt_mac))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_MAC, $(P_XT)xt_mac))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_MARK, $(P_V4)ipt_mark))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_MARK, $(P_XT)xt_mark))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_MULTIPORT, $(P_V4)ipt_multiport))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_MULTIPORT, $(P_XT)xt_multiport))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_statistic))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TCPMSS, $(P_V4)ipt_tcpmss))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TIME, $(P_V4)ipt_time))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TOS, $(P_V4)ipt_tos))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TTL, $(P_V4)ipt_ttl))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_UNCLEAN, $(P_V4)ipt_unclean))
|
|
|
|
|
|
|
|
|
@ -111,10 +131,17 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_DSCP, $(P_V4)ipt_DSCP))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_ECN, $(P_V4)ipt_ECN))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_MARK, $(P_V4)ipt_MARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_MARK, $(P_XT)xt_MARK))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_TCPMSS, $(P_V4)ipt_TCPMSS))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_TCPMSS, $(P_XT)xt_TCPMSS))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_TTL, $(P_V4)ipt_TTL))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_TOS, $(P_V4)ipt_TOS))
|
|
|
|
|
|
|
|
|
|
# XXX: tos/TOS extensions have been merged in dscp/DSCP in linux 2.6.25, but not yet in iptables
|
|
|
|
|
ifeq ($(strip $(call CompareKernelPatchVer,$(KERNEL_PATCHVER),ge,2.6.25)),1)
|
|
|
|
|
# userland only
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_DSCP, $(P_XT)xt_tos)))
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_DSCP, $(P_XT)xt_TOS)))
|
|
|
|
|
else
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TOS, $(P_V4)ipt_tos))
|
|
|
|
|
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_TARGET_TOS, $(P_V4)ipt_TOS))
|
|
|
|
|
endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# iprange
|
|
|
|
@ -180,16 +207,20 @@ $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_ROUTE, $(P_V6)ip6t_ROUTE))
|
|
|
|
|
|
|
|
|
|
# kernel only
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, $(P_V4)iptable_nat),))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NF_NAT,$(P_V4)nf_nat $(P_V4)iptable_nat),))
|
|
|
|
|
# userland only
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, $(P_V4)ipt_SNAT $(P_V4)ipt_DNAT)))
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, $(P_V4)ipt_SNAT $(P_V4)ipt_DNAT)))
|
|
|
|
|
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NF_NAT, $(P_V4)nf_nat $(P_V4)iptable_nat),))
|
|
|
|
|
|
|
|
|
|
# userland only
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_SNAT ipt_DNAT)))
|
|
|
|
|
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, ipt_SNAT ipt_DNAT)))
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_V4)ipt_MASQUERADE))
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MIRROR, $(P_V4)ipt_MIRROR))
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_NETMAP, $(P_V4)ipt_NETMAP))
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_REDIRECT, $(P_V4)ipt_REDIRECT))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# nat-extra
|
|
|
|
|
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_MIRROR, $(P_V4)ipt_MIRROR))
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_NETMAP, $(P_V4)ipt_NETMAP))
|
|
|
|
|
$(eval $(call nf_add,IPT_NAT_EXTRA,CONFIG_IP_NF_TARGET_REDIRECT, $(P_V4)ipt_REDIRECT))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# nathelper
|
|
|
|
@ -249,13 +280,9 @@ $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# userland only
|
|
|
|
|
IPT_BUILTIN := $(if $(NF_KMOD),,$(P_V4)ipt_standard)
|
|
|
|
|
IPT_BUILTIN += $(if $(NF_KMOD),,$(P_V4)ipt_icmp $(P_V4)ipt_tcp $(P_V4)ipt_udp)
|
|
|
|
|
|
|
|
|
|
IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_standard)
|
|
|
|
|
IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_icmp $(P_XT)xt_tcp $(P_XT)xt_udp)
|
|
|
|
|
|
|
|
|
|
IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m)
|
|
|
|
|
IPT_BUILTIN += $(IPT_CONNTRACK-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_CONNTRACK_EXTRA-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_EXTRA-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_FILTER-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_IMQ-y)
|
|
|
|
@ -265,6 +292,7 @@ IPT_BUILTIN += $(IPT_IPSEC-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_IPSET-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_IPV6-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_NAT-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_NAT_EXTRA-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_NATHELPER-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
|
|
|
|
|
IPT_BUILTIN += $(IPT_ULOG-y)
|
|
|
|
|
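Review bot: The userland-only core entry `$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp)))` gives one spelling per extension and ties them to a kernel symbol, whereas the four `IPT_BUILTIN` assignments in the `-249,13 +280,9` hunk also list `ipt_standard`, `ipt_tcp`, `ipt_udp` and `xt_icmp`, with no config condition. The page has lost its +/- column, so this assumes from the hunk's line counts that those four assignments are removed in favour of `IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m)`; the body of `nf_add` is not visible either, so how the symbol gates the list is inferred. If that reading holds, an iptables release whose extensions use the other names, or a config where the symbol is neither y nor m, would leave the standard target and the tcp/udp/icmp matches out of the built-in list, and basic filter rules would then fail to load. I would document the expectation above that line, e.g. `# userland built-ins: names must match the extensions shipped by the packaged iptables`, and check that the iptables package build stops with an error when this list expands to nothing.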