From 2f4d3b71aff1fa9d6dad837284fc352e5c3c2c25 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Wed, 11 Apr 2018 13:14:00 +0200
Subject: [PATCH] Add patches to reduce iptables module dependencies

---
 ...tables-on-kmod-ebtables-to-selecting.patch |  23 ++++
 ...0075-kernel-unhide-kmod-br-netfilter.patch |  21 ++++
 ...s-do-not-depend-on-kmod-br-netfilter.patch |  22 ++++
 ...sdev-match-out-as-a-separate-package.patch | 114 ++++++++++++++++++
 4 files changed, 180 insertions(+)
 create mode 100644 patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
 create mode 100644 patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
 create mode 100644 patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
 create mode 100644 patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch

diff --git a/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
new file mode 100644
index 000000000..6f9d915fb
--- /dev/null
+++ b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
@@ -0,0 +1,23 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 18:51:57 +0200
+Subject: kernel: change dependency of kmod-ebtables-* on kmod-ebtables to selecting
+
+Non-selecting dependencies easily lead to Kconfig failures due to recursive
+dependencies. We hit such an issue in Gluon; the easiest fix is to make
+the dependency selecting.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index bb882363f3df4df733424ca6bba72badc96f06f8..c1d08a54037e6b33834566dac58308f64a427ecd 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -707,7 +707,7 @@ $(eval $(call KernelPackage,ebtables))
+ 
+ define AddDepends/ebtables
+   SUBMENU:=$(NF_MENU)
+-  DEPENDS+=kmod-ebtables $(1)
++  DEPENDS+= +kmod-ebtables $(1)
+ endef
+ 
+ 
diff --git a/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
new file mode 100644
index 000000000..c08c78191
--- /dev/null
+++ b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
@@ -0,0 +1,21 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 18:56:53 +0200
+Subject: kernel: unhide kmod-br-netfilter
+
+kmod-br-netfilter is not only a support module, but can be useful on its
+own, using the net.bridge.bridge-nf-call-* sysctls.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index c1d08a54037e6b33834566dac58308f64a427ecd..275147b8757a42c00de14502a072c8384a0526ab 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -672,7 +672,6 @@ $(eval $(call KernelPackage,arptables))
+ define KernelPackage/br-netfilter
+   SUBMENU:=$(NF_MENU)
+   TITLE:=Bridge netfilter support modules
+-  HIDDEN:=1
+   DEPENDS:=+kmod-ipt-core +kmod-bridge
+   FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko
+   KCONFIG:=CONFIG_BRIDGE_NETFILTER
diff --git a/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
new file mode 100644
index 000000000..472fe77c1
--- /dev/null
+++ b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
@@ -0,0 +1,22 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 19:01:56 +0200
+Subject: kernel: kmod-ebtables: do not depend on kmod-br-netfilter
+
+While ebtables can be combined with br-netfilter, there is no good reason
+to make it a dependency.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 275147b8757a42c00de14502a072c8384a0526ab..34eefcd892b9e8b3157603fa47578d0afc65dc4b 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -689,7 +689,7 @@ $(eval $(call KernelPackage,br-netfilter))
+ define KernelPackage/ebtables
+   SUBMENU:=$(NF_MENU)
+   TITLE:=Bridge firewalling modules
+-  DEPENDS:=+kmod-ipt-core +kmod-bridge +kmod-br-netfilter
++  DEPENDS:=+kmod-ipt-core +kmod-bridge
+   FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
+   KCONFIG:=$(KCONFIG_EBTABLES)
+   AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
diff --git a/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
new file mode 100644
index 000000000..8d6c61d7b
--- /dev/null
+++ b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
@@ -0,0 +1,114 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 19:41:26 +0200
+Subject: iptables: split physdev match out as a separate package
+
+Split physdev match out of ipt-extra to allow installing ipt-extra without
+pulling in br-netfilter.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/include/netfilter.mk b/include/netfilter.mk
+index 39c8e7c90fab2ba14cd75c80d1e357dd23ae6a1b..79ae3d5343ed77b559f50f40bb8a73a33dd13314 100644
+--- a/include/netfilter.mk
++++ b/include/netfilter.mk
+@@ -89,12 +89,14 @@ $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CO
+ 
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_OWNER, $(P_XT)xt_owner))
+-$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PKTTYPE, $(P_XT)xt_pkttype))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota))
+ 
+ #$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))
+ 
++# physdev
++
++$(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ 
+ # filter
+ 
+@@ -347,6 +349,7 @@ IPT_BUILTIN += $(NF_CONNTRACK6-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK_EXTRA-y)
+ IPT_BUILTIN += $(IPT_EXTRA-y)
++IPT_BUILTIN += $(IPT_PHYSDEV-y)
+ IPT_BUILTIN += $(IPT_FILTER-y)
+ IPT_BUILTIN += $(IPT_IPOPT-y)
+ IPT_BUILTIN += $(IPT_IPRANGE-y)
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 34eefcd892b9e8b3157603fa47578d0afc65dc4b..a71904673ae53bffcc9fd88291520aacb4a4f8d7 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -604,7 +604,7 @@ define KernelPackage/ipt-extra
+   KCONFIG:=$(KCONFIG_IPT_EXTRA)
+   FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
+   AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
+-  $(call AddDepends/ipt,+kmod-br-netfilter)
++  $(call AddDepends/ipt)
+ endef
+ 
+ define KernelPackage/ipt-extra/description
+@@ -612,7 +612,6 @@ define KernelPackage/ipt-extra/description
+  Includes:
+  - addrtype
+  - owner
+- - physdev (if bridge support was enabled in kernel)
+  - pkttype
+  - quota
+ endef
+@@ -620,6 +619,21 @@ endef
+ $(eval $(call KernelPackage,ipt-extra))
+ 
+ 
++define KernelPackage/ipt-physdev
++  TITLE:=physdev module
++  KCONFIG:=$(KCONFIG_IPT_PHYSDEV)
++  FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko)
++  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m)))
++  $(call AddDepends/ipt,+kmod-br-netfilter)
++endef
++
++define KernelPackage/ipt-physdev/description
++ The iptables physdev kernel module
++endef
++
++$(eval $(call KernelPackage,ipt-physdev))
++
++
+ define KernelPackage/ip6tables
+   SUBMENU:=$(NF_MENU)
+   TITLE:=IPv6 modules
+diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
+index 9761ed1820b5c092292d25aef28f8f9a8ffa91a6..af5ed8c6245a9d52f5aea695e71b08ac6f3e6eca 100644
+--- a/package/network/utils/iptables/Makefile
++++ b/package/network/utils/iptables/Makefile
+@@ -321,12 +321,20 @@ Other extra iptables extensions.
+   - addrtype
+   - condition
+   - owner
+-  - physdev (if ebtables is enabled)
+   - pkttype
+   - quota
+ 
+ endef
+ 
++define Package/iptables-mod-physdev
++$(call Package/iptables/Module, +kmod-ipt-physdev)
++  TITLE:=physdev iptables extension
++endef
++
++define Package/iptables-mod-physdev/description
++The iptables physdev match.
++endef
++
+ define Package/iptables-mod-led
+ $(call Package/iptables/Module, +kmod-ipt-led)
+   TITLE:=LED trigger iptables extension
+@@ -561,6 +569,7 @@ endef
+ $(eval $(call BuildPackage,iptables))
+ $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+ $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
++$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
+ $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
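Review bot: Moving xt_physdev out of `iptables-mod-extra` into the new `iptables-mod-physdev` comes with no compatibility handling, so an existing image or installed system that used `-m physdev` via iptables-mod-extra loses the match on upgrade; depending on how the ruleset is loaded, a single unknown match can fail the whole restore and leave the host without its intended firewall. The patch description should at least spell out the migration, e.g. `Configurations using physdev rules must now select iptables-mod-physdev (and kmod-ipt-physdev).` The `KernelPackage/ipt-physdev/description` should also state what it pulls in, e.g. `The iptables physdev match; depends on kmod-br-netfilter, which routes bridged frames through the iptables chains where the bridge-nf-call-* sysctls are enabled.` The `nf_add` helper and the derivation of `KCONFIG_IPT_PHYSDEV` are outside the hunk, so the new package's `KCONFIG:=` line is assumed to be populated the same way as `KCONFIG_IPT_EXTRA`.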
-- 
GitLab