authorAlin Nastac <alin.nastac@gmail.com>2017-06-16 14:16:07 +0200
committerHans Dedecker <dedeckeh@gmail.com>2017-07-11 22:09:57 +0200
commitd8748e537f11ab5f2b5e2ed25d94baa5ce353984 (patch)
tree8cdc9cb604c2d5ddfbd208f004c42553a55549dc /package/kernel
parenta35a27e8ef05b6536cf12b2938488be499859b76 (diff)
netfilter: add iptables-mod-rpfilter package
Unlike the /proc/sys/net/ipv4/conf/INTF/rp_filter flag, the rule iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP prevents the conntrack table from becoming full when a packet flood with randomly selected source IP addresses is received from the LAN side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Diffstat (limited to 'package/kernel')
-rw-r--r--package/kernel/linux/modules/netfilter.mk18
1 files changed, 18 insertions, 0 deletions
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 6162dbc362..a34a9e4207 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -836,6 +836,24 @@ endef
$(eval $(call KernelPackage,ipt-hashlimit))
+define KernelPackage/ipt-rpfilter
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Netfilter rpfilter match
+ DEPENDS:=+kmod-ipt-core
+ KCONFIG:=$(KCONFIG_IPT_RPFILTER)
+ FILES:=$(realpath \
+ $(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \
+ $(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko)
+ AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter)
+ $(call KernelPackage/ipt)
+endef
+
+define KernelPackage/ipt-rpfilter/description
+ Kernel modules support for the Netfilter rpfilter match
+endef
+
+$(eval $(call KernelPackage,ipt-rpfilter))
+
define KernelPackage/nft-core
SUBMENU:=$(NF_MENU)
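Review bot: In `KernelPackage/ipt-rpfilter`, `FILES:=$(realpath …)` silently drops any `.ko` that was not built, while `AUTOLOAD` still names both `ipt_rpfilter` and `ip6t_rpfilter` unconditionally. On a kernel built without IPv6 the package would presumably ship only the IPv4 module and still try to probe the IPv6 one. Any ip6tables rule using `-m rpfilter` would then fail to load, leaving the reverse-path check absent rather than enforced. I would record that intent above `FILES` with a comment such as `# realpath drops ip6t_rpfilter.ko when the kernel lacks IPv6; AUTOLOAD below still lists it`, or make the IPv6 entry conditional on the same setting. The description could also say what is shipped, e.g. `Kernel modules for the Netfilter rpfilter (reverse path filter) match, IPv4 and IPv6`. Separately, the commit message's rule uses the raw table but `DEPENDS` lists only `+kmod-ipt-core`, so it is worth confirming that the raw-table package is pulled in elsewhere.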