From 2f4d3b71aff1fa9d6dad837284fc352e5c3c2c25 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Wed, 11 Apr 2018 13:14:00 +0200
Subject: [PATCH] Add patches to reduce iptables module dependencies

---
 ...tables-on-kmod-ebtables-to-selecting.patch | 23 ++++
 ...0075-kernel-unhide-kmod-br-netfilter.patch | 21 ++++
 ...s-do-not-depend-on-kmod-br-netfilter.patch | 22 ++++
 ...sdev-match-out-as-a-separate-package.patch | 114 ++++++++++++++++++
 4 files changed, 180 insertions(+)
 create mode 100644 patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
 create mode 100644 patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
 create mode 100644 patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
 create mode 100644 patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch

diff --git a/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
new file mode 100644
index 00000000..6f9d915f
--- /dev/null
+++ b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
@@ -0,0 +1,23 @@
+From: Matthias Schiffer
+Date: Mon, 9 Apr 2018 18:51:57 +0200
+Subject: kernel: change dependency of kmod-ebtables-* on kmod-ebtables to selecting
+
+Non-selecting dependencies easily lead to Kconfig failures due to recursive
+dependencies. We hit such an issue in Gluon; the easiest fix is to make
+the dependency selecting.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index bb882363f3df4df733424ca6bba72badc96f06f8..c1d08a54037e6b33834566dac58308f64a427ecd 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -707,7 +707,7 @@ $(eval $(call KernelPackage,ebtables))
+ 
+ define AddDepends/ebtables
+ SUBMENU:=$(NF_MENU)
+- DEPENDS+=kmod-ebtables $(1)
++ DEPENDS+= +kmod-ebtables $(1)
+ endef
+ 
+ 
diff --git a/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
new file mode 100644
index 00000000..c08c7819
--- /dev/null
+++ b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
@@ -0,0 +1,21 @@
+From: Matthias Schiffer
+Date: Mon, 9 Apr 2018 18:56:53 +0200
+Subject: kernel: unhide kmod-br-netfilter
+
+kmod-br-netfilter is not only a support module, but can be useful on its
+own, using the net.bridge.bridge-nf-call-* sysctls.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index c1d08a54037e6b33834566dac58308f64a427ecd..275147b8757a42c00de14502a072c8384a0526ab 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -672,7 +672,6 @@ $(eval $(call KernelPackage,arptables))
+ define KernelPackage/br-netfilter
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Bridge netfilter support modules
+- HIDDEN:=1
+ DEPENDS:=+kmod-ipt-core +kmod-bridge
+ FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko
+ KCONFIG:=CONFIG_BRIDGE_NETFILTER
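Review bot: Unhiding KernelPackage/br-netfilter makes it user-selectable, but the hunk leaves its TITLE as "Bridge netfilter support modules" and shows no description block, so someone picking it in menuconfig gets no hint of the effect the commit message describes. Once br_netfilter is loaded, bridged frames are handed to the iptables/ip6tables/arptables hooks according to the net.bridge.bridge-nf-call-* sysctls, which changes how a bridge's traffic is filtered without any rule change; that belongs in the package text rather than only in the patch description. If no KernelPackage/br-netfilter/description exists below the visible context, add one along the lines of `Passes bridged traffic through the iptables/ip6tables/arptables hooks; controlled by the net.bridge.bridge-nf-call-* sysctls.`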
diff --git a/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
new file mode 100644
index 00000000..472fe77c
--- /dev/null
+++ b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
@@ -0,0 +1,22 @@
+From: Matthias Schiffer
+Date: Mon, 9 Apr 2018 19:01:56 +0200
+Subject: kernel: kmod-ebtables: do not depend on kmod-br-netfilter
+
+While ebtables can be combined with br-netfilter, there is no good reason
+to make it a dependency.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 275147b8757a42c00de14502a072c8384a0526ab..34eefcd892b9e8b3157603fa47578d0afc65dc4b 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -689,7 +689,7 @@ $(eval $(call KernelPackage,br-netfilter))
+ define KernelPackage/ebtables
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Bridge firewalling modules
+- DEPENDS:=+kmod-ipt-core +kmod-bridge +kmod-br-netfilter
++ DEPENDS:=+kmod-ipt-core +kmod-bridge
+ FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
+ KCONFIG:=$(KCONFIG_EBTABLES)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
diff --git a/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
new file mode 100644
index 00000000..8d6c61d7
--- /dev/null
+++ b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
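Review bot: Dropping +kmod-br-netfilter from KernelPackage/ebtables DEPENDS is a behaviour change for existing images, not only a dependency cleanup: a configuration that installed kmod-ebtables and relied on it transitively pulling in br_netfilter, so that bridged traffic also reached the iptables hooks, will now build without br_netfilter and those iptables rules will no longer see bridged frames. The patch description only says there is "no good reason" for the dependency; it should state that users who need iptables filtering of bridged traffic must now select kmod-br-netfilter explicitly, and the Gluon package lists that previously got br_netfilter through kmod-ebtables should be checked before this lands. The loss is silent at build time and only shows up as rules that quietly stop matching, which is why it is worth spelling out in the description.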
@@ -0,0 +1,114 @@
+From: Matthias Schiffer
+Date: Mon, 9 Apr 2018 19:41:26 +0200
+Subject: iptables: split physdev match out as a separate package
+
+Split physdev match out of ipt-extra to allow installing ipt-extra without
+pulling in br-netfilter.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/include/netfilter.mk b/include/netfilter.mk
+index 39c8e7c90fab2ba14cd75c80d1e357dd23ae6a1b..79ae3d5343ed77b559f50f40bb8a73a33dd13314 100644
+--- a/include/netfilter.mk
++++ b/include/netfilter.mk
+@@ -89,12 +89,14 @@ $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CO
+ 
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_OWNER, $(P_XT)xt_owner))
+-$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PKTTYPE, $(P_XT)xt_pkttype))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota))
+ 
+ #$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))
+ 
++# physdev
++
++$(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ 
+ # filter
+ 
+@@ -347,6 +349,7 @@ IPT_BUILTIN += $(NF_CONNTRACK6-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK_EXTRA-y)
+ IPT_BUILTIN += $(IPT_EXTRA-y)
++IPT_BUILTIN += $(IPT_PHYSDEV-y)
+ IPT_BUILTIN += $(IPT_FILTER-y)
+ IPT_BUILTIN += $(IPT_IPOPT-y)
+ IPT_BUILTIN += $(IPT_IPRANGE-y)
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 34eefcd892b9e8b3157603fa47578d0afc65dc4b..a71904673ae53bffcc9fd88291520aacb4a4f8d7 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -604,7 +604,7 @@ define KernelPackage/ipt-extra
+ KCONFIG:=$(KCONFIG_IPT_EXTRA)
+ FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
+- $(call AddDepends/ipt,+kmod-br-netfilter)
++ $(call AddDepends/ipt)
+ endef
+ 
+ define KernelPackage/ipt-extra/description
+@@ -612,7 +612,6 @@ define KernelPackage/ipt-extra/description
+ Includes:
+ - addrtype
+ - owner
+- - physdev (if bridge support was enabled in kernel)
+ - pkttype
+ - quota
+ endef
+@@ -620,6 +619,21 @@ endef
+ $(eval $(call KernelPackage,ipt-extra))
+ 
+ 
++define KernelPackage/ipt-physdev
++ TITLE:=physdev module
++ KCONFIG:=$(KCONFIG_IPT_PHYSDEV)
++ FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko)
++ AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m)))
++ $(call AddDepends/ipt,+kmod-br-netfilter)
++endef
++
++define KernelPackage/ipt-physdev/description
++ The iptables physdev kernel module
++endef
++
++$(eval $(call KernelPackage,ipt-physdev))
++
++
+ define KernelPackage/ip6tables
+ SUBMENU:=$(NF_MENU)
+ TITLE:=IPv6 modules
+diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
+index 9761ed1820b5c092292d25aef28f8f9a8ffa91a6..af5ed8c6245a9d52f5aea695e71b08ac6f3e6eca 100644
+--- a/package/network/utils/iptables/Makefile
++++ b/package/network/utils/iptables/Makefile
+@@ -321,12 +321,20 @@ Other extra iptables extensions.
+ - addrtype
+ - condition
+ - owner
+- - physdev (if ebtables is enabled)
+ - pkttype
+ - quota
+ 
+ endef
+ 
++define Package/iptables-mod-physdev
++$(call Package/iptables/Module, +kmod-ipt-physdev)
++ TITLE:=physdev iptables extension
++endef
++
++define Package/iptables-mod-physdev/description
++The iptables physdev match.
++endef
++
+ define Package/iptables-mod-led
+ $(call Package/iptables/Module, +kmod-ipt-led)
+ TITLE:=LED trigger iptables extension
+@@ -561,6 +569,7 @@ endef
+ $(eval $(call BuildPackage,iptables))
+ $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+ $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
++$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
+ $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
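Review bot: Moving the physdev match out of ipt-extra/iptables-mod-extra means an upgraded system that had iptables-mod-extra installed loses `-m physdev` unless the new iptables-mod-physdev package is installed too, and depending on how the rule set is applied a rule that fails to load can leave the rules after it unapplied, which for a firewall is the wrong failure direction. Neither the patch description nor the new Package/iptables-mod-physdev/description mentions this migration, and nothing visible in the hunk makes the Gluon package selection pull in iptables-mod-physdev where physdev was previously obtained through iptables-mod-extra. Add a sentence to the patch description and to Package/iptables-mod-physdev/description such as `Previously part of iptables-mod-extra; rules using -m physdev now need this package (and kmod-br-netfilter).` and check which Gluon packages relied on the old bundling. Separately, KernelPackage/ipt-physdev sets no SUBMENU while the neighbouring KernelPackage/ip6tables sets `SUBMENU:=$(NF_MENU)`; if AddDepends/ipt does not set it the way AddDepends/ebtables does in patch 0074, the package will land outside the netfilter menu and `SUBMENU:=$(NF_MENU)` should be added to the define.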