├── Makefile
├── README.md
├── files
    └── Makefile
└── patches
    └── 000-printk.patch

/Makefile:
--------------------------------------------------------------------------------
#
# Copyright (C) 2018 Chion Tang
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

# OpenWrt package Makefile. It declares two packages built from one source
# tree: the iptables userspace extension (libipt_FULLCONENAT.so) and the
# netfilter kernel module (xt_FULLCONENAT.ko).

include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=fullconenat
PKG_RELEASE:=1

# The upstream source is fetched over git and pinned to a full commit id,
# not to a branch or tag name.
# NOTE(review): no PKG_MIRROR_HASH is set in this file, so the pinned commit
# id is the only integrity anchor for the fetched source. Consider adding a
# hash so a repacked tarball is also checked.
PKG_SOURCE_DATE:=2018-12-15
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/Chion82/netfilter-full-cone-nat.git
PKG_SOURCE_VERSION:=d4daedd0e25309e822577e92b96ae4c7184abe83

PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=LICENSE

include $(INCLUDE_DIR)/package.mk

# Userspace side: the iptables extension. It depends on iptables itself and
# on the kernel module package declared further down.
define Package/iptables-mod-fullconenat
  SUBMENU:=Firewall
  SECTION:=net
  CATEGORY:=Network
  TITLE:=FULLCONENAT iptables extension
  DEPENDS:=+iptables +kmod-ipt-fullconenat
  MAINTAINER:=Chion Tang
endef

# Installs the built shared object into /usr/lib/iptables of the package
# root passed as $(1).
define Package/iptables-mod-fullconenat/install
	$(INSTALL_DIR) $(1)/usr/lib/iptables
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables
endef

# Kernel side: the xt_FULLCONENAT.ko module. KCONFIG requests conntrack
# event support in the kernel configuration.
# NOTE(review): CONFIG_NF_CONNTRACK_CHAIN_EVENTS presumably comes from the
# multiple-registrant conntrack patch that the README links. Confirm the
# target kernel tree carries it.
define KernelPackage/ipt-fullconenat
  SUBMENU:=Netfilter Extensions
  TITLE:=FULLCONENAT netfilter module
  DEPENDS:=+kmod-nf-ipt +kmod-nf-nat
  MAINTAINER:=Chion Tang
  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
  FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko
endef

include $(INCLUDE_DIR)/kernel-defaults.mk

# Runs the default prepare step, then copies this package's own
# files/Makefile into the build directory.
# NOTE(review): the default step is presumably also where
# patches/000-printk.patch gets applied. Confirm against the build log.
define Build/Prepare
	$(call Build/Prepare/Default)
	$(CP) ./files/Makefile $(PKG_BUILD_DIR)/
endef

# Two-stage build. First the kernel build system is invoked in $(LINUX_DIR)
# with SUBDIRS pointing at the package build directory and the goal
# "modules". The leading "+" marks the line as a recursive make call. Then
# the default compile step runs, presumably driving the copied
# files/Makefile to build libipt_FULLCONENAT.so.
# NOTE(review): BUILDFLAGS is not assigned anywhere in this file, so
# EXTRA_CFLAGS may expand to an empty string. Confirm where it is set.
# NOTE(review): newer kernels dropped SUBDIRS= in favour of M= for external
# module builds. Check this before moving to a newer kernel.
define Build/Compile
	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
		CROSS_COMPILE="$(TARGET_CROSS)" \
		ARCH="$(LINUX_KARCH)" \
		SUBDIRS="$(PKG_BUILD_DIR)" \
		EXTRA_CFLAGS="$(BUILDFLAGS)" \
		modules
	$(call Build/Compile/Default)
endef
| 64 | $(eval $(call BuildPackage,iptables-mod-fullconenat))
65 | $(eval $(call KernelPackage,ipt-fullconenat))
66 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Netfilter and iptables extension for [FULLCONENAT](https://github.com/Chion82/netfilter-full-cone-nat) target ported to OpenWrt.
2 |
3 | Compile
4 | ---
5 | ```
6 | # cd to OpenWrt source path
7 | # Clone this repo
8 | git clone -b master --single-branch https://github.com/LGA1150/openwrt-fullconenat package/fullconenat
9 | # Select Network -> Firewall -> iptables-mod-fullconenat
10 | make menuconfig
11 | # Compile
12 | make V=s
13 | ```
14 |
15 | Usage
16 | ---
17 | You can apply [this patch](https://github.com/LGA1150/fullconenat-fw3-patch) to OpenWrt's Firewall3 (Recommended).
18 |
19 | Or manually add the following rules to `/etc/firewall.user`:
20 | ```
21 | iptables -t nat -A zone_wan_prerouting -j FULLCONENAT
22 | iptables -t nat -A zone_wan_postrouting -j FULLCONENAT
23 | ```
24 |
25 | Workaround for the conflict with module `nf_conntrack_netlink`
26 | ---
27 | This module uses conntrack events to register a callback function. Within the same netns, only one callback can be registered, which causes a conflict with `nf_conntrack_netlink`, as it also uses conntrack events. Qualcomm Shortcut FE has introduced a patch that allows multiple callbacks to be registered. To apply it, put [this patch](https://github.com/coolsnowwolf/lede/blob/master/target/linux/generic/hack-4.14/952-net-conntrack-events-support-multiple-registrant.patch) into `target/linux/generic/hack-4.14`.
28 |
--------------------------------------------------------------------------------
/files/Makefile:
--------------------------------------------------------------------------------
1 | libipt_FULLCONENAT.so: libipt_FULLCONENAT.o
2 | $(CC) -shared -lxtables -o $@ $^;
3 | libipt_FULLCONENAT.o: libipt_FULLCONENAT.c
4 | $(CC) ${CFLAGS} -fPIC -D_INIT=$*_init -c -o $@ $<;
5 |
6 | obj-m += xt_FULLCONENAT.o
7 |
8 |
--------------------------------------------------------------------------------
/patches/000-printk.patch:
--------------------------------------------------------------------------------
1 | diff --git a/xt_FULLCONENAT.c b/xt_FULLCONENAT.c
2 | index 9e52eba..8658c5f 100644
3 | --- a/xt_FULLCONENAT.c
4 | +++ b/xt_FULLCONENAT.c
5 | @@ -697,9 +697,11 @@ static struct xt_target tg_reg[] __read_mostly = {
6 |
7 | static int __init fullconenat_tg_init(void)
8 | {
9 | + printk(KERN_INFO "xt_FULLCONENAT: RFC3489 Full Cone NAT module\n"
10 | + "xt_FULLCONENAT: Copyright (C) 2018 Chion Tang \n");
11 | wq = create_singlethread_workqueue("xt_FULLCONENAT");
12 | if (wq == NULL) {
13 | - printk("xt_FULLCONENAT: warning: failed to create workqueue\n");
14 | + printk(KERN_WARNING "xt_FULLCONENAT: warning: failed to create workqueue\n");
15 | }
16 |
17 | return xt_register_targets(tg_reg, ARRAY_SIZE(tg_reg));
18 |
--------------------------------------------------------------------------------
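Review bot: When `create_singlethread_workqueue()` fails, the `wq == NULL` branch still only logs and falls through to `xt_register_targets(tg_reg, ARRAY_SIZE(tg_reg))`, so the target goes live without a workqueue behind it. Whether the rest of the module checks `wq` before queueing work is not visible here; if it does not, an allocation failure at load time becomes a NULL pointer dereference in kernel context later. Failing the load is the safer default: `if (wq == NULL) { printk(KERN_ERR "xt_FULLCONENAT: failed to create workqueue\n"); return -ENOMEM; }`. The body of fullconenat_tg_init closes outside the hunk.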