Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use iptables 1.4.14 with kernel 2.6.22 #7

Open
wants to merge 5 commits into
base: 374.43_2-update
Choose a base branch
from

Conversation

kjbracey2
Copy link

@kjbracey2 kjbracey2 commented Dec 13, 2021

These patches make IPv6 QoS work on routers using 2.6.22.

  • Backport xt_conntrack revision 1 from 2.6.25 into the 2.6.22 kernel to support IPv6.
  • Backport xt_MARK revision 2 from 2.6.25 into the 2.6.22 kernel to allow use of masks with standard iptables 1.4.14.
  • Make ip6t_REJECT local kernel change user-space compatible between 2.6.22 and 2.6.38
  • Use iptables 1.4.14 with older kernels.
  • Remove duplicate file that causes failure on MIPS builds (it lacks what I'm assuming is a workaround for old SDK C libraries)

@kjbracey2 kjbracey2 force-pushed the iptables-1.4 branch 2 times, most recently from 0f09ef8 to 6b08209 Compare December 15, 2021 09:08
@kjbracey2
Copy link
Author

Updated to incorporate a couple of later 2.6.25 bug fixes in xt_conntrack. I'd cherry-picked the initial commits, but not checked against the final release version. I've now crosschecked with the linux-stable 2.6.25.y and 2.6.36.y branches to ensure all relevant bits are in - doesn't seem there were any backport fixes.

Pull in kernel 2.6.25 code supporting xt_conntrack revision 1.

This provides IPv6 conntrack support for iptables-1.4.x, and hence IPv6
QoS support.
And adjust iptables (1.3.8) to match. This gives user-space
compatibility between kernel 2.6.22 and 2.6.38.
@kjbracey2
Copy link
Author

kjbracey2 commented Dec 19, 2021

Updated to include backport of xt_MARK rev 2. The 2.6.22 kernel and iptables were using hacked rev 0/1 to let this work (from commit df49fc2), but iptables-1.4.x doesn't know about this.

Giving the kernel rev 2 lets iptables-1.4.x use its standard rev 2 implementation, and avoids it being confused by the kernel's modified rev 0/1.

MARK revision 0 and revision 1's SET operations had been hacked to act
like revision 2 (AND+XOR), and iptables had been hacked to take
advantage of this, so that rules could use masks.

iptables-1.4.14 doesn't have this hack, so won't permit masks. It only
knows how to do them with revision 2. It also will be expecting revision
0 and 1 to work as normal.

Extend the kernel so it provides revision 2, allowing iptables-1.4.14's
standard support to work. This should also avoid potential problems with
its standard use of revision 0 and 1 being misinterpreted by the hacked
kernel - it will use revision 2.
File exists twice in iptables/xtoptions.c (old location as found in GPL)
and libxtables/xtoptions.c (new location for 1.4.14).

Delete from the old location, and incorporate the manual number
conversion fallback in the new location (which seems to be necessary in
the RT-N66U).
@kjbracey2
Copy link
Author

The point of all of this was to get IPv6 QoS working - the initial blocker was conntrack not working to implement the --ctstate ESTABLISHED,RELATED match.

Now this PR is doing the job, and updating a bunch of things to do it, but I've realised there are two much simpler approaches.

  1. Change the rule to -m state --state ESTABLISHED,RELATED. Unlike conntrack, this is present in the older kernel and iptables for IPv6, and does exactly the same thing.
  2. Remove the match altogether. It's not clear why you shouldn't just always do the --restore. The current Merlin code has removed it.

Not tested either of those though.

@tsjk
Copy link

tsjk commented Oct 14, 2022

Would hashlimit work with this patch?
And, is there a docker image somewhere that simplifies building a patched/updated ROM?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants