How to Add a Netfilter Extension to the firmware
Some Netfilter Extension are not in the OpenWRT toolchain.
In this example we explain how to add the hashlimit Netfilter Extension to the OpenWRT firmware we are building.
To add an extension first edit the file include/netfilter.mk from your OpenWRT svn checkout
browse the file to the section #extra
Here each line adds a Netfilter extension when the kmod-netfilter-extra package is selected
To add the hashlimit kernel module we add this line:
$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_HASHLIMIT, $(P_XT)xt_hashlimit))
Where CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is the symbol of the kernel module we are adding.
To find this name for another module get a recent Vanilla Kernel, browse the ncurses menus that appear after "make menuconfig" and when the module you are looking for is highlighetd select the "help" button. You will have a screen saying something like: Symbol: NETFILTER_XT_MATCH_HASHLIMIT
To find the right string where we have put xt_hashlimit we need to know the filename of the object created when we compile the module in the kernel. I did like this: I compiled the normal Kernel and then I went into "net/netfilter" to see the file name. In my case it was xt_hashlimit.o
So after all we just have to add 1 line to the file: include/netfilter.mk
Let's check if everything is ok:
make menuconfig
select "iptables-mod-extra" from "base-system -> iptables" select "kmod-ipt-extra" from "kernel-modules -> Netfilter Extensions"
compile now to see if there are no errors
make package/kernel-clean V=99 make package/kernel-compile V=99 make package/iptables-clean V=99 make package/iptables-compile V=99
if there are no errors you can compile the firmware with the "make" command