summaryrefslogtreecommitdiffstats
path: root/package/iptables
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2012-10-10 12:32:29 +0000
committerFelix Fietkau <nbd@openwrt.org>2012-10-10 12:32:29 +0000
commit405e21d16731b2764ab82aaaadcf36a813b105f7 (patch)
treec6f9a8402389a5081519b91ce62c4a8cafcb8917 /package/iptables
parentd0ec348ded6f715b43b396b06ccb10599b37969d (diff)
downloadmaster-31e0f0ae-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.gz
master-31e0f0ae-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.bz2
master-31e0f0ae-405e21d16731b2764ab82aaaadcf36a813b105f7.zip
packages: sort network related packages into package/network/
SVN-Revision: 33688
Diffstat (limited to 'package/iptables')
-rw-r--r--package/iptables/Makefile475
-rw-r--r--package/iptables/files/l7/aim.pat28
-rw-r--r--package/iptables/files/l7/bittorrent.pat25
-rw-r--r--package/iptables/files/l7/edonkey.pat37
-rw-r--r--package/iptables/files/l7/fasttrack.pat23
-rw-r--r--package/iptables/files/l7/ftp.pat46
-rw-r--r--package/iptables/files/l7/gnutella.pat34
-rw-r--r--package/iptables/files/l7/http.pat28
-rw-r--r--package/iptables/files/l7/ident.pat15
-rw-r--r--package/iptables/files/l7/irc.pat20
-rw-r--r--package/iptables/files/l7/jabber.pat24
-rw-r--r--package/iptables/files/l7/msnmessenger.pat28
-rw-r--r--package/iptables/files/l7/ntp.pat17
-rw-r--r--package/iptables/files/l7/pop3.pat50
-rw-r--r--package/iptables/files/l7/smtp.pat40
-rw-r--r--package/iptables/files/l7/ssl.pat16
-rw-r--r--package/iptables/files/l7/vnc.pat23
-rw-r--r--package/iptables/patches/002-layer7_2.22.patch371
-rw-r--r--package/iptables/patches/009-table-alignment.patch11
-rw-r--r--package/iptables/patches/010-multiport-linux-2.4-compat.patch265
-rw-r--r--package/iptables/patches/011-recent-add-reap.patch116
-rw-r--r--package/iptables/patches/020-iptables-disable-modprobe.patch18
-rw-r--r--package/iptables/patches/030-no-libnfnetlink.patch92
-rw-r--r--package/iptables/patches/100-bash-location.patch16
-rw-r--r--package/iptables/patches/110-linux_3.2_compat.patch12
-rw-r--r--package/iptables/patches/200-configurable_builtin.patch56
26 files changed, 0 insertions, 1886 deletions
diff --git a/package/iptables/Makefile b/package/iptables/Makefile
deleted file mode 100644
index ff7d428215..0000000000
--- a/package/iptables/Makefile
+++ /dev/null
@@ -1,475 +0,0 @@
-#
-# Copyright (C) 2006-2012 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=iptables
-PKG_VERSION:=1.4.10
-PKG_RELEASE:=4
-
-PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
- ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
- ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
- ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
-PKG_BUILD_PARALLEL:=1
-
-ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
-PATCH_DIR:=
-endif
-
-include $(INCLUDE_DIR)/package.mk
-ifeq ($(DUMP),)
- -include $(LINUX_DIR)/.config
- include $(INCLUDE_DIR)/netfilter.mk
- STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
-endif
-
-
-define Package/iptables/Default
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Firewall
- URL:=http://netfilter.org/
-endef
-
-define Package/iptables/Module
-$(call Package/iptables/Default)
- DEPENDS:=iptables $(1)
-endef
-
-define Package/iptables
-$(call Package/iptables/Default)
- TITLE:=IPv4 firewall administration tool
- MENU:=1
- DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
-endef
-
-define Package/iptables/description
-IPv4 firewall administration tool.
-
- Matches:
- - icmp
- - tcp
- - udp
- - comment
- - limit
- - mac
- - multiport
-
- Targets:
- - ACCEPT
- - DROP
- - REJECT
- - LOG
- - TCPMSS
-
- Tables:
- - filter
- - mangle
-
-endef
-
-define Package/iptables-mod-conntrack-extra
-$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
- TITLE:=Extra connection tracking extensions
-endef
-
-define Package/iptables-mod-conntrack-extra/description
-Extra iptables extensions for connection tracking.
-
- Matches:
- - connbytes
- - connmark
- - recent
- - helper
-
- Targets:
- - CONNMARK
-
-endef
-
-define Package/iptables-mod-filter
-$(call Package/iptables/Module, +kmod-ipt-filter)
- TITLE:=Content inspection extensions
-endef
-
-define Package/iptables-mod-filter/description
-iptables extensions for packet content inspection.
-Includes support for:
-
- Matches:
- - layer7
- - string
-
-endef
-
-define Package/iptables-mod-ipopt
-$(call Package/iptables/Module, +kmod-ipt-ipopt)
- TITLE:=IP/Packet option extensions
-endef
-
-define Package/iptables-mod-ipopt/description
-iptables extensions for matching/changing IP packet options.
-
- Matches:
- - dscp
- - ecn
- - length
- - mark
- - statistic
- - tcpmss
- - time
- - unclean
- - hl
-
- Targets:
- - DSCP
- - CLASSIFY
- - ECN
- - MARK
- - HL
-
-endef
-
-define Package/iptables-mod-ipsec
-$(call Package/iptables/Module, +kmod-ipt-ipsec)
- TITLE:=IPsec extensions
-endef
-
-define Package/iptables-mod-ipsec/description
-iptables extensions for matching ipsec traffic.
-
- Matches:
- - ah
- - esp
- - policy
-
-endef
-
-define Package/iptables-mod-ipset
-$(call Package/iptables/Module,)
- TITLE:=IPset iptables extensions
-endef
-
-define Package/iptables-mod-ipset/description
-IPset iptables extensions.
-
- Matches:
- - set
-
- Targets:
- - SET
-
-endef
-
-define Package/iptables-mod-nat-extra
-$(call Package/iptables/Module, +kmod-ipt-nat-extra)
- TITLE:=Extra NAT extensions
-endef
-
-define Package/iptables-mod-nat-extra/description
-iptables extensions for extra NAT targets.
-
- Targets:
- - MIRROR
- - NETMAP
- - REDIRECT
-endef
-
-define Package/iptables-mod-ulog
-$(call Package/iptables/Module, +kmod-ipt-ulog)
- TITLE:=user-space packet logging
-endef
-
-define Package/iptables-mod-ulog/description
-iptables extensions for user-space packet logging.
-
- Targets:
- - ULOG
-
-endef
-
-define Package/iptables-mod-hashlimit
-$(call Package/iptables/Module, +kmod-ipt-hashlimit)
- TITLE:=hashlimit matching
-endef
-
-define Package/iptables-mod-hashlimit/description
-iptables extensions for hashlimit matching
-
- Matches:
- - hashlimit
-
-endef
-
-define Package/iptables-mod-iprange
-$(call Package/iptables/Module, +kmod-ipt-iprange)
- TITLE:=IP range extension
-endef
-
-define Package/iptables-mod-iprange/description
-iptables extensions for matching ip ranges.
-
- Matches:
- - iprange
-
-endef
-
-define Package/iptables-mod-extra
-$(call Package/iptables/Module, +kmod-ipt-extra)
- TITLE:=Other extra iptables extensions
-endef
-
-define Package/iptables-mod-extra/description
-Other extra iptables extensions.
-
- Matches:
- - condition
- - owner
- - physdev (if ebtables is enabled)
- - pkttype
- - quota
-
-endef
-
-define Package/iptables-mod-led
-$(call Package/iptables/Module, +kmod-ipt-led)
- TITLE:=LED trigger iptables extension
-endef
-
-define Package/iptables-mod-led/description
-iptables extension for triggering a LED.
-
- Targets:
- - LED
-
-endef
-
-define Package/iptables-mod-tproxy
-$(call Package/iptables/Module, +kmod-ipt-tproxy)
- TITLE:=Transparent proxy iptables extensions
-endef
-
-define Package/iptables-mod-tproxy/description
-Transparent proxy iptables extensions.
-
- Matches:
- - socket
-
- Targets:
- - TPROXY
-
-endef
-
-define Package/iptables-mod-tee
-$(call Package/iptables/Module, +kmod-ipt-tee)
- TITLE:=TEE iptables extensions
-endef
-
-define Package/iptables-mod-tee/description
-TEE iptables extensions.
-
- Targets:
- - TEE
-
-endef
-
-define Package/iptables-mod-u32
-$(call Package/iptables/Module, +kmod-ipt-u32)
- TITLE:=U32 iptables extensions
-endef
-
-define Package/iptables-mod-u32/description
-U32 iptables extensions.
-
- Matches:
- - u32
-
-endef
-
-define Package/ip6tables
-$(call Package/iptables/Default)
- DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
- CATEGORY:=IPv6
- TITLE:=IPv6 firewall administration tool
- MENU:=1
-endef
-
-define Package/libiptc
-$(call Package/iptables/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- DEPENDS:=+libip4tc +libip6tc
- TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
-endef
-
-define Package/libip4tc
-$(call Package/iptables/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=IPv4 firewall - shared libiptc library
-endef
-
-define Package/libip6tc
-$(call Package/iptables/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=IPv6 firewall - shared libiptc library
-endef
-
-define Package/libxtables
- $(call Package/iptables/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=IPv4/IPv6 firewall - shared xtables library
-endef
-
-define Package/libipq
- $(call Package/iptables/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=IPv4/IPv6 firewall - shared libipq library
-endef
-
-TARGET_CPPFLAGS := \
- -I$(PKG_BUILD_DIR)/include \
- -I$(LINUX_DIR)/user_headers/include \
- $(TARGET_CPPFLAGS)
-
-TARGET_CFLAGS += \
- -I$(PKG_BUILD_DIR)/include \
- -I$(LINUX_DIR)/user_headers/include
-
-CONFIGURE_ARGS += \
- --enable-shared \
- --enable-devel \
- $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
- --enable-libipq \
- --with-kernel="$(LINUX_DIR)/user_headers" \
- --with-xtlibdir=/usr/lib/iptables \
- --enable-static
-
-MAKE_FLAGS := \
- $(TARGET_CONFIGURE_OPTS) \
- COPT_FLAGS="$(TARGET_CFLAGS)" \
- KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
- KBUILD_OUTPUT="$(LINUX_DIR)" \
- BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))"
-
-define Build/InstallDev
- $(INSTALL_DIR) $(1)/usr/include
- $(INSTALL_DIR) $(1)/usr/include/iptables
- $(INSTALL_DIR) $(1)/usr/include/net/netfilter
-
- # XXX: iptables header fixup, some headers are not installed by iptables anymore
- $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
- $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
- $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
- $(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/
- $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
- $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
-
- $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
- $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
-endef
-
-define Package/iptables/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
- $(LN) iptables $(1)/usr/sbin/iptables-save
- $(LN) iptables $(1)/usr/sbin/iptables-restore
- $(INSTALL_DIR) $(1)/usr/lib/iptables
-endef
-
-define Package/ip6tables/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
- $(LN) ip6tables $(1)/usr/sbin/ip6tables-save
- $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
- $(INSTALL_DIR) $(1)/usr/lib/iptables
- (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
- $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
- )
-endef
-
-define Package/libiptc/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
-endef
-
-define Package/libip4tc/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
-endef
-
-define Package/libip6tc/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
-endef
-
-define Package/libxtables/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
-endef
-
-define Package/libipq/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
-endef
-
-define BuildPlugin
- define Package/$(1)/install
- $(INSTALL_DIR) $$(1)/usr/lib/iptables
- for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
- if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
- fi; \
- done
- $(3)
- endef
-
- $$(eval $$(call BuildPackage,$(1)))
-endef
-
-L7_INSTALL:=\
- $(INSTALL_DIR) $$(1)/etc/l7-protocols; \
- $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
-
-
-$(eval $(call BuildPackage,iptables))
-$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
-$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
-$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
-$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
-$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
-$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
-$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
-$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
-$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
-$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
-$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
-$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
-$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
-$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
-$(eval $(call BuildPackage,ip6tables))
-$(eval $(call BuildPackage,libiptc))
-$(eval $(call BuildPackage,libip4tc))
-$(eval $(call BuildPackage,libip6tc))
-$(eval $(call BuildPackage,libxtables))
-$(eval $(call BuildPackage,libipq))
diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat
deleted file mode 100644
index 5c43930fd3..0000000000
--- a/package/iptables/files/l7/aim.pat
+++ /dev/null
@@ -1,28 +0,0 @@
-# AIM - AOL instant messenger (OSCAR and TOC)
-# Pattern attributes: good slow notsofast
-# Protocol groups: chat proprietary
-# Wiki: http://www.protocolinfo.org/wiki/AIM
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 5190
-#
-# This may also match ICQ traffic.
-#
-# This pattern has been tested and is believed to work well.
-
-aim
-# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
-# The first bit matches OSCAR signon and data commands, but not sure what
-# \x03\x0b matches, but it works apparently.
-# The next three bits match various parts of the TOC signon process.
-# The third one is the magic number "*", then 0x01 for "signon", then up to four
-# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
-# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
-# then 0x01 for the version number (not sure if there ever has been another
-# version)
-# The fourth one is a command string, followed by some stuff, then the
-# beginning of the "roasted" password
-
-# This pattern is too slow!
-
-^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat
deleted file mode 100644
index 4a3ba88d58..0000000000
--- a/package/iptables/files/l7/bittorrent.pat
+++ /dev/null
@@ -1,25 +0,0 @@
-# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
-# Pattern attributes: good slow594 notsofast undermatch
-# Protocol groups: p2p open_source
-# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# This pattern has been tested and is believed to work well.
-# It will, however, not work on bittorrent streams that are encrypted, since
-# it's impossible to match (well) encrypted data.
-
-bittorrent
-
-# Does not attempt to match the HTTP download of the tracker
-# 0x13 is the length of "bittorrent protocol"
-# Second two bits match UDP wierdness
-# Next bit matches something Azureus does
-# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
-# packet and perhaps this will match multiple clients.
-# bitcomet-specific strings contributed by liangjun.
-
-# This is not a valid GNU basic regular expression (but that's ok).
-^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
-
-# This pattern is "fast", but won't catch as much
-#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat
deleted file mode 100644
index 75807f8ebb..0000000000
--- a/package/iptables/files/l7/edonkey.pat
+++ /dev/null
@@ -1,37 +0,0 @@
-# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
-# Pattern attributes: good veryfast fast overmatch
-# Protocol groups: p2p
-# Wiki: http://www.protocolinfo.org/wiki/EDonkey
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
-# and a long time ago with something else.
-#
-# In addition to matching what you might expect, this matches much of
-# what eMule does when you tell it to only connect to the KAD network.
-# I don't quite know what to make of this.
-
-# Thanks to Matt Skidmore <fox AT woozle.org>
-
-edonkey
-
-# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
-#
-# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
-# As of April 2006, I also see some \xe4.
-#
-# God this is a mess. What an irritating protocol.
-# This will match about 2% of streams with random data in them!
-# (But fortunately much fewer than 2% of streams that are other protocols.
-# You can test this with the data in ../testing/)
-
-^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
-
-# matches everything and too much
-# ^(\xe3|\xc5|\xd4)
-
-# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
-
-# bandwidtharbitrator uses
-# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
-# no comments to explain what all the mush is, of course...
diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat
deleted file mode 100644
index 6ed8ff1d13..0000000000
--- a/package/iptables/files/l7/fasttrack.pat
+++ /dev/null
@@ -1,23 +0,0 @@
-# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
-# Pattern attributes: good slow notsofast
-# Protocol groups: p2p
-# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Tested with Kazaa Lite Resurrection 0.0.7.6F
-#
-# This appears to match the download connections well, but not the search
-# connections (I think they are encrypted :-( ).
-
-fasttrack
-# while this is a valid http request, this will be caught because
-# the http pattern matches the response (and therefore the next packet)
-# Even so, it's best to put this match earlier in the chain.
-# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
-
-# This pattern is kinda slow, but not too bad.
-^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
-
-# This isn't much faster:
-#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
-
diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat
deleted file mode 100644
index 44d97c467b..0000000000
--- a/package/iptables/files/l7/ftp.pat
+++ /dev/null
@@ -1,46 +0,0 @@
-# FTP - File Transfer Protocol - RFC 959
-# Pattern attributes: great notsofast fast
-# Protocol groups: document_retrieval ietf_internet_standard
-# Wiki: http://protocolinfo.org/wiki/FTP
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 21. Note that the data stream is on a dynamically
-# assigned port, which means that you will need the FTP connection
-# tracking module in your kernel to usefully match FTP data transfers.
-#
-# This pattern is well tested.
-#
-# Handles the first two things a server should say:
-#
-# First, the server says it's ready by sending "220". Most servers say
-# something after 220, even though they don't have to, and it usually
-# includes the string "ftp" (l7-filter is case insensitive). This
-# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
-# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
-# ASCII printable characters between the "220" and the "FTP", but non-English
-# ones might use others.
-#
-# The next thing the server sends is a 331. All the above servers also
-# send something including "password" after this code. By default, we
-# do not match on this because it takes another packet and is more work
-# for regexec.
-
-ftp
-# by default, we allow only ASCII
-^220[\x09-\x0d -~]*ftp
-
-# This covers UTF-8 as well
-#^220[\x09-\x0d -~\x80-\xfd]*ftp
-
-# This allows any characters and is about 4x faster than either of the above
-# (which are about the same as each other)
-#^220.*ftp
-
-# This is much slower
-#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
-
-# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
-#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
-
-# same as above, but slightly less precise and only takes 2 packets.
-#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat
deleted file mode 100644
index 770ed43b36..0000000000
--- a/package/iptables/files/l7/gnutella.pat
+++ /dev/null
@@ -1,34 +0,0 @@
-# Gnutella - P2P filesharing
-# Pattern attributes: good notsofast notsofast
-# Protocol groups: p2p open_source
-# Wiki: http://www.protocolinfo.org/wiki/Gnutella
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
-#
-# Various clients use this protocol including Mactella, Shareaza,
-# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
-#
-# This is tested with gtk-gnutella and Shareaza.
-
-# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
-# http://rfc-gnutella.sf.net/
-# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
-# http://en.wikipedia.org/wiki/Shareaza
-
-gnutella
-
-# The first part matches UDP messages - All start with "GND", then have
-# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
-# that can be anything, then a fragment number, which must start at 1.
-# The rest matches TCP first client message or first server message (in case
-# we can't see client messages). Some parts of this are empirical rather than
-# document based. Assumes version is between 0.0 and 2.9. (usually is
-# 0.4 or 0.6). I'm guessing at many of the user-agents.
-# The last bit is emprical and probably only matches Limewire.
-^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
-
-# Needlessly precise, at the expense of time
-#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
-
-
diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat
deleted file mode 100644
index 5122310d2f..0000000000
--- a/package/iptables/files/l7/http.pat
+++ /dev/null
@@ -1,28 +0,0 @@
-# HTTP - HyperText Transfer Protocol - RFC 2616
-# Pattern attributes: great slow notsofast superset
-# Protocol groups: document_retrieval ietf_draft_standard
-# Wiki: http://protocolinfo.org/wiki/HTTP
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 80
-#
-# This pattern has been tested and is believed to work well.
-#
-# this intentionally catches the response from the server rather than
-# the request so that other protocols which use http (like kazaa) can be
-# caught based on specific http requests regardless of the ordering of
-# filters... also matches posts
-
-# Sites that serve really long cookies may break this by pushing the
-# server response too far away from the beginning of the connection. To
-# fix this, increase the kernel's data buffer length.
-
-http
-# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
-# As specified in rfc 2616 a status code is preceeded and followed by a
-# space.
-http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
-# A slightly faster version that might be good enough:
-#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
-# old pattern(s):
-#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat
deleted file mode 100644
index 3205e5e696..0000000000
--- a/package/iptables/files/l7/ident.pat
+++ /dev/null
@@ -1,15 +0,0 @@
-# Ident - Identification Protocol - RFC 1413
-# Pattern attributes: good fast fast
-# Protocol groups: networking ietf_proposed_standard
-# Wiki: http://www.protocolinfo.org/wiki/Ident
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 113
-#
-# This pattern is believed to work.
-
-ident
-# "number , numberCRLF" possibly without the CR and/or LF.
-# ^$ is appropriate because the first packet should never have anything
-# else in it.
-^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat
deleted file mode 100644
index e25360cafb..0000000000
--- a/package/iptables/files/l7/irc.pat
+++ /dev/null
@@ -1,20 +0,0 @@
-# IRC - Internet Relay Chat - RFC 1459
-# Pattern attributes: great veryfast fast
-# Protocol groups: chat ietf_proposed_standard
-# Wiki: http://www.protocolinfo.org/wiki/IRC
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 6666 or 6667
-# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
-# can use much more bandwidth) uses a dynamically assigned port, so you
-# must have the IRC connection tracking module in your kernel to classify
-# this.
-#
-# This pattern has been tested and is believed to work well.
-
-irc
-# First thing that happens is that the client sends NICK and USER, in
-# either order. This allows MIRC color codes (\x02-\x0d instead of
-# \x09-\x0d).
-^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
-
diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat
deleted file mode 100644
index 7c328905ee..0000000000
--- a/package/iptables/files/l7/jabber.pat
+++ /dev/null
@@ -1,24 +0,0 @@
-# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
-# Pattern attributes: good notsofast notsofast
-# Protocol groups: chat ietf_proposed_standard
-# Wiki: http://www.protocolinfo.org/wiki/Jabber
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# This pattern has been tested with Gaim and Gabber. It is only tested
-# with non-SSL mode Jabber with no proxies.
-
-# Thanks to Jan Hudec for some improvements.
-
-# Jabber seems to take a long time to set up a connection. I'm
-# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
-# is this:
-# <stream:stream to='12jabber.com' xmlns='jabber:client'
-# xmlns:stream='http://etherx.jabber.org/streams'><?xml
-# version='1.0'?><stream:stream
-# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
-# xmlns='jabber:client' from='12jabber.com'>
-#
-# No mention of my username or password yet, you'll note.
-
-jabber
-<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/package/iptables/files/l7/msnmessenger.pat b/package/iptables/files/l7/msnmessenger.pat
deleted file mode 100644
index 11dfc10be2..0000000000
--- a/package/iptables/files/l7/msnmessenger.pat
+++ /dev/null
@@ -1,28 +0,0 @@
-# MSN Messenger - Microsoft Network chat client
-# Pattern attributes: good slow notsofast
-# Protocol groups: chat proprietary
-# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually uses TCP port 1863
-# http://www.hypothetic.org/docs/msn/index.php
-# http://msnpiki.msnfanatic.com/
-#
-# This pattern has been tested and is believed to work well.
-
-msnmessenger
-
-# First branch: login
-# ver: allow versions up to 99.
-# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
-# Can't anchor at the beginning because sometimes this is encapsulated in
-# HTTP. But either way, the first packet ends like this.
-# Second/Third branches: accepting/sending a message
-# I will assume that these can also be encapsulated in HTTP, although I have
-# not checked. Example of each direction:
-# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
-# USR 1 quadong@hotmail.com 530423708.968145.366138
-
-# Branches are written entirely separately for better performance.
-ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
-
diff --git a/package/iptables/files/l7/ntp.pat b/package/iptables/files/l7/ntp.pat
deleted file mode 100644
index 760cfdbe59..0000000000
--- a/package/iptables/files/l7/ntp.pat
+++ /dev/null
@@ -1,17 +0,0 @@
-# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
-# Pattern attributes: good fast fast overmatch
-# Protocol groups: time_synchronization ietf_draft_standard
-# Wiki: http://www.protocolinfo.org/wiki/NTP
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# This pattern is tested and is believed to work.
-
-# client|server
-# Requires the server's timestamp to be in the present or future (of 2005).
-# Tested with ntpdate on Linux.
-# Assumes version 2, 3 or 4.
-
-# Note that ntp packets are always 48 bytes, so you should match on that too.
-
-ntp
-^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/package/iptables/files/l7/pop3.pat b/package/iptables/files/l7/pop3.pat
deleted file mode 100644
index 3ae4c147bb..0000000000
--- a/package/iptables/files/l7/pop3.pat
+++ /dev/null
@@ -1,50 +0,0 @@
-# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
-# Pattern attributes: great veryfast fast
-# Protocol groups: mail ietf_internet_standard
-# Wiki: http://www.protocolinfo.org/wiki/POP
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# This pattern has been tested somewhat.
-
-# this is a difficult protocol to match because of the relative lack of
-# distinguishing information. Read on.
-pop3
-
-# this the most conservative pattern. It should definitely work.
-#^(\+ok|-err)
-
-# this pattern assumes that the server says _something_ after +ok or -err
-# I think this is probably the way to go.
-^(\+ok |-err )
-
-# more that 90% of servers seem to say "pop" after "+ok", but not all.
-#^(\+ok .*pop)
-
-# Here's another tack. I think this is my second favorite.
-#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
-
-# this matches the server saying "you have N messages that are M bytes",
-# which the client probably asks for early in the session (not tested)
-#\+ok [0-9]+ [0-9]+
-
-# some sample servers:
-# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
-# mail.dreamhost.com: +OK Hello there.
-# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
-# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
-# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
-# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
-# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
-# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
-# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
-# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
-# mail.mac.com: +OK Netscape Messaging Multiplexor ready
-
-# various error strings:
-#-ERR Invalid command.
-#-ERR invalid command
-#-ERR unimplemented
-#-ERR Invalid command, try one of: USER name, PASS string, QUIT
-#-ERR Unknown AUTHORIZATION state command
-#-ERR Unrecognized command
-#-ERR Unknown command: "sadf'".
diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat
deleted file mode 100644
index 2f5d1957f9..0000000000
--- a/package/iptables/files/l7/smtp.pat
+++ /dev/null
@@ -1,40 +0,0 @@
-# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
-# Pattern attributes: great notsofast fast
-# Protocol groups: mail ietf_internet_standard
-# Wiki: http://www.protocolinfo.org/wiki/SMTP
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# usually runs on port 25
-#
-# This pattern has been tested and is believed to work well.
-
-# As usual, no text is required after "220", but all known servers have some
-# there. It (almost?) always has string "smtp" in it. The RFC examples
-# does not, so we match those too, just in case anyone has copied them
-# literally.
-#
-# Some examples:
-# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
-# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
-# 220 mail.ut.caldera.com ESMTP
-# 220 persephone.pmail.gen.nz ESMTP server ready.
-# 220 smtp1.superb.net ESMTP
-# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
-# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
-# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
-# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
-# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
-# 220-mail.email-scan.com ESMTP
-# 220 smaug.dreamhost.com ESMTP
-# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
-# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
-# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
-#
-# RFC examples:
-# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
-# 220 dbc.mtview.ca.us SMTP service ready
-
-smtp
-^220[\x09-\x0d -~]* (e?smtp|simple mail)
-userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
-userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat
deleted file mode 100644
index ae30ee4400..0000000000
--- a/package/iptables/files/l7/ssl.pat
+++ /dev/null
@@ -1,16 +0,0 @@
-# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
-# Pattern attributes: good notsofast fast superset
-# Protocol groups: secure ietf_proposed_standard
-# Wiki: http://www.protocolinfo.org/wiki/SSL
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# Usually runs on port 443
-#
-# This is a superset of validcertssl. For it to match, it must be first.
-#
-# This pattern has been tested and is believed to work well.
-
-ssl
-# Server Hello with certificate | Client Hello
-# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
-^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat
deleted file mode 100644
index 79d0ae8a28..0000000000
--- a/package/iptables/files/l7/vnc.pat
+++ /dev/null
@@ -1,23 +0,0 @@
-# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
-# Pattern attributes: great veryfast fast
-# Protocol groups: remote_access
-# Wiki: http://www.protocolinfo.org/wiki/VNC
-# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
-#
-# http://www.realvnc.com/documentation.html
-#
-# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
-#
-# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
-
-vnc
-# Assumes single digit major and minor version numbers
-# This message should be all alone in the first packet, so ^$ is appropriate
-^rfb 00[1-9]\.00[0-9]\x0a$
-
-# This is a more restrictive version which assumes the version numbers
-# are ones actually in existance at the time of this writing, i.e. 3.3,
-# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
-# slightly faster, but probably not worth the extra maintenance.
-# ^rfb 003\.00[3578]\x0a$
-
diff --git a/package/iptables/patches/002-layer7_2.22.patch b/package/iptables/patches/002-layer7_2.22.patch
deleted file mode 100644
index ba4531e3f3..0000000000
--- a/package/iptables/patches/002-layer7_2.22.patch
+++ /dev/null
@@ -1,371 +0,0 @@
---- /dev/null
-+++ b/extensions/libxt_layer7.c
-@@ -0,0 +1,368 @@
-+/*
-+ Shared library add-on to iptables for layer 7 matching support.
-+
-+ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
-+
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#define _GNU_SOURCE
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+#include <ctype.h>
-+#include <dirent.h>
-+
-+#include <xtables.h>
-+#include <linux/netfilter/xt_layer7.h>
-+
-+#define MAX_FN_LEN 256
-+
-+static char l7dir[MAX_FN_LEN] = "\0";
-+
-+/* Function which prints out usage message. */
-+static void help(void)
-+{
-+ printf(
-+ "layer7 match options:\n"
-+ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
-+ " (--l7dir must be specified before --l7proto if used)\n"
-+ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
-+}
-+
-+static const struct option opts[] = {
-+ { .name = "l7proto", .has_arg = 1, .val = 'p' },
-+ { .name = "l7dir", .has_arg = 1, .val = 'd' },
-+ { .name = NULL }
-+};
-+
-+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
-+static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
-+{
-+ FILE * f;
-+ char * line = NULL;
-+ size_t len = 0;
-+
-+ enum { protocol, pattern, done } datatype = protocol;
-+
-+ f = fopen(filename, "r");
-+
-+ if(!f)
-+ return 0;
-+
-+ while(getline(&line, &len, f) != -1)
-+ {
-+ if(strlen(line) < 2 || line[0] == '#')
-+ continue;
-+
-+ /* strip the pesky newline... */
-+ if(line[strlen(line) - 1] == '\n')
-+ line[strlen(line) - 1] = '\0';
-+
-+ if(datatype == protocol)
-+ {
-+ /* Ignore everything on the line beginning with the
-+ first space or tab . For instance, this allows the
-+ protocol line in http.pat to be "http " (or
-+ "http I am so cool") instead of just "http". */
-+ if(strchr(line, ' ')){
-+ char * space = strchr(line, ' ');
-+ space[0] = '\0';
-+ }
-+ if(strchr(line, '\t')){
-+ char * space = strchr(line, '\t');
-+ space[0] = '\0';
-+ }
-+
-+ /* sanity check. First non-comment non-blank
-+ line must be the same as the file name. */
-+ if(strcmp(line, protoname))
-+ xtables_error(OTHER_PROBLEM,
-+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
-+ line, filename);
-+
-+ if(strlen(line) >= MAX_PROTOCOL_LEN)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Protocol name in %s too long!", filename);
-+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
-+
-+ datatype = pattern;
-+ }
-+ else if(datatype == pattern)
-+ {
-+ if(strlen(line) >= MAX_PATTERN_LEN)
-+ xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
-+ strncpy(info->pattern, line, MAX_PATTERN_LEN);
-+
-+ datatype = done;
-+ break;
-+ }
-+ else
-+ xtables_error(OTHER_PROBLEM, "Internal error");
-+ }
-+
-+ if(datatype != done)
-+ xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
-+
-+ if(line) free(line);
-+ fclose(f);
-+
-+ return 1;
-+}
-+
-+static int hex2dec(char c)
-+{
-+ switch (c)
-+ {
-+ case '0' ... '9':
-+ return c - '0';
-+ case 'a' ... 'f':
-+ return c - 'a' + 10;
-+ case 'A' ... 'F':
-+ return c - 'A' + 10;
-+ default:
-+ xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
-+ return 0;
-+ }
-+}
-+
-+/* takes a string with \xHH escapes and returns one with the characters
-+they stand for */
-+static char * pre_process(char * s)
-+{
-+ char * result = malloc(strlen(s) + 1);
-+ int sindex = 0, rrindex = 0;
-+ while( sindex < strlen(s) )
-+ {
-+ if( sindex + 3 < strlen(s) &&
-+ s[sindex] == '\\' && s[sindex+1] == 'x' &&
-+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
-+ {
-+ /* carefully remember to call tolower here... */
-+ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
-+ hex2dec(s[sindex + 3] ) );
-+
-+ switch ( result[rrindex] )
-+ {
-+ case 0x24:
-+ case 0x28:
-+ case 0x29:
-+ case 0x2a:
-+ case 0x2b:
-+ case 0x2e:
-+ case 0x3f:
-+ case 0x5b:
-+ case 0x5c:
-+ case 0x5d:
-+ case 0x5e:
-+ case 0x7c:
-+ fprintf(stderr,
-+ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
-+ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
-+ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
-+ break;
-+ case 0x00:
-+ fprintf(stderr,
-+ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
-+ break;
-+ default:
-+ break;
-+ }
-+
-+
-+ sindex += 3; /* 4 total */
-+ }
-+ else
-+ result[rrindex] = tolower(s[sindex]);
-+
-+ sindex++;
-+ rrindex++;
-+ }
-+ result[rrindex] = '\0';
-+
-+ return result;
-+}
-+
-+#define MAX_SUBDIRS 128
-+static char ** readl7dir(char * dirname)
-+{
-+ DIR * scratchdir;
-+ struct dirent ** namelist;
-+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
-+
-+ int n, d = 1;
-+ subdirs[0] = "";
-+
-+ n = scandir(dirname, &namelist, 0, alphasort);
-+
-+ if (n < 0)
-+ {
-+ perror("scandir");
-+ xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
-+ }
-+ else
-+ {
-+ while(n--)
-+ {
-+ char fulldirname[MAX_FN_LEN];
-+
-+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
-+
-+ if((scratchdir = opendir(fulldirname)) != NULL)
-+ {
-+ closedir(scratchdir);
-+
-+ if(!strcmp(namelist[n]->d_name, ".") ||
-+ !strcmp(namelist[n]->d_name, ".."))
-+ /* do nothing */ ;
-+ else
-+ {
-+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
-+ strcpy(subdirs[d], namelist[n]->d_name);
-+ d++;
-+ if(d >= MAX_SUBDIRS - 1)
-+ {
-+ fprintf(stderr,
-+ "Too many subdirectories, skipping the rest!\n");
-+ break;
-+ }
-+ }
-+ }
-+ free(namelist[n]);
-+ }
-+ free(namelist);
-+ }
-+
-+ subdirs[d] = NULL;
-+
-+ return subdirs;
-+}
-+
-+static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
-+{
-+ char filename[MAX_FN_LEN];
-+ char * dir = NULL;
-+ char ** subdirs;
-+ int n = 0, done = 0;
-+
-+ if(strlen(l7dir) > 0) dir = l7dir;
-+ else dir = "/etc/l7-protocols";
-+
-+ subdirs = readl7dir(dir);
-+
-+ while(subdirs[n] != NULL)
-+ {
-+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
-+
-+ if(c > MAX_FN_LEN)
-+ xtables_error(OTHER_PROBLEM,
-+ "Filename beginning with %s is too long!\n", filename);
-+
-+ /* read in the pattern from the file */
-+ if(parse_protocol_file(filename, s, info)){
-+ done = 1;
-+ break;
-+ }
-+
-+ n++;
-+ }
-+
-+ if(!done)
-+ xtables_error(OTHER_PROBLEM,
-+ "Couldn't find a pattern definition file for %s.\n", s);
-+
-+ /* process \xHH escapes and tolower everything. (our regex lib has no
-+ case insensitivity option.) */
-+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
-+}
-+
-+/* Function which parses command options; returns true if it ate an option */
-+static int parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry, struct xt_entry_match **match)
-+{
-+ struct xt_layer7_info *layer7info =
-+ (struct xt_layer7_info *)(*match)->data;
-+
-+ switch (c) {
-+ case 'p':
-+ parse_layer7_protocol(argv[optind-1], layer7info);
-+ if (invert)
-+ layer7info->invert = true;
-+ *flags = 1;
-+ break;
-+
-+ case 'd':
-+ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
-+ xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
-+
-+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
-+
-+ *flags = 1;
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+/* Final check; must have specified --l7proto */
-+static void final_check(unsigned int flags)
-+{
-+ if (!flags)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "LAYER7 match: You must specify `--l7proto'");
-+}
-+
-+static void print_protocol(char s[], int invert, int numeric)
-+{
-+ fputs("l7proto ", stdout);
-+ if (invert) fputc('!', stdout);
-+ printf("%s ", s);
-+}
-+
-+/* Prints out the matchinfo. */
-+static void print(const void *ip,
-+ const struct xt_entry_match *match,
-+ int numeric)
-+{
-+ printf("LAYER7 ");
-+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
-+ ((struct xt_layer7_info *)match->data)->invert, numeric);
-+}
-+/* Saves the union ipt_matchinfo in parsable form to stdout. */
-+static void save(const void *ip, const struct xt_entry_match *match)
-+{
-+ const struct xt_layer7_info *info =
-+ (const struct xt_layer7_info*) match->data;
-+
-+ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
-+}
-+
-+static struct xtables_match layer7 = {
-+ .family = AF_INET,
-+ .name = "layer7",
-+ .version = XTABLES_VERSION,
-+ .size = XT_ALIGN(sizeof(struct xt_layer7_info)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
-+ .help = &help,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ xtables_register_match(&layer7);
-+}
diff --git a/package/iptables/patches/009-table-alignment.patch b/package/iptables/patches/009-table-alignment.patch
deleted file mode 100644
index 53012ab320..0000000000
--- a/package/iptables/patches/009-table-alignment.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/libiptc/libiptc.c
-+++ b/libiptc/libiptc.c
-@@ -69,7 +69,7 @@ static const char *hooknames[] = {
- struct ipt_error_target
- {
- STRUCT_ENTRY_TARGET t;
-- char error[TABLE_MAXNAMELEN];
-+ char error[FUNCTION_MAXNAMELEN];
- };
-
- struct chain_head;
diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch
deleted file mode 100644
index 3b35f7e3c6..0000000000
--- a/package/iptables/patches/010-multiport-linux-2.4-compat.patch
+++ /dev/null
@@ -1,265 +0,0 @@
---- a/extensions/libxt_multiport.c
-+++ b/extensions/libxt_multiport.c
-@@ -15,21 +15,6 @@
- #include <linux/netfilter/xt_multiport.h>
-
- /* Function which prints out usage message. */
--static void multiport_help(void)
--{
-- printf(
--"multiport match options:\n"
--" --source-ports port[,port,port...]\n"
--" --sports ...\n"
--" match source port(s)\n"
--" --destination-ports port[,port,port...]\n"
--" --dports ...\n"
--" match destination port(s)\n"
--" --ports port[,port,port]\n"
--" match both source and destination port(s)\n"
--" NOTE: this kernel does not support port ranges in multiport.\n");
--}
--
- static void multiport_help_v1(void)
- {
- printf(
-@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
- }
- }
-
--static unsigned int
--parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
--{
-- char *buffer, *cp, *next;
-- unsigned int i;
--
-- buffer = strdup(portstring);
-- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
--
-- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
-- {
-- next=strchr(cp, ',');
-- if (next) *next++='\0';
-- ports[i] = xtables_parse_port(cp, proto);
-- }
-- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
-- free(buffer);
-- return i;
--}
--
- static void
- parse_multi_ports_v1(const char *portstring,
- struct xt_multiport_v1 *multiinfo,
-@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
- /* Function which parses command options; returns true if it
- ate an option */
- static int
--__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
-- struct xt_entry_match **match, u_int16_t pnum,
-- u_int8_t invflags)
--{
-- const char *proto;
-- struct xt_multiport *multiinfo
-- = (struct xt_multiport *)(*match)->data;
--
-- switch (c) {
-- case '1':
-- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-- proto = check_proto(pnum, invflags);
-- multiinfo->count = parse_multi_ports(optarg,
-- multiinfo->ports, proto);
-- multiinfo->flags = XT_MULTIPORT_SOURCE;
-- break;
--
-- case '2':
-- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-- proto = check_proto(pnum, invflags);
-- multiinfo->count = parse_multi_ports(optarg,
-- multiinfo->ports, proto);
-- multiinfo->flags = XT_MULTIPORT_DESTINATION;
-- break;
--
-- case '3':
-- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-- proto = check_proto(pnum, invflags);
-- multiinfo->count = parse_multi_ports(optarg,
-- multiinfo->ports, proto);
-- multiinfo->flags = XT_MULTIPORT_EITHER;
-- break;
--
-- default:
-- return 0;
-- }
--
-- if (invert)
-- xtables_error(PARAMETER_PROBLEM,
-- "multiport does not support invert");
--
-- if (*flags)
-- xtables_error(PARAMETER_PROBLEM,
-- "multiport can only have one option");
-- *flags = 1;
-- return 1;
--}
--
--static int
--multiport_parse(int c, char **argv, int invert, unsigned int *flags,
-- const void *e, struct xt_entry_match **match)
--{
-- const struct ipt_entry *entry = e;
-- return __multiport_parse(c, argv, invert, flags, match,
-- entry->ip.proto, entry->ip.invflags);
--}
--
--static int
--multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
-- const void *e, struct xt_entry_match **match)
--{
-- const struct ip6t_entry *entry = e;
-- return __multiport_parse(c, argv, invert, flags, match,
-- entry->ipv6.proto, entry->ipv6.invflags);
--}
--
--static int
- __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
- struct xt_entry_match **match, u_int16_t pnum,
- u_int8_t invflags)
-@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
- }
-
- /* Prints out the matchinfo. */
--static void
--__multiport_print(const struct xt_entry_match *match, int numeric,
-- u_int16_t proto)
--{
-- const struct xt_multiport *multiinfo
-- = (const struct xt_multiport *)match->data;
-- unsigned int i;
--
-- printf("multiport ");
--
-- switch (multiinfo->flags) {
-- case XT_MULTIPORT_SOURCE:
-- printf("sports ");
-- break;
--
-- case XT_MULTIPORT_DESTINATION:
-- printf("dports ");
-- break;
--
-- case XT_MULTIPORT_EITHER:
-- printf("ports ");
-- break;
--
-- default:
-- printf("ERROR ");
-- break;
-- }
--
-- for (i=0; i < multiinfo->count; i++) {
-- printf("%s", i ? "," : "");
-- print_port(multiinfo->ports[i], proto, numeric);
-- }
-- printf(" ");
--}
--
--static void multiport_print(const void *ip_void,
-- const struct xt_entry_match *match, int numeric)
--{
-- const struct ipt_ip *ip = ip_void;
-- __multiport_print(match, numeric, ip->proto);
--}
--
--static void multiport_print6(const void *ip_void,
-- const struct xt_entry_match *match, int numeric)
--{
-- const struct ip6t_ip6 *ip = ip_void;
-- __multiport_print(match, numeric, ip->proto);
--}
--
- static void __multiport_print_v1(const struct xt_entry_match *match,
- int numeric, u_int16_t proto)
- {
-@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
- }
-
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
--static void __multiport_save(const struct xt_entry_match *match,
-- u_int16_t proto)
--{
-- const struct xt_multiport *multiinfo
-- = (const struct xt_multiport *)match->data;
-- unsigned int i;
--
-- switch (multiinfo->flags) {
-- case XT_MULTIPORT_SOURCE:
-- printf("--sports ");
-- break;
--
-- case XT_MULTIPORT_DESTINATION:
-- printf("--dports ");
-- break;
--
-- case XT_MULTIPORT_EITHER:
-- printf("--ports ");
-- break;
-- }
--
-- for (i=0; i < multiinfo->count; i++) {
-- printf("%s", i ? "," : "");
-- print_port(multiinfo->ports[i], proto, 1);
-- }
-- printf(" ");
--}
--
--static void multiport_save(const void *ip_void,
-- const struct xt_entry_match *match)
--{
-- const struct ipt_ip *ip = ip_void;
-- __multiport_save(match, ip->proto);
--}
--
--static void multiport_save6(const void *ip_void,
-- const struct xt_entry_match *match)
--{
-- const struct ip6t_ip6 *ip = ip_void;
-- __multiport_save(match, ip->proto);
--}
--
- static void __multiport_save_v1(const struct xt_entry_match *match,
- u_int16_t proto)
- {
-@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
- {
- .family = NFPROTO_IPV4,
- .name = "multiport",
-- .revision = 0,
-- .version = XTABLES_VERSION,
-- .size = XT_ALIGN(sizeof(struct xt_multiport)),
-- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
-- .help = multiport_help,
-- .parse = multiport_parse,
-- .final_check = multiport_check,
-- .print = multiport_print,
-- .save = multiport_save,
-- .extra_opts = multiport_opts,
-- },
-- {
-- .family = NFPROTO_IPV6,
-- .name = "multiport",
-- .revision = 0,
-- .version = XTABLES_VERSION,
-- .size = XT_ALIGN(sizeof(struct xt_multiport)),
-- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
-- .help = multiport_help,
-- .parse = multiport_parse6,
-- .final_check = multiport_check,
-- .print = multiport_print6,
-- .save = multiport_save6,
-- .extra_opts = multiport_opts,
-- },
-- {
-- .family = NFPROTO_IPV4,
-- .name = "multiport",
- .version = XTABLES_VERSION,
- .revision = 1,
- .size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch
deleted file mode 100644
index 275265b99d..0000000000
--- a/package/iptables/patches/011-recent-add-reap.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
-From: Tim Gardner <tim.gardner@canonical.com>
-Date: Mon, 1 Mar 2010 19:00:29 -0700
-Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
-
-Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
----
- extensions/libxt_recent.c | 20 ++++++++++++++++++++
- extensions/libxt_recent.man | 5 +++++
- include/linux/netfilter/xt_recent.h | 7 +++++++
- 3 files changed, 32 insertions(+), 0 deletions(-)
-
---- a/extensions/libxt_recent.c
-+++ b/extensions/libxt_recent.c
-@@ -20,6 +20,7 @@ static const struct option recent_opts[]
- {.name = "name", .has_arg = true, .val = 208},
- {.name = "rsource", .has_arg = false, .val = 209},
- {.name = "rdest", .has_arg = false, .val = 210},
-+ {.name = "reap", .has_arg = false, .val = 211},
- XT_GETOPT_TABLEEND,
- };
-
-@@ -37,6 +38,7 @@ static void recent_help(void)
- " --hitcount hits For check and update commands above.\n"
- " Specifies that the match will only occur if source address seen hits times.\n"
- " May be used in conjunction with the seconds option.\n"
-+" --reap Remove entries that have expired. Can only be used with --seconds\n"
- " --rttl For check and update commands above.\n"
- " Specifies that the match will only occur if the source address and the TTL\n"
- " match between this packet and the one which was set.\n"
-@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
- (XT_RECENT_SET | XT_RECENT_CHECK | \
- XT_RECENT_UPDATE | XT_RECENT_REMOVE)
-
-+#define XT_RECENT_SECONDS 1 << 31
-+
- static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
- {
-@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
-
- case 204:
- info->seconds = atoi(optarg);
-+ *flags |= XT_RECENT_SECONDS;
- break;
-
- case 205:
-@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
- info->side = XT_RECENT_DEST;
- break;
-
-+ case 211:
-+ info->check_set |= XT_RECENT_REAP;
-+ *flags |= XT_RECENT_REAP;
-+ break;
-+
- default:
- return 0;
- }
-@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
- xtables_error(PARAMETER_PROBLEM,
- "recent: --rttl may only be used with --rcheck or "
- "--update");
-+ if ((flags & XT_RECENT_REAP) &&
-+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
-+ (!(flags & XT_RECENT_SECONDS))))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "recent: --reap may only be used with --rcheck or "
-+ "--update and --seconds");
- }
-
- static void recent_print(const void *ip, const struct xt_entry_match *match,
-@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
- printf("side: source ");
- if (info->side == XT_RECENT_DEST)
- printf("side: dest ");
-+ if (info->check_set & XT_RECENT_REAP)
-+ printf("reap ");
- }
-
- static void recent_save(const void *ip, const struct xt_entry_match *match)
-@@ -211,6 +229,8 @@ static void recent_save(const void *ip,
- printf("--rsource ");
- if (info->side == XT_RECENT_DEST)
- printf("--rdest ");
-+ if (info->check_set & XT_RECENT_REAP)
-+ printf("--reap ");
- }
-
- static struct xtables_match recent_mt_reg = {
---- a/extensions/libxt_recent.man
-+++ b/extensions/libxt_recent.man
-@@ -41,6 +41,11 @@ This option must be used in conjunction
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and was seen within the last given number of seconds.
- .TP
-+\fB\-\-reap\fP \fIreap\fP
-+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
-+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
-+since the last packet was received.
-+.TP
- \fB\-\-hitcount\fP \fIhits\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
---- a/include/linux/netfilter/xt_recent.h
-+++ b/include/linux/netfilter/xt_recent.h
-@@ -23,6 +23,9 @@ enum {
- #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
- XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
-
-+/* Only allowed with --rcheck and --update */
-+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
-+
- struct xt_recent_mtinfo {
- __u32 seconds;
- __u32 hit_count;
diff --git a/package/iptables/patches/020-iptables-disable-modprobe.patch b/package/iptables/patches/020-iptables-disable-modprobe.patch
deleted file mode 100644
index 338962ffbe..0000000000
--- a/package/iptables/patches/020-iptables-disable-modprobe.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/xtables.c
-+++ b/xtables.c
-@@ -305,6 +305,7 @@ static char *get_modprobe(void)
-
- int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
- {
-+#if 0
- char *buf = NULL;
- char *argv[4];
- int status;
-@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname,
- free(buf);
- if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
- return 0;
-+#endif
- return -1;
- }
-
diff --git a/package/iptables/patches/030-no-libnfnetlink.patch b/package/iptables/patches/030-no-libnfnetlink.patch
deleted file mode 100644
index cda9a7205b..0000000000
--- a/package/iptables/patches/030-no-libnfnetlink.patch
+++ /dev/null
@@ -1,92 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
- fi
- fi
-
--pkg_failed=no
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
--$as_echo_n "checking for libnfnetlink... " >&6; }
--
--if test -n "$libnfnetlink_CFLAGS"; then
-- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
-- elif test -n "$PKG_CONFIG"; then
-- if test -n "$PKG_CONFIG" && \
-- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
-- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
-- ac_status=$?
-- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-- test $ac_status = 0; }; then
-- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
--else
-- pkg_failed=yes
--fi
-- else
-- pkg_failed=untried
--fi
--if test -n "$libnfnetlink_LIBS"; then
-- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
-- elif test -n "$PKG_CONFIG"; then
-- if test -n "$PKG_CONFIG" && \
-- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
-- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
-- ac_status=$?
-- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-- test $ac_status = 0; }; then
-- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
--else
-- pkg_failed=yes
--fi
-- else
-- pkg_failed=untried
--fi
--
--
--
--if test $pkg_failed = yes; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--
--if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-- _pkg_short_errors_supported=yes
--else
-- _pkg_short_errors_supported=no
--fi
-- if test $_pkg_short_errors_supported = yes; then
-- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
-- else
-- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
-- fi
-- # Put the nasty error message in config.log where it belongs
-- echo "$libnfnetlink_PKG_ERRORS" >&5
--
-- nfnetlink=0
--elif test $pkg_failed = untried; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
-- nfnetlink=0
--else
-- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
-- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
-- nfnetlink=1
--fi
-- if test "$nfnetlink" = 1; then
-+if false; then
- HAVE_LIBNFNETLINK_TRUE=
- HAVE_LIBNFNETLINK_FALSE='#'
- else
---- a/configure.ac
-+++ b/configure.ac
-@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
- AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
- AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
-
--PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
-- [nfnetlink=1], [nfnetlink=0])
--AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
-+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
-
- regular_CFLAGS="${largefile_cflags} \
- -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch
deleted file mode 100644
index 818246e76b..0000000000
--- a/package/iptables/patches/100-bash-location.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/autogen.sh
-+++ b/autogen.sh
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
-
- autoreconf -fi;
- rm -Rf autom4te*.cache;
---- a/iptables-apply
-+++ b/iptables-apply
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- #
- # iptables-apply -- a safer way to update iptables remotely
- #
diff --git a/package/iptables/patches/110-linux_3.2_compat.patch b/package/iptables/patches/110-linux_3.2_compat.patch
deleted file mode 100644
index 2cdd673d25..0000000000
--- a/package/iptables/patches/110-linux_3.2_compat.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- iptables-1.4.10/include/linux/types.h.orig 2011-11-07 00:08:33.000000000 +0100
-+++ iptables-1.4.10/include/linux/types.h 2011-11-07 00:09:25.000000000 +0100
-@@ -34,5 +34,9 @@
- typedef __u16 __bitwise __sum16;
- typedef __u32 __bitwise __wsum;
-
-+#define __aligned_u64 __u64 __attribute__((aligned(8)))
-+#define __aligned_be64 __be64 __attribute__((aligned(8)))
-+#define __aligned_le64 __le64 __attribute__((aligned(8)))
-+
- #endif /* __ASSEMBLY__ */
- #endif /* _LINUX_TYPES_H */
diff --git a/package/iptables/patches/200-configurable_builtin.patch b/package/iptables/patches/200-configurable_builtin.patch
deleted file mode 100644
index 9f9cc387c3..0000000000
--- a/package/iptables/patches/200-configurable_builtin.patch
+++ /dev/null
@@ -1,56 +0,0 @@
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -40,9 +40,24 @@
- pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
- pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
- pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
--pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
--pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
--pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
-+
-+ifdef BUILTIN_MODULES
-+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
-+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
-+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
-+else
-+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
-+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
-+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
-+endif
-+
-+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
-+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
-+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
-+
-+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
-+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
-+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
- pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
- pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
- pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -54,10 +69,10 @@
- targets := libext4.a libext6.a matches4.man matches6.man \
- targets4.man targets6.man
- targets_install :=
--@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
--@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
--@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+libext4_objs := ${pfx_objs} ${pf4_objs}
-+libext6_objs := ${pfx_objs} ${pf6_objs}
-+targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
-
- .SECONDARY:
-
-@@ -107,8 +122,8 @@
- libext6.a: initext6.o ${libext6_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
-
--initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
--initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
-+initext_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
-+initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
-
- .initext4.dd: FORCE
- @echo "${initext_func}" >$@.tmp; \