Diffstat (limited to 'package/network/utils/iptables/patches')
9 files changed, 565 insertions, 0 deletions
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000..2b6c57e
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ char *buf = NULL;
+ char *argv[4];
+ int status;
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+ free(buf);
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ return 0;
++#endif
+ return -1;
+ }
+
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000..50542ac
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
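Review bot: The `#if 0` / `#endif` pair in `xtables_insmod` has no comment, so the function now returns -1 for every caller without saying that module autoloading was switched off on purpose. I would add a line above the `#if 0` such as `/* module autoloading via modprobe is deliberately disabled in this build */`, so that a later refresh of the patch does not bring the fork/exec path back by accident. With the body compiled out, the `modname`, `modprobe` and `quiet` parameters are unused, and `get_modprobe()` (named in the first inner hunk header) may become an unused static function if this was its only caller; check the build warnings. Both inner hunks show only part of the function body.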
@@ -0,0 +1,94 @@ +--- a/configure ++++ b/configure +@@ -12367,77 +12367,7 @@ fi + fi + + +-pkg_failed=no +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5 +-$as_echo_n "checking for libnfnetlink... " >&6; } +- +-if test -n "$libnfnetlink_CFLAGS"; then +- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS" +- elif test -n "$PKG_CONFIG"; then +- if test -n "$PKG_CONFIG" && \ +- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 +- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then +- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null` +- test "x$?" != "x0" && pkg_failed=yes +-else +- pkg_failed=yes +-fi +- else +- pkg_failed=untried +-fi +-if test -n "$libnfnetlink_LIBS"; then +- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS" +- elif test -n "$PKG_CONFIG"; then +- if test -n "$PKG_CONFIG" && \ +- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 +- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then +- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null` +- test "x$?" 
!= "x0" && pkg_failed=yes +-else +- pkg_failed=yes +-fi +- else +- pkg_failed=untried +-fi +- +- +- +-if test $pkg_failed = yes; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then +- _pkg_short_errors_supported=yes +-else +- _pkg_short_errors_supported=no +-fi +- if test $_pkg_short_errors_supported = yes; then +- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1` +- else +- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1` +- fi +- # Put the nasty error message in config.log where it belongs +- echo "$libnfnetlink_PKG_ERRORS" >&5 +- +- nfnetlink=0 +-elif test $pkg_failed = untried; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- nfnetlink=0 +-else +- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS +- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- nfnetlink=1 +-fi +- if test "$nfnetlink" = 1; then ++if false; then + HAVE_LIBNFNETLINK_TRUE= + HAVE_LIBNFNETLINK_FALSE='#' + else +--- a/configure.ac ++++ b/configure.ac +@@ -111,9 +111,7 @@ if test "x$enable_bpfc" = "xyes" || test + AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool)) + fi + +-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], +- [nfnetlink=1], [nfnetlink=0]) +-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) ++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false]) + + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ diff --git a/package/network/utils/iptables/patches/050-optional-xml.patch b/package/network/utils/iptables/patches/050-optional-xml.patch new file mode 100644 index 0000000..11311dd --- /dev/null 
+++ b/package/network/utils/iptables/patches/050-optional-xml.patch
@@ -0,0 +1,13 @@
+--- a/iptables/xtables-multi.c
++++ b/iptables/xtables-multi.c
+@@ -22,8 +22,10 @@ static const struct subcommand multi_sub
+ {"iptables-restore", iptables_restore_main},
+ {"restore4", iptables_restore_main},
+ #endif
++#ifdef ENABLE_XML
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
++#endif
+ #ifdef ENABLE_IPV6
+ {"ip6tables", ip6tables_main},
+ {"main6", ip6tables_main},
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000..02ee45b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,8 @@
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000..d35bc5a
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
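Review bot: Guarding the two `iptables-xml` table entries with `ENABLE_XML` only removes the subcommand from dispatch; nothing in this patch defines `ENABLE_XML` or takes `iptables-xml.c` out of the build. The `Makefile.am` context shown in 600-shared-libext.patch still reads `xtables_multi_SOURCES = xtables-multi.c iptables-xml.c`, so unless the package Makefile handles it elsewhere the XML converter is still compiled into the multi-call binary, keeping unused parsing code in a privileged tool. Consider making the source list conditional as well, and add a comment above the `#ifdef` such as `/* iptables-xml is optional; dispatched only when ENABLE_XML is defined */`. The `multi_subcommands` array starts and ends outside the hunk.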
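Review bot: `#!/usr/bin/env bash` makes the interpreter depend on the caller's `PATH`, and `iptables-apply` changes firewall rules, so it is presumably run with root privileges. If bash has a fixed location on the target, an absolute path in the shebang is the safer choice. If `env` is kept for portability, the patch should say so in a header line, and the script should be invoked with a sanitised `PATH`. Only the first four lines of the script are in the hunk.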
@@ -0,0 +1,60 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -45,9 +45,24 @@ pfx_symlinks := NOTRACK state
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -58,11 +73,11 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+
+ .SECONDARY:
+
+@@ -126,9 +141,9 @@ libext4.a: initext4.o ${libext4_objs}
+ libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+-initext_func := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+
+ .initext.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch b/package/network/utils/iptables/patches/300-musl_fixes.patch
new file mode 100644
index 0000000..a78eda7
--- /dev/null
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
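Review bot: In the second inner hunk, `targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}` and `targets_install` become unconditional, but `pfx_solibs` is still built from `${pfx_build_mod} ${pfx_symlinks}`. When every module lands in `pfx_build_static` (the `@ENABLE_STATIC_TRUE@` branch, or a `BUILTIN_MODULES` list that covers them all), `pfx_build_mod` is empty yet `libxt_NOTRACK.so` and `libxt_state.so` from `pfx_symlinks := NOTRACK state` stay in the targets, presumably as links to shared objects that are no longer built. Consider filtering the symlink names by what is left in `pfx_build_mod`, or keeping a guard for the fully static case. A comment above `ifdef BUILTIN_MODULES` would help, for example `# modules named in BUILTIN_MODULES are linked into libext*, all others stay loadable .so files`.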
@@ -0,0 +1,127 @@
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++# define IPPROTO_HOPOPTS 0
++#endif
+
+ enum {
+ O_HEADER = 0,
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+
+ enum {
+ O_STRIP_OPTION = 0,
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+
+ #include <limits.h>
+
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+
+ #include <linux/types.h>
++#include <sys/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+ * This code is distributed under the terms of GNU GPL v2
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+ *
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/500-add-xt_id-match.patch b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
new file mode 100644
index 0000000..94762f0
--- /dev/null
+++ b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
@@ -0,0 +1,59 @@
+--- /dev/null
++++ b/extensions/libxt_id.c
+@@ -0,0 +1,45 @@
++/* Shared library add-on to iptables to add id match support. */
++
++#include <stdio.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_id.h>
++
++enum {
++ O_ID = 0,
++};
++
++static const struct xt_option_entry id_opts[] = {
++ {
++ .name = "id",
++ .id = O_ID,
++ .type = XTTYPE_UINT32,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_id_info, id)
++ },
++ XTOPT_TABLEEND,
++};
++
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void
++id_save(const void *ip, const struct xt_entry_match *match)
++{
++ struct xt_id_info *idinfo = (void *)match->data;
++
++ printf(" --id %lu", idinfo->id);
++}
++
++static struct xtables_match id_match = {
++ .family = NFPROTO_UNSPEC,
++ .name = "id",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_id_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_id_info)),
++ .save = id_save,
++ .x6_parse = xtables_option_parse,
++ .x6_options = id_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&id_match);
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ __u32 id;
++};
++
++#endif /* XT_ID_H */
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
new file mode 100644
index 0000000..92f5485
--- /dev/null
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
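Review bot: In `id_save`, `printf(" --id %lu", idinfo->id);` passes a `__u32` (as declared in the new `xt_id.h`) to a `%lu` conversion, which is a format/argument mismatch and undefined behaviour wherever `unsigned long` is wider than 32 bits; it should be `printf(" --id %u", idinfo->id);`. The cast `(void *)match->data` also drops the `const` of `match`, which `const struct xt_id_info *idinfo = (const void *)match->data;` would keep. `id_match` registers `.save` but no `.print` callback, which looks like an omission for rule listing. The comment above `id_save` still refers to `union ipt_matchinfo`, and the header guard's closing comment says `XT_ID_H` while the macro is `_XT_ID_H`.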
@@ -0,0 +1,78 @@
+Index: iptables-1.4.21/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.21.orig/extensions/GNUmakefile.in
++++ iptables-1.4.21/extensions/GNUmakefile.in
+@@ -71,7 +71,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext4_objs := ${pf4_objs}
+@@ -96,7 +96,7 @@ clean:
+ distclean: clean
+
+ init%.o: init%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+ -include .*.d
+
+@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+ # handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+-libext.a: initext.o ${libext_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext4.a: initext4.o ${libext4_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext6.a: initext6.o ${libext6_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+ initext_func := $(addprefix xt_,${pfx_build_static})
+ initext4_func := $(addprefix ipt_,${pf4_build_static})
+Index: iptables-1.4.21/iptables/Makefile.am
+===================================================================
+--- iptables-1.4.21.orig/iptables/Makefile.am
++++ iptables-1.4.21/iptables/Makefile.am
+@@ -5,7 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -
+
+ xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
+ xtables_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_multi_LDADD = ../extensions/libext.a
++xtables_multi_LDADD =
++xtables_multi_LDFLAGS = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_multi_CFLAGS += -DALL_INCLUSIVE
+ endif
+@@ -13,13 +14,15 @@ if ENABLE_IPV4
+ xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+ iptables-standalone.c iptables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV4
+-xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_multi_LDADD += ../libiptc/libip4tc.la
++xtables_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+ ip6tables-standalone.c ip6tables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV6
+-xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_multi_LDADD += ../libiptc/libip6tc.la
++xtables_multi_LDFLAGS += -liptext6
+ endif
+ xtables_multi_SOURCES += xshared.c
+ xtables_multi_LDADD += ../libxtables/libxtables.la -lm
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
new file mode 100644
index 0000000..342c3b0
--- /dev/null
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
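Review bot: The three new link rules end in `${$*_LIBADD}`, but `libiptext.so`, `libiptext4.so` and `libiptext6.so` are explicit rules rather than pattern rules, so `$*` has no stem there and the reference most likely expands to nothing. Per-extension link flags such as `xt_statistic_LIBADD = -lm` (visible in the third inner hunk header) are then not passed when those extensions are folded into the shared library, which can leave symbols unresolved until load time. Consider collecting the `*_LIBADD` values of the built-in modules into one variable and using that on the three link lines. The rules also hard-code `-L../libxtables/.libs`, which ties the build to libtool's output directory; a comment saying so would help whoever refreshes this patch.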
@@ -0,0 +1,108 @@
+Index: iptables-1.4.21/extensions/libxt_conntrack.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_conntrack.c
++++ iptables-1.4.21/extensions/libxt_conntrack.c
+@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+ }
+
+ static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+ .alias = conntrack_print_name_alias,
+ .x6_options = conntrack2_mt_opts,
+ },
++#endif
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
+ .alias = conntrack_print_name_alias,
+ .x6_options = conntrack3_mt_opts,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_ct23_parse,
+ .x6_options = state_opts,
+ },
++#endif
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_ct23_parse,
+ .x6_options = state_opts,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_parse,
+ .x6_options = state_opts,
+ },
++#endif
+ };
+
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_CT.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_CT.c
++++ iptables-1.4.21/extensions/libxt_CT.c
+@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+ }
+
+ static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
++#endif
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ },
++#endif
+ };
+
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_multiport.c
++++ iptables-1.4.21/extensions/libxt_multiport.c
+@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+ }
+
+ static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
+ .save = multiport_save6,
+ .x6_options = multiport_opts,
+ },
++#endif
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport", |