Diffstat (limited to 'package/network/utils/iptables')
10 files changed, 1113 insertions, 0 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
new file mode 100644
index 0000000..626b252
--- /dev/null
+++ b/package/network/utils/iptables/Makefile
@@ -0,0 +1,548 @@ +# +# Copyright (C) 2006-2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=iptables +PKG_VERSION:=1.4.21 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ + ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ + ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \ + ftp://ftp.no.netfilter.org/pub/netfilter/iptables/ +PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0 + +PKG_FIXUP:=autoreconf +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 +PKG_LICENSE:=GPL-2.0 + +ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"") +PATCH_DIR:= +endif + +include $(INCLUDE_DIR)/package.mk +ifeq ($(DUMP),) + -include $(LINUX_DIR)/.config + include $(INCLUDE_DIR)/netfilter.mk + STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s) +endif + + +define Package/iptables/Default + SECTION:=net + CATEGORY:=Network + SUBMENU:=Firewall + URL:=http://netfilter.org/ +endef + +define Package/iptables/Module +$(call Package/iptables/Default) + DEPENDS:=iptables $(1) +endef + +define Package/iptables +$(call Package/iptables/Default) + TITLE:=IP firewall administration tool + MENU:=1 + DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables +endef + +define Package/iptables/description +IP firewall administration tool. 
+ + Matches: + - icmp + - tcp + - udp + - comment + - conntrack + - limit + - mac + - mark + - multiport + - set + - state + - time + + Targets: + - ACCEPT + - CT + - DNAT + - DROP + - REJECT + - LOG + - MARK + - MASQUERADE + - REDIRECT + - SET + - SNAT + - TCPMSS + + Tables: + - filter + - mangle + - nat + - raw + +endef + +define Package/iptables-mod-conntrack-extra +$(call Package/iptables/Module, +kmod-ipt-conntrack-extra) + TITLE:=Extra connection tracking extensions +endef + +define Package/iptables-mod-conntrack-extra/description +Extra iptables extensions for connection tracking. + + Matches: + - connbytes + - connlimit + - connmark + - recent + - helper + + Targets: + - CONNMARK + +endef + +define Package/iptables-mod-filter +$(call Package/iptables/Module, +kmod-ipt-filter) + TITLE:=Content inspection extensions +endef + +define Package/iptables-mod-filter/description +iptables extensions for packet content inspection. +Includes support for: + + Matches: + - string + +endef + +define Package/iptables-mod-ipopt +$(call Package/iptables/Module, +kmod-ipt-ipopt) + TITLE:=IP/Packet option extensions +endef + +define Package/iptables-mod-ipopt/description +iptables extensions for matching/changing IP packet options. + + Matches: + - dscp + - ecn + - length + - statistic + - tcpmss + - unclean + - hl + + Targets: + - DSCP + - CLASSIFY + - ECN + - HL + +endef + +define Package/iptables-mod-ipsec +$(call Package/iptables/Module, +kmod-ipt-ipsec) + TITLE:=IPsec extensions +endef + +define Package/iptables-mod-ipsec/description +iptables extensions for matching ipsec traffic. + + Matches: + - ah + - esp + - policy + +endef + +define Package/iptables-mod-nat-extra +$(call Package/iptables/Module, +kmod-ipt-nat-extra) + TITLE:=Extra NAT extensions +endef + +define Package/iptables-mod-nat-extra/description +iptables extensions for extra NAT targets. 
+ + Targets: + - MIRROR + - NETMAP +endef + +define Package/iptables-mod-ulog +$(call Package/iptables/Module, +kmod-ipt-ulog) + TITLE:=user-space packet logging +endef + +define Package/iptables-mod-ulog/description +iptables extensions for user-space packet logging. + + Targets: + - ULOG + +endef + +define Package/iptables-mod-nflog +$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog) + TITLE:=Netfilter NFLOG target +endef + +define Package/iptables-mod-nflog/description + iptables extension for user-space logging via NFNETLINK. + + Includes: + - libxt_NFLOG + +endef + +define Package/iptables-mod-nfqueue +$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue) + TITLE:=Netfilter NFQUEUE target +endef + +define Package/iptables-mod-nfqueue/description + iptables extension for user-space queuing via NFNETLINK. + + Includes: + - libxt_NFQUEUE + +endef + +define Package/iptables-mod-hashlimit +$(call Package/iptables/Module, +kmod-ipt-hashlimit) + TITLE:=hashlimit matching +endef + +define Package/iptables-mod-hashlimit/description +iptables extensions for hashlimit matching + + Matches: + - hashlimit + +endef + +define Package/iptables-mod-iprange +$(call Package/iptables/Module, +kmod-ipt-iprange) + TITLE:=IP range extension +endef + +define Package/iptables-mod-iprange/description +iptables extensions for matching ip ranges. + + Matches: + - iprange + +endef + +define Package/iptables-mod-cluster +$(call Package/iptables/Module, +kmod-ipt-cluster) + TITLE:=Match cluster extension +endef + +define Package/iptables-mod-cluster/description +iptables extensions for matching cluster. + + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. 
Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + If you select it, it enables kmod-ipt-cluster. + + see `iptables -m cluster --help` for more information. +endef + +define Package/iptables-mod-clusterip +$(call Package/iptables/Module, +kmod-ipt-clusterip) + TITLE:=Clusterip extension +endef + +define Package/iptables-mod-clusterip/description +iptables extensions for CLUSTERIP. + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + If you select it, it enables kmod-ipt-clusterip. + + see `iptables -j CLUSTERIP --help` for more information. +endef + +define Package/iptables-mod-extra +$(call Package/iptables/Module, +kmod-ipt-extra) + TITLE:=Other extra iptables extensions +endef + +define Package/iptables-mod-extra/description +Other extra iptables extensions. + + Matches: + - addrtype + - condition + - owner + - physdev (if ebtables is enabled) + - pkttype + - quota + +endef + +define Package/iptables-mod-led +$(call Package/iptables/Module, +kmod-ipt-led) + TITLE:=LED trigger iptables extension +endef + +define Package/iptables-mod-led/description +iptables extension for triggering a LED. + + Targets: + - LED + +endef + +define Package/iptables-mod-tproxy +$(call Package/iptables/Module, +kmod-ipt-tproxy) + TITLE:=Transparent proxy iptables extensions +endef + +define Package/iptables-mod-tproxy/description +Transparent proxy iptables extensions. + + Matches: + - socket + + Targets: + - TPROXY + +endef + +define Package/iptables-mod-tee +$(call Package/iptables/Module, +kmod-ipt-tee) + TITLE:=TEE iptables extensions +endef + +define Package/iptables-mod-tee/description +TEE iptables extensions. 
+ + Targets: + - TEE + +endef + +define Package/iptables-mod-u32 +$(call Package/iptables/Module, +kmod-ipt-u32) + TITLE:=U32 iptables extensions +endef + +define Package/iptables-mod-u32/description +U32 iptables extensions. + + Matches: + - u32 + +endef + +define Package/ip6tables +$(call Package/iptables/Default) + DEPENDS:=@IPV6 +kmod-ip6tables +iptables + CATEGORY:=Network + TITLE:=IPv6 firewall administration tool + MENU:=1 +endef + + +define Package/ip6tables-extra +$(call Package/iptables/Default) + DEPENDS:=ip6tables +kmod-ip6tables-extra + TITLE:=IPv6 header matching modules +endef + +define Package/ip6tables-mod-extra/description +iptables header matching modules for IPv6 +endef + +define Package/ip6tables-mod-nat +$(call Package/iptables/Default) + DEPENDS:=ip6tables +kmod-ipt-nat6 + TITLE:=IPv6 NAT extensions +endef + +define Package/ip6tables-mod-nat/description +iptables extensions for IPv6-NAT targets. +endef + +define Package/libiptc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libip4tc +libip6tc +libxtables + TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub) +endef + +define Package/libip4tc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv4 firewall - shared libiptc library + DEPENDS:=+libxtables +endef + +define Package/libip6tc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv6 firewall - shared libiptc library + DEPENDS:=+libxtables +endef + +define Package/libxtables + $(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv4/IPv6 firewall - shared xtables library +endef + +TARGET_CPPFLAGS := \ + -I$(PKG_BUILD_DIR)/include \ + -I$(LINUX_DIR)/user_headers/include \ + $(TARGET_CPPFLAGS) + +TARGET_CFLAGS += \ + -I$(PKG_BUILD_DIR)/include \ + -I$(LINUX_DIR)/user_headers/include \ + -ffunction-sections -fdata-sections \ + -DNO_LEGACY + +TARGET_LDFLAGS += \ + -Wl,--gc-sections + 
+CONFIGURE_ARGS += \ + --enable-shared \ + --enable-devel \ + --with-kernel="$(LINUX_DIR)/user_headers" \ + --with-xtlibdir=/usr/lib/iptables \ + --enable-static \ + $(if $(CONFIG_IPV6),,--disable-ipv6) + +MAKE_FLAGS := \ + $(TARGET_CONFIGURE_OPTS) \ + COPT_FLAGS="$(TARGET_CFLAGS)" \ + KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \ + KBUILD_OUTPUT="$(LINUX_DIR)" \ + BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))" + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(INSTALL_DIR) $(1)/usr/include/iptables + $(INSTALL_DIR) $(1)/usr/include/net/netfilter + + # XXX: iptables header fixup, some headers are not installed by iptables anymore + $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/ + $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/ + + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/ + + # XXX: needed by firewall3 + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/ +endef + +define Package/iptables/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/lib/iptables +endef + +define Package/ip6tables/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/ +endef + +define 
Package/libiptc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/ +endef + +define Package/libip4tc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/ +endef + +define Package/libip6tc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/ +endef + +define Package/libxtables/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/ +endef + +define BuildPlugin + define Package/$(1)/install + $(INSTALL_DIR) $$(1)/usr/lib/iptables + for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \ + if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ + fi; \ + done + $(3) + endef + + $$(eval $$(call BuildPackage,$(1))) +endef + +$(eval $(call BuildPackage,iptables)) +$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m))) +$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) +$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) +$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) +$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m))) +$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m))) +$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) +$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) +$(eval $(call 
BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
+$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000..2b6c57e
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ char *buf = NULL;
+ char *argv[4];
+ int status;
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+ free(buf);
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ return 0;
++#endif
+ return -1;
+ }
+
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000..50542ac
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
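Review bot: The description block for the IPv6 header-matching package is defined as `Package/ip6tables-mod-extra/description`, but the package itself is `define Package/ip6tables-extra` and is built as `BuildPlugin,ip6tables-extra`, so the description never attaches to the package it was written for; rename it to `define Package/ip6tables-extra/description`. Separately, the tarball is fetched from plain http/ftp mirrors and pinned only by `PKG_MD5SUM`; MD5 still catches accidental corruption but is not collision resistant, so if the build system accepts a SHA-256 pin that would make the integrity check meaningful against a tampered mirror (which hash variables it accepts is not visible on this page).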
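Review bot: Wrapping the body of `xtables_insmod` in `#if 0` leaves `modname`, `modprobe` and `quiet` unused (expect -Wunused-parameter noise) and leaves no explanation in the source that every caller now gets -1 unconditionally, i.e. an extension is only usable when its kernel module is already loaded. I would add, just above `#if 0`, `/* module autoloading is disabled in this build: this stub always fails, so callers must rely on modules already being present */` and, after `#endif`, `(void)modname; (void)modprobe; (void)quiet;` before the final `return -1;`. The part of the function between the two inner hunks is not shown in this patch.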
@@ -0,0 +1,94 @@
+--- a/configure
++++ b/configure
+@@ -12367,77 +12367,7 @@ fi
+ fi
+
+
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+- test "x$?" != "x0" && pkg_failed=yes
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+- test "x$?" != "x0" && pkg_failed=yes
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+- _pkg_short_errors_supported=yes
+-else
+- _pkg_short_errors_supported=no
+-fi
+- if test $_pkg_short_errors_supported = yes; then
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+- else
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+- fi
+- # Put the nasty error message in config.log where it belongs
+- echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+- nfnetlink=0
+-elif test $pkg_failed = untried; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+- nfnetlink=0
+-else
+- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+- nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+ HAVE_LIBNFNETLINK_TRUE=
+ HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -111,9 +111,7 @@ if test "x$enable_bpfc" = "xyes" || test
+ AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
+ fi
+
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+- [nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+
+ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git a/package/network/utils/iptables/patches/050-optional-xml.patch b/package/network/utils/iptables/patches/050-optional-xml.patch
new file mode 100644
index 0000000..11311dd
--- /dev/null
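Review bot: The `configure` half of this patch edits generated output while the package Makefile sets `PKG_FIXUP:=autoreconf`; if autoreconf runs as that setting suggests, `configure` is regenerated from the patched `configure.ac` and the 70-line `configure` hunk is maintained for nothing and will fail to apply on every upstream regeneration. Keeping only the `configure.ac` hunk (`AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])`) would make the patch far smaller and more robust across version bumps. A one-line header in the patch stating why libnfnetlink is forced off would also help whoever re-bases it next.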
+++ b/package/network/utils/iptables/patches/050-optional-xml.patch
@@ -0,0 +1,13 @@
+--- a/iptables/xtables-multi.c
++++ b/iptables/xtables-multi.c
+@@ -22,8 +22,10 @@ static const struct subcommand multi_sub
+ {"iptables-restore", iptables_restore_main},
+ {"restore4", iptables_restore_main},
+ #endif
++#ifdef ENABLE_XML
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
++#endif
+ #ifdef ENABLE_IPV6
+ {"ip6tables", ip6tables_main},
+ {"main6", ip6tables_main},
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000..02ee45b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,8 @@
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000..d35bc5a
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
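Review bot: Nothing in this commit defines `ENABLE_XML` — the only definition the package Makefile adds to `TARGET_CFLAGS` is `-DNO_LEGACY` — so the new guard unconditionally removes the `iptables-xml` and `xml` entries from `multi_subcommands`, while `iptables-xml.c` still appears in `xtables_multi_SOURCES` (visible in the 600 patch context) and is compiled and linked as unreachable code. Either state where `ENABLE_XML` is expected to be set, or drop the source from the build as well so the dead object is not shipped. A comment on the `#ifdef`, e.g. `/* iptables-xml is compiled out unless the build defines ENABLE_XML; this package's Makefile does not */`, would make the intent visible. The `multi_subcommands` array continues outside the hunk.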
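Review bot: `#!/usr/bin/env bash` resolves the interpreter through the caller's `PATH`, which for a script that rewrites firewall rules as root is a weaker guarantee than the absolute path it replaces; if the aim is portability to hosts without `/bin/bash`, say so in a patch header so the trade-off is explicit. As far as this page shows, `Package/iptables/install` ships only `xtables-multi` and `iptables{,-restore,-save}`, so `iptables-apply` may not reach the image at all, in which case the patch has no effect on the package.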
@@ -0,0 +1,60 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -45,9 +45,24 @@ pfx_symlinks := NOTRACK state
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -58,11 +73,11 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+
+ .SECONDARY:
+
+@@ -126,9 +141,9 @@ libext4.a: initext4.o ${libext4_objs}
+ libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+-initext_func := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+
+ .initext.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch b/package/network/utils/iptables/patches/300-musl_fixes.patch
new file mode 100644
index 0000000..a78eda7
--- /dev/null
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
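Review bot: `ifdef BUILTIN_MODULES` is false when the variable is defined but empty, and the package Makefile passes `BUILTIN_MODULES="$(patsubst ...)"`, which expands to an empty string whenever no extension is built into the kernel; in that case the build silently falls into the `@ENABLE_STATIC_TRUE@` branch and links every extension statically instead of none. Testing presence rather than non-emptiness, `ifneq ($(origin BUILTIN_MODULES),undefined)`, keeps an explicit empty list meaning "nothing built in". A comment above the conditional describing the contract (space-separated extension names with the `xt_`/`ipt_`/`ip6t_` prefix already stripped, matched by `$(filter)` against the build-mod lists) would also help, since the variable is otherwise documented only by its use in the package Makefile.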
@@ -0,0 +1,127 @@
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++# define IPPROTO_HOPOPTS 0
++#endif
+
+ enum {
+ O_HEADER = 0,
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+
+ enum {
+ O_STRIP_OPTION = 0,
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+
+ #include <limits.h>
+
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+
+ #include <linux/types.h>
++#include <sys/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+ * This code is distributed under the terms of GNU GPL v2
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+ *
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/500-add-xt_id-match.patch b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
new file mode 100644
index 0000000..94762f0
--- /dev/null
+++ b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
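Review bot: The fallback `#define`s added to `libxt_TCPOPTSTRIP.c` and `libip6t_ipv6header.c` hard-code protocol constants with no indication of where the values come from, so a reader cannot tell a typo from a correct value. A one-line comment on each group naming the source — the TCP option kinds (MSS 2, window scale 3, SACK-permitted 4, SACK 5, timestamps 8) are the IANA-registered values from RFC 793/1323/2018, and Hop-by-Hop Options is IPv6 next-header 0 per RFC 2460 — would make the fallbacks auditable, e.g. `/* TCP option kinds per the IANA registry; only used when the libc headers (musl) lack them */`. The `<sys/errno.h>` to `<errno.h>` replacements are the portable form and need no comment.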
@@ -0,0 +1,59 @@
+--- /dev/null
++++ b/extensions/libxt_id.c
+@@ -0,0 +1,45 @@
++/* Shared library add-on to iptables to add id match support. */
++
++#include <stdio.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_id.h>
++
++enum {
++ O_ID = 0,
++};
++
++static const struct xt_option_entry id_opts[] = {
++ {
++ .name = "id",
++ .id = O_ID,
++ .type = XTTYPE_UINT32,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_id_info, id)
++ },
++ XTOPT_TABLEEND,
++};
++
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void
++id_save(const void *ip, const struct xt_entry_match *match)
++{
++ struct xt_id_info *idinfo = (void *)match->data;
++
++ printf(" --id %lu", idinfo->id);
++}
++
++static struct xtables_match id_match = {
++ .family = NFPROTO_UNSPEC,
++ .name = "id",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_id_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_id_info)),
++ .save = id_save,
++ .x6_parse = xtables_option_parse,
++ .x6_options = id_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&id_match);
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ __u32 id;
++};
++
++#endif /* XT_ID_H */
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
new file mode 100644
index 0000000..92f5485
--- /dev/null
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
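Review bot: `printf(" --id %lu", idinfo->id)` in `id_save` passes a `__u32` where `%lu` expects an `unsigned long`; a conversion that does not match its argument type is undefined behaviour, and on LP64 targets the callee reads eight bytes for a four-byte argument, so the saved rule can carry garbage high bits. Use `printf(" --id %u", idinfo->id);` (or `"%" PRIu32`). Two smaller points: `id_match` registers only `.save`, and as far as I know libxtables prints nothing for a match without a `.print` callback, so `iptables -L` will not show the id while `iptables-save` does; and `xt_id.h` uses `__u32` without including `<linux/types.h>` and closes with `/* XT_ID_H */` while the guard macro is `_XT_ID_H`.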
@@ -0,0 +1,78 @@
+Index: iptables-1.4.21/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.21.orig/extensions/GNUmakefile.in
++++ iptables-1.4.21/extensions/GNUmakefile.in
+@@ -71,7 +71,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext4_objs := ${pf4_objs}
+@@ -96,7 +96,7 @@ clean:
+ distclean: clean
+
+ init%.o: init%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+ -include .*.d
+
+@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+ # handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+-libext.a: initext.o ${libext_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext4.a: initext4.o ${libext4_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext6.a: initext6.o ${libext6_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+ initext_func := $(addprefix xt_,${pfx_build_static})
+ initext4_func := $(addprefix ipt_,${pf4_build_static})
+Index: iptables-1.4.21/iptables/Makefile.am
+===================================================================
+--- iptables-1.4.21.orig/iptables/Makefile.am
++++ iptables-1.4.21/iptables/Makefile.am
+@@ -5,7 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -
+
+ xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
+ xtables_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_multi_LDADD = ../extensions/libext.a
++xtables_multi_LDADD =
++xtables_multi_LDFLAGS = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_multi_CFLAGS += -DALL_INCLUSIVE
+ endif
+@@ -13,13 +14,15 @@ if ENABLE_IPV4
+ xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+ iptables-standalone.c iptables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV4
+-xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_multi_LDADD += ../libiptc/libip4tc.la
++xtables_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+ ip6tables-standalone.c ip6tables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV6
+-xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_multi_LDADD += ../libiptc/libip6tc.la
++xtables_multi_LDFLAGS += -liptext6
+ endif
+ xtables_multi_SOURCES += xshared.c
+ xtables_multi_LDADD += ../libxtables/libxtables.la -lm
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
new file mode 100644
index 0000000..342c3b0
--- /dev/null
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
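Review bot: `xtables_multi_LDFLAGS = -L../extensions/ -liptext` (and the `-liptext4`/`-liptext6` lines in the second Makefile.am hunk) put libraries into LDFLAGS, which automake places before the object files on the link line; with a linker that resolves left to right or with `--as-needed`, nothing references `libiptext*.so` at that point and the library can be dropped, so these belong in `xtables_multi_LDADD` (`xtables_multi_LDADD = -L../extensions/ -liptext`). In the GNUmakefile.in hunk, `${$*_LIBADD}` in the explicit `libiptext.so:` rules expands to `${_LIBADD}` because `$*` is empty for a target whose suffix is not in `.SUFFIXES`, so the `xt_statistic_LIBADD = -lm` shown in the hunk context is never applied and `libiptext.so` is produced with an unresolved libm reference (masked for xtables-multi by the trailing `-lm` in its LDADD, but not for other consumers of the shared object such as the firewall3 use noted in the package Makefile). The new link rules also use `${CCLD}` and `${AM_VERBOSE_CCLD}`, which are not defined anywhere visible on this page; confirm the surrounding GNUmakefile.in substitutes them.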
@@ -0,0 +1,108 @@ +Index: iptables-1.4.21/extensions/libxt_conntrack.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_conntrack.c ++++ iptables-1.4.21/extensions/libxt_conntrack.c +@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c + } + + static struct xtables_match conntrack_mt_reg[] = { ++#ifndef NO_LEGACY + { + .version = XTABLES_VERSION, + .name = "conntrack", +@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt + .alias = conntrack_print_name_alias, + .x6_options = conntrack2_mt_opts, + }, ++#endif + { + .version = XTABLES_VERSION, + .name = "conntrack", +@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt + .alias = conntrack_print_name_alias, + .x6_options = conntrack3_mt_opts, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, ++#endif + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_parse, + .x6_options = state_opts, + }, ++#endif + }; + + void _init(void) +Index: iptables-1.4.21/extensions/libxt_CT.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_CT.c ++++ iptables-1.4.21/extensions/libxt_CT.c +@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x + } + + static struct xtables_target ct_target_reg[] = { ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "CT", +@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r + .x6_parse = ct_parse_v1, + .x6_options = ct_opts_v1, + }, ++#endif + { + .family = NFPROTO_UNSPEC, + .name = "CT", +@@ 
-329,6 +331,7 @@ static struct xtables_target ct_target_r + .x6_parse = ct_parse_v1, + .x6_options = ct_opts_v1, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", +@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r + .revision = 0, + .version = XTABLES_VERSION, + }, ++#endif + }; + + void _init(void) +Index: iptables-1.4.21/extensions/libxt_multiport.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_multiport.c ++++ iptables-1.4.21/extensions/libxt_multiport.c +@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi + } + + static struct xtables_match multiport_mt_reg[] = { ++#ifndef NO_LEGACY + { + .family = NFPROTO_IPV4, + .name = "multiport", +@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt + .save = multiport_save6, + .x6_options = multiport_opts, + }, ++#endif + { + .family = NFPROTO_IPV4, + .name = "multiport", |