aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/utils/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/utils/iptables')
-rw-r--r--package/network/utils/iptables/Makefile548
-rw-r--r--package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch18
-rw-r--r--package/network/utils/iptables/patches/030-no-libnfnetlink.patch94
-rw-r--r--package/network/utils/iptables/patches/050-optional-xml.patch13
-rw-r--r--package/network/utils/iptables/patches/100-bash-location.patch8
-rw-r--r--package/network/utils/iptables/patches/200-configurable_builtin.patch60
-rw-r--r--package/network/utils/iptables/patches/300-musl_fixes.patch127
-rw-r--r--package/network/utils/iptables/patches/500-add-xt_id-match.patch59
-rw-r--r--package/network/utils/iptables/patches/600-shared-libext.patch78
-rw-r--r--package/network/utils/iptables/patches/700-disable-legacy-revisions.patch108
10 files changed, 1113 insertions, 0 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
new file mode 100644
index 0000000..626b252
--- /dev/null
+++ b/package/network/utils/iptables/Makefile
@@ -0,0 +1,548 @@
+#
+# Copyright (C) 2006-2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.4.21
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
+ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
+ ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
+ ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
+PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_LICENSE:=GPL-2.0
+
+ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
+PATCH_DIR:=
+endif
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+ -include $(LINUX_DIR)/.config
+ include $(INCLUDE_DIR)/netfilter.mk
+ STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
+endif
+
+
+define Package/iptables/Default
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ URL:=http://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+ DEPENDS:=iptables $(1)
+endef
+
+define Package/iptables
+$(call Package/iptables/Default)
+ TITLE:=IP firewall administration tool
+ MENU:=1
+ DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
+endef
+
+define Package/iptables/description
+IP firewall administration tool.
+
+ Matches:
+ - icmp
+ - tcp
+ - udp
+ - comment
+ - conntrack
+ - limit
+ - mac
+ - mark
+ - multiport
+ - set
+ - state
+ - time
+
+ Targets:
+ - ACCEPT
+ - CT
+ - DNAT
+ - DROP
+ - REJECT
+ - LOG
+ - MARK
+ - MASQUERADE
+ - REDIRECT
+ - SET
+ - SNAT
+ - TCPMSS
+
+ Tables:
+ - filter
+ - mangle
+ - nat
+ - raw
+
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+ TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+ - connbytes
+ - connlimit
+ - connmark
+ - recent
+ - helper
+
+ Targets:
+ - CONNMARK
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+ TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+ - string
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+ TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+ - dscp
+ - ecn
+ - length
+ - statistic
+ - tcpmss
+ - unclean
+ - hl
+
+ Targets:
+ - DSCP
+ - CLASSIFY
+ - ECN
+ - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+ TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+ - ah
+ - esp
+ - policy
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+ TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+ - MIRROR
+ - NETMAP
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+ TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+ - ULOG
+
+endef
+
+define Package/iptables-mod-nflog
+$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
+ TITLE:=Netfilter NFLOG target
+endef
+
+define Package/iptables-mod-nflog/description
+ iptables extension for user-space logging via NFNETLINK.
+
+ Includes:
+ - libxt_NFLOG
+
+endef
+
+define Package/iptables-mod-nfqueue
+$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
+ TITLE:=Netfilter NFQUEUE target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extension for user-space queuing via NFNETLINK.
+
+ Includes:
+ - libxt_NFQUEUE
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+ TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+ - hashlimit
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+ TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+ - iprange
+
+endef
+
+define Package/iptables-mod-cluster
+$(call Package/iptables/Module, +kmod-ipt-cluster)
+ TITLE:=Match cluster extension
+endef
+
+define Package/iptables-mod-cluster/description
+iptables extensions for matching cluster.
+
+ Netfilter (IPv4/IPv6) module for matching cluster
+ This option allows you to build work-load-sharing clusters of
+ network servers/stateful firewalls without having a dedicated
+ load-balancing router/server/switch. Basically, this match returns
+ true when the packet must be handled by this cluster node. Thus,
+ all nodes see all packets and this match decides which node handles
+ what packets. The work-load sharing algorithm is based on source
+ address hashing.
+
+ This module is usable for ipv4 and ipv6.
+
+ If you select it, it enables kmod-ipt-cluster.
+
+ see `iptables -m cluster --help` for more information.
+endef
+
+define Package/iptables-mod-clusterip
+$(call Package/iptables/Module, +kmod-ipt-clusterip)
+ TITLE:=Clusterip extension
+endef
+
+define Package/iptables-mod-clusterip/description
+iptables extensions for CLUSTERIP.
+ The CLUSTERIP target allows you to build load-balancing clusters of
+ network servers without having a dedicated load-balancing
+ router/server/switch.
+
+ If you select it, it enables kmod-ipt-clusterip.
+
+ see `iptables -j CLUSTERIP --help` for more information.
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+ TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+ - addrtype
+ - condition
+ - owner
+ - physdev (if ebtables is enabled)
+ - pkttype
+ - quota
+
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+ TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+ - LED
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+ TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Matches:
+ - socket
+
+ Targets:
+ - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+ TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+ - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+ TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+ - u32
+
+endef
+
+define Package/ip6tables
+$(call Package/iptables/Default)
+ DEPENDS:=@IPV6 +kmod-ip6tables +iptables
+ CATEGORY:=Network
+ TITLE:=IPv6 firewall administration tool
+ MENU:=1
+endef
+
+
+define Package/ip6tables-extra
+$(call Package/iptables/Default)
+ DEPENDS:=ip6tables +kmod-ip6tables-extra
+ TITLE:=IPv6 header matching modules
+endef
+
+define Package/ip6tables-mod-extra/description
+iptables header matching modules for IPv6
+endef
+
+define Package/ip6tables-mod-nat
+$(call Package/iptables/Default)
+ DEPENDS:=ip6tables +kmod-ipt-nat6
+ TITLE:=IPv6 NAT extensions
+endef
+
+define Package/ip6tables-mod-nat/description
+iptables extensions for IPv6-NAT targets.
+endef
+
+define Package/libiptc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ DEPENDS:=+libip4tc +libip6tc +libxtables
+ TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4 firewall - shared libiptc library
+ DEPENDS:=+libxtables
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv6 firewall - shared libiptc library
+ DEPENDS:=+libxtables
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+endef
+
+TARGET_CPPFLAGS := \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include \
+ $(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include \
+ -ffunction-sections -fdata-sections \
+ -DNO_LEGACY
+
+TARGET_LDFLAGS += \
+ -Wl,--gc-sections
+
+CONFIGURE_ARGS += \
+ --enable-shared \
+ --enable-devel \
+ --with-kernel="$(LINUX_DIR)/user_headers" \
+ --with-xtlibdir=/usr/lib/iptables \
+ --enable-static \
+ $(if $(CONFIG_IPV6),,--disable-ipv6)
+
+MAKE_FLAGS := \
+ $(TARGET_CONFIGURE_OPTS) \
+ COPT_FLAGS="$(TARGET_CFLAGS)" \
+ KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
+ BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include
+ $(INSTALL_DIR) $(1)/usr/include/iptables
+ $(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+ # XXX: iptables header fixup, some headers are not installed by iptables anymore
+ $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+ $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
+
+ # XXX: needed by firewall3
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
+endef
+
+define Package/iptables/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
+endef
+
+define Package/libiptc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
+endef
+
+define Package/libip4tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
+endef
+
+define BuildPlugin
+ define Package/$(1)/install
+ $(INSTALL_DIR) $$(1)/usr/lib/iptables
+ for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ fi; \
+ done
+ $(3)
+ endef
+
+ $$(eval $$(call BuildPackage,$(1)))
+endef
+
+$(eval $(call BuildPackage,iptables))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
+$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000..2b6c57e
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ char *buf = NULL;
+ char *argv[4];
+ int status;
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+ free(buf);
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ return 0;
++#endif
+ return -1;
+ }
+
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000..50542ac
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@@ -0,0 +1,94 @@
+--- a/configure
++++ b/configure
+@@ -12367,77 +12367,7 @@ fi
+ fi
+
+
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+- test "x$?" != "x0" && pkg_failed=yes
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+- test "x$?" != "x0" && pkg_failed=yes
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+- _pkg_short_errors_supported=yes
+-else
+- _pkg_short_errors_supported=no
+-fi
+- if test $_pkg_short_errors_supported = yes; then
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+- else
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+- fi
+- # Put the nasty error message in config.log where it belongs
+- echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+- nfnetlink=0
+-elif test $pkg_failed = untried; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+- nfnetlink=0
+-else
+- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+- nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+ HAVE_LIBNFNETLINK_TRUE=
+ HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -111,9 +111,7 @@ if test "x$enable_bpfc" = "xyes" || test
+ AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
+ fi
+
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+- [nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+
+ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git a/package/network/utils/iptables/patches/050-optional-xml.patch b/package/network/utils/iptables/patches/050-optional-xml.patch
new file mode 100644
index 0000000..11311dd
--- /dev/null
+++ b/package/network/utils/iptables/patches/050-optional-xml.patch
@@ -0,0 +1,13 @@
+--- a/iptables/xtables-multi.c
++++ b/iptables/xtables-multi.c
+@@ -22,8 +22,10 @@ static const struct subcommand multi_sub
+ {"iptables-restore", iptables_restore_main},
+ {"restore4", iptables_restore_main},
+ #endif
++#ifdef ENABLE_XML
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
++#endif
+ #ifdef ENABLE_IPV6
+ {"ip6tables", ip6tables_main},
+ {"main6", ip6tables_main},
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000..02ee45b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,8 @@
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000..d35bc5a
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -0,0 +1,60 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -45,9 +45,24 @@ pfx_symlinks := NOTRACK state
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -58,11 +73,11 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+
+ .SECONDARY:
+
+@@ -126,9 +141,9 @@ libext4.a: initext4.o ${libext4_objs}
+ libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+-initext_func := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+
+ .initext.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch b/package/network/utils/iptables/patches/300-musl_fixes.patch
new file mode 100644
index 0000000..a78eda7
--- /dev/null
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
@@ -0,0 +1,127 @@
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++# define IPPROTO_HOPOPTS 0
++#endif
+
+ enum {
+ O_HEADER = 0,
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+
+ enum {
+ O_STRIP_OPTION = 0,
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+
+ #include <limits.h>
+
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+
+ #include <linux/types.h>
++#include <sys/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+ * This code is distributed under the terms of GNU GPL v2
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+ *
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/500-add-xt_id-match.patch b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
new file mode 100644
index 0000000..94762f0
--- /dev/null
+++ b/package/network/utils/iptables/patches/500-add-xt_id-match.patch
@@ -0,0 +1,59 @@
+--- /dev/null
++++ b/extensions/libxt_id.c
+@@ -0,0 +1,45 @@
++/* Shared library add-on to iptables to add id match support. */
++
++#include <stdio.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_id.h>
++
++enum {
++ O_ID = 0,
++};
++
++static const struct xt_option_entry id_opts[] = {
++ {
++ .name = "id",
++ .id = O_ID,
++ .type = XTTYPE_UINT32,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_id_info, id)
++ },
++ XTOPT_TABLEEND,
++};
++
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void
++id_save(const void *ip, const struct xt_entry_match *match)
++{
++ struct xt_id_info *idinfo = (void *)match->data;
++
++ printf(" --id %lu", idinfo->id);
++}
++
++static struct xtables_match id_match = {
++ .family = NFPROTO_UNSPEC,
++ .name = "id",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_id_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_id_info)),
++ .save = id_save,
++ .x6_parse = xtables_option_parse,
++ .x6_options = id_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&id_match);
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_id.h
+@@ -0,0 +1,8 @@
++#ifndef _XT_ID_H
++#define _XT_ID_H
++
++struct xt_id_info {
++ __u32 id;
++};
++
++#endif /* XT_ID_H */
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
new file mode 100644
index 0000000..92f5485
--- /dev/null
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -0,0 +1,78 @@
+Index: iptables-1.4.21/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.21.orig/extensions/GNUmakefile.in
++++ iptables-1.4.21/extensions/GNUmakefile.in
+@@ -71,7 +71,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext4_objs := ${pf4_objs}
+@@ -96,7 +96,7 @@ clean:
+ distclean: clean
+
+ init%.o: init%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+ -include .*.d
+
+@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+ # handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+-libext.a: initext.o ${libext_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext4.a: initext4.o ${libext4_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext6.a: initext6.o ${libext6_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+ initext_func := $(addprefix xt_,${pfx_build_static})
+ initext4_func := $(addprefix ipt_,${pf4_build_static})
+Index: iptables-1.4.21/iptables/Makefile.am
+===================================================================
+--- iptables-1.4.21.orig/iptables/Makefile.am
++++ iptables-1.4.21/iptables/Makefile.am
+@@ -5,7 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -
+
+ xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
+ xtables_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_multi_LDADD = ../extensions/libext.a
++xtables_multi_LDADD =
++xtables_multi_LDFLAGS = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_multi_CFLAGS += -DALL_INCLUSIVE
+ endif
+@@ -13,13 +14,15 @@ if ENABLE_IPV4
+ xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+ iptables-standalone.c iptables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV4
+-xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_multi_LDADD += ../libiptc/libip4tc.la
++xtables_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+ ip6tables-standalone.c ip6tables.c
+ xtables_multi_CFLAGS += -DENABLE_IPV6
+-xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_multi_LDADD += ../libiptc/libip6tc.la
++xtables_multi_LDFLAGS += -liptext6
+ endif
+ xtables_multi_SOURCES += xshared.c
+ xtables_multi_LDADD += ../libxtables/libxtables.la -lm
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
new file mode 100644
index 0000000..342c3b0
--- /dev/null
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -0,0 +1,108 @@
+Index: iptables-1.4.21/extensions/libxt_conntrack.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_conntrack.c
++++ iptables-1.4.21/extensions/libxt_conntrack.c
+@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+ }
+
+ static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+ .alias = conntrack_print_name_alias,
+ .x6_options = conntrack2_mt_opts,
+ },
++#endif
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
+ .alias = conntrack_print_name_alias,
+ .x6_options = conntrack3_mt_opts,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_ct23_parse,
+ .x6_options = state_opts,
+ },
++#endif
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_ct23_parse,
+ .x6_options = state_opts,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_parse,
+ .x6_options = state_opts,
+ },
++#endif
+ };
+
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_CT.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_CT.c
++++ iptables-1.4.21/extensions/libxt_CT.c
+@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+ }
+
+ static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
++#endif
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ },
++#endif
+ };
+
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_multiport.c
++++ iptables-1.4.21/extensions/libxt_multiport.c
+@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+ }
+
+ static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
+ .save = multiport_save6,
+ .x6_options = multiport_opts,
+ },
++#endif
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",