authorEtienne Champetier <champetier.etienne@gmail.com>2022-01-26 14:33:52 -0500
committerHauke Mehrtens <hauke@hauke-m.de>2022-02-03 00:02:31 +0100
commitb0bd6599e840c443d8ccb8759315e4dd006fd6aa (patch)
treef684cd01faae702303d14b441329e4d0f5147dba /package
parent1ebb8e3b6be8ed070dcb466fc8d1631e5453df72 (diff)
iptables: rework ip(6)tables-nft dependencies
According to the iptables-nft man page, "These tools use the libxtables framework extensions and hook to the nf_tables kernel subsystem using the nft_compat module."

This means that, to work, iptables-nft needs the same modules as iptables legacy, except for ip(6)table-{filter,mangle,nat,raw}, ip_tables and ip6tables.

When those modules are loaded, iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
but as long as the legacy tables are empty it should not be a problem.

To have nft properly display the rules created by ip(6)tables-nft, we need all iptables targets and matches to be built as extensions and not built-in (/usr/lib/iptables/libip(6)t_*.so).

When switching a package to iptables-nft, you need to keep the iptables-mod-* dependencies.

This patch makes minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and, more importantly, add the nft-compat dependency

The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
	}
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Diffstat (limited to 'package')
-rw-r--r--package/network/utils/iptables/Makefile8
1 files changed, 4 insertions, 4 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 2ba30eeca8..853bff39c6 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -41,7 +41,7 @@ endef
define Package/iptables/Module
$(call Package/iptables/Default)
- DEPENDS:=iptables $(1)
+ DEPENDS:=+iptables $(1)
endef
define Package/iptables
@@ -108,7 +108,7 @@ endef
define Package/iptables-nft
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft
- DEPENDS:=iptables @IPTABLES_NFTABLES +libxtables-nft
+ DEPENDS:=@IPTABLES_NFTABLES +libxtables-nft +libip4tc +IPV6:libip6tc +kmod-ipt-core +kmod-nft-compat
endef
define Package/iptables-nft/description
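Review bot: The new `DEPENDS` line in `Package/iptables-nft` adds `+kmod-ipt-core` with no comment explaining why, although the commit message says iptables-nft does not need the legacy `ip_tables`/`ip6tables` table modules. If `kmod-ipt-core` ships those modules (its contents are not visible in this diff), both back ends are present on the device. Rules added through a legacy tool would then not appear in `iptables-nft-save` output beyond the warning quoted in the message, so a firewall audit that reads only the nft side could miss them. I would add a comment above the `define`, such as `# kmod-ipt-core supplies the xt_* matches/targets used through nft_compat; any legacy tables it loads must stay empty`. The same applies to `+kmod-ip6tables` in the `Package/ip6tables-nft` hunk.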
@@ -454,7 +454,7 @@ endef
define Package/ip6tables-nft
$(call Package/iptables/Default)
- DEPENDS:=ip6tables @IPTABLES_NFTABLES +libxtables-nft
+ DEPENDS:=@IPV6 +kmod-ip6tables +iptables-nft
TITLE:=IP firewall administration tool nft
endef
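Review bot: `Package/ip6tables-nft` no longer states `@IPTABLES_NFTABLES` itself and relies on `+iptables-nft` to carry that condition. Whether a `+` dependency propagates the selected package's `@` conditions is decided by the build system's metadata generation, which is outside this diff, so it is worth confirming that ip6tables-nft cannot be selected when IPTABLES_NFTABLES is off. Keeping the guard explicit costs nothing: `DEPENDS:=@IPV6 @IPTABLES_NFTABLES +kmod-ip6tables +iptables-nft`. As a style point, `TITLE` now sits after `DEPENDS` here, while the iptables-nft definition has it before.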
@@ -522,7 +522,7 @@ define Package/libxtables-nft
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared xtables nft library
ABI_VERSION:=12
- DEPENDS:=libxtables
+ DEPENDS:=+libxtables
endef
TARGET_CPPFLAGS := \