-rw-r--r--package/network/utils/iptables/Makefile66
-rw-r--r--package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch52
-rw-r--r--package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch48
-rw-r--r--package/network/utils/iptables/patches/030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch40
-rw-r--r--package/network/utils/iptables/patches/101-remove-check-already.patch28
-rw-r--r--package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch (renamed from package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch)4
-rw-r--r--package/network/utils/iptables/patches/103-optional-xml.patch (renamed from package/network/utils/iptables/patches/050-optional-xml.patch)10
-rw-r--r--package/network/utils/iptables/patches/600-shared-libext.patch62
-rw-r--r--package/network/utils/iptables/patches/700-disable-legacy-revisions.patch10
9 files changed, 204 insertions, 116 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 4c5a581268..54fffc9d1e 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
-PKG_VERSION:=1.6.2
-PKG_RELEASE:=3
+PKG_VERSION:=1.8.2
+PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
-PKG_SOURCE_VERSION:=c16bdec15137b241586310d0e61bc88cc3726004
-PKG_MIRROR_HASH:=72e4bec94a56dd600097846c773e1074ff705e38f800ef221db646c064371a53
+PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83
+PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
@@ -106,17 +106,17 @@ IP firewall administration tool.
endef
-define Package/iptables-compat
+define Package/iptables-nft
$(call Package/iptables/Default)
- TITLE:=IP firewall administration tool compat
- DEPENDS:=iptables @IPTABLES_NFTABLES +libxtables-compat
+ TITLE:=IP firewall administration tool nft
+ DEPENDS:=iptables @IPTABLES_NFTABLES +libxtables-nft
endef
-define Package/iptables-compat/description
-Extra iptables nftables compat binaries.
- iptables-compat
- iptables-compat-restore
- iptables-compat-save
+define Package/iptables-nft/description
+Extra iptables nftables nft binaries.
+ iptables-nft
+ iptables-nft-restore
+ iptables-nft-save
iptables-translate
iptables-restore-translate
endef
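Review bot: The description for `Package/iptables-nft` now reads "Extra iptables nftables nft binaries.", which repeats itself and does not say how these tools differ from the ones in the `iptables` package this one depends on. The install hunks further down ship `xtables-legacy-multi` in `iptables` and `xtables-nft-multi` here, so both backends end up on the same system, and rules loaded through one are not listed by the other's `-save` tool. I would reword the first line to something like `iptables variants that program the nf_tables backend (installed alongside the legacy tools).` so that an administrator auditing the rule set knows to check both.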
@@ -453,17 +453,17 @@ $(call Package/iptables/Default)
MENU:=1
endef
-define Package/ip6tables-compat
+define Package/ip6tables-nft
$(call Package/iptables/Default)
- DEPENDS:=ip6tables @IPTABLES_NFTABLES +libxtables-compat
- TITLE:=IP firewall administration tool compat
+ DEPENDS:=ip6tables @IPTABLES_NFTABLES +libxtables-nft
+ TITLE:=IP firewall administration tool nft
endef
-define Package/ip6tables-compat/description
-Extra ip6tables nftables compat binaries.
- iptables-compat
- iptables-compat-restore
- iptables-compat-save
+define Package/ip6tables-nft/description
+Extra ip6tables nftables nft binaries.
+ iptables-nft
+ iptables-nft-restore
+ iptables-nft-save
iptables-translate
iptables-restore-translate
endef
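Review bot: The `Package/ip6tables-nft/description` text lists `iptables-nft`, `iptables-nft-restore`, `iptables-nft-save`, `iptables-translate` and `iptables-restore-translate`, but `Package/ip6tables-nft/install` later in this file copies `ip6tables-nft{,-restore,-save}` and `ip6tables{,-restore}-translate`. The mismatch is carried over from the old -compat block. The listed names should become `ip6tables-nft`, `ip6tables-nft-restore`, `ip6tables-nft-save`, `ip6tables-translate` and `ip6tables-restore-translate`.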
@@ -494,7 +494,7 @@ $(call Package/iptables/Default)
CATEGORY:=Libraries
DEPENDS:=+libip4tc +libip6tc +libxtables
ABI_VERSION:=$(PKG_VERSION)
- TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+ TITLE:=IPv4/IPv6 firewall - shared libiptc library (nf compatibility stub)
endef
define Package/libip4tc
@@ -526,11 +526,11 @@ define Package/libxtables
+IPTABLES_NFTABLES:libnftnl
endef
-define Package/libxtables-compat
+define Package/libxtables-nft
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
- TITLE:=IPv4/IPv6 firewall - shared xtables compat library
+ TITLE:=IPv4/IPv6 firewall - shared xtables nft library
ABI_VERSION:=$(PKG_VERSION)
DEPENDS:=libxtables
endef
@@ -607,15 +607,15 @@ endef
define Package/iptables/install
$(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
-define Package/iptables-compat/install
+define Package/iptables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-compat-multi $(1)/usr/sbin/
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-compat{,-restore,-save} $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
endef
@@ -624,9 +624,9 @@ define Package/ip6tables/install
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
-define Package/ip6tables-compat/install
+define Package/ip6tables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-compat{,-restore,-save} $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-nft{,-restore,-save} $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/
endef
@@ -653,7 +653,7 @@ define Package/libxtables/install
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
-define Package/libxtables-compat/install
+define Package/libxtables-nft/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext_*.so $(1)/usr/lib/
endef
@@ -673,7 +673,7 @@ define BuildPlugin
endef
$(eval $(call BuildPackage,iptables))
-$(eval $(call BuildPackage,iptables-compat))
+$(eval $(call BuildPackage,iptables-nft))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
@@ -697,11 +697,11 @@ $(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables))
-$(eval $(call BuildPackage,ip6tables-compat))
+$(eval $(call BuildPackage,ip6tables-nft))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))
-$(eval $(call BuildPackage,libxtables-compat))
+$(eval $(call BuildPackage,libxtables-nft))
diff --git a/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch b/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch
new file mode 100644
index 0000000000..9bd85ec139
--- /dev/null
+++ b/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch
@@ -0,0 +1,52 @@
+From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
+Date: Wed, 14 Nov 2018 07:35:28 +0100
+Subject: extensions: format-security fixes in libip[6]t_icmp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+introduced support for gcc feature to check format string against passed
+argument. This commit adds missing bits to extenstions's libipt_icmp.c
+and libip6t_icmp6.c that were causing build to fail.
+
+Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ extensions/libip6t_icmp6.c | 4 ++--
+ extensions/libipt_icmp.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/extensions/libip6t_icmp6.c
++++ b/extensions/libip6t_icmp6.c
+@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
+ type_name = icmp6_type_xlate(icmptype);
+
+ if (type_name) {
+- xt_xlate_add(xl, type_name);
++ xt_xlate_add(xl, "%s", type_name);
+ } else {
+ for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
+ if (icmpv6_codes[i].type == icmptype &&
+@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
+ break;
+
+ if (i != ARRAY_SIZE(icmpv6_codes))
+- xt_xlate_add(xl, icmpv6_codes[i].name);
++ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
+ else
+ return 0;
+ }
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
+ if (icmp_codes[i].type == icmptype &&
+ icmp_codes[i].code_min == code_min &&
+ icmp_codes[i].code_max == code_max) {
+- xt_xlate_add(xl, icmp_codes[i].name);
++ xt_xlate_add(xl, "%s", icmp_codes[i].name);
+ return 1;
+ }
+ }
diff --git a/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch b/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch
new file mode 100644
index 0000000000..13737cf7cd
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch
@@ -0,0 +1,48 @@
+From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Fri, 16 Nov 2018 09:30:33 +0200
+Subject: include: fix build with kernel headers before 4.2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 672accf1530 (include: update kernel netfilter header files)
+updated linux/netfilter.h and brought with it the update from kernel
+commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
+from netns headers). This triggers conflict of headers that is fixed in
+kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
+netinet/in.h) included in kernel version 4.2. For earlier kernel headers
+we need a workaround that prevents the headers conflict.
+
+Fixes the following build failure:
+
+In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
+ from ../include/libiptc/ipt_kernel_headers.h:8,
+ from ../include/libiptc/libiptc.h:6,
+ from libip4tc.c:29:
+.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
+ IPPROTO_IP = 0, /* Dummy protocol for TCP */
+ ^
+.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
+ IPPROTO_IP = 0, /* Dummy protocol for TCP. */
+ ^~~~~~~~~~
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ include/linux/netfilter.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -3,8 +3,10 @@
+
+ #include <linux/types.h>
+
++#ifndef _NETINET_IN_H
+ #include <linux/in.h>
+ #include <linux/in6.h>
++#endif
+ #include <limits.h>
+
+ /* Responses from hook functions. */
diff --git a/package/network/utils/iptables/patches/030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch b/package/network/utils/iptables/patches/030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch
deleted file mode 100644
index c825eee3a9..0000000000
--- a/package/network/utils/iptables/patches/030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a12326ad330c4f7cd8d2b6ae1c4fbcd952c378dc Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens <hauke@hauke-m.de>
-Date: Mon, 26 Feb 2018 17:39:09 +0100
-Subject: [PATCH] extensions: libxt_bpf: Fix build with old kernel versions
-
-In kernel 3.18 the union bpf_attr does not have a pathname attribute and
-BPF_OBJ_GET is also not defined in these versions.
-This was added in Linux commit b2197755b263 ("bpf: add support for
-persistent maps/progs"). Check for the BPF_FS_MAGIC define which was
-also added in this Linux commit and only activate this code in case we
-find that define.
-
-This fixes a build problem with Linux 3.18.
-Netfilter bug: #1231
-
-Fixes: f17f9ace8a8 ("extensions: libxt_bpf: support ebpf pinned objects")
-Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
----
- extensions/libxt_bpf.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/extensions/libxt_bpf.c
-+++ b/extensions/libxt_bpf.c
-@@ -22,6 +22,7 @@
- #include <linux/bpf.h>
- #endif
-
-+#include <linux/magic.h>
- #include <linux/unistd.h>
-
- #define BCODE_FILE_MAX_LEN_B 1024
-@@ -62,7 +63,7 @@ static const struct xt_option_entry bpf_
-
- static int bpf_obj_get(const char *filepath)
- {
--#if defined HAVE_LINUX_BPF_H && defined __NR_bpf
-+#if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC
- union bpf_attr attr;
-
- memset(&attr, 0, sizeof(attr));
diff --git a/package/network/utils/iptables/patches/101-remove-check-already.patch b/package/network/utils/iptables/patches/101-remove-check-already.patch
new file mode 100644
index 0000000000..f8d1bf44b6
--- /dev/null
+++ b/package/network/utils/iptables/patches/101-remove-check-already.patch
@@ -0,0 +1,28 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -887,12 +887,6 @@ static void xtables_check_options(const
+
+ void xtables_register_match(struct xtables_match *me)
+ {
+- if (me->next) {
+- fprintf(stderr, "%s: match \"%s\" already registered\n",
+- xt_params->program_name, me->name);
+- exit(1);
+- }
+-
+ if (me->version == NULL) {
+ fprintf(stderr, "%s: match %s<%u> is missing a version\n",
+ xt_params->program_name, me->name, me->revision);
+@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta
+
+ void xtables_register_target(struct xtables_target *me)
+ {
+- if (me->next) {
+- fprintf(stderr, "%s: target \"%s\" already registered\n",
+- xt_params->program_name, me->name);
+- exit(1);
+- }
+-
+ if (me->version == NULL) {
+ fprintf(stderr, "%s: target %s<%u> is missing a version\n",
+ xt_params->program_name, me->name, me->revision);
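Review bot: This new patch file has no header, so nothing records why the `if (me->next)` "already registered" guard is removed from `xtables_register_match()` and `xtables_register_target()`. With the guard gone, a second registration of the same struct no longer aborts and instead continues into the rest of each function, which lies outside the quoted context, so whether re-linking an already linked entry is safe cannot be judged from here. The removal is presumably needed for the shared extension libraries built by 600-shared-libext.patch, but that should be stated. I would add a short description above the first `--- a/libxtables/xtables.c` line, for example `Drop the upstream "already registered" abort: <reason the same extension is registered more than once>`, and say whether the change is OpenWrt-only or was sent upstream.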
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
index 4add4ea5f3..0866118440 100644
--- a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
+++ b/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
@@ -1,6 +1,6 @@
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
-@@ -355,6 +355,7 @@ static char *get_modprobe(void)
+@@ -360,6 +360,7 @@ static char *get_modprobe(void)
int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
{
@@ -8,7 +8,7 @@
char *buf = NULL;
char *argv[4];
int status;
-@@ -395,6 +396,7 @@ int xtables_insmod(const char *modname,
+@@ -394,6 +395,7 @@ int xtables_insmod(const char *modname,
free(buf);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
return 0;
diff --git a/package/network/utils/iptables/patches/050-optional-xml.patch b/package/network/utils/iptables/patches/103-optional-xml.patch
index b782bbf13a..2396037fdd 100644
--- a/package/network/utils/iptables/patches/050-optional-xml.patch
+++ b/package/network/utils/iptables/patches/103-optional-xml.patch
@@ -1,8 +1,8 @@
---- a/iptables/xtables-multi.c
-+++ b/iptables/xtables-multi.c
-@@ -26,8 +26,10 @@ static const struct subcommand multi_sub
- {"iptables-restore", iptables_restore_main},
- {"restore4", iptables_restore_main},
+--- a/iptables/xtables-legacy-multi.c
++++ b/iptables/xtables-legacy-multi.c
+@@ -31,8 +31,10 @@ static const struct subcommand multi_sub
+
+
#endif
+#ifdef ENABLE_XML
{"iptables-xml", iptables_xml_main},
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
index 6e08416f0e..e88c288be6 100644
--- a/package/network/utils/iptables/patches/600-shared-libext.patch
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -56,49 +56,49 @@
+++ b/iptables/Makefile.am
@@ -8,7 +8,8 @@ BUILT_SOURCES =
- xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
- xtables_multi_CFLAGS = ${AM_CFLAGS}
--xtables_multi_LDADD = ../extensions/libext.a
-+xtables_multi_LDADD =
-+xtables_multi_LDFLAGS = -L../extensions/ -liptext
+ xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
+ xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_legacy_multi_LDADD = ../extensions/libext.a
++xtables_legacy_multi_LDADD =
++xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext
if ENABLE_STATIC
- xtables_multi_CFLAGS += -DALL_INCLUSIVE
+ xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
endif
@@ -16,13 +17,15 @@ if ENABLE_IPV4
- xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+ xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
iptables-standalone.c iptables.c
- xtables_multi_CFLAGS += -DENABLE_IPV4
--xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
-+xtables_multi_LDADD += ../libiptc/libip4tc.la
-+xtables_multi_LDFLAGS += -liptext4
+ xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
+-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
++xtables_legacy_multi_LDFLAGS += -liptext4
endif
if ENABLE_IPV6
- xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+ xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
ip6tables-standalone.c ip6tables.c
- xtables_multi_CFLAGS += -DENABLE_IPV6
--xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
-+xtables_multi_LDADD += ../libiptc/libip6tc.la
-+xtables_multi_LDFLAGS += -liptext6
+ xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
+-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
++xtables_legacy_multi_LDFLAGS += -liptext6
endif
- xtables_multi_SOURCES += xshared.c
- xtables_multi_LDADD += ../libxtables/libxtables.la -lm
+ xtables_legacy_multi_SOURCES += xshared.c
+ xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
@@ -32,7 +35,8 @@ if ENABLE_NFTABLES
BUILT_SOURCES += xtables-config-parser.h
- xtables_compat_multi_SOURCES = xtables-compat-multi.c iptables-xml.c
- xtables_compat_multi_CFLAGS = ${AM_CFLAGS}
--xtables_compat_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
-+xtables_compat_multi_LDADD =
-+xtables_compat_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt
+ xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
+ xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
++xtables_nft_multi_LDADD =
++xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt
if ENABLE_STATIC
- xtables_compat_multi_CFLAGS += -DALL_INCLUSIVE
+ xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif
-@@ -45,7 +49,8 @@ xtables_compat_multi_SOURCES += xtables-
- getethertype.c nft-bridge.c \
+@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav
xtables-eb-standalone.c xtables-eb.c \
+ xtables-eb-translate.c \
xtables-translate.c
--xtables_compat_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
-+xtables_compat_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
-+xtables_compat_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
+-xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
++xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
++xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
# yacc and lex generate dirty code
- xtables_compat_multi-xtables-config-parser.o xtables_compat_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
- xtables_compat_multi_SOURCES += xshared.c
+ xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
+ xtables_nft_multi_SOURCES += xshared.c
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
index 6800ca5ece..328f3af18d 100644
--- a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -1,6 +1,6 @@
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
-@@ -1397,6 +1397,7 @@ static int conntrack3_mt6_xlate(struct x
+@@ -1389,6 +1389,7 @@ static int conntrack3_mt6_xlate(struct x
}
static struct xtables_match conntrack_mt_reg[] = {
@@ -8,7 +8,7 @@
{
.version = XTABLES_VERSION,
.name = "conntrack",
-@@ -1472,6 +1473,7 @@ static struct xtables_match conntrack_mt
+@@ -1464,6 +1465,7 @@ static struct xtables_match conntrack_mt
.alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
@@ -16,7 +16,7 @@
{
.version = XTABLES_VERSION,
.name = "conntrack",
-@@ -1504,6 +1506,7 @@ static struct xtables_match conntrack_mt
+@@ -1496,6 +1498,7 @@ static struct xtables_match conntrack_mt
.x6_options = conntrack3_mt_opts,
.xlate = conntrack3_mt6_xlate,
},
@@ -24,7 +24,7 @@
{
.family = NFPROTO_UNSPEC,
.name = "state",
-@@ -1534,6 +1537,8 @@ static struct xtables_match conntrack_mt
+@@ -1526,6 +1529,8 @@ static struct xtables_match conntrack_mt
.x6_parse = state_ct23_parse,
.x6_options = state_opts,
},
@@ -33,7 +33,7 @@
{
.family = NFPROTO_UNSPEC,
.name = "state",
-@@ -1563,6 +1568,7 @@ static struct xtables_match conntrack_mt
+@@ -1555,6 +1560,7 @@ static struct xtables_match conntrack_mt
.x6_parse = state_parse,
.x6_options = state_opts,
},