path: root/package/network/utils/iptables/Makefile
Commit message | Author | Age | Files | Lines
* Revert "iptables: fix dependency for libip6tc on IPV6" | Petr Štetiar | 2018-12-18 | 1 | -2/+2
  This patch reverts commit 2dc1f54b1205094e7c6036cae6275d2c326bad3e as it
  breaks the build for me on x86-64 if I've IPV6 support disabled. Same
  config builds fine on `openwrt-18.06` branch at 55d078b2.
    $ grep IPV6 .config
    # CONFIG_KERNEL_IPV6 is not set
    # CONFIG_IPV6 is not set
  Build errors out on:
    Package libiptc is missing dependencies for the following libraries:
    libip6tc.so.0
  Looking at iptables-1.6.2/libiptc/Makefile.am:
    libiptc_la_LIBADD = libip4tc.la libip6tc.la
  and to iptables-1.6.2/libiptc/libiptc.pc.in:
    Requires: libip4tc libip6tc
  It seems that libiptc needs v4/v6 libs, so v6 isn't optional.
  Cc: Rosy Song <rosysong@rosinson.com>
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
  (backported from 1b4b942bcef8638a040788ab9ae94c66e38fd960)
* iptables: fix dependency for libip6tc on IPV6 | Rosy Song | 2018-12-18 | 1 | -2/+2
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
  (backported from 2dc1f54b1205094e7c6036cae6275d2c326bad3e)
* netfilter: add bpf match support | Alin Nastac | 2018-12-18 | 1 | -0/+1
  Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
  Match using Linux Socket Filter. Expects a BPF program in decimal format.
  This is the format generated by the nfbpf_compile utility.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  (backported from ab07ae2f27dd920cb7ba186d9f7ad2ccb1c980c4)
* iptables: set nonshared flag | John Crispin | 2018-06-22 | 1 | -0/+1
  this makes sure that offloading support is properly included for v4.14 targets.
  Signed-off-by: John Crispin <john@phrozen.org>
  (cherry picked from commit ebe1216c7cd10357c3277fb25bae4e508d4b165a)
* iptables: split physdev match out as a separate package | Matthias Schiffer | 2018-04-09 | 1 | -1/+10
  Split physdev match out of ipt-extra to allow installing ipt-extra without
  pulling in br-netfilter.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* iptables: update to 1.6.2 | Ansuel Smith | 2018-02-23 | 1 | -4/+5
  459b6932 policy: add nft translation for simple policy none/strict use case
  255e55b7 tests: xlate-test: no need to require superuser privileges
  6990bbc5 extensions: hashlimit: remove space before burst in translation to nft
  13ecaeb0 extensions: hashlimit: Rename 'flow table' keyword to meter
  c252a2b0 extensions: Add test for cluster nft translation
  bda1daa4 extensions: ip6t_{S,D}NAT: add more tests
  88fa4543 extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
  64a0e098 extensions: libxt_cluster: Add translation to nft
  6067208f extensions: add support for 'srh' match
  0f387b07 extensions: hashlimit: fix incorrect burst in translations
  1ffe6a74 extensions: libxt_hashlimit: Do not print default timeout and burst
  27de281d extensions: Add macro _DEFAULT_SOURCE.
  75364151 iptables: Remove const qualifier from struct option.
  8b0da213 iptables: masquerade: add randomize-full support
  e64db006 iptables: patch to correct linker flag sequence
  033eac81 extensions: libxt_tcpmss: Add test case for invalid ranges.
  505bfa11 iptables: xtables-eb: Remove const qualifier from struct option
  a6d6821a iptables: extensions: Fix MARK target help
  71de414c libxt_sctp: fix array out of range in print_chunk
  1a32381a extensions: add tests for ipcomp protocol
  4bd51770 tests: xlate: print output in same way as nft-test.py
  d0e3d95f libxt_recent: Remove ineffective checks for info->name
  23e6ed71 libxt_TOS: add tests for translation infrastructure
  9564595e Update .gitignore
  bebce197 iptables: iptables-compat translation for TCPMSS
  dbbab0aa extensions: libxt_tcpmss: Detect invalid ranges
  0e958281 iptables-translate: add test file for TCPMSS extension
  de3c68b6 iptables-compat: do not allow to delete populated user define chains
  f4b80ce7 iptables: change large file support handling
  f5b46c2f iptables: Constify option struct
  21ba5b38 ip{,6}tables-restore: Don't accept wait-interval without wait
  60e0ffd3 ip{,6}tables-restore: Don't ignore missing wait-interval value
  af468b6e utils: Add a man page for nfnl_osf
  1773dcaa utils: nfnl_osf: Fix synopsis in help text
  895ce096 extensions: libxt_bpf: fix missing __NR_bpf declaration
  3c633296 xtables-compat-restore: fix translation of mangle's OUTPUT
  1c32e560 netfilter: xt_hashlimit: add rate match mode
  b5331f88 xtables-compat: fix memory leak when listing
  91ae12e3 xtables-compat-restore: fix several memory leaks
  79e1edd1 iptables-xml: Fix segfault on jump without a target
  c49a93f1 xtables-translate: fix double space before comment
  79fa7cc2 libip6t_icmp6: xlate: remove leftover space
  8e62f572 tests: xlate: generalize owner
  8d994bcf iptables: Add file output option to iptables-save
  f8e5ebc5 iptables: Fix crash on malformed iptables-restore
  80d8bfaa iptables: insist that the lock is held.
  c29d99c8 libxtables: Display weird character warning for wildcards
  1fe96cfb tests: xlate: check if it is being run as root
  3f92b259 tests: xlate: remove python 3.5 dependency
  d89dc47a iptables-restore/save: exit when given an unknown option
  65801d02 iptables-restore.8: document -w/-W options
  9cd3adbe iptables-restore/ip6tables-restore: add --version/-V argument
  1ec1fb7a extensions: libxt_hashlimit: fix 64-bit printf formats
  27f69f4a iptables: extensions: Remove typedef in struct.
  340105fa tests: add regression tests for xtables-translate
  b669e184 extensions: libxt_TOS: Add translation to nft
  b2a84476 iptables: Remove unnecessary braces.
  2963a8df iptables: Remove explicit static variables initalization.
  1cf4ba6f iptables: Constify option struct
  999eaa24 iptables-restore: support acquiring the lock.
  6e2e169e iptables: remove duplicated argument parsing code
  836846f0 iptables: move XT_LOCK_NAME from CFLAGS to config.h.
  b91af533 iptables: set the path of the lock file via a configure option.
  0e94eb2e iptables-translate: print nft iff there are more expanded rules to print
  48ad179b libxtables: abolish AI_CANONNAME
  9f50bbdf libxtables: remove unnecessary nesting from host_to_ip(6)addr
  c6df55d6 iptables-translate: print nft command for each expand rules via dns names
  82dacbb8 xtables-translate: Avoid querying the kernel
  9f972f45 extensions: libxt_addrtype: Add translation to nft
  2c8e251e utils: nfsynproxy: fix build with musl libc
  9b8cb756 libiptc: don't set_changed() when checking rules with module jumps
  eb66632d extensions: libxt_hashlimit: Add translation to nft
  72bb3dbf xshared: using the blocking file lock request when we wait indefinitely
  24f81746 xshared: do not lock again and again if "-w" option is not specified
  fc3c3b4e libxt_hashlimit: add new unit test to catch kernel bug
  516d9191 iptables: update pf.os
  Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* iptables: Support building connlabel module | Kristian Evensen | 2018-02-13 | 1 | -0/+15
  It is currently possible to enable connlabel-support in iptables. However,
  in order for connlabel to work properly, the kernel module must also be
  present. This patch adds support for building the connlabel-module, and
  selects it by default when connlabel-support is enabled.
  Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
* iptables: make kmod-ipt-debug part of default ALL build | Yousong Zhou | 2018-01-26 | 1 | -2/+2
  The iptables TRACE target is only available in raw table that's why the
  dependency was moved from iptables-mod-trace into kmod-ipt-debug
  Fixes FS#1219
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* add PKG_CPE_ID ids to package and tools | Alexander Couzens | 2017-11-17 | 1 | -0/+1
  CPE ids help to track CVE in packages.
  https://cpe.mitre.org/specification/
  Thanks to swalker for CPE to package mapping and keep tracking CVEs.
  Acked-by: Jo-Philipp Wich <jo@mein.io>
  Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* netfilter, iptables: add optional CHECKSUM module | Denis Osvald | 2017-11-06 | 1 | -0/+10
  Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
* iptables: Fix target TRACE issue | Martin Wetterwald | 2017-10-27 | 1 | -0/+15
  The package kmod-ipt-debug builds the module xt_TRACE, which allows users
  to use '-j TRACE' as target in the chain PREROUTING of the table raw in
  iptables.
  The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
  that this feature which is implemented deep inside the linux IP stack
  (for example in sk_buff) is compiled.
  But a strace of
    iptables -t raw -I PREROUTING -p icmp -j TRACE
  reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so,
  which fails as this dynamic library is not present on the system.
  I created the package iptables-mod-trace which takes care of that, and
  target TRACE now works!
  https://dev.openwrt.org/ticket/16694
  https://dev.openwrt.org/ticket/19661
  Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
  [Jo-Philipp Wich: also remove trace extension from builtin extension list
  and depend on kmod-ipt-raw since it's required for rules]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
  Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
* netfilter: add iptables-mod-rpfilter package | Alin Nastac | 2017-07-11 | 1 | -0/+14
  Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule
    iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
  prevents the conntrack table from becoming full when a packet flood with
  randomly selected source IP addresses is received from the lan side.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
* iptables: fix wrong depends for nftables support (FS#707) | Ansuel Smith | 2017-04-22 | 1 | -1/+1
  The dep for the nftables support was wrong; if someone actually enables
  that option, they get a compilation error. This fixes the problem.
  Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* iptables: set ABI_VERSION to force rebuild of dependent packages | Felix Fietkau | 2017-04-12 | 1 | -0/+4
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: bump to 1.6.1 | Ansuel Smith | 2017-04-12 | 1 | -9/+27
  Switch to git repo
  Removed musl patch
  Refreshed existing patch
  Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
  Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
* build: use mkhash to replace various quirky md5sum/openssl calls | Felix Fietkau | 2017-01-05 | 1 | -1/+1
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashes | Felix Fietkau | 2016-12-16 | 1 | -1/+1
  Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: using external kernel tree should not alter patch behaviour. | Felix Fietkau | 2016-02-07 | 1 | -4/+0
  iptables is the only exception in the package tree, causing patch
  behaviour to be inconsistent on this package.
  Signed-off-by: Rick van der Zwet <rick.vanderzwet@anywi.com>
  SVN-Revision: 48643
* iptables: improve iptables listing output of xt_id match | Jo-Philipp Wich | 2016-01-24 | 1 | -2/+2
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 48478
* iptables: fix rebuild errors on configuration changes | Felix Fietkau | 2016-01-18 | 1 | -0/+14
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 48314
* iptables: reduce binary size | Jo-Philipp Wich | 2015-05-26 | 1 | -4/+9
  * drop unused lenient restore patch
  * instead of statically linking core extensions, build shared libraries
    for reuse in fw3
  * strip outdated match revisions and aliases to trim down library size
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 45758
* iptables: remove layer7 leftovers (#19506) | Felix Fietkau | 2015-04-17 | 1 | -6/+1
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45481
* iptables: remove layer7 support | Felix Fietkau | 2015-04-13 | 1 | -1/+0
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 45424
* iptables: revert r40916 | John Crispin | 2015-04-10 | 1 | -1/+1
  it causes problems with newer iptables when ipv6 is disabled as iptc
  unconditionally links ip6tc
  Signed-off-by: John Crispin <blogic@openwrt.org>
  SVN-Revision: 45350
* netfilter: Enable compiling iptables match cluster | Felix Fietkau | 2014-11-03 | 1 | -0/+42
  This patch adds the userspace and kernelspace for
  - match NETFILTER_XT_MATCH_CLUSTER
    This match can be used to deploy gateway and back-end load-sharing
    clusters.
  - target IP_NF_TARGET_CLUSTERIP
    This module allows you to configure a simple cluster of nodes that
    share a certain IP and MAC address without an explicit load balancer in
    front of them. Connections are statically distributed between the nodes
    in this cluster.
  This is used i.e. by strongswan-ha.
  Signed-off-by: Christian Scheele <cs@embedd.com>
  SVN-Revision: 43174
* license info - revert r43155 | John Crispin | 2014-11-03 | 1 | -3/+0
  turns out that r43155 adds duplicate info.
  Signed-off-by: John Crispin <blogic@openwrt.org>
  SVN-Revision: 43167
* Add more license tags with SPDX identifiers | John Crispin | 2014-11-03 | 1 | -0/+3
  Note, that licensing stuff is a nightmare: many packages do not clearly
  state their licenses, and often multiple source files are simply copied
  together - each with different licensing information in the file headers.
  I tried hard to ensure, that the license information extracted into the
  OpenWRT's makefiles fit the "spirit" of the packages, e.g. such small
  packages which come without a dedicated source archive "inherit" the
  OpenWRT's own license in my opinion.
  However, I can not guarantee that I always picked the correct information
  and/or did not miss license information.
  Signed-off-by: Michael Heimpold <mhei@heimpold.de>
  SVN-Revision: 43155
* Add a few SPDX tags | Steven Barth | 2014-11-02 | 1 | -0/+1
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43151
* iptables: add kmod-ipt-nf* to dependency list of iptables-mod-nf*. | Steven Barth | 2014-08-07 | 1 | -2/+2
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
  SVN-Revision: 42034
* iptables: NFLOG and NFQUEUE targets' full support | Steven Barth | 2014-08-07 | 1 | -0/+28
  NFLOG and NFQUEUE targets' full support for iptables.
  Includes all needed kernel modules (Xtables's and Netlink's) and
  userspace libraries.
  All added kernel modules can be individually disabled, all other new
  libraries get their own individual packages.
  Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
  Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
  Reported-by: Derek LaHousse <dlahouss@mtu.edu>
  Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>
  SVN-Revision: 42022
* iptables: pass --disable-ipv6 is CONFIG_IPV6 is unset | Jo-Philipp Wich | 2014-07-02 | 1 | -1/+2
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
  SVN-Revision: 41458
* netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage) | Felix Fietkau | 2014-06-02 | 1 | -0/+11
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 40983
* iptables: Makefile: only build ip6tc, if IPv6 is enabled | John Crispin | 2014-06-02 | 1 | -1/+1
  when disabling ipv6, the iptables build breaks without a manual clean or
  this patch
  Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
  SVN-Revision: 40916
* iptables/netfilter: add connlimit to conntrack-extra | Steven Barth | 2014-03-11 | 1 | -0/+1
  SVN-Revision: 39878
* iptables: bump to 1.4.21 | Steven Barth | 2014-03-11 | 1 | -2/+2
  SVN-Revision: 39877
* netfilter: Add IPv6-NAT support for kernel and ipt Thanks to Berni, Adam Novak and Sedat Dilek for patches and inspiration | Steven Barth | 2013-09-01 | 1 | -0/+12
  SVN-Revision: 37866
* iptables: Update to 1.4.20 | Steven Barth | 2013-09-01 | 1 | -3/+3
  SVN-Revision: 37865
* Bump iptables version | Steven Barth | 2013-07-15 | 1 | -1/+1
  SVN-Revision: 37329
* iptables: install libext*.a into staging dir | Jo-Philipp Wich | 2013-06-06 | 1 | -0/+4
  SVN-Revision: 36867
* iptables: bump to 1.4.19.1 | Steven Barth | 2013-05-29 | 1 | -3/+3
  SVN-Revision: 36760
* netfilter: move time, mark, set matches and MARK, REDIRECT, SET targets into base iptables package - drop iptables-mod-ipset | Jo-Philipp Wich | 2013-05-21 | 1 | -21/+14
  SVN-Revision: 36683
* iptables: use -ffunction-sections, -fdata-sections and --gc-sections | Jo-Philipp Wich | 2013-05-21 | 1 | -2/+6
  SVN-Revision: 36680
* package: fold the IPv6 menu into Network | Felix Fietkau | 2013-05-14 | 1 | -1/+1
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 36634
* Fix install of iptables pkg-config files. | Jo-Philipp Wich | 2013-05-02 | 1 | -1/+1
  libiptc.pc depends on libip[4|6]tc.pc, thus all of those need to be
  installed.
  Should fix collectd build and thus #13146; which should make collectd
  appear in snapshots again.
  Signed-off-by: Danny Baumann <dannybaumann@web.de>
  SVN-Revision: 36509
* iptables: don't use --enable-ipv6 if IPv6 is disabled | Steven Barth | 2013-03-25 | 1 | -2/+1
  SVN-Revision: 36125
* iptables: Add missing IPv6 builtin modules | Steven Barth | 2013-03-07 | 1 | -3/+3
  SVN-Revision: 35898
* iptables: redo update to 1.4.18 with old linking-behaviour | Steven Barth | 2013-03-06 | 1 | -18/+11
  SVN-Revision: 35896
* Revert "iptables: update to 1.4.18" due to toolchain-issue: binaries cause segfaults when stripped on ar71xx | Steven Barth | 2013-03-06 | 1 | -11/+18
  SVN-Revision: 35894
* iptables: update to 1.4.18 | Steven Barth | 2013-03-05 | 1 | -18/+11
  SVN-Revision: 35892
* iptables: fix bad PKG_RELEASE in previous commit | Jo-Philipp Wich | 2013-02-11 | 1 | -1/+1
  SVN-Revision: 35569