2 # Copyright (C) 2006-2016 OpenWrt.org
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
# Upstream source pin: the tree is fetched over HTTPS from the netfilter.org
# git server at one exact commit id rather than a branch or tag name, so the
# input to the build cannot move underneath it.
16 PKG_SOURCE_URL:=https://git.netfilter.org/iptables
17 PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
# Checksum of the source archive generated from that commit (64 hex digits,
# presumably SHA-256). Regenerate it whenever PKG_SOURCE_VERSION changes and
# do not blank it or set it to "skip" to get a build through: it is what lets
# the build reject a stale or tampered copy served by a download mirror.
18 PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14
26 include $(INCLUDE_DIR)/package.mk
# The leading '-' makes a missing kernel .config non-fatal: the include is
# silently skipped and the CONFIG_* symbols it would define stay unset.
28 -include $(LINUX_DIR)/.config
29 include $(INCLUDE_DIR)/netfilter.mk
# Append a fingerprint of the kernel's NETFILTER-related config lines to the
# configure stamp name, so a change in those lines produces a different stamp.
# md5 is used here purely as a change detector, not as an integrity control.
# NOTE(review): the grep runs at parse time against the same .config that the
# '-include' above tolerates being absent; in that case the fingerprint is
# computed over empty input - confirm that is the intended fallback.
30 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
# Metadata shared by every package in this Makefile; the other Package/*
# definitions inherit it through $(call Package/iptables/Default).
# NOTE(review): the project URL below is plain http://. It looks like
# descriptive metadata only (sources are fetched from PKG_SOURCE_URL), but an
# https:// link would avoid pointing readers at an unauthenticated page.
34 define Package/iptables/Default
38 URL:=http://netfilter.org/
# Template for the iptables-mod-* extension packages: $(1) is the extra
# dependency string appended after the hard dependency on iptables itself.
41 define Package/iptables/Module
42 $(call Package/iptables/Default)
43 DEPENDS:=iptables $(1)
# The main iptables package. '+pkg' entries are selected together with the
# package; '+IPV6:libip6tc' is only pulled in when IPV6 is enabled.
46 define Package/iptables
47 $(call Package/iptables/Default)
48 TITLE:=IP firewall administration tool
50 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
# Build-time switches offered in the package configuration menu. Elsewhere in
# this file an unset CONFIG_IPTABLES_CONNLABEL / CONFIG_IPTABLES_NFTABLES is
# turned into --disable-connlabel / --disable-nftables on the configure line,
# so a feature that is not selected is configured out rather than shipped.
53 define Package/iptables/config
54 config IPTABLES_CONNLABEL
55 bool "Enable Connlabel support"
58 This enable connlabel support in iptables.
60 config IPTABLES_NFTABLES
61 bool "Enable Nftables support"
64 This enable nftables support in iptables.
# Long description shown for the main iptables package.
67 define Package/iptables/description
68 IP firewall administration tool.
# Optional extension packages. Each iptables-mod-* package is declared through
# Package/iptables/Module, so it depends on iptables and selects the kernel
# module package(s) named in the argument. Keeping them as separate packages
# lets an image carry only the match/target code its ruleset actually needs.
106 define Package/iptables-mod-conntrack-extra
107 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
108 TITLE:=Extra connection tracking extensions
111 define Package/iptables-mod-conntrack-extra/description
112 Extra iptables extensions for connection tracking.
# Packet content inspection matches.
126 define Package/iptables-mod-filter
127 $(call Package/iptables/Module, +kmod-ipt-filter)
128 TITLE:=Content inspection extensions
131 define Package/iptables-mod-filter/description
132 iptables extensions for packet content inspection.
133 Includes support for:
# Matches and targets that read or rewrite IP packet options.
140 define Package/iptables-mod-ipopt
141 $(call Package/iptables/Module, +kmod-ipt-ipopt)
142 TITLE:=IP/Packet option extensions
145 define Package/iptables-mod-ipopt/description
146 iptables extensions for matching/changing IP packet options.
# Matches for IPsec traffic.
165 define Package/iptables-mod-ipsec
166 $(call Package/iptables/Module, +kmod-ipt-ipsec)
167 TITLE:=IPsec extensions
170 define Package/iptables-mod-ipsec/description
171 iptables extensions for matching ipsec traffic.
# Additional NAT targets.
180 define Package/iptables-mod-nat-extra
181 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
182 TITLE:=Extra NAT extensions
185 define Package/iptables-mod-nat-extra/description
186 iptables extensions for extra NAT targets.
# ULOG, NFLOG and NFQUEUE (the next three packages) pass packets to user space
# for logging or queuing.
# NOTE(review): whatever process consumes that log or queue should be treated
# as part of the firewall's trust boundary - install these only where such a
# consumer is actually deployed.
193 define Package/iptables-mod-ulog
194 $(call Package/iptables/Module, +kmod-ipt-ulog)
195 TITLE:=user-space packet logging
198 define Package/iptables-mod-ulog/description
199 iptables extensions for user-space packet logging.
# NFLOG selects two kernel module packages: the nfnetlink log transport and
# the NFLOG target itself.
206 define Package/iptables-mod-nflog
207 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
208 TITLE:=Netfilter NFLOG target
211 define Package/iptables-mod-nflog/description
212 iptables extension for user-space logging via NFNETLINK.
# NFQUEUE likewise selects the nfnetlink queue transport plus the target.
219 define Package/iptables-mod-nfqueue
220 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
221 TITLE:=Netfilter NFQUEUE target
224 define Package/iptables-mod-nfqueue/description
225 iptables extension for user-space queuing via NFNETLINK.
# hashlimit match.
232 define Package/iptables-mod-hashlimit
233 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
234 TITLE:=hashlimit matching
237 define Package/iptables-mod-hashlimit/description
238 iptables extensions for hashlimit matching
# Match on IP address ranges.
245 define Package/iptables-mod-iprange
246 $(call Package/iptables/Module, +kmod-ipt-iprange)
247 TITLE:=IP range extension
250 define Package/iptables-mod-iprange/description
251 iptables extensions for matching ip ranges.
# 'cluster' match for load sharing between firewall/server nodes.
# NOTE(review): per the description below, every node sees every packet and
# the match only decides which node handles it, so each node is exposed to the
# full traffic stream and needs the same ruleset and hardening.
258 define Package/iptables-mod-cluster
259 $(call Package/iptables/Module, +kmod-ipt-cluster)
260 TITLE:=Match cluster extension
263 define Package/iptables-mod-cluster/description
264 iptables extensions for matching cluster.
266 Netfilter (IPv4/IPv6) module for matching cluster
267 This option allows you to build work-load-sharing clusters of
268 network servers/stateful firewalls without having a dedicated
269 load-balancing router/server/switch. Basically, this match returns
270 true when the packet must be handled by this cluster node. Thus,
271 all nodes see all packets and this match decides which node handles
272 what packets. The work-load sharing algorithm is based on source
275 This module is usable for ipv4 and ipv6.
277 If you select it, it enables kmod-ipt-cluster.
279 see `iptables -m cluster --help` for more information.
# CLUSTERIP target: load balancing without a dedicated balancer, per the
# description below.
282 define Package/iptables-mod-clusterip
283 $(call Package/iptables/Module, +kmod-ipt-clusterip)
284 TITLE:=Clusterip extension
287 define Package/iptables-mod-clusterip/description
288 iptables extensions for CLUSTERIP.
289 The CLUSTERIP target allows you to build load-balancing clusters of
290 network servers without having a dedicated load-balancing
291 router/server/switch.
293 If you select it, it enables kmod-ipt-clusterip.
295 see `iptables -j CLUSTERIP --help` for more information.
# Catch-all package for remaining extensions; the description notes that
# physdev is only included when ebtables is enabled.
298 define Package/iptables-mod-extra
299 $(call Package/iptables/Module, +kmod-ipt-extra)
300 TITLE:=Other extra iptables extensions
303 define Package/iptables-mod-extra/description
304 Other extra iptables extensions.
310 - physdev (if ebtables is enabled)
# LED trigger extension.
316 define Package/iptables-mod-led
317 $(call Package/iptables/Module, +kmod-ipt-led)
318 TITLE:=LED trigger iptables extension
321 define Package/iptables-mod-led/description
322 iptables extension for triggering a LED.
# Transparent proxy extensions.
329 define Package/iptables-mod-tproxy
330 $(call Package/iptables/Module, +kmod-ipt-tproxy)
331 TITLE:=Transparent proxy iptables extensions
334 define Package/iptables-mod-tproxy/description
335 Transparent proxy iptables extensions.
# TEE extensions.
345 define Package/iptables-mod-tee
346 $(call Package/iptables/Module, +kmod-ipt-tee)
347 TITLE:=TEE iptables extensions
350 define Package/iptables-mod-tee/description
351 TEE iptables extensions.
# U32 extensions.
358 define Package/iptables-mod-u32
359 $(call Package/iptables/Module, +kmod-ipt-u32)
360 TITLE:=U32 iptables extensions
363 define Package/iptables-mod-u32/description
364 U32 iptables extensions.
# IPv6 front end: only offered when IPV6 is enabled ('@IPV6'), and selects the
# ip6tables kernel modules plus the base iptables package.
371 define Package/ip6tables
372 $(call Package/iptables/Default)
373 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
375 TITLE:=IPv6 firewall administration tool
# IPv6 header matching extensions; depends on ip6tables and selects
# kmod-ip6tables-extra.
380 define Package/ip6tables-extra
381 $(call Package/iptables/Default)
382 DEPENDS:=ip6tables +kmod-ip6tables-extra
383 TITLE:=IPv6 header matching modules
# NOTE(review): this description is registered under 'ip6tables-mod-extra',
# but the package defined just above is 'ip6tables-extra'. The names do not
# match, so the text is presumably never attached to that package; confirm
# and rename to Package/ip6tables-extra/description if so.
386 define Package/ip6tables-mod-extra/description
387 iptables header matching modules for IPv6
# IPv6 NAT targets; depends on ip6tables and selects kmod-ipt-nat6.
390 define Package/ip6tables-mod-nat
391 $(call Package/iptables/Default)
392 DEPENDS:=ip6tables +kmod-ipt-nat6
393 TITLE:=IPv6 NAT extensions
396 define Package/ip6tables-mod-nat/description
397 iptables extensions for IPv6-NAT targets.
# Compatibility stub: selects libip4tc, libip6tc and libxtables, the three
# libraries that are packaged separately below.
400 define Package/libiptc
401 $(call Package/iptables/Default)
404 DEPENDS:=+libip4tc +libip6tc +libxtables
405 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
# IPv4 half of the libiptc library.
408 define Package/libip4tc
409 $(call Package/iptables/Default)
412 TITLE:=IPv4 firewall - shared libiptc library
# IPv6 half of the libiptc library.
416 define Package/libip6tc
417 $(call Package/iptables/Default)
420 TITLE:=IPv6 firewall - shared libiptc library
# Shared xtables library. The two '+SYMBOL:pkg' entries at the end (presumably
# the tail of its DEPENDS list) add libnetfilter-conntrack and libnfnetlink
# only when the matching IPTABLES_CONNLABEL / IPTABLES_NFTABLES option is on.
424 define Package/libxtables
425 $(call Package/iptables/Default)
428 TITLE:=IPv4/IPv6 firewall - shared xtables library
430 +IPTABLES_CONNLABEL:libnetfilter-conntrack \
431 +IPTABLES_NFTABLES:libnfnetlink
435 -I$(PKG_BUILD_DIR)/include \
436 -I$(LINUX_DIR)/user_headers/include \
440 -I$(PKG_BUILD_DIR)/include \
441 -I$(LINUX_DIR)/user_headers/include \
442 -ffunction-sections -fdata-sections \
452 --with-kernel="$(LINUX_DIR)/user_headers" \
453 --with-xtlibdir=/usr/lib/iptables \
454 $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
455 $(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
456 $(if $(CONFIG_IPV6),,--disable-ipv6)
459 $(TARGET_CONFIGURE_OPTS) \
460 COPT_FLAGS="$(TARGET_CFLAGS)" \
461 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
462 KBUILD_OUTPUT="$(LINUX_DIR)" \
463 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
# If the .config_* marker found in the build directory does not match the one
# derived from the current STAMP_CONFIGURED (i.e. the kernel's NETFILTER
# options changed since the last configure), define a rebuild step that
# deletes stale objects and archives (*.o, *.?o such as .lo/.so, *.a), drops
# the old markers and stamps, and touches a marker for the new fingerprint.
# NOTE(review): every path here is built from $(PKG_BUILD_DIR); if that were
# ever empty the rm globs would resolve at the filesystem root. It is
# presumably always set by package.mk - confirm, or guard with $(error ...).
# NOTE(review): 'find | xargs rm' splits on whitespace in file names; that is
# fine for this source tree as far as can be told, but not in general.
465 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
466 define Build/Configure/rebuild
467 $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
468 rm -f $(PKG_BUILD_DIR)/.config_*
469 rm -f $(PKG_BUILD_DIR)/.configured_*
470 touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
# Configure step: run the rebuild hook first (it expands to nothing when the
# conditional above did not define it), then the default configure.
474 define Build/Configure
475 $(Build/Configure/rebuild)
476 $(Build/Configure/Default)
# Install headers, shared libraries and pkg-config files for other packages
# to build against; $(1) is the destination root.
# Two different sources are used: $(PKG_INSTALL_DIR) holds what the package's
# own install step produced, while several headers and the libiptext*.so
# libraries are copied straight from the build tree ($(PKG_BUILD_DIR)), as
# the XXX comments explain.
# NOTE(review): files taken from the build tree bypass the upstream install
# step, so they are not covered by whatever it installs or omits on purpose;
# re-check these copies when the pinned source version changes.
479 define Build/InstallDev
480 $(INSTALL_DIR) $(1)/usr/include
481 $(INSTALL_DIR) $(1)/usr/include/iptables
482 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
484 # XXX: iptables header fixup, some headers are not installed by iptables anymore
485 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
486 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
487 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
488 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
489 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
491 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
492 $(INSTALL_DIR) $(1)/usr/lib
493 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
494 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
495 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
496 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
497 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
499 # XXX: needed by firewall3
500 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
# Per-package install steps; $(1) is the package's root directory.
# iptables: the xtables-multi binary plus the iptables, iptables-restore and
# iptables-save entries, and an (initially empty) /usr/lib/iptables directory
# for extension libraries.
# NOTE(review): 'iptables{,-restore,-save}' relies on shell brace expansion,
# which plain POSIX sh does not provide; this presumably works because the
# build system runs recipes under bash - confirm before reusing elsewhere.
503 define Package/iptables/install
504 $(INSTALL_DIR) $(1)/usr/sbin
505 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
506 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
507 $(INSTALL_DIR) $(1)/usr/lib/iptables
# ip6tables: the three IPv6 command names only (same brace-expansion caveat).
510 define Package/ip6tables/install
511 $(INSTALL_DIR) $(1)/usr/sbin
512 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
# libiptc compatibility stub: ships libiptc.so*.
515 define Package/libiptc/install
516 $(INSTALL_DIR) $(1)/usr/lib
517 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
# libip4tc, libip6tc and libxtables each ship their own library from the
# install tree plus one libiptext*.so taken directly from the build tree's
# extensions/ directory.
520 define Package/libip4tc/install
521 $(INSTALL_DIR) $(1)/usr/lib
522 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
523 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
526 define Package/libip6tc/install
527 $(INSTALL_DIR) $(1)/usr/lib
528 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
529 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
532 define Package/libxtables/install
533 $(INSTALL_DIR) $(1)/usr/lib
534 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
535 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
# Generated install step for a plugin package (presumably the body of the
# BuildPlugin template used by the $(eval $(call BuildPlugin,...)) lines; its
# own 'define' header is not part of this listing). $(1) is the package name
# and $(2) the list of extension names.
# For each name the loop tries the xt_/ipt_/ip6t_ spellings and copies
# lib<name>.so from the install tree into /usr/lib/iptables when it exists.
# '$$(1)' and the long run of '$' before {m} are escaped so that they survive
# the template's rounds of make expansion and reach the shell as ${m}.
# NOTE(review): a library that is missing from the install tree is skipped
# without any message, so a plugin package can be produced with fewer
# extensions than its name suggests; rules using them would then fail to load
# on the device. Consider checking package contents after a version bump.
539 define Package/$(1)/install
540 $(INSTALL_DIR) $$(1)/usr/lib/iptables
541 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
542 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
543 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
549 $$(eval $$(call BuildPackage,$(1)))
# Register every package with the build system. BuildPackage is used for the
# packages that have a hand-written install step above; BuildPlugin is used
# for the extension packages and takes the package name plus the list of
# extension names to ship (the IPT_*-m variables, presumably provided by the
# netfilter.mk include near the top of this file).
# NOTE(review): if one of those lists expands to nothing, the generated
# install loop has nothing to copy - confirm the resulting package contents.
552 $(eval $(call BuildPackage,iptables))
553 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
554 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
555 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
556 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
557 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
558 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
559 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
560 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
561 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
562 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
563 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
564 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
565 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
566 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
567 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
568 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
569 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
# IPv6 command package and its two plugin packages.
570 $(eval $(call BuildPackage,ip6tables))
571 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
572 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
# Shared libraries.
573 $(eval $(call BuildPackage,libiptc))
574 $(eval $(call BuildPackage,libip4tc))
575 $(eval $(call BuildPackage,libip6tc))
576 $(eval $(call BuildPackage,libxtables))