2 # Copyright (C) 2006-2016 OpenWrt.org
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
# Source pinning: the upstream tree is fetched over https and fixed to one
# full commit id, so the build does not follow a moving branch or tag.
# In the OpenWrt build system PKG_MIRROR_HASH is the checksum that the packed
# source tarball is compared against. When PKG_SOURCE_VERSION is bumped, the
# hash has to be regenerated and reviewed in the same change, never left
# stale or skipped.
16 PKG_SOURCE_URL:=https://git.netfilter.org/iptables
17 PKG_SOURCE_VERSION:=c16bdec15137b241586310d0e61bc88cc3726004
18 PKG_MIRROR_HASH:=72e4bec94a56dd600097846c773e1074ff705e38f800ef221db646c064371a53
# CPE identifier for this package; presumably consumed by vulnerability
# tracking to map published advisories onto the package -- confirm it still
# matches the upstream vendor/product naming when the source is updated.
25 PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
27 include $(INCLUDE_DIR)/package.mk
# The kernel .config is read with "-include", so a missing file is not an
# error at parse time.
29 -include $(LINUX_DIR)/.config
30 include $(INCLUDE_DIR)/netfilter.mk
# STAMP_CONFIGURED gets a suffix computed from every kernel config line that
# mentions NETFILTER, so changing kernel netfilter options changes the stamp
# name (the rebuild check further down compares against it). MD5 serves only
# as a change fingerprint here, not as an integrity check.
# NOTE(review): if the kernel .config is absent, grep prints nothing and the
# suffix is the hash of empty input -- confirm that is the intended fallback.
31 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
# Fields shared by every package built from this Makefile; the other package
# definitions pull it in with a call to Package/iptables/Default.
# NOTE(review): the project URL in this block is plain http while
# PKG_SOURCE_URL uses https. In the lines shown it is metadata only, but an
# https link would be consistent and cannot be rewritten in transit.
35 define Package/iptables/Default
39 URL:=http://netfilter.org/
# Template for the extension packages: it takes the shared defaults and makes
# the package depend on the base iptables package plus whatever dependency
# string the caller passes as the first argument (the kmod-* packages used by
# the module definitions in this file).
42 define Package/iptables/Module
43 $(call Package/iptables/Default)
44 DEPENDS:=iptables $(1)
47 define Package/iptables
48 $(call Package/iptables/Default)
49 TITLE:=IP firewall administration tool
51 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
# Build-time options offered for the iptables package. Their CONFIG_ symbols
# are tested further down in this file: when an option is off, configure is
# run with --disable-connlabel or --disable-nftables, and the conditional
# library dependencies on libnetfilter-conntrack and libnftnl are keyed on the
# same option names. Leaving an unused feature off therefore also keeps its
# support library from being pulled in as a dependency.
54 define Package/iptables/config
55 config IPTABLES_CONNLABEL
56 bool "Enable Connlabel support"
59 This enable connlabel support in iptables.
61 config IPTABLES_NFTABLES
62 bool "Enable Nftables support"
65 This enable nftables support in iptables.
68 define Package/iptables/description
69 IP firewall administration tool.
108 define Package/iptables-mod-conntrack-extra
109 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
110 TITLE:=Extra connection tracking extensions
113 define Package/iptables-mod-conntrack-extra/description
114 Extra iptables extensions for connection tracking.
128 define Package/iptables-mod-conntrack-label
129 $(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
130 TITLE:=Connection tracking labeling extension
131 DEFAULT:=y if IPTABLES_CONNLABEL
134 define Package/iptables-mod-conntrack-label/description
135 Match and set label(s) on connection tracking entries
142 define Package/iptables-mod-filter
143 $(call Package/iptables/Module, +kmod-ipt-filter)
144 TITLE:=Content inspection extensions
147 define Package/iptables-mod-filter/description
148 iptables extensions for packet content inspection.
149 Includes support for:
156 define Package/iptables-mod-ipopt
157 $(call Package/iptables/Module, +kmod-ipt-ipopt)
158 TITLE:=IP/Packet option extensions
161 define Package/iptables-mod-ipopt/description
162 iptables extensions for matching/changing IP packet options.
181 define Package/iptables-mod-ipsec
182 $(call Package/iptables/Module, +kmod-ipt-ipsec)
183 TITLE:=IPsec extensions
186 define Package/iptables-mod-ipsec/description
187 iptables extensions for matching ipsec traffic.
196 define Package/iptables-mod-nat-extra
197 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
198 TITLE:=Extra NAT extensions
201 define Package/iptables-mod-nat-extra/description
202 iptables extensions for extra NAT targets.
209 define Package/iptables-mod-ulog
210 $(call Package/iptables/Module, +kmod-ipt-ulog)
211 TITLE:=user-space packet logging
214 define Package/iptables-mod-ulog/description
215 iptables extensions for user-space packet logging.
222 define Package/iptables-mod-nflog
223 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
224 TITLE:=Netfilter NFLOG target
227 define Package/iptables-mod-nflog/description
228 iptables extension for user-space logging via NFNETLINK.
235 define Package/iptables-mod-trace
236 $(call Package/iptables/Module, +kmod-ipt-debug)
237 TITLE:=Netfilter TRACE target
240 define Package/iptables-mod-trace/description
241 iptables extension for TRACE target
249 define Package/iptables-mod-nfqueue
250 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
251 TITLE:=Netfilter NFQUEUE target
254 define Package/iptables-mod-nfqueue/description
255 iptables extension for user-space queuing via NFNETLINK.
262 define Package/iptables-mod-hashlimit
263 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
264 TITLE:=hashlimit matching
267 define Package/iptables-mod-hashlimit/description
268 iptables extensions for hashlimit matching
275 define Package/iptables-mod-rpfilter
276 $(call Package/iptables/Module, +kmod-ipt-rpfilter)
277 TITLE:=rpfilter iptables extension
280 define Package/iptables-mod-rpfilter/description
281 iptables extensions for reverse path filter test on a packet
288 define Package/iptables-mod-iprange
289 $(call Package/iptables/Module, +kmod-ipt-iprange)
290 TITLE:=IP range extension
293 define Package/iptables-mod-iprange/description
294 iptables extensions for matching ip ranges.
301 define Package/iptables-mod-cluster
302 $(call Package/iptables/Module, +kmod-ipt-cluster)
303 TITLE:=Match cluster extension
306 define Package/iptables-mod-cluster/description
307 iptables extensions for matching cluster.
309 Netfilter (IPv4/IPv6) module for matching cluster
310 This option allows you to build work-load-sharing clusters of
311 network servers/stateful firewalls without having a dedicated
312 load-balancing router/server/switch. Basically, this match returns
313 true when the packet must be handled by this cluster node. Thus,
314 all nodes see all packets and this match decides which node handles
315 what packets. The work-load sharing algorithm is based on source
318 This module is usable for ipv4 and ipv6.
320 If you select it, it enables kmod-ipt-cluster.
322 see `iptables -m cluster --help` for more information.
325 define Package/iptables-mod-clusterip
326 $(call Package/iptables/Module, +kmod-ipt-clusterip)
327 TITLE:=Clusterip extension
330 define Package/iptables-mod-clusterip/description
331 iptables extensions for CLUSTERIP.
332 The CLUSTERIP target allows you to build load-balancing clusters of
333 network servers without having a dedicated load-balancing
334 router/server/switch.
336 If you select it, it enables kmod-ipt-clusterip.
338 see `iptables -j CLUSTERIP --help` for more information.
341 define Package/iptables-mod-extra
342 $(call Package/iptables/Module, +kmod-ipt-extra)
343 TITLE:=Other extra iptables extensions
346 define Package/iptables-mod-extra/description
347 Other extra iptables extensions.
358 define Package/iptables-mod-physdev
359 $(call Package/iptables/Module, +kmod-ipt-physdev)
360 TITLE:=physdev iptables extension
363 define Package/iptables-mod-physdev/description
364 The iptables physdev match.
367 define Package/iptables-mod-led
368 $(call Package/iptables/Module, +kmod-ipt-led)
369 TITLE:=LED trigger iptables extension
372 define Package/iptables-mod-led/description
373 iptables extension for triggering a LED.
380 define Package/iptables-mod-tproxy
381 $(call Package/iptables/Module, +kmod-ipt-tproxy)
382 TITLE:=Transparent proxy iptables extensions
385 define Package/iptables-mod-tproxy/description
386 Transparent proxy iptables extensions.
396 define Package/iptables-mod-tee
397 $(call Package/iptables/Module, +kmod-ipt-tee)
398 TITLE:=TEE iptables extensions
401 define Package/iptables-mod-tee/description
402 TEE iptables extensions.
409 define Package/iptables-mod-u32
410 $(call Package/iptables/Module, +kmod-ipt-u32)
411 TITLE:=U32 iptables extensions
414 define Package/iptables-mod-u32/description
415 U32 iptables extensions.
422 define Package/iptables-mod-checksum
423 $(call Package/iptables/Module, +kmod-ipt-checksum)
424 TITLE:=IP CHECKSUM target extension
427 define Package/iptables-mod-checksum/description
428 iptables extension for the CHECKSUM calculation target
431 define Package/ip6tables
432 $(call Package/iptables/Default)
433 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
435 TITLE:=IPv6 firewall administration tool
440 define Package/ip6tables-extra
441 $(call Package/iptables/Default)
442 DEPENDS:=ip6tables +kmod-ip6tables-extra
443 TITLE:=IPv6 header matching modules
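# Description text for the ip6tables-extra package. The define name has to
# match the package name that is declared (Package/ip6tables-extra) and
# instantiated through BuildPlugin in this file; in the lines shown no package
# exists under the former ip6tables-mod-extra name, so the text was attached
# to nothing.
446 define Package/ip6tables-extra/description
447 iptables header matching modules for IPv6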
450 define Package/ip6tables-mod-nat
451 $(call Package/iptables/Default)
452 DEPENDS:=ip6tables +kmod-ipt-nat6
453 TITLE:=IPv6 NAT extensions
456 define Package/ip6tables-mod-nat/description
457 iptables extensions for IPv6-NAT targets.
460 define Package/libiptc
461 $(call Package/iptables/Default)
464 DEPENDS:=+libip4tc +libip6tc +libxtables
465 ABI_VERSION:=$(PKG_VERSION)
466 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
469 define Package/libip4tc
470 $(call Package/iptables/Default)
473 TITLE:=IPv4 firewall - shared libiptc library
474 ABI_VERSION:=$(PKG_VERSION)
478 define Package/libip6tc
479 $(call Package/iptables/Default)
482 TITLE:=IPv6 firewall - shared libiptc library
483 ABI_VERSION:=$(PKG_VERSION)
487 define Package/libxtables
488 $(call Package/iptables/Default)
491 TITLE:=IPv4/IPv6 firewall - shared xtables library
492 ABI_VERSION:=$(PKG_VERSION)
494 +IPTABLES_CONNLABEL:libnetfilter-conntrack \
495 +IPTABLES_NFTABLES:libnftnl
499 -I$(PKG_BUILD_DIR)/include \
500 -I$(LINUX_DIR)/user_headers/include \
504 -I$(PKG_BUILD_DIR)/include \
505 -I$(LINUX_DIR)/user_headers/include \
506 -ffunction-sections -fdata-sections \
516 --with-kernel="$(LINUX_DIR)/user_headers" \
517 --with-xtlibdir=/usr/lib/iptables \
518 --with-xt-lock-name=/var/run/xtables.lock \
519 $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
520 $(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
521 $(if $(CONFIG_IPV6),,--disable-ipv6)
524 $(TARGET_CONFIGURE_OPTS) \
525 COPT_FLAGS="$(TARGET_CFLAGS)" \
526 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
527 KBUILD_OUTPUT="$(LINUX_DIR)" \
528 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
# Stale-object guard. The condition compares the .config_* marker found in the
# build directory with the marker name expected for the current kernel
# netfilter configuration (STAMP_CONFIGURED with .configured_ replaced by
# .config_). Only on a mismatch is the rebuild step defined: it deletes
# objects and archives under the build directory, removes the old markers and
# configure stamps, then creates a marker for the current configuration.
# NOTE(review): the rm lines assume PKG_BUILD_DIR is set and non-empty; with an
# empty value the patterns would resolve to /.config_* and /.configured_*.
530 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
531 define Build/Configure/rebuild
532 $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
533 rm -f $(PKG_BUILD_DIR)/.config_*
534 rm -f $(PKG_BUILD_DIR)/.configured_*
535 touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
# Configure step: expands the cleanup defined by the stale-object guard first
# (it expands to nothing when the guard did not define it), then the default
# configure step supplied by the build system.
539 define Build/Configure
540 $(Build/Configure/rebuild)
541 $(Build/Configure/Default)
# Staging install for packages that compile against iptables; the first
# argument is the staging prefix. Headers come from two places: some are
# copied straight out of the build tree (see the XXX note inside, upstream no
# longer installs them) and the rest from the package install tree. Shared
# libraries and pkg-config files are taken from the install tree, while the
# libiptext*.so objects are again copied from the build tree's extensions
# directory.
# NOTE(review): files copied directly from the build tree bypass whatever the
# upstream install target would have filtered or renamed -- re-check this list
# when the pinned source version changes.
544 define Build/InstallDev
545 $(INSTALL_DIR) $(1)/usr/include
546 $(INSTALL_DIR) $(1)/usr/include/iptables
547 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
549 # XXX: iptables header fixup, some headers are not installed by iptables anymore
550 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
551 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
552 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
553 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
554 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
556 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
557 $(INSTALL_DIR) $(1)/usr/lib
558 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
559 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
560 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
561 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
562 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
564 # XXX: needed by firewall3
565 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
# Image install for the base package: copies the xtables-multi binary and the
# iptables, iptables-restore and iptables-save names into usr/sbin, and
# creates the extension directory usr/lib/iptables. No extension library is
# copied in the lines shown; the per-module packages add those.
# The {,-restore,-save} form relies on shell brace expansion, so the recipe
# needs a shell that supports it (bash); a plain POSIX sh would take the
# pattern literally and the copy would fail.
568 define Package/iptables/install
569 $(INSTALL_DIR) $(1)/usr/sbin
570 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
571 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
572 $(INSTALL_DIR) $(1)/usr/lib/iptables
# Image install for the IPv6 tools: copies the ip6tables, ip6tables-restore
# and ip6tables-save names into usr/sbin. Like the iptables install step it
# depends on shell brace expansion being available in the recipe shell.
575 define Package/ip6tables/install
576 $(INSTALL_DIR) $(1)/usr/sbin
577 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
580 define Package/libiptc/install
581 $(INSTALL_DIR) $(1)/usr/lib
582 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
585 define Package/libip4tc/install
586 $(INSTALL_DIR) $(1)/usr/lib
587 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
588 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
591 define Package/libip6tc/install
592 $(INSTALL_DIR) $(1)/usr/lib
593 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
594 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
597 define Package/libxtables/install
598 $(INSTALL_DIR) $(1)/usr/lib
599 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
600 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
604 define Package/$(1)/install
605 $(INSTALL_DIR) $$(1)/usr/lib/iptables
606 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
607 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
608 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
614 $$(eval $$(call BuildPackage,$(1)))
# Package instantiation. BuildPackage registers the base tools and libraries;
# BuildPlugin is called once per extension package with the package name and a
# module list (the IPT_*-m variables, which are not defined in this file and
# presumably come from netfilter.mk).
# As far as the visible template lines show, the generated install step tries
# the ipt_, xt_ and ip6t_ spellings of each module name and copies the
# matching lib<name>.so only when that file exists in the install tree. A
# module missing from the build therefore does not fail packaging: the package
# ships without that extension, and rules that use it are rejected when they
# are loaded on the device. Check the package contents after changing the
# kernel netfilter configuration or the pinned source version.
617 $(eval $(call BuildPackage,iptables))
618 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
619 $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
620 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
621 $(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
622 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
623 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
624 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
625 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
626 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
627 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
628 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
629 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
630 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
631 $(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
632 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
633 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
634 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
635 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
636 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
637 $(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
638 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
639 $(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
640 $(eval $(call BuildPackage,ip6tables))
641 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
642 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
643 $(eval $(call BuildPackage,libiptc))
644 $(eval $(call BuildPackage,libip4tc))
645 $(eval $(call BuildPackage,libip6tc))
646 $(eval $(call BuildPackage,libxtables))