2 # Copyright (C) 2006-2013 OpenWrt.org
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
# Upstream tarball name, the mirrors it is fetched from, and the digest recorded for it.
# NOTE(review): every mirror listed here is plain http:// or ftp://, so the transport
# gives no authenticity or tamper protection; the digest below is the only integrity
# value visible in this listing (presumably checked by the included download rules; confirm).
# NOTE(review): MD5 is not collision-resistant. Newer OpenWrt trees pin sources with a
# SHA-256 PKG_HASH; confirm what this tree's download rules accept before relying on
# PKG_MD5SUM as a supply-chain control.
15 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
16 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
17 ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
18 ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
19 ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
20 PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0
27 ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
31 include $(INCLUDE_DIR)/package.mk
33 -include $(LINUX_DIR)/.config
34 include $(INCLUDE_DIR)/netfilter.mk
# Appends a fingerprint of the kernel .config lines that contain 'NETFILTER' to the
# configure stamp name, so a different netfilter kernel configuration yields a different
# stamp (presumably triggering a reconfigure through the included build rules; confirm).
# The md5s output is only concatenated into the stamp name: it is a change-detection
# fingerprint, not an integrity or authenticity check.
35 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
39 define Package/iptables/Default
43 URL:=http://netfilter.org/
46 define Package/iptables/Module
47 $(call Package/iptables/Default)
48 DEPENDS:=iptables $(1)
51 define Package/iptables
52 $(call Package/iptables/Default)
53 TITLE:=IP firewall administration tool
55 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
58 define Package/iptables/description
59 IP firewall administration tool.
97 define Package/iptables-mod-conntrack-extra
98 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
99 TITLE:=Extra connection tracking extensions
102 define Package/iptables-mod-conntrack-extra/description
103 Extra iptables extensions for connection tracking.
117 define Package/iptables-mod-filter
118 $(call Package/iptables/Module, +kmod-ipt-filter)
119 TITLE:=Content inspection extensions
122 define Package/iptables-mod-filter/description
123 iptables extensions for packet content inspection.
124 Includes support for:
132 define Package/iptables-mod-ipopt
133 $(call Package/iptables/Module, +kmod-ipt-ipopt)
134 TITLE:=IP/Packet option extensions
137 define Package/iptables-mod-ipopt/description
138 iptables extensions for matching/changing IP packet options.
157 define Package/iptables-mod-ipsec
158 $(call Package/iptables/Module, +kmod-ipt-ipsec)
159 TITLE:=IPsec extensions
162 define Package/iptables-mod-ipsec/description
163 iptables extensions for matching ipsec traffic.
172 define Package/iptables-mod-nat-extra
173 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
174 TITLE:=Extra NAT extensions
177 define Package/iptables-mod-nat-extra/description
178 iptables extensions for extra NAT targets.
185 define Package/iptables-mod-ulog
186 $(call Package/iptables/Module, +kmod-ipt-ulog)
187 TITLE:=user-space packet logging
190 define Package/iptables-mod-ulog/description
191 iptables extensions for user-space packet logging.
198 define Package/iptables-mod-nflog
199 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
200 TITLE:=Netfilter NFLOG target
203 define Package/iptables-mod-nflog/description
204 iptables extension for user-space logging via NFNETLINK.
211 define Package/iptables-mod-nfqueue
212 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
213 TITLE:=Netfilter NFQUEUE target
216 define Package/iptables-mod-nfqueue/description
217 iptables extension for user-space queuing via NFNETLINK.
224 define Package/iptables-mod-hashlimit
225 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
226 TITLE:=hashlimit matching
229 define Package/iptables-mod-hashlimit/description
230 iptables extensions for hashlimit matching
237 define Package/iptables-mod-iprange
238 $(call Package/iptables/Module, +kmod-ipt-iprange)
239 TITLE:=IP range extension
242 define Package/iptables-mod-iprange/description
243 iptables extensions for matching ip ranges.
250 define Package/iptables-mod-cluster
251 $(call Package/iptables/Module, +kmod-ipt-cluster)
252 TITLE:=Match cluster extension
255 define Package/iptables-mod-cluster/description
256 iptables extensions for matching cluster.
258 Netfilter (IPv4/IPv6) module for matching cluster
259 This option allows you to build work-load-sharing clusters of
260 network servers/stateful firewalls without having a dedicated
261 load-balancing router/server/switch. Basically, this match returns
262 true when the packet must be handled by this cluster node. Thus,
263 all nodes see all packets and this match decides which node handles
264 what packets. The work-load sharing algorithm is based on source
267 This module is usable for ipv4 and ipv6.
269 If you select it, it enables kmod-ipt-cluster.
271 see `iptables -m cluster --help` for more information.
274 define Package/iptables-mod-clusterip
275 $(call Package/iptables/Module, +kmod-ipt-clusterip)
276 TITLE:=Clusterip extension
279 define Package/iptables-mod-clusterip/description
280 iptables extensions for CLUSTERIP.
281 The CLUSTERIP target allows you to build load-balancing clusters of
282 network servers without having a dedicated load-balancing
283 router/server/switch.
285 If you select it, it enables kmod-ipt-clusterip.
287 see `iptables -j CLUSTERIP --help` for more information.
290 define Package/iptables-mod-extra
291 $(call Package/iptables/Module, +kmod-ipt-extra)
292 TITLE:=Other extra iptables extensions
295 define Package/iptables-mod-extra/description
296 Other extra iptables extensions.
302 - physdev (if ebtables is enabled)
308 define Package/iptables-mod-led
309 $(call Package/iptables/Module, +kmod-ipt-led)
310 TITLE:=LED trigger iptables extension
313 define Package/iptables-mod-led/description
314 iptables extension for triggering a LED.
321 define Package/iptables-mod-tproxy
322 $(call Package/iptables/Module, +kmod-ipt-tproxy)
323 TITLE:=Transparent proxy iptables extensions
326 define Package/iptables-mod-tproxy/description
327 Transparent proxy iptables extensions.
337 define Package/iptables-mod-tee
338 $(call Package/iptables/Module, +kmod-ipt-tee)
339 TITLE:=TEE iptables extensions
342 define Package/iptables-mod-tee/description
343 TEE iptables extensions.
350 define Package/iptables-mod-u32
351 $(call Package/iptables/Module, +kmod-ipt-u32)
352 TITLE:=U32 iptables extensions
355 define Package/iptables-mod-u32/description
356 U32 iptables extensions.
363 define Package/ip6tables
364 $(call Package/iptables/Default)
365 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
367 TITLE:=IPv6 firewall administration tool
372 define Package/ip6tables-extra
373 $(call Package/iptables/Default)
374 DEPENDS:=ip6tables +kmod-ip6tables-extra
375 TITLE:=IPv6 header matching modules
378 define Package/ip6tables-mod-extra/description
379 iptables header matching modules for IPv6
382 define Package/ip6tables-mod-nat
383 $(call Package/iptables/Default)
384 DEPENDS:=ip6tables +kmod-ipt-nat6
385 TITLE:=IPv6 NAT extensions
388 define Package/ip6tables-mod-nat/description
389 iptables extensions for IPv6-NAT targets.
392 define Package/libiptc
393 $(call Package/iptables/Default)
396 DEPENDS:=+libip4tc +IPV6:libip6tc
397 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
400 define Package/libip4tc
401 $(call Package/iptables/Default)
404 TITLE:=IPv4 firewall - shared libiptc library
407 define Package/libip6tc
408 $(call Package/iptables/Default)
411 TITLE:=IPv6 firewall - shared libiptc library
414 define Package/libxtables
415 $(call Package/iptables/Default)
418 TITLE:=IPv4/IPv6 firewall - shared xtables library
422 -I$(PKG_BUILD_DIR)/include \
423 -I$(LINUX_DIR)/user_headers/include \
427 -I$(PKG_BUILD_DIR)/include \
428 -I$(LINUX_DIR)/user_headers/include \
429 -ffunction-sections -fdata-sections
437 --with-kernel="$(LINUX_DIR)/user_headers" \
438 --with-xtlibdir=/usr/lib/iptables \
440 $(if $(CONFIG_IPV6),,--disable-ipv6)
443 $(TARGET_CONFIGURE_OPTS) \
444 COPT_FLAGS="$(TARGET_CFLAGS)" \
445 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
446 KBUILD_OUTPUT="$(LINUX_DIR)" \
447 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
449 define Build/InstallDev
450 $(INSTALL_DIR) $(1)/usr/include
451 $(INSTALL_DIR) $(1)/usr/include/iptables
452 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
454 # XXX: iptables header fixup, some headers are not installed by iptables anymore
455 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
456 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
457 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
458 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
459 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
461 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
462 $(INSTALL_DIR) $(1)/usr/lib
463 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
464 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
465 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
466 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
467 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
469 # XXX: needed by firewall3
470 $(INSTALL_DIR) $(1)/usr/lib/iptables
471 $(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/
474 define Package/iptables/install
475 $(INSTALL_DIR) $(1)/usr/sbin
476 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
477 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
478 $(INSTALL_DIR) $(1)/usr/lib/iptables
481 define Package/ip6tables/install
482 $(INSTALL_DIR) $(1)/usr/sbin
483 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
486 define Package/libiptc/install
487 $(INSTALL_DIR) $(1)/usr/lib
488 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
491 define Package/libip4tc/install
492 $(INSTALL_DIR) $(1)/usr/lib
493 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
496 define Package/libip6tc/install
497 $(INSTALL_DIR) $(1)/usr/lib
498 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
501 define Package/libxtables/install
502 $(INSTALL_DIR) $(1)/usr/lib
503 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
507 define Package/$(1)/install
508 $(INSTALL_DIR) $$(1)/usr/lib/iptables
509 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
510 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
511 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
517 $$(eval $$(call BuildPackage,$(1)))
521 $(INSTALL_DIR) $$(1)/etc/l7-protocols; \
522 $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
# Package instantiation. BuildPackage registers a package by name. BuildPlugin takes the
# package name as $(1) and a list of netfilter module names as $(2); its install step
# copies the matching lib<name>.so files into /usr/lib/iptables of the package root.
# A third argument is passed only for iptables-mod-filter ($(L7_INSTALL)); how it is
# consumed is not visible in this listing (presumably an extra install hook; confirm).
525 $(eval $(call BuildPackage,iptables))
526 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
527 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
528 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
529 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
530 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
531 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
532 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
533 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
534 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
535 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
536 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
537 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
538 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
539 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
540 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
541 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
542 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
543 $(eval $(call BuildPackage,ip6tables))
# NOTE(review): this package is registered as ip6tables-extra (matching
# "define Package/ip6tables-extra"), but the description block in this file is named
# Package/ip6tables-mod-extra/description, so that description does not appear to
# attach to this package. Confirm which name is intended.
544 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
545 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
546 $(eval $(call BuildPackage,libiptc))
547 $(eval $(call BuildPackage,libip4tc))
548 $(eval $(call BuildPackage,libip6tc))
549 $(eval $(call BuildPackage,libxtables))