X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=package%2Fnetwork%2Futils%2Fiptables%2FMakefile;h=626b2527619602a50e2df6df64fb466f8d9b578e;hb=deff5fb6c89b58b193bb57ab129cbe441a4404b4;hp=a3d8864c3ffecfb5c2cc685d7264f9af012ade4f;hpb=16c72b09cc2ede984f3f640fb43fdf934477dd3c;p=oweals%2Fopenwrt.git diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index a3d8864c3f..626b252761 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2012 OpenWrt.org +# Copyright (C) 2006-2013 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,19 +9,20 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.4.10 -PKG_RELEASE:=4 +PKG_VERSION:=1.4.21 +PKG_RELEASE:=1 -PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \ ftp://ftp.no.netfilter.org/pub/netfilter/iptables/ +PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0 PKG_FIXUP:=autoreconf PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 +PKG_LICENSE:=GPL-2.0 ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"") PATCH_DIR:= @@ -49,33 +50,47 @@ endef define Package/iptables $(call Package/iptables/Default) - TITLE:=IPv4 firewall administration tool + TITLE:=IP firewall administration tool MENU:=1 - DEPENDS+= +kmod-ipt-core +libip4tc +libxtables + DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables endef define Package/iptables/description -IPv4 firewall administration tool. +IP firewall administration tool. Matches: - icmp - tcp - udp - comment + - conntrack - limit - mac + - mark - multiport + - set + - state + - time Targets: - ACCEPT + - CT + - DNAT - DROP - REJECT - LOG + - MARK + - MASQUERADE + - REDIRECT + - SET + - SNAT - TCPMSS Tables: - filter - mangle + - nat + - raw endef @@ -89,6 +104,7 @@ Extra iptables extensions for connection tracking. Matches: - connbytes + - connlimit - connmark - recent - helper @@ -108,7 +124,6 @@ iptables extensions for packet content inspection. Includes support for: Matches: - - layer7 - string endef @@ -125,10 +140,8 @@ iptables extensions for matching/changing IP packet options. - dscp - ecn - length - - mark - statistic - tcpmss - - time - unclean - hl @@ -136,7 +149,6 @@ iptables extensions for matching/changing IP packet options. - DSCP - CLASSIFY - ECN - - MARK - HL endef @@ -156,22 +168,6 @@ iptables extensions for matching ipsec traffic. endef -define Package/iptables-mod-ipset -$(call Package/iptables/Module,) - TITLE:=IPset iptables extensions -endef - -define Package/iptables-mod-ipset/description -IPset iptables extensions. - - Matches: - - set - - Targets: - - SET - -endef - define Package/iptables-mod-nat-extra $(call Package/iptables/Module, +kmod-ipt-nat-extra) TITLE:=Extra NAT extensions @@ -183,7 +179,6 @@ iptables extensions for extra NAT targets. Targets: - MIRROR - NETMAP - - REDIRECT endef define Package/iptables-mod-ulog @@ -199,6 +194,32 @@ iptables extensions for user-space packet logging. endef +define Package/iptables-mod-nflog +$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog) + TITLE:=Netfilter NFLOG target +endef + +define Package/iptables-mod-nflog/description + iptables extension for user-space logging via NFNETLINK. + + Includes: + - libxt_NFLOG + +endef + +define Package/iptables-mod-nfqueue +$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue) + TITLE:=Netfilter NFQUEUE target +endef + +define Package/iptables-mod-nfqueue/description + iptables extension for user-space queuing via NFNETLINK. + + Includes: + - libxt_NFQUEUE + +endef + define Package/iptables-mod-hashlimit $(call Package/iptables/Module, +kmod-ipt-hashlimit) TITLE:=hashlimit matching @@ -225,6 +246,46 @@ iptables extensions for matching ip ranges. endef +define Package/iptables-mod-cluster +$(call Package/iptables/Module, +kmod-ipt-cluster) + TITLE:=Match cluster extension +endef + +define Package/iptables-mod-cluster/description +iptables extensions for matching cluster. + + Netfilter (IPv4/IPv6) module for matching cluster + This option allows you to build work-load-sharing clusters of + network servers/stateful firewalls without having a dedicated + load-balancing router/server/switch. Basically, this match returns + true when the packet must be handled by this cluster node. Thus, + all nodes see all packets and this match decides which node handles + what packets. The work-load sharing algorithm is based on source + address hashing. + + This module is usable for ipv4 and ipv6. + + If you select it, it enables kmod-ipt-cluster. + + see `iptables -m cluster --help` for more information. +endef + +define Package/iptables-mod-clusterip +$(call Package/iptables/Module, +kmod-ipt-clusterip) + TITLE:=Clusterip extension +endef + +define Package/iptables-mod-clusterip/description +iptables extensions for CLUSTERIP. + The CLUSTERIP target allows you to build load-balancing clusters of + network servers without having a dedicated load-balancing + router/server/switch. + + If you select it, it enables kmod-ipt-clusterip. + + see `iptables -j CLUSTERIP --help` for more information. +endef + define Package/iptables-mod-extra $(call Package/iptables/Module, +kmod-ipt-extra) TITLE:=Other extra iptables extensions @@ -234,6 +295,7 @@ define Package/iptables-mod-extra/description Other extra iptables extensions. Matches: + - addrtype - condition - owner - physdev (if ebtables is enabled) @@ -299,17 +361,38 @@ endef define Package/ip6tables $(call Package/iptables/Default) - DEPENDS:=+kmod-ip6tables +libip6tc +libxtables - CATEGORY:=IPv6 + DEPENDS:=@IPV6 +kmod-ip6tables +iptables + CATEGORY:=Network TITLE:=IPv6 firewall administration tool MENU:=1 endef + +define Package/ip6tables-extra +$(call Package/iptables/Default) + DEPENDS:=ip6tables +kmod-ip6tables-extra + TITLE:=IPv6 header matching modules +endef + +define Package/ip6tables-mod-extra/description +iptables header matching modules for IPv6 +endef + +define Package/ip6tables-mod-nat +$(call Package/iptables/Default) + DEPENDS:=ip6tables +kmod-ipt-nat6 + TITLE:=IPv6 NAT extensions +endef + +define Package/ip6tables-mod-nat/description +iptables extensions for IPv6-NAT targets. +endef + define Package/libiptc $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries - DEPENDS:=+libip4tc +libip6tc + DEPENDS:=+libip4tc +libip6tc +libxtables TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub) endef @@ -318,6 +401,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv4 firewall - shared libiptc library + DEPENDS:=+libxtables endef define Package/libip6tc @@ -325,6 +409,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv6 firewall - shared libiptc library + DEPENDS:=+libxtables endef define Package/libxtables @@ -341,22 +426,27 @@ TARGET_CPPFLAGS := \ TARGET_CFLAGS += \ -I$(PKG_BUILD_DIR)/include \ - -I$(LINUX_DIR)/user_headers/include + -I$(LINUX_DIR)/user_headers/include \ + -ffunction-sections -fdata-sections \ + -DNO_LEGACY + +TARGET_LDFLAGS += \ + -Wl,--gc-sections CONFIGURE_ARGS += \ --enable-shared \ --enable-devel \ - $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \ --with-kernel="$(LINUX_DIR)/user_headers" \ --with-xtlibdir=/usr/lib/iptables \ - --enable-static + --enable-static \ + $(if $(CONFIG_IPV6),,--disable-ipv6) MAKE_FLAGS := \ $(TARGET_CONFIGURE_OPTS) \ COPT_FLAGS="$(TARGET_CFLAGS)" \ KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \ KBUILD_OUTPUT="$(LINUX_DIR)" \ - BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))" + BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))" define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include @@ -364,9 +454,9 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include/net/netfilter # XXX: iptables header fixup, some headers are not installed by iptables anymore - $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/ $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/ $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/ $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/ $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/ @@ -376,26 +466,22 @@ define Build/InstallDev $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/ + + # XXX: needed by firewall3 + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/ endef define Package/iptables/install $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/ - $(LN) iptables $(1)/usr/sbin/iptables-save - $(LN) iptables $(1)/usr/sbin/iptables-restore + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/usr/lib/iptables endef define Package/ip6tables/install $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/ - $(LN) ip6tables $(1)/usr/sbin/ip6tables-save - $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore - $(INSTALL_DIR) $(1)/usr/lib/iptables - (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \ - $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \ - ) + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/ endef define Package/libiptc/install @@ -406,22 +492,25 @@ endef define Package/libip4tc/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/ endef define Package/libip6tc/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/ endef define Package/libxtables/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/ endef define BuildPlugin define Package/$(1)/install $(INSTALL_DIR) $$(1)/usr/lib/iptables - for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \ + for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ fi; \ @@ -432,27 +521,27 @@ define BuildPlugin $$(eval $$(call BuildPackage,$(1))) endef -L7_INSTALL:=\ - $(INSTALL_DIR) $$(1)/etc/l7-protocols; \ - $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/ - - $(eval $(call BuildPackage,iptables)) $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL))) +$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m))) $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) -$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET)) $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) +$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m))) +$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m))) $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m))) $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) +$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m))) +$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m))) $(eval $(call BuildPackage,ip6tables)) +$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) +$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m))) $(eval $(call BuildPackage,libiptc)) $(eval $(call BuildPackage,libip4tc)) $(eval $(call BuildPackage,libip6tc))