1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter.git synced 2025-03-09 15:40:20 +00:00

add iptables

This commit is contained in:
suyuan168 2022-05-03 17:31:05 +08:00
parent 14b97870c9
commit 80b8ca8412
11 changed files with 1863 additions and 0 deletions

View file

@ -0,0 +1,806 @@
#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
PKG_VERSION:=1.8.7
PKG_RELEASE:=6
PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_HASH:=c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
include $(INCLUDE_DIR)/package.mk
ifeq ($(DUMP),)
-include $(LINUX_DIR)/.config
include $(INCLUDE_DIR)/netfilter.mk
STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | $(MKHASH) md5)
endif
define Package/iptables/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Firewall
URL:=https://netfilter.org/
endef
define Package/iptables/Module
$(call Package/iptables/Default)
DEPENDS:=+libxtables $(1)
endef
define Package/xtables-legacy
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool
DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables
endef
define Package/iptables-legacy
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool
DEPENDS+= +xtables-legacy
PROVIDES:=iptables
ALTERNATIVES:=\
200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi
endef
define Package/iptables-legacy/description
IP firewall administration tool.
Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time
Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- FLOWOFFLOAD
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS
Tables:
- filter
- mangle
- nat
- raw
endef
define Package/xtables-nft
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft
DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
endef
define Package/arptables-nft
$(call Package/iptables/Default)
DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
TITLE:=ARP firewall administration tool nft
PROVIDES:=arptables
ALTERNATIVES:=\
300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
endef
define Package/ebtables-nft
$(call Package/iptables/Default)
DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
TITLE:=Bridge firewall administration tool nft
PROVIDES:=ebtables
ALTERNATIVES:=\
300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
endef
define Package/iptables-nft
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft
DEPENDS:=+kmod-ipt-core +xtables-nft
PROVIDES:=iptables
ALTERNATIVES:=\
300:/usr/sbin/iptables:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/iptables-restore:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/iptables-save:/usr/sbin/xtables-nft-multi
endef
define Package/iptables-nft/description
Extra iptables nftables nft binaries.
iptables-nft
iptables-nft-restore
iptables-nft-save
iptables-translate
iptables-restore-translate
endef
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra +kmod-ipt-raw)
TITLE:=Extra connection tracking extensions
endef
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.
Matches:
- connbytes
- connlimit
- connmark
- recent
- helper
Targets:
- CONNMARK
endef
define Package/iptables-mod-conntrack-label
$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
TITLE:=Connection tracking labeling extension
DEFAULT:=y if IPTABLES_CONNLABEL
endef
define Package/iptables-mod-conntrack-label/description
Match and set label(s) on connection tracking entries
Matches:
- connlabel
endef
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=Content inspection extensions
endef
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:
Matches:
- string
- bpf
endef
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
TITLE:=IP/Packet option extensions
endef
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.
Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl
Targets:
- DSCP
- CLASSIFY
- ECN
- HL
endef
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
TITLE:=IPsec extensions
endef
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.
Matches:
- ah
- esp
- policy
endef
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
TITLE:=Extra NAT extensions
endef
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.
Targets:
- MIRROR
- NETMAP
endef
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
TITLE:=user-space packet logging
endef
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.
Targets:
- ULOG
endef
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
TITLE:=Netfilter NFLOG target
endef
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.
Includes:
- libxt_NFLOG
endef
define Package/iptables-mod-trace
$(call Package/iptables/Module, +kmod-ipt-debug)
TITLE:=Netfilter TRACE target
endef
define Package/iptables-mod-trace/description
iptables extension for TRACE target
Includes:
- libxt_TRACE
endef
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
TITLE:=Netfilter NFQUEUE target
endef
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.
Includes:
- libxt_NFQUEUE
endef
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
TITLE:=hashlimit matching
endef
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching
Matches:
- hashlimit
endef
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
TITLE:=rpfilter iptables extension
endef
define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet
Matches:
- rpfilter
endef
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
TITLE:=IP range extension
endef
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.
Matches:
- iprange
endef
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
TITLE:=Match cluster extension
endef
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.
Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.
This module is usable for ipv4 and ipv6.
If you select it, it enables kmod-ipt-cluster.
see `iptables -m cluster --help` for more information.
endef
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
TITLE:=Clusterip extension
endef
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.
If you select it, it enables kmod-ipt-clusterip.
see `iptables -j CLUSTERIP --help` for more information.
endef
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
TITLE:=Other extra iptables extensions
endef
define Package/iptables-mod-extra/description
Other extra iptables extensions.
Matches:
- addrtype
- condition
- owner
- pkttype
- quota
endef
define Package/iptables-mod-physdev
$(call Package/iptables/Module, +kmod-ipt-physdev)
TITLE:=physdev iptables extension
endef
define Package/iptables-mod-physdev/description
The iptables physdev match.
endef
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
TITLE:=LED trigger iptables extension
endef
define Package/iptables-mod-led/description
iptables extension for triggering a LED.
Targets:
- LED
endef
define Package/iptables-mod-socket
$(call Package/iptables/Module, +kmod-ipt-socket)
TITLE:=Socket match iptables extensions
endef
define Package/iptables-mod-socket/description
Socket match iptables extensions.
Matches:
- socket
endef
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
TITLE:=Transparent proxy iptables extensions
endef
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.
Targets:
- TPROXY
endef
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
TITLE:=TEE iptables extensions
endef
define Package/iptables-mod-tee/description
TEE iptables extensions.
Targets:
- TEE
endef
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
TITLE:=U32 iptables extensions
endef
define Package/iptables-mod-u32/description
U32 iptables extensions.
Matches:
- u32
endef
define Package/iptables-mod-checksum
$(call Package/iptables/Module, +kmod-ipt-checksum)
TITLE:=IP CHECKSUM target extension
endef
define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target
endef
define Package/ip6tables-legacy
$(call Package/iptables/Default)
DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy
CATEGORY:=Network
TITLE:=IPv6 firewall administration tool
PROVIDES:=ip6tables
ALTERNATIVES:=\
200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/ip6tables-save:/usr/sbin/xtables-legacy-multi
endef
define Package/ip6tables-nft
$(call Package/iptables/Default)
DEPENDS:=@IPV6 +kmod-ip6tables +xtables-nft
TITLE:=IP firewall administration tool nft
PROVIDES:=ip6tables
ALTERNATIVES:=\
300:/usr/sbin/ip6tables:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-nft-multi \
300:/usr/sbin/ip6tables-save:/usr/sbin/xtables-nft-multi
endef
define Package/ip6tables-nft/description
Extra ip6tables nftables nft binaries.
ip6tables-nft
ip6tables-nft-restore
ip6tables-nft-save
ip6tables-translate
ip6tables-restore-translate
endef
define Package/ip6tables-extra
$(call Package/iptables/Default)
DEPENDS:=+libxtables +kmod-ip6tables-extra
TITLE:=IPv6 header matching modules
endef
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
DEPENDS:=+libxtables +kmod-ipt-nat6
TITLE:=IPv6 NAT extensions
endef
define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
define Package/libip4tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library
ABI_VERSION:=2
endef
define Package/libip6tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library
ABI_VERSION:=2
endef
define Package/libiptext
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptext library
ABI_VERSION:=0
DEPENDS:=+libxtables
endef
define Package/libiptext6
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptext library
ABI_VERSION:=0
DEPENDS:=+libxtables
endef
define Package/libiptext-nft
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared libiptext nft library
ABI_VERSION:=0
DEPENDS:=@IPTABLES_NFTABLES +libxtables
endef
define Package/libxtables
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared xtables library
MENU:=1
ABI_VERSION:=12
DEPENDS:=+IPTABLES_CONNLABEL:libnetfilter-conntrack
endef
define Package/libxtables/config
config IPTABLES_CONNLABEL
bool "Enable Connlabel support"
default n
help
This enable connlabel support in iptables.
config IPTABLES_NFTABLES
bool "Enable Nftables support"
default y
help
This enable nftables support in iptables.
endef
TARGET_CPPFLAGS := \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
$(TARGET_CPPFLAGS)
TARGET_CFLAGS += \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
-ffunction-sections -fdata-sections \
-DNO_LEGACY
TARGET_LDFLAGS += \
-Wl,--gc-sections
CONFIGURE_ARGS += \
--enable-shared \
--enable-static \
--enable-devel \
--with-kernel="$(LINUX_DIR)/user_headers" \
--with-xtlibdir=/usr/lib/iptables \
--with-xt-lock-name=/var/run/xtables.lock \
$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
$(if $(CONFIG_IPV6),,--disable-ipv6)
MAKE_FLAGS := \
$(TARGET_CONFIGURE_OPTS) \
COPT_FLAGS="$(TARGET_CFLAGS)" \
KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
KBUILD_OUTPUT="$(LINUX_DIR)" \
BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
define Build/Configure/rebuild
$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
rm -f $(PKG_BUILD_DIR)/.config_*
rm -f $(PKG_BUILD_DIR)/.configured_*
touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
endef
endif
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(INSTALL_DIR) $(1)/usr/include/iptables
$(INSTALL_DIR) $(1)/usr/include/net/netfilter
# XXX: iptables header fixup, some headers are not installed by iptables anymore
$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
# XXX: needed by firewall3
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
define Package/xtables-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
endef
define Package/iptables-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
define Package/xtables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
endef
define Package/arptables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
$(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
endef
define Package/ebtables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
$(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
endef
define Package/iptables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
endef
define Package/ip6tables-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/
endef
define Package/ip6tables-nft/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-nft{,-restore,-save} $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/
endef
define Package/libip4tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so.* $(1)/usr/lib/
endef
define Package/libip6tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so.* $(1)/usr/lib/
endef
define Package/libiptext/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
define Package/libiptext6/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
define Package/libiptext-nft/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext_*.so $(1)/usr/lib/
endef
define Package/libxtables/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so.* $(1)/usr/lib/
endef
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/iptables
for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
fi; \
done
$(3)
endef
$$(eval $$(call BuildPackage,$(1)))
endef
$(eval $(call BuildPackage,libxtables))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libiptext))
$(eval $(call BuildPackage,libiptext6))
$(eval $(call BuildPackage,libiptext-nft))
$(eval $(call BuildPackage,xtables-legacy))
$(eval $(call BuildPackage,iptables-legacy))
$(eval $(call BuildPackage,xtables-nft))
$(eval $(call BuildPackage,arptables-nft))
$(eval $(call BuildPackage,ebtables-nft))
$(eval $(call BuildPackage,iptables-nft))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-socket,$(IPT_SOCKET-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables-legacy))
$(eval $(call BuildPackage,ip6tables-nft))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))

View file

@ -0,0 +1,68 @@
From e727ccad036e2cdba3339536c65c7ceef43c0740 Mon Sep 17 00:00:00 2001
From: Erik Wilson <erik.e.wilson@gmail.com>
Date: Tue, 13 Jul 2021 16:48:23 -0700
Subject: [PATCH] xtables: Call init_extensions6() for static builds
Initialize extensions from libext6 for cases where xtables is built statically.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1550
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/xtables-monitor.c | 1 +
iptables/xtables-restore.c | 1 +
iptables/xtables-save.c | 1 +
iptables/xtables-standalone.c | 1 +
iptables/xtables-translate.c | 1 +
5 files changed, 5 insertions(+)
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -628,6 +628,7 @@ int xtables_monitor_main(int argc, char
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
+ init_extensions6();
#endif
if (nft_init(&h, AF_INET, xtables_ipv4)) {
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -364,6 +364,7 @@ xtables_restore_main(int family, const c
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
+ init_extensions6();
#endif
break;
case NFPROTO_ARP:
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -202,6 +202,7 @@ xtables_save_main(int family, int argc,
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
+ init_extensions6();
#endif
tables = xtables_ipv4;
d.commit = true;
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -57,6 +57,7 @@ xtables_main(int family, const char *pro
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
+ init_extensions6();
#endif
if (nft_init(&h, family, xtables_ipv4) < 0) {
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -469,6 +469,7 @@ static int xtables_xlate_main_common(str
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
+ init_extensions6();
#endif
tables = xtables_ipv4;
break;

View file

@ -0,0 +1,107 @@
A modified version of this patch was commited upstream
as part of a fixup series
https://bugzilla.netfilter.org/show_bug.cgi?id=1593
https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
init_extensions();
init_extensions4();
init_extensions6();
+ init_extensionsa();
+ init_extensionsb();
#endif
if (nft_init(&h, AF_INET, xtables_ipv4)) {
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
#endif
break;
case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsa();
+#endif
tables = xtables_arp;
break;
case NFPROTO_BRIDGE:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsb();
+#endif
tables = xtables_bridge;
break;
default:
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
d.commit = true;
break;
case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsa();
+#endif
tables = xtables_arp;
break;
case NFPROTO_BRIDGE: {
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsb();
+#endif
const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
if (!(d.format & FMT_NOCOUNTS)) {
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
init_extensions();
init_extensions4();
init_extensions6();
+ init_extensionsa();
+ init_extensionsb();
#endif
if (nft_init(&h, family, xtables_ipv4) < 0) {
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
tables = xtables_ipv4;
break;
case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsa();
+#endif
tables = xtables_arp;
break;
case NFPROTO_BRIDGE:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensionsb();
+#endif
tables = xtables_bridge;
break;
default:
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
init_extensionsa();
#endif
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
init_extensionsb();
#endif

View file

@ -0,0 +1,452 @@
From 74267bacce0c43e5038b0377cb7c08f1ad9d50a3 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Date: Sat, 23 Mar 2019 10:21:03 +0000
Subject: [PATCH] iptables: connmark - add set-dscpmark option for openwrt
Naive user space front end to xt_connmark 'setdscp' option.
iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x01000000
This version has a hack to support a backport to 4.14
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
extensions/libxt_CONNMARK.c | 315 +++++++++++++++++++++++++-
include/linux/netfilter/xt_connmark.h | 10 +
2 files changed, 324 insertions(+), 1 deletion(-)
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -22,6 +22,7 @@
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
+#include <strings.h>
#include <xtables.h>
#include <linux/netfilter/xt_CONNMARK.h>
@@ -49,6 +50,7 @@ enum {
O_CTMASK,
O_NFMASK,
O_MASK,
+ O_DSCP_MARK,
F_SET_MARK = 1 << O_SET_MARK,
F_SAVE_MARK = 1 << O_SAVE_MARK,
F_RESTORE_MARK = 1 << O_RESTORE_MARK,
@@ -61,8 +63,10 @@ enum {
F_CTMASK = 1 << O_CTMASK,
F_NFMASK = 1 << O_NFMASK,
F_MASK = 1 << O_MASK,
+ F_DSCP_MARK = 1 << O_DSCP_MARK,
F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
- F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
+ F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK |
+ F_DSCP_MARK,
};
static const char *const xt_connmark_shift_ops[] = {
@@ -114,6 +118,8 @@ static const struct xt_option_entry conn
.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
{.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
.excl = F_CTMASK | F_NFMASK},
+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
+ .excl = F_OP_ANY},
XTOPT_TABLEEND,
};
#undef s
@@ -148,6 +154,38 @@ static const struct xt_option_entry conn
};
#undef s
+#define s struct xt_connmark_tginfo3
+static const struct xt_option_entry connmark_tg_opts_v3[] = {
+ {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
+ .excl = F_OP_ANY},
+ {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
+ .excl = F_OP_ANY},
+ {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
+ .excl = F_OP_ANY},
+ {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
+ .excl = F_OP_ANY},
+ {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
+ .excl = F_OP_ANY},
+ {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
+ .excl = F_OP_ANY},
+ {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
+ .excl = F_OP_ANY},
+ {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8,
+ .min = 0, .max = 32},
+ {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8,
+ .min = 0, .max = 32},
+ {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
+ {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
+ {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
+ .excl = F_CTMASK | F_NFMASK},
+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
+ .excl = F_OP_ANY},
+ XTOPT_TABLEEND,
+};
+#undef s
+
static void connmark_tg_help(void)
{
printf(
@@ -175,6 +213,15 @@ static void connmark_tg_help_v2(void)
);
}
+static void connmark_tg_help_v3(void)
+{
+ connmark_tg_help_v2();
+ printf(
+" --set-dscpmark value/mask Save DSCP to conntrack mark value\n"
+);
+}
+
+
static void connmark_tg_init(struct xt_entry_target *target)
{
struct xt_connmark_tginfo1 *info = (void *)target->data;
@@ -199,6 +246,16 @@ static void connmark_tg_init_v2(struct x
info->shift_bits = 0;
}
+static void connmark_tg_init_v3(struct xt_entry_target *target)
+{
+ struct xt_connmark_tginfo3 *info;
+
+ connmark_tg_init_v2(target);
+ info = (void *)target->data;
+
+ info->func = 0;
+}
+
static void CONNMARK_parse(struct xt_option_call *cb)
{
struct xt_connmark_target_info *markinfo = cb->data;
@@ -253,6 +310,23 @@ static void connmark_tg_parse(struct xt_
info->ctmark = cb->val.u32;
info->ctmask = 0;
break;
+ case O_DSCP_MARK:
+/* we sneaky sneaky this. nfmask isn't used by the set mark functionality
+ * and by default is set to uint32max. We can use the top bit as a flag
+ * that we're in DSCP_MARK submode of SET_MARK, if set then it's normal
+ * if unset then we're in DSCP_MARK
+ */
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = cb->val.mark;
+ info->ctmask = cb->val.mask;
+ info->nfmask = info->ctmark ? ffs(info->ctmark) - 1 : 0;
+ /* need 6 contiguous bits */
+ if ((~0 & (info->ctmark >> info->nfmask)) != 0x3f)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
+ if (info->ctmark & info->ctmask)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
case O_SAVE_MARK:
info->mode = XT_CONNMARK_SAVE;
break;
@@ -320,6 +394,78 @@ static void connmark_tg_parse_v2(struct
}
}
+static void connmark_tg_parse_v3(struct xt_option_call *cb)
+{
+ struct xt_connmark_tginfo3 *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SET_XMARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_VALUE;
+ info->ctmark = cb->val.mark;
+ info->ctmask = cb->val.mask;
+ break;
+ case O_SET_MARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_VALUE;
+ info->ctmark = cb->val.mark;
+ info->ctmask = cb->val.mark | cb->val.mask;
+ break;
+ case O_AND_MARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_VALUE;
+ info->ctmark = 0;
+ info->ctmask = ~cb->val.u32;
+ break;
+ case O_OR_MARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_VALUE;
+ info->ctmark = cb->val.u32;
+ info->ctmask = cb->val.u32;
+ break;
+ case O_XOR_MARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_VALUE;
+ info->ctmark = cb->val.u32;
+ info->ctmask = 0;
+ break;
+ case O_DSCP_MARK:
+ info->mode = XT_CONNMARK_SET;
+ info->func = XT_CONNMARK_DSCP;
+ info->ctmark = cb->val.mark;
+ info->ctmask = cb->val.mask;
+ info->shift_bits = info->ctmark ? ffs(info->ctmark) - 1 : 0;
+ /* need 6 contiguous bits */
+ if ((~0 & (info->ctmark >> info->shift_bits)) != 0x3f)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
+ if (info->ctmark & info->ctmask)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
+ break;
+ case O_SAVE_MARK:
+ info->mode = XT_CONNMARK_SAVE;
+ break;
+ case O_RESTORE_MARK:
+ info->mode = XT_CONNMARK_RESTORE;
+ break;
+ case O_MASK:
+ info->nfmask = info->ctmask = cb->val.u32;
+ break;
+ case O_LEFT_SHIFT_MARK:
+ info->shift_dir = D_SHIFT_LEFT;
+ info->shift_bits = cb->val.u8;
+ break;
+ case O_RIGHT_SHIFT_MARK:
+ info->shift_dir = D_SHIFT_RIGHT;
+ info->shift_bits = cb->val.u8;
+ break;
+ default:
+ break;
+ }
+}
+
static void connmark_tg_check(struct xt_fcheck_call *cb)
{
if (!(cb->xflags & F_OP_ANY))
@@ -463,6 +609,65 @@ connmark_tg_print_v2(const void *ip, con
}
}
+static void
+connmark_tg_print_v3(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_connmark_tginfo3 *info = (const void *)target->data;
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ if (info->func & XT_CONNMARK_DSCP) {
+ printf(" CONNMARK DSCP 0x%x/0x%x",
+ info->ctmark, info->ctmask);
+ }
+ if (info->func & XT_CONNMARK_VALUE) {
+ if (info->ctmark == 0)
+ printf(" CONNMARK and 0x%x",
+ (unsigned int)(uint32_t)~info->ctmask);
+ else if (info->ctmark == info->ctmask)
+ printf(" CONNMARK or 0x%x", info->ctmark);
+ else if (info->ctmask == 0)
+ printf(" CONNMARK xor 0x%x", info->ctmark);
+ else if (info->ctmask == 0xFFFFFFFFU)
+ printf(" CONNMARK set 0x%x", info->ctmark);
+ else
+ printf(" CONNMARK xset 0x%x/0x%x",
+ info->ctmark, info->ctmask);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)
+ printf(" CONNMARK save");
+ else if (info->nfmask == info->ctmask)
+ printf(" CONNMARK save mask 0x%x", info->nfmask);
+ else
+ printf(" CONNMARK save nfmask 0x%x ctmask ~0x%x",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX)
+ printf(" CONNMARK restore");
+ else if (info->ctmask == info->nfmask)
+ printf(" CONNMARK restore mask 0x%x", info->ctmask);
+ else
+ printf(" CONNMARK restore ctmask 0x%x nfmask ~0x%x",
+ info->ctmask, info->nfmask);
+ break;
+
+ default:
+ printf(" ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+
+ if (info->mode <= XT_CONNMARK_RESTORE &&
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
+ info->shift_bits != 0) {
+ printf(" %s %u", shift_op, info->shift_bits);
+ }
+}
+
static void CONNMARK_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_connmark_target_info *markinfo =
@@ -548,6 +753,38 @@ connmark_tg_save_v2(const void *ip, cons
}
}
+static void
+connmark_tg_save_v3(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_connmark_tginfo3 *info = (const void *)target->data;
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ if (info->func & XT_CONNMARK_VALUE)
+ printf(" --set-xmark 0x%x/0x%x", info->ctmark, info->ctmask);
+ if (info->func & XT_CONNMARK_DSCP)
+ printf(" --set-dscpmark 0x%x/0x%x", info->ctmark, info->ctmask);
+ break;
+ case XT_CONNMARK_SAVE:
+ printf(" --save-mark --nfmask 0x%x --ctmask 0x%x",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ printf(" --restore-mark --nfmask 0x%x --ctmask 0x%x",
+ info->nfmask, info->ctmask);
+ break;
+ default:
+ printf(" ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+ if (info->mode <= XT_CONNMARK_RESTORE &&
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
+ info->shift_bits != 0) {
+ printf(" --%s %u", shift_op, info->shift_bits);
+ }
+}
+
static int connmark_tg_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct x
return 1;
}
+
+static int connmark_tg_xlate_v3(struct xt_xlate *xl,
+ const struct xt_xlate_tg_params *params)
+{
+ const struct xt_connmark_tginfo3 *info =
+ (const void *)params->target->data;
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ xt_xlate_add(xl, "ct mark set ");
+ if (info->func & XT_CONNMARK_VALUE) {
+ if (info->ctmask == 0xFFFFFFFFU)
+ xt_xlate_add(xl, "0x%x ", info->ctmark);
+ else if (info->ctmark == 0)
+ xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
+ else if (info->ctmark == info->ctmask)
+ xt_xlate_add(xl, "ct mark or 0x%x",
+ info->ctmark);
+ else if (info->ctmask == 0)
+ xt_xlate_add(xl, "ct mark xor 0x%x",
+ info->ctmark);
+ else
+ xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
+ info->ctmark, ~info->ctmask);
+ }
+ if (info->func & XT_CONNMARK_DSCP) {
+/* FIXME the nftables syntax would go here if only we knew what it was */
+ xt_xlate_add(xl, "ct mark set typeof(ct mark) ip dscp "
+ "<< %u or 0x%x", info->shift_bits,
+ info->ctmask);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ xt_xlate_add(xl, "ct mark set mark");
+ if (!(info->nfmask == UINT32_MAX &&
+ info->ctmask == UINT32_MAX)) {
+ if (info->nfmask == info->ctmask)
+ xt_xlate_add(xl, " and 0x%x", info->nfmask);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+ xt_xlate_add(xl, "meta mark set ct mark");
+ if (!(info->nfmask == UINT32_MAX &&
+ info->ctmask == UINT32_MAX)) {
+ if (info->nfmask == info->ctmask)
+ xt_xlate_add(xl, " and 0x%x", info->nfmask);
+ }
+ break;
+ }
+
+ if (info->mode <= XT_CONNMARK_RESTORE &&
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
+ info->shift_bits != 0) {
+ xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits);
+ }
+
+ return 1;
+}
+
static struct xtables_target connmark_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg
.x6_options = connmark_tg_opts_v2,
.xlate = connmark_tg_xlate_v2,
},
+ {
+ .version = XTABLES_VERSION,
+ .name = "CONNMARK",
+ .revision = 3,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
+ .help = connmark_tg_help_v3,
+ .init = connmark_tg_init_v3,
+ .print = connmark_tg_print_v3,
+ .save = connmark_tg_save_v3,
+ .x6_parse = connmark_tg_parse_v3,
+ .x6_fcheck = connmark_tg_check,
+ .x6_options = connmark_tg_opts_v3,
+ .xlate = connmark_tg_xlate_v3,
+ },
};
void _init(void)
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -18,6 +18,11 @@ enum {
XT_CONNMARK_RESTORE
};
+enum {
+ XT_CONNMARK_VALUE = (1 << 0),
+ XT_CONNMARK_DSCP = (1 << 1)
+};
+
struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
@@ -28,6 +33,11 @@ struct xt_connmark_tginfo2 {
__u8 shift_dir, shift_bits, mode;
};
+struct xt_connmark_tginfo3 {
+ __u32 ctmark, ctmask, nfmask;
+ __u8 shift_dir, shift_bits, mode, func;
+};
+
struct xt_connmark_mtinfo1 {
__u32 mark, mask;
__u8 invert;

View file

@ -0,0 +1,28 @@
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -968,12 +968,6 @@ void xtables_register_match(struct xtabl
struct xtables_match **pos;
bool seen_myself = false;
- if (me->next) {
- fprintf(stderr, "%s: match \"%s\" already registered\n",
- xt_params->program_name, me->name);
- exit(1);
- }
-
if (me->version == NULL) {
fprintf(stderr, "%s: match %s<%u> is missing a version\n",
xt_params->program_name, me->name, me->revision);
@@ -1152,12 +1146,6 @@ void xtables_register_target(struct xtab
struct xtables_target **pos;
bool seen_myself = false;
- if (me->next) {
- fprintf(stderr, "%s: target \"%s\" already registered\n",
- xt_params->program_name, me->name);
- exit(1);
- }
-
if (me->version == NULL) {
fprintf(stderr, "%s: target %s<%u> is missing a version\n",
xt_params->program_name, me->name, me->revision);

View file

@ -0,0 +1,18 @@
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -403,6 +403,7 @@ static char *get_modprobe(void)
int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
{
+#if 0
char *buf = NULL;
char *argv[4];
int status;
@@ -437,6 +438,7 @@ int xtables_insmod(const char *modname,
free(buf);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
return 0;
+#endif
return -1;
}

View file

@ -0,0 +1,13 @@
--- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c
@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
#endif
+#ifdef ENABLE_XML
{"iptables-xml", iptables_xml_main},
{"xml", iptables_xml_main},
+#endif
#ifdef ENABLE_IPV6
{"ip6tables", ip6tables_main},
{"main6", ip6tables_main},

View file

@ -0,0 +1,79 @@
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist
pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
-pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod})
-pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod})
-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+ifdef BUILTIN_MODULES
+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
+pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod})
+pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod})
+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
+else
+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
+@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod)
+@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod)
+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
+endif
+
+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
+pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod))
+pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod))
+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
+
+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
+pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_static})
+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod})
pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod})
@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
#
targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
targets_install :=
-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs}
-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
+libext_objs := ${pfx_objs}
+libext_ebt_objs := ${pfb_objs}
+libext_arpt_objs := ${pfa_objs}
+libext4_objs := ${pf4_objs}
+libext6_objs := ${pf6_objs}
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
+symlinks_install := ${pfx_symlink_files}
.SECONDARY:
@@ -161,11 +181,11 @@ libext4.a: initext4.o ${libext4_objs}
libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
-initext_func := $(addprefix xt_,${pfx_build_mod})
-initextb_func := $(addprefix ebt_,${pfb_build_mod})
-initexta_func := $(addprefix arpt_,${pfa_build_mod})
-initext4_func := $(addprefix ipt_,${pf4_build_mod})
-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
+initext_func := $(addprefix xt_,${pfx_build_static})
+initextb_func := $(addprefix ebt_,${pfb_build_static})
+initexta_func := $(addprefix arpt_,${pfa_build_static})
+initext4_func := $(addprefix ipt_,${pf4_build_static})
+initext6_func := $(addprefix ip6t_,${pf6_build_static})
.initext.dd: FORCE
@echo "${initext_func}" >$@.tmp; \

View file

@ -0,0 +1,102 @@
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
#
# Building blocks
#
-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
+targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man
targets_install :=
libext_objs := ${pfx_objs}
libext_ebt_objs := ${pfb_objs}
@@ -132,7 +132,7 @@ clean:
distclean: clean
init%.o: init%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-include .*.d
@@ -164,22 +164,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
# handling code in the Makefiles.
#
lib%.o: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-libext.a: initext.o ${libext_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext.so: initext.o ${libext_objs}
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
-libext_ebt.a: initextb.o ${libext_ebt_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_ebt.so: initextb.o ${libext_ebt_objs}
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
-libext_arpt.a: initexta.o ${libext_arpt_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_arpt.so: initexta.o ${libext_arpt_objs}
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
-libext4.a: initext4.o ${libext4_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext4.so: initext4.o ${libext4_objs}
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
-libext6.a: initext6.o ${libext6_objs}
- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext6.so: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
initext_func := $(addprefix xt_,${pfx_build_static})
initextb_func := $(addprefix ebt_,${pfb_build_static})
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -7,19 +7,22 @@ BUILT_SOURCES =
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
-xtables_legacy_multi_LDADD = ../extensions/libext.a
+xtables_legacy_multi_LDADD =
+xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext
if ENABLE_STATIC
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
endif
if ENABLE_IPV4
xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
+xtables_legacy_multi_LDFLAGS += -liptext4
endif
if ENABLE_IPV6
xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
+xtables_legacy_multi_LDFLAGS += -liptext6
endif
xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD += ../libxt
if ENABLE_NFTABLES
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
-xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
+xtables_nft_multi_LDADD =
+xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt
if ENABLE_STATIC
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif
@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
xtables-translate.c
-xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
+xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
+xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
xtables_nft_multi_SOURCES += xshared.c
xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm
endif

View file

@ -0,0 +1,95 @@
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1395,6 +1395,7 @@ static int conntrack3_mt6_xlate(struct x
}
static struct xtables_match conntrack_mt_reg[] = {
+#ifndef NO_LEGACY
{
.version = XTABLES_VERSION,
.name = "conntrack",
@@ -1470,6 +1471,7 @@ static struct xtables_match conntrack_mt
.alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
+#endif
{
.version = XTABLES_VERSION,
.name = "conntrack",
@@ -1502,6 +1504,7 @@ static struct xtables_match conntrack_mt
.x6_options = conntrack3_mt_opts,
.xlate = conntrack3_mt6_xlate,
},
+#ifndef NO_LEGACY
{
.family = NFPROTO_UNSPEC,
.name = "state",
@@ -1532,6 +1535,8 @@ static struct xtables_match conntrack_mt
.x6_parse = state_ct23_parse,
.x6_options = state_opts,
},
+#endif
+#ifndef NO_LEGACY
{
.family = NFPROTO_UNSPEC,
.name = "state",
@@ -1561,6 +1566,7 @@ static struct xtables_match conntrack_mt
.x6_parse = state_parse,
.x6_options = state_opts,
},
+#endif
};
void _init(void)
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -363,6 +363,7 @@ static int xlate_ct1_tg(struct xt_xlate
}
static struct xtables_target ct_target_reg[] = {
+#ifndef NO_LEGACY
{
.family = NFPROTO_UNSPEC,
.name = "CT",
@@ -388,6 +389,7 @@ static struct xtables_target ct_target_r
.x6_parse = ct_parse_v1,
.x6_options = ct_opts_v1,
},
+#endif
{
.family = NFPROTO_UNSPEC,
.name = "CT",
@@ -403,6 +405,7 @@ static struct xtables_target ct_target_r
.x6_options = ct_opts_v1,
.xlate = xlate_ct1_tg,
},
+#ifndef NO_LEGACY
{
.family = NFPROTO_UNSPEC,
.name = "NOTRACK",
@@ -441,6 +444,7 @@ static struct xtables_target ct_target_r
.revision = 0,
.version = XTABLES_VERSION,
},
+#endif
};
void _init(void)
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
}
static struct xtables_match multiport_mt_reg[] = {
+#ifndef NO_LEGACY
{
.family = NFPROTO_IPV4,
.name = "multiport",
@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
.x6_options = multiport_opts,
.xlate = multiport_xlate6,
},
+#endif
{
.family = NFPROTO_IPV4,
.name = "multiport",

View file

@ -0,0 +1,95 @@
--- /dev/null
+++ b/extensions/libxt_FLOWOFFLOAD.c
@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_FLOWOFFLOAD.h>
+
+enum {
+ O_HW,
+};
+
+static void offload_help(void)
+{
+ printf(
+"FLOWOFFLOAD target options:\n"
+" --hw Enable hardware offload\n"
+ );
+}
+
+static const struct xt_option_entry offload_opts[] = {
+ {.name = "hw", .id = O_HW, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+static void offload_parse(struct xt_option_call *cb)
+{
+ struct xt_flowoffload_target_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_HW:
+ info->flags |= XT_FLOWOFFLOAD_HW;
+ break;
+ }
+}
+
+static void offload_print(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_flowoffload_target_info *info =
+ (const struct xt_flowoffload_target_info *)target->data;
+
+ printf(" FLOWOFFLOAD");
+ if (info->flags & XT_FLOWOFFLOAD_HW)
+ printf(" hw");
+}
+
+static void offload_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_flowoffload_target_info *info =
+ (const struct xt_flowoffload_target_info *)target->data;
+
+ if (info->flags & XT_FLOWOFFLOAD_HW)
+ printf(" --hw");
+}
+
+static struct xtables_target offload_tg_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "FLOWOFFLOAD",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_flowoffload_target_info)),
+ .userspacesize = sizeof(struct xt_flowoffload_target_info),
+ .help = offload_help,
+ .print = offload_print,
+ .save = offload_save,
+ .x6_parse = offload_parse,
+ .x6_options = offload_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
+}
--- /dev/null
+++ b/include/linux/netfilter/xt_FLOWOFFLOAD.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _XT_FLOWOFFLOAD_H
+#define _XT_FLOWOFFLOAD_H
+
+#include <linux/types.h>
+
+enum {
+ XT_FLOWOFFLOAD_HW = 1 << 0,
+
+ XT_FLOWOFFLOAD_MASK = XT_FLOWOFFLOAD_HW
+};
+
+struct xt_flowoffload_target_info {
+ __u32 flags;
+};
+
+#endif /* _XT_FLOWOFFLOAD_H */