diff --git a/root/package/network/utils/iptables/Makefile b/root/package/network/utils/iptables/Makefile
new file mode 100644
index 00000000..ea9561b6
--- /dev/null
+++ b/root/package/network/utils/iptables/Makefile
@@ -0,0 +1,806 @@
+#
+# Copyright (C) 2006-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.8.7
+PKG_RELEASE:=6
+
+PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_HASH:=c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0
+
+PKG_FIXUP:=autoreconf
+PKG_FLAGS:=nonshared
+
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+ -include $(LINUX_DIR)/.config
+ include $(INCLUDE_DIR)/netfilter.mk
+ STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | $(MKHASH) md5)
+endif
+
+
+define Package/iptables/Default
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ URL:=https://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+ DEPENDS:=+libxtables $(1)
+endef
+
+define Package/xtables-legacy
+$(call Package/iptables/Default)
+ TITLE:=IP firewall administration tool
+ DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables
+endef
+
+define Package/iptables-legacy
+$(call Package/iptables/Default)
+ TITLE:=IP firewall administration tool
+ DEPENDS+= +xtables-legacy
+ PROVIDES:=iptables
+ ALTERNATIVES:=\
+ 200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \
+ 200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \
+ 200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi
+endef
+
+define Package/iptables-legacy/description
+IP firewall administration tool.
+
+ Matches:
+ - icmp
+ - tcp
+ - udp
+ - comment
+ - conntrack
+ - limit
+ - mac
+ - mark
+ - multiport
+ - set
+ - state
+ - time
+
+ Targets:
+ - ACCEPT
+ - CT
+ - DNAT
+ - DROP
+ - REJECT
+ - FLOWOFFLOAD
+ - LOG
+ - MARK
+ - MASQUERADE
+ - REDIRECT
+ - SET
+ - SNAT
+ - TCPMSS
+
+ Tables:
+ - filter
+ - mangle
+ - nat
+ - raw
+
+endef
+
+define Package/xtables-nft
+$(call Package/iptables/Default)
+ TITLE:=IP firewall administration tool nft
+ DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
+endef
+
+define Package/arptables-nft
+$(call Package/iptables/Default)
+ DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
+ TITLE:=ARP firewall administration tool nft
+ PROVIDES:=arptables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ebtables-nft
+$(call Package/iptables/Default)
+ DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
+ TITLE:=Bridge firewall administration tool nft
+ PROVIDES:=ebtables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/iptables-nft
+$(call Package/iptables/Default)
+ TITLE:=IP firewall administration tool nft
+ DEPENDS:=+kmod-ipt-core +xtables-nft
+ PROVIDES:=iptables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/iptables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/iptables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/iptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/iptables-nft/description
+Extra iptables nftables nft binaries.
+ iptables-nft
+ iptables-nft-restore
+ iptables-nft-save
+ iptables-translate
+ iptables-restore-translate
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra +kmod-ipt-raw)
+ TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+ - connbytes
+ - connlimit
+ - connmark
+ - recent
+ - helper
+
+ Targets:
+ - CONNMARK
+
+endef
+
+define Package/iptables-mod-conntrack-label
+$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
+ TITLE:=Connection tracking labeling extension
+ DEFAULT:=y if IPTABLES_CONNLABEL
+endef
+
+define Package/iptables-mod-conntrack-label/description
+Match and set label(s) on connection tracking entries
+
+ Matches:
+ - connlabel
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+ TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+ - string
+ - bpf
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+ TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+ - dscp
+ - ecn
+ - length
+ - statistic
+ - tcpmss
+ - unclean
+ - hl
+
+ Targets:
+ - DSCP
+ - CLASSIFY
+ - ECN
+ - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+ TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+ - ah
+ - esp
+ - policy
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+ TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+ - MIRROR
+ - NETMAP
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+ TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+ - ULOG
+
+endef
+
+define Package/iptables-mod-nflog
+$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
+ TITLE:=Netfilter NFLOG target
+endef
+
+define Package/iptables-mod-nflog/description
+ iptables extension for user-space logging via NFNETLINK.
+
+ Includes:
+ - libxt_NFLOG
+
+endef
+
+define Package/iptables-mod-trace
+$(call Package/iptables/Module, +kmod-ipt-debug)
+ TITLE:=Netfilter TRACE target
+endef
+
+define Package/iptables-mod-trace/description
+ iptables extension for TRACE target
+
+ Includes:
+ - libxt_TRACE
+
+endef
+
+
+define Package/iptables-mod-nfqueue
+$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
+ TITLE:=Netfilter NFQUEUE target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extension for user-space queuing via NFNETLINK.
+
+ Includes:
+ - libxt_NFQUEUE
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+ TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+ - hashlimit
+
+endef
+
+define Package/iptables-mod-rpfilter
+$(call Package/iptables/Module, +kmod-ipt-rpfilter)
+ TITLE:=rpfilter iptables extension
+endef
+
+define Package/iptables-mod-rpfilter/description
+iptables extensions for reverse path filter test on a packet
+
+ Matches:
+ - rpfilter
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+ TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+ - iprange
+
+endef
+
+define Package/iptables-mod-cluster
+$(call Package/iptables/Module, +kmod-ipt-cluster)
+ TITLE:=Match cluster extension
+endef
+
+define Package/iptables-mod-cluster/description
+iptables extensions for matching cluster.
+
+ Netfilter (IPv4/IPv6) module for matching cluster
+ This option allows you to build work-load-sharing clusters of
+ network servers/stateful firewalls without having a dedicated
+ load-balancing router/server/switch. Basically, this match returns
+ true when the packet must be handled by this cluster node. Thus,
+ all nodes see all packets and this match decides which node handles
+ what packets. The work-load sharing algorithm is based on source
+ address hashing.
+
+ This module is usable for ipv4 and ipv6.
+
+ If you select it, it enables kmod-ipt-cluster.
+
+ see `iptables -m cluster --help` for more information.
+endef
+
+define Package/iptables-mod-clusterip
+$(call Package/iptables/Module, +kmod-ipt-clusterip)
+ TITLE:=Clusterip extension
+endef
+
+define Package/iptables-mod-clusterip/description
+iptables extensions for CLUSTERIP.
+ The CLUSTERIP target allows you to build load-balancing clusters of
+ network servers without having a dedicated load-balancing
+ router/server/switch.
+
+ If you select it, it enables kmod-ipt-clusterip.
+
+ see `iptables -j CLUSTERIP --help` for more information.
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+ TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+ - addrtype
+ - condition
+ - owner
+ - pkttype
+ - quota
+
+endef
+
+define Package/iptables-mod-physdev
+$(call Package/iptables/Module, +kmod-ipt-physdev)
+ TITLE:=physdev iptables extension
+endef
+
+define Package/iptables-mod-physdev/description
+The iptables physdev match.
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+ TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+ - LED
+
+endef
+
+define Package/iptables-mod-socket
+$(call Package/iptables/Module, +kmod-ipt-socket)
+ TITLE:=Socket match iptables extensions
+endef
+
+define Package/iptables-mod-socket/description
+Socket match iptables extensions.
+
+ Matches:
+ - socket
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+ TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Targets:
+ - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+ TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+ - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+ TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+ - u32
+
+endef
+
+define Package/iptables-mod-checksum
+$(call Package/iptables/Module, +kmod-ipt-checksum)
+ TITLE:=IP CHECKSUM target extension
+endef
+
+define Package/iptables-mod-checksum/description
+iptables extension for the CHECKSUM calculation target
+endef
+
+define Package/ip6tables-legacy
+$(call Package/iptables/Default)
+ DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy
+ CATEGORY:=Network
+ TITLE:=IPv6 firewall administration tool
+ PROVIDES:=ip6tables
+ ALTERNATIVES:=\
+ 200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \
+ 200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \
+ 200:/usr/sbin/ip6tables-save:/usr/sbin/xtables-legacy-multi
+endef
+
+define Package/ip6tables-nft
+$(call Package/iptables/Default)
+ DEPENDS:=@IPV6 +kmod-ip6tables +xtables-nft
+ TITLE:=IP firewall administration tool nft
+ PROVIDES:=ip6tables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/ip6tables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ip6tables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ip6tables-nft/description
+Extra ip6tables nftables nft binaries.
+ ip6tables-nft
+ ip6tables-nft-restore
+ ip6tables-nft-save
+ ip6tables-translate
+ ip6tables-restore-translate
+endef
+
+define Package/ip6tables-extra
+$(call Package/iptables/Default)
+ DEPENDS:=+libxtables +kmod-ip6tables-extra
+ TITLE:=IPv6 header matching modules
+endef
+
+define Package/ip6tables-extra/description
+iptables header matching modules for IPv6
+endef
+
+define Package/ip6tables-mod-nat
+$(call Package/iptables/Default)
+ DEPENDS:=+libxtables +kmod-ipt-nat6
+ TITLE:=IPv6 NAT extensions
+endef
+
+define Package/ip6tables-mod-nat/description
+iptables extensions for IPv6-NAT targets.
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4 firewall - shared libiptc library
+ ABI_VERSION:=2
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv6 firewall - shared libiptc library
+ ABI_VERSION:=2
+endef
+
+define Package/libiptext
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4 firewall - shared libiptext library
+ ABI_VERSION:=0
+ DEPENDS:=+libxtables
+endef
+
+define Package/libiptext6
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv6 firewall - shared libiptext library
+ ABI_VERSION:=0
+ DEPENDS:=+libxtables
+endef
+
+define Package/libiptext-nft
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared libiptext nft library
+ ABI_VERSION:=0
+ DEPENDS:=@IPTABLES_NFTABLES +libxtables
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+ MENU:=1
+ ABI_VERSION:=12
+ DEPENDS:=+IPTABLES_CONNLABEL:libnetfilter-conntrack
+endef
+
+define Package/libxtables/config
+ config IPTABLES_CONNLABEL
+ bool "Enable Connlabel support"
+ default n
+ help
+ This enable connlabel support in iptables.
+
+ config IPTABLES_NFTABLES
+ bool "Enable Nftables support"
+ default y
+ help
+ This enable nftables support in iptables.
+endef
+
+TARGET_CPPFLAGS := \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include \
+ $(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include \
+ -ffunction-sections -fdata-sections \
+ -DNO_LEGACY
+
+TARGET_LDFLAGS += \
+ -Wl,--gc-sections
+
+CONFIGURE_ARGS += \
+ --enable-shared \
+ --enable-static \
+ --enable-devel \
+ --with-kernel="$(LINUX_DIR)/user_headers" \
+ --with-xtlibdir=/usr/lib/iptables \
+ --with-xt-lock-name=/var/run/xtables.lock \
+ $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
+ $(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
+ $(if $(CONFIG_IPV6),,--disable-ipv6)
+
+MAKE_FLAGS := \
+ $(TARGET_CONFIGURE_OPTS) \
+ COPT_FLAGS="$(TARGET_CFLAGS)" \
+ KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
+ BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
+
+ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
+ define Build/Configure/rebuild
+ $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
+ rm -f $(PKG_BUILD_DIR)/.config_*
+ rm -f $(PKG_BUILD_DIR)/.configured_*
+ touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
+ endef
+endif
+
+define Build/Configure
+$(Build/Configure/rebuild)
+$(Build/Configure/Default)
+endef
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include
+ $(INSTALL_DIR) $(1)/usr/include/iptables
+ $(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+ # XXX: iptables header fixup, some headers are not installed by iptables anymore
+ $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+ $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
+
+ # XXX: needed by firewall3
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
+endef
+
+define Package/xtables-legacy/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
+endef
+
+define Package/iptables-legacy/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/xtables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
+endef
+
+define Package/arptables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+ $(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/ebtables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+ $(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/iptables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
+endef
+
+define Package/ip6tables-legacy/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/
+endef
+
+define Package/ip6tables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/
+endef
+
+define Package/libip4tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so.* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so.* $(1)/usr/lib/
+endef
+
+define Package/libiptext/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
+endef
+
+define Package/libiptext6/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
+endef
+
+define Package/libiptext-nft/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/extensions/libiptext_*.so $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so.* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+ define Package/$(1)/install
+ $(INSTALL_DIR) $$(1)/usr/lib/iptables
+ for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ fi; \
+ done
+ $(3)
+ endef
+
+ $$(eval $$(call BuildPackage,$(1)))
+endef
+
+$(eval $(call BuildPackage,libxtables))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libiptext))
+$(eval $(call BuildPackage,libiptext6))
+$(eval $(call BuildPackage,libiptext-nft))
+$(eval $(call BuildPackage,xtables-legacy))
+$(eval $(call BuildPackage,iptables-legacy))
+$(eval $(call BuildPackage,xtables-nft))
+$(eval $(call BuildPackage,arptables-nft))
+$(eval $(call BuildPackage,ebtables-nft))
+$(eval $(call BuildPackage,iptables-nft))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-socket,$(IPT_SOCKET-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
+$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
+$(eval $(call BuildPackage,ip6tables-legacy))
+$(eval $(call BuildPackage,ip6tables-nft))
+$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
+$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
+
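Review bot: In the `define Package/ip6tables-nft` block the title is `TITLE:=IP firewall administration tool nft`, identical to `Package/iptables-nft`, while its legacy sibling `Package/ip6tables-legacy` correctly says `IPv6 firewall administration tool`; it should read `TITLE:=IPv6 firewall administration tool nft` so the two packages can be told apart in menuconfig and package listings. The ALTERNATIVES priorities (200 on every legacy package, 300 on every nft package) are what decide which backend ends up owning /usr/sbin/iptables, ip6tables, arptables and ebtables when both variants are installed, and nothing in the file says so; a one-line comment above the first ALTERNATIVES block, `# nft variants register at priority 300 so they win over the legacy tools (200) when both are installed`, would record the intent. The `$$$$$$$${m}` in BuildPlugin is presumably sized for the number of make expansions the recipe goes through before the shell sees it, but it is unreadable without a hint; a comment such as `# $ quoted once per expansion (BuildPlugin call, eval, install call, recipe) so the shell sees ${m}` with the count confirmed against an actual build would spare the next maintainer the experiment.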
diff --git a/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch b/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch
new file mode 100644
index 00000000..22ccfa53
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch
@@ -0,0 +1,68 @@
+From e727ccad036e2cdba3339536c65c7ceef43c0740 Mon Sep 17 00:00:00 2001
+From: Erik Wilson
+Date: Tue, 13 Jul 2021 16:48:23 -0700
+Subject: [PATCH] xtables: Call init_extensions6() for static builds
+
+Initialize extensions from libext6 for cases where xtables is built statically.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1550
+Signed-off-by: Erik Wilson
+Signed-off-by: Florian Westphal
+---
+ iptables/xtables-monitor.c | 1 +
+ iptables/xtables-restore.c | 1 +
+ iptables/xtables-save.c | 1 +
+ iptables/xtables-standalone.c | 1 +
+ iptables/xtables-translate.c | 1 +
+ 5 files changed, 5 insertions(+)
+
+--- a/iptables/xtables-monitor.c
++++ b/iptables/xtables-monitor.c
+@@ -628,6 +628,7 @@ int xtables_monitor_main(int argc, char
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensions4();
++ init_extensions6();
+ #endif
+
+ if (nft_init(&h, AF_INET, xtables_ipv4)) {
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -364,6 +364,7 @@ xtables_restore_main(int family, const c
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensions4();
++ init_extensions6();
+ #endif
+ break;
+ case NFPROTO_ARP:
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -202,6 +202,7 @@ xtables_save_main(int family, int argc,
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensions4();
++ init_extensions6();
+ #endif
+ tables = xtables_ipv4;
+ d.commit = true;
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -57,6 +57,7 @@ xtables_main(int family, const char *pro
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensions4();
++ init_extensions6();
+ #endif
+
+ if (nft_init(&h, family, xtables_ipv4) < 0) {
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -469,6 +469,7 @@ static int xtables_xlate_main_common(str
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+ init_extensions();
+ init_extensions4();
++ init_extensions6();
+ #endif
+ tables = xtables_ipv4;
+ break;
diff --git a/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch b/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
new file mode 100644
index 00000000..0d7226cc
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
@@ -0,0 +1,107 @@
+A modified version of this patch was commited upstream
+as part of a fixup series
+https://bugzilla.netfilter.org/show_bug.cgi?id=1593
+https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
+
+--- a/iptables/xtables-monitor.c
++++ b/iptables/xtables-monitor.c
+@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
+ init_extensions();
+ init_extensions4();
+ init_extensions6();
++ init_extensionsa();
++ init_extensionsb();
+ #endif
+
+ if (nft_init(&h, AF_INET, xtables_ipv4)) {
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
+ #endif
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ tables = xtables_bridge;
+ break;
+ default:
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
+ d.commit = true;
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE: {
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
+
+ if (!(d.format & FMT_NOCOUNTS)) {
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
+ init_extensions();
+ init_extensions4();
+ init_extensions6();
++ init_extensionsa();
++ init_extensionsb();
+ #endif
+
+ if (nft_init(&h, family, xtables_ipv4) < 0) {
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
+ tables = xtables_ipv4;
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ tables = xtables_bridge;
+ break;
+ default:
+--- a/iptables/xtables-arp.c
++++ b/iptables/xtables-arp.c
+@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
+ }
+
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
+ init_extensionsa();
+ #endif
+
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
+ }
+
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
+ init_extensionsb();
+ #endif
+
diff --git a/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch b/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch
new file mode 100644
index 00000000..9a5de639
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch
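Review bot: The patch header says only `A modified version of this patch was commited upstream` (typo: committed) and links bugzilla 1593 and upstream commit 0836524f, but it never states how this local version differs from what upstream merged, which is exactly what a maintainer needs when the package is bumped and the patch must be dropped or refreshed; a line after the links such as `Local differences from upstream: <describe the deviation>`, filled in by the author, would close that gap. On the code side, the new NFPROTO_ARP branches in xtables-restore.c, xtables-save.c and xtables-translate.c call `init_extensions()` followed by `init_extensionsa()`, and the xtables-arp.c hunk adds another `init_extensions()` inside `nft_init_arp()` (the bridge case in xtables-eb.c follows the same pattern); if both paths execute in one static-build process, `init_extensions()` runs twice, so it is worth confirming before this lands that libxtables tolerates a second registration of the same match/target set rather than erroring out. Every function touched here starts and ends outside its hunk, so the call ordering relative to `nft_init()` cannot be checked from the patch alone.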
@@ -0,0 +1,452 @@
+From 74267bacce0c43e5038b0377cb7c08f1ad9d50a3 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant
+Date: Sat, 23 Mar 2019 10:21:03 +0000
+Subject: [PATCH] iptables: connmark - add set-dscpmark option for openwrt
+
+Naive user space front end to xt_connmark 'setdscp' option.
+
+iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x01000000
+
+This version has a hack to support a backport to 4.14
+
+Signed-off-by: Kevin Darbyshire-Bryant
+---
+ extensions/libxt_CONNMARK.c | 315 +++++++++++++++++++++++++-
+ include/linux/netfilter/xt_connmark.h | 10 +
+ 2 files changed, 324 insertions(+), 1 deletion(-)
+
+--- a/extensions/libxt_CONNMARK.c
++++ b/extensions/libxt_CONNMARK.c
+@@ -22,6 +22,7 @@
+ #include
+ #include
+ #include
++ #include
+ #include
+ #include
+
+@@ -49,6 +50,7 @@ enum {
+ O_CTMASK,
+ O_NFMASK,
+ O_MASK,
++ O_DSCP_MARK,
+ F_SET_MARK = 1 << O_SET_MARK,
+ F_SAVE_MARK = 1 << O_SAVE_MARK,
+ F_RESTORE_MARK = 1 << O_RESTORE_MARK,
+@@ -61,8 +63,10 @@ enum {
+ F_CTMASK = 1 << O_CTMASK,
+ F_NFMASK = 1 << O_NFMASK,
+ F_MASK = 1 << O_MASK,
++ F_DSCP_MARK = 1 << O_DSCP_MARK,
+ F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
+- F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
++ F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK |
++ F_DSCP_MARK,
+ };
+
+ static const char *const xt_connmark_shift_ops[] = {
+@@ -114,6 +118,8 @@ static const struct xt_option_entry conn
+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
+ {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
+ .excl = F_CTMASK | F_NFMASK},
++ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
++ .excl = F_OP_ANY},
+ XTOPT_TABLEEND,
+ };
+ #undef s
+@@ -148,6 +154,38 @@ static const struct xt_option_entry conn
+ };
+ #undef s
+
++#define s struct xt_connmark_tginfo3
++static const struct xt_option_entry connmark_tg_opts_v3[] = {
++ {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
++ .excl = F_OP_ANY},
++ {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
++ .excl = F_OP_ANY},
++ {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
++ .excl = F_OP_ANY},
++ {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
++ .excl = F_OP_ANY},
++ {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
++ .excl = F_OP_ANY},
++ {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
++ .excl = F_OP_ANY},
++ {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
++ .excl = F_OP_ANY},
++ {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8,
++ .min = 0, .max = 32},
++ {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8,
++ .min = 0, .max = 32},
++ {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
++ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
++ {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
++ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
++ {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
++ .excl = F_CTMASK | F_NFMASK},
++ {.name = "set-dscp-mark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
++ .excl = F_OP_ANY},
++ XTOPT_TABLEEND,
++};
++#undef s
++
+ static void connmark_tg_help(void)
+ {
+ printf(
+@@ -175,6 +213,15 @@ static void connmark_tg_help_v2(void)
+ );
+ }
+
++static void connmark_tg_help_v3(void)
++{
++ connmark_tg_help_v2();
++ printf(
++" --set-dscpmark value/mask Save DSCP to conntrack mark value\n"
++);
++}
++
++
+ static void connmark_tg_init(struct xt_entry_target *target)
+ {
+ struct xt_connmark_tginfo1 *info = (void *)target->data;
+@@ -199,6 +246,16 @@ static void connmark_tg_init_v2(struct x
+ info->shift_bits = 0;
+ }
+
++static void connmark_tg_init_v3(struct xt_entry_target *target)
++{
++ struct xt_connmark_tginfo3 *info;
++
++ connmark_tg_init_v2(target);
++ info = (void *)target->data;
++
++ info->func = 0;
++}
++
+ static void CONNMARK_parse(struct xt_option_call *cb)
+ {
+ struct xt_connmark_target_info *markinfo = cb->data;
+@@ -253,6 +310,23 @@ static void connmark_tg_parse(struct xt_
+ info->ctmark = cb->val.u32;
+ info->ctmask = 0;
+ break;
++ case O_DSCP_MARK:
++/* we sneaky sneaky this. nfmask isn't used by the set mark functionality
++ * and by default is set to uint32max. We can use the top bit as a flag
++ * that we're in DSCP_MARK submode of SET_MARK, if set then it's normal
++ * if unset then we're in DSCP_MARK
++ */
++ info->mode = XT_CONNMARK_SET;
++ info->ctmark = cb->val.mark;
++ info->ctmask = cb->val.mask;
++ info->nfmask = info->ctmark ? ffs(info->ctmark) - 1 : 0;
++ /* need 6 contiguous bits */
++ if ((~0 & (info->ctmark >> info->nfmask)) != 0x3f)
++ xtables_error(PARAMETER_PROBLEM,
++ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
++ if (info->ctmark & info->ctmask)
++ xtables_error(PARAMETER_PROBLEM,
++ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
+ case O_SAVE_MARK:
+ info->mode = XT_CONNMARK_SAVE;
+ break;
+@@ -320,6 +394,78 @@ static void connmark_tg_parse_v2(struct
+ }
+ }
+
++static void connmark_tg_parse_v3(struct xt_option_call *cb)
++{
++ struct xt_connmark_tginfo3 *info = cb->data;
++
++ xtables_option_parse(cb);
++ switch (cb->entry->id) {
++ case O_SET_XMARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_VALUE;
++ info->ctmark = cb->val.mark;
++ info->ctmask = cb->val.mask;
++ break;
++ case O_SET_MARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_VALUE;
++ info->ctmark = cb->val.mark;
++ info->ctmask = cb->val.mark | cb->val.mask;
++ break;
++ case O_AND_MARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_VALUE;
++ info->ctmark = 0;
++ info->ctmask = ~cb->val.u32;
++ break;
++ case O_OR_MARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_VALUE;
++ info->ctmark = cb->val.u32;
++ info->ctmask = cb->val.u32;
++ break;
++ case O_XOR_MARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_VALUE;
++ info->ctmark = cb->val.u32;
++ info->ctmask = 0;
++ break;
++ case O_DSCP_MARK:
++ info->mode = XT_CONNMARK_SET;
++ info->func = XT_CONNMARK_DSCP;
++ info->ctmark = cb->val.mark;
++ info->ctmask = cb->val.mask;
++ info->shift_bits = info->ctmark ? ffs(info->ctmark) - 1 : 0;
++ /* need 6 contiguous bits */
++ if ((~0 & (info->ctmark >> info->shift_bits)) != 0x3f)
++ xtables_error(PARAMETER_PROBLEM,
++ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
++ if (info->ctmark & info->ctmask)
++ xtables_error(PARAMETER_PROBLEM,
++ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
++ break;
++ case O_SAVE_MARK:
++ info->mode = XT_CONNMARK_SAVE;
++ break;
++ case O_RESTORE_MARK:
++ info->mode = XT_CONNMARK_RESTORE;
++ break;
++ case O_MASK:
++ info->nfmask = info->ctmask = cb->val.u32;
++ break;
++ case O_LEFT_SHIFT_MARK:
++ info->shift_dir = D_SHIFT_LEFT;
++ info->shift_bits = cb->val.u8;
++ break;
++ case O_RIGHT_SHIFT_MARK:
++ info->shift_dir = D_SHIFT_RIGHT;
++ info->shift_bits = cb->val.u8;
++ break;
++ default:
++ break;
++ }
++}
++
+ static void connmark_tg_check(struct xt_fcheck_call *cb)
+ {
+ if (!(cb->xflags & F_OP_ANY))
+@@ -463,6 +609,65 @@ connmark_tg_print_v2(const void *ip, con
+ }
+ }
+
++static void
++connmark_tg_print_v3(const void *ip, const struct xt_entry_target *target,
++ int numeric)
++{
++ const struct xt_connmark_tginfo3 *info = (const void *)target->data;
++ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
++
++ switch (info->mode) {
++ case XT_CONNMARK_SET:
++ if (info->func & XT_CONNMARK_DSCP) {
++ printf(" CONNMARK DSCP 0x%x/0x%x",
++ info->ctmark, info->ctmask);
++ }
++ if (info->func & XT_CONNMARK_VALUE) {
++ if (info->ctmark == 0)
++ printf(" CONNMARK and 0x%x",
++ (unsigned int)(uint32_t)~info->ctmask);
++ else if (info->ctmark == info->ctmask)
++ printf(" CONNMARK or 0x%x", info->ctmark);
++ else if (info->ctmask == 0)
++ printf(" CONNMARK xor 0x%x", info->ctmark);
++ else if (info->ctmask == 0xFFFFFFFFU)
++
printf(" CONNMARK set 0x%x", info->ctmark); ++ else ++ printf(" CONNMARK xset 0x%x/0x%x", ++ info->ctmark, info->ctmask); ++ } ++ break; ++ case XT_CONNMARK_SAVE: ++ if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX) ++ printf(" CONNMARK save"); ++ else if (info->nfmask == info->ctmask) ++ printf(" CONNMARK save mask 0x%x", info->nfmask); ++ else ++ printf(" CONNMARK save nfmask 0x%x ctmask ~0x%x", ++ info->nfmask, info->ctmask); ++ break; ++ case XT_CONNMARK_RESTORE: ++ if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX) ++ printf(" CONNMARK restore"); ++ else if (info->ctmask == info->nfmask) ++ printf(" CONNMARK restore mask 0x%x", info->ctmask); ++ else ++ printf(" CONNMARK restore ctmask 0x%x nfmask ~0x%x", ++ info->ctmask, info->nfmask); ++ break; ++ ++ default: ++ printf(" ERROR: UNKNOWN CONNMARK MODE"); ++ break; ++ } ++ ++ if (info->mode <= XT_CONNMARK_RESTORE && ++ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && ++ info->shift_bits != 0) { ++ printf(" %s %u", shift_op, info->shift_bits); ++ } ++} ++ + static void CONNMARK_save(const void *ip, const struct xt_entry_target *target) + { + const struct xt_connmark_target_info *markinfo = +@@ -548,6 +753,38 @@ connmark_tg_save_v2(const void *ip, cons + } + } + ++static void ++connmark_tg_save_v3(const void *ip, const struct xt_entry_target *target) ++{ ++ const struct xt_connmark_tginfo3 *info = (const void *)target->data; ++ const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; ++ ++ switch (info->mode) { ++ case XT_CONNMARK_SET: ++ if (info->func & XT_CONNMARK_VALUE) ++ printf(" --set-xmark 0x%x/0x%x", info->ctmark, info->ctmask); ++ if (info->func & XT_CONNMARK_DSCP) ++ printf(" --set-dscpmark 0x%x/0x%x", info->ctmark, info->ctmask); ++ break; ++ case XT_CONNMARK_SAVE: ++ printf(" --save-mark --nfmask 0x%x --ctmask 0x%x", ++ info->nfmask, info->ctmask); ++ break; ++ case XT_CONNMARK_RESTORE: ++ printf(" --restore-mark --nfmask 0x%x --ctmask 0x%x", ++ 
info->nfmask, info->ctmask); ++ break; ++ default: ++ printf(" ERROR: UNKNOWN CONNMARK MODE"); ++ break; ++ } ++ if (info->mode <= XT_CONNMARK_RESTORE && ++ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && ++ info->shift_bits != 0) { ++ printf(" --%s %u", shift_op, info->shift_bits); ++ } ++} ++ + static int connmark_tg_xlate(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) + { +@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct x + + return 1; + } ++ ++static int connmark_tg_xlate_v3(struct xt_xlate *xl, ++ const struct xt_xlate_tg_params *params) ++{ ++ const struct xt_connmark_tginfo3 *info = ++ (const void *)params->target->data; ++ const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; ++ ++ switch (info->mode) { ++ case XT_CONNMARK_SET: ++ xt_xlate_add(xl, "ct mark set "); ++ if (info->func & XT_CONNMARK_VALUE) { ++ if (info->ctmask == 0xFFFFFFFFU) ++ xt_xlate_add(xl, "0x%x ", info->ctmark); ++ else if (info->ctmark == 0) ++ xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask); ++ else if (info->ctmark == info->ctmask) ++ xt_xlate_add(xl, "ct mark or 0x%x", ++ info->ctmark); ++ else if (info->ctmask == 0) ++ xt_xlate_add(xl, "ct mark xor 0x%x", ++ info->ctmark); ++ else ++ xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x", ++ info->ctmark, ~info->ctmask); ++ } ++ if (info->func & XT_CONNMARK_DSCP) { ++/* FIXME the nftables syntax would go here if only we knew what it was */ ++ xt_xlate_add(xl, "ct mark set typeof(ct mark) ip dscp " ++ "<< %u or 0x%x", info->shift_bits, ++ info->ctmask); ++ } ++ break; ++ case XT_CONNMARK_SAVE: ++ xt_xlate_add(xl, "ct mark set mark"); ++ if (!(info->nfmask == UINT32_MAX && ++ info->ctmask == UINT32_MAX)) { ++ if (info->nfmask == info->ctmask) ++ xt_xlate_add(xl, " and 0x%x", info->nfmask); ++ } ++ break; ++ case XT_CONNMARK_RESTORE: ++ xt_xlate_add(xl, "meta mark set ct mark"); ++ if (!(info->nfmask == UINT32_MAX && ++ info->ctmask == UINT32_MAX)) { ++ if (info->nfmask == 
info->ctmask) ++ xt_xlate_add(xl, " and 0x%x", info->nfmask); ++ } ++ break; ++ } ++ ++ if (info->mode <= XT_CONNMARK_RESTORE && ++ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && ++ info->shift_bits != 0) { ++ xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits); ++ } ++ ++ return 1; ++} ++ + static struct xtables_target connmark_tg_reg[] = { + { + .family = NFPROTO_UNSPEC, +@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg + .x6_options = connmark_tg_opts_v2, + .xlate = connmark_tg_xlate_v2, + }, ++ { ++ .version = XTABLES_VERSION, ++ .name = "CONNMARK", ++ .revision = 3, ++ .family = NFPROTO_UNSPEC, ++ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)), ++ .help = connmark_tg_help_v3, ++ .init = connmark_tg_init_v3, ++ .print = connmark_tg_print_v3, ++ .save = connmark_tg_save_v3, ++ .x6_parse = connmark_tg_parse_v3, ++ .x6_fcheck = connmark_tg_check, ++ .x6_options = connmark_tg_opts_v3, ++ .xlate = connmark_tg_xlate_v3, ++ }, + }; + + void _init(void) +--- a/include/linux/netfilter/xt_connmark.h ++++ b/include/linux/netfilter/xt_connmark.h +@@ -18,6 +18,11 @@ enum { + XT_CONNMARK_RESTORE + }; + ++enum { ++ XT_CONNMARK_VALUE = (1 << 0), ++ XT_CONNMARK_DSCP = (1 << 1) ++}; ++ + struct xt_connmark_tginfo1 { + __u32 ctmark, ctmask, nfmask; + __u8 mode; +@@ -28,6 +33,11 @@ struct xt_connmark_tginfo2 { + __u8 shift_dir, shift_bits, mode; + }; + ++struct xt_connmark_tginfo3 { ++ __u32 ctmark, ctmask, nfmask; ++ __u8 shift_dir, shift_bits, mode, func; ++}; ++ + struct xt_connmark_mtinfo1 { + __u32 mark, mask; + __u8 invert; diff --git a/root/package/network/utils/iptables/patches/101-remove-check-already.patch b/root/package/network/utils/iptables/patches/101-remove-check-already.patch new file mode 100644 index 00000000..16afafec --- /dev/null +++ b/root/package/network/utils/iptables/patches/101-remove-check-already.patch 
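Review bot: In the revision-1 `connmark_tg_parse` hunk (`@@ -253,6 +310,23 @@`) the new `case O_DSCP_MARK:` sets `info->mode = XT_CONNMARK_SET` and then runs straight into `case O_SAVE_MARK:`, which overwrites it with `XT_CONNMARK_SAVE`; none of the added lines is a `break`, whereas the same case in the `connmark_tg_parse_v3` hunk ends with `break;`. That contradicts the comment placed just above it, which describes the nfmask trick as a "submode of SET_MARK". If the fall-through is what the 4.14 backport hack keys on, keep it but say so, e.g. `/* fallthrough: the 4.14 kernel hack recognises this combination */` (worded to match what the kernel side actually checks), and correct the comment; otherwise add `break;` before `case O_SAVE_MARK:`. Both parse functions begin outside their hunks, so I cannot see whether anything later repairs `info->mode`.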
@@ -0,0 +1,28 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -968,12 +968,6 @@ void xtables_register_match(struct xtabl
+ struct xtables_match **pos;
+ bool seen_myself = false;
+ 
+- if (me->next) {
+- fprintf(stderr, "%s: match \"%s\" already registered\n",
+- xt_params->program_name, me->name);
+- exit(1);
+- }
+-
+ if (me->version == NULL) {
+ fprintf(stderr, "%s: match %s<%u> is missing a version\n",
+ xt_params->program_name, me->name, me->revision);
+@@ -1152,12 +1146,6 @@ void xtables_register_target(struct xtab
+ struct xtables_target **pos;
+ bool seen_myself = false;
+ 
+- if (me->next) {
+- fprintf(stderr, "%s: target \"%s\" already registered\n",
+- xt_params->program_name, me->name);
+- exit(1);
+- }
+-
+ if (me->version == NULL) {
+ fprintf(stderr, "%s: target %s<%u> is missing a version\n",
+ xt_params->program_name, me->name, me->revision);
diff --git a/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch b/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
new file mode 100644
index 00000000..b8e19c78
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -403,6 +403,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ char *buf = NULL;
+ char *argv[4];
+ int status;
+@@ -437,6 +438,7 @@ int xtables_insmod(const char *modname,
+ free(buf);
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ return 0;
++#endif
+ return -1;
+ }
+ 
diff --git a/root/package/network/utils/iptables/patches/103-optional-xml.patch b/root/package/network/utils/iptables/patches/103-optional-xml.patch
new file mode 100644
index 00000000..342808a3
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/103-optional-xml.patch
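Review bot: Deleting the `me->next` guard in `xtables_register_match` and `xtables_register_target` leaves no record of why a repeated registration is now acceptable, and the only thing left to cope with an object that is already on the pending list is the insertion loop after the hunk, which I cannot see. Presumably this is needed because the extensions now live in shared `libiptext*.so` objects and one `_init` can run more than once; the patch should say so, e.g. `/* OpenWrt: an extension object may be registered more than once (libiptext is shared); do not abort */`. A smaller change with a clearer failure mode would be `if (me->next) return;` in both functions, so a repeat is ignored rather than re-linked, unless the loop below is known to handle it. Both function bodies continue past the hunk.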
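Review bot: The `#if 0` stub of `xtables_insmod` now returns -1 unconditionally, so `modname`, `modprobe` and `quiet` are unused parameters and nothing in the patch tells a reader why module auto-loading was removed. A comment at the top of the body, `/* OpenWrt: never spawn modprobe from the firewall tool; netfilter modules must already be loaded */` (adjust if the real reason differs), plus `(void)modname; (void)modprobe; (void)quiet;` would document the intent and keep the build warning-free. Callers that treat -1 as "module not available" keep working, and not forking an external program from a root-privileged tool is a reasonable hardening as long as it is deliberate.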
@@ -0,0 +1,13 @@
+--- a/iptables/xtables-legacy-multi.c
++++ b/iptables/xtables-legacy-multi.c
+@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
+ 
+ 
+ #endif
++#ifdef ENABLE_XML
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
++#endif
+ #ifdef ENABLE_IPV6
+ {"ip6tables", ip6tables_main},
+ {"main6", ip6tables_main},
diff --git a/root/package/network/utils/iptables/patches/200-configurable_builtin.patch b/root/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 00000000..6d7b5b58
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/200-configurable_builtin.patch
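Review bot: The `#ifdef ENABLE_XML` guard removes the `iptables-xml`/`xml` subcommand entries, but nothing in this patch series defines ENABLE_XML, so they are compiled out unless the build passes `-DENABLE_XML`; meanwhile `iptables-xml.c` still sits in `xtables_legacy_multi_SOURCES` (visible in the 600 patch), so its code is linked into the binary either way. A comment beside the guard, `/* OpenWrt: iptables-xml is only reachable when ENABLE_XML is defined */`, would make that explicit, and if the goal is size the source list should be guarded the same way. The `multi_subcommands` table starts before the hunk.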
@@ -0,0 +1,79 @@ +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist + pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod}) + pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod}) + pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod}) +-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) +-pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) +-pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod}) +-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) +-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) ++ifdef BUILTIN_MODULES ++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod}) ++pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod}) ++pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod}) ++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod}) ++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod}) ++else ++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod) ++@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod) ++@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod) ++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod) ++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod) ++endif ++ ++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod)) ++pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod)) ++pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod)) ++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod)) ++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod)) ++ ++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static}) ++pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_static}) ++pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static}) ++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) ++pf6_objs := $(patsubst 
%,libip6t_%.o,${pf6_build_static}) + pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) + pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) + pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) +@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_ + # + targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man + targets_install := +-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} +-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs} +-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} +-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} +-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} +-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} +-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files} ++libext_objs := ${pfx_objs} ++libext_ebt_objs := ${pfb_objs} ++libext_arpt_objs := ${pfa_objs} ++libext4_objs := ${pf4_objs} ++libext6_objs := ${pf6_objs} ++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} ++targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}) ++symlinks_install := ${pfx_symlink_files} + + .SECONDARY: + +@@ -161,11 +181,11 @@ libext4.a: initext4.o ${libext4_objs} + libext6.a: initext6.o ${libext6_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +-initext_func := $(addprefix xt_,${pfx_build_mod}) +-initextb_func := $(addprefix ebt_,${pfb_build_mod}) +-initexta_func := $(addprefix arpt_,${pfa_build_mod}) +-initext4_func := $(addprefix ipt_,${pf4_build_mod}) +-initext6_func := $(addprefix ip6t_,${pf6_build_mod}) ++initext_func := $(addprefix xt_,${pfx_build_static}) ++initextb_func := $(addprefix ebt_,${pfb_build_static}) ++initexta_func := $(addprefix arpt_,${pfa_build_static}) ++initext4_func := $(addprefix 
ipt_,${pf4_build_static}) ++initext6_func := $(addprefix ip6t_,${pf6_build_static}) + + .initext.dd: FORCE + @echo "${initext_func}" >$@.tmp; \ diff --git a/root/package/network/utils/iptables/patches/600-shared-libext.patch b/root/package/network/utils/iptables/patches/600-shared-libext.patch new file mode 100644 index 00000000..819f628f --- /dev/null +++ b/root/package/network/utils/iptables/patches/600-shared-libext.patch 
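Review bot: When `BUILTIN_MODULES` is set, `$(filter $(BUILTIN_MODULES),${pfx_build_mod})` and its four siblings silently drop any name that is misspelled or that the blacklist filtering above already removed, so a typo in the package configuration produces a build that succeeds but lacks the extension, and the rules that need it only fail when the ruleset is loaded on the device. A check after the five `*_build_static` assignments turns that into a build-time error; it assumes plain names, since `filter` treats a `%` in a `BUILTIN_MODULES` entry as a wildcard, which is worth a one-line comment if anything relies on it.

```makefile
ifdef BUILTIN_MODULES
# ... unchanged: pfx/pfb/pfa/pf4/pf6_build_static assignments ...
builtin_unknown := $(filter-out ${pfx_build_mod} ${pfb_build_mod} ${pfa_build_mod} ${pf4_build_mod} ${pf6_build_mod},$(BUILTIN_MODULES))
ifneq ($(builtin_unknown),)
$(error BUILTIN_MODULES names unknown or blacklisted extensions: $(builtin_unknown))
endif
else
```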
@@ -0,0 +1,102 @@ +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_ + # + # Building blocks + # +-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man ++targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man + targets_install := + libext_objs := ${pfx_objs} + libext_ebt_objs := ${pfb_objs} +@@ -132,7 +132,7 @@ clean: + distclean: clean + + init%.o: init%.c +- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<; ++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + + -include .*.d + +@@ -164,22 +164,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn + # handling code in the Makefiles. + # + lib%.o: ${srcdir}/lib%.c +- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<; ++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + +-libext.a: initext.o ${libext_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext.so: initext.o ${libext_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); + +-libext_ebt.a: initextb.o ${libext_ebt_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext_ebt.so: initextb.o ${libext_ebt_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); + +-libext_arpt.a: initexta.o ${libext_arpt_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext_arpt.so: initexta.o ${libext_arpt_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables 
$(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); + +-libext4.a: initext4.o ${libext4_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext4.so: initext4.o ${libext4_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); + +-libext6.a: initext6.o ${libext6_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext6.so: initext6.o ${libext6_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); + + initext_func := $(addprefix xt_,${pfx_build_static}) + initextb_func := $(addprefix ebt_,${pfb_build_static}) +--- a/iptables/Makefile.am ++++ b/iptables/Makefile.am +@@ -7,19 +7,22 @@ BUILT_SOURCES = + + xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c + xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} +-xtables_legacy_multi_LDADD = ../extensions/libext.a ++xtables_legacy_multi_LDADD = ++xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext + if ENABLE_STATIC + xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE + endif + if ENABLE_IPV4 + xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c + xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 +-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a ++xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ++xtables_legacy_multi_LDFLAGS += -liptext4 + endif + if ENABLE_IPV6 + xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c + xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 +-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a ++xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ++xtables_legacy_multi_LDFLAGS += -liptext6 + endif + xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c + xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm +@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD += 
../libxt + if ENABLE_NFTABLES + xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c + xtables_nft_multi_CFLAGS = ${AM_CFLAGS} +-xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a ++xtables_nft_multi_LDADD = ++xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt + if ENABLE_STATIC + xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE + endif +@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav + xtables-eb-standalone.c xtables-eb.c \ + xtables-eb-translate.c \ + xtables-translate.c +-xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a ++xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ++xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt + xtables_nft_multi_SOURCES += xshared.c + xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm + endif diff --git a/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch new file mode 100644 index 00000000..cc451ef9 --- /dev/null +++ b/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch 
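Review bot: In `iptables/Makefile.am` the new `-L../extensions/ -liptext` (and `-liptext4`, `-liptext6`, `-liptext_ebt`, `-liptext_arpt`) are added to `xtables_legacy_multi_LDFLAGS` / `xtables_nft_multi_LDFLAGS` instead of `LDADD`; automake places LDFLAGS before the object files on the link line, so a toolchain that links with `--as-needed` can discard these libraries before any object references their `_init` symbols, and make no longer relinks the binaries when `libiptext*.so` changes. Keep them where the removed `libext*.a` entries were, e.g. `xtables_legacy_multi_LDADD = -L../extensions -liptext` and the same for the other four, leaving LDFLAGS for genuine flags. The `libiptext*.so` rules in GNUmakefile.in also pass no `-soname`; if the package Makefile installs them by file name that may be fine, but a comment saying so would help.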
@@ -0,0 +1,95 @@
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -1395,6 +1395,7 @@ static int conntrack3_mt6_xlate(struct x
+ }
+ 
+ static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1470,6 +1471,7 @@ static struct xtables_match conntrack_mt
+ .alias = conntrack_print_name_alias,
+ .x6_options = conntrack2_mt_opts,
+ },
++#endif
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+@@ -1502,6 +1504,7 @@ static struct xtables_match conntrack_mt
+ .x6_options = conntrack3_mt_opts,
+ .xlate = conntrack3_mt6_xlate,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1532,6 +1535,8 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_ct23_parse,
+ .x6_options = state_opts,
+ },
++#endif
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+@@ -1561,6 +1566,7 @@ static struct xtables_match conntrack_mt
+ .x6_parse = state_parse,
+ .x6_options = state_opts,
+ },
++#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_CT.c
++++ b/extensions/libxt_CT.c
+@@ -363,6 +363,7 @@ static int xlate_ct1_tg(struct xt_xlate
+ }
+ 
+ static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -388,6 +389,7 @@ static struct xtables_target ct_target_r
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
++#endif
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+@@ -403,6 +405,7 @@ static struct xtables_target ct_target_r
+ .x6_options = ct_opts_v1,
+ .xlate = xlate_ct1_tg,
+ },
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+@@ -441,6 +444,7 @@ static struct xtables_target ct_target_r
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ },
++#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
+ }
+ 
+ static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
+ .x6_options = multiport_opts,
+ .xlate = multiport_xlate6,
+ },
++#endif
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
diff --git a/root/package/network/utils/iptables/patches/800-flowoffload_target.patch b/root/package/network/utils/iptables/patches/800-flowoffload_target.patch
new file mode 100644
index 00000000..2f79ee83
--- /dev/null
+++ b/root/package/network/utils/iptables/patches/800-flowoffload_target.patch
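Review bot: In `libxt_conntrack.c` the `+#endif` / `+#ifndef NO_LEGACY` pair in the `@@ -1532,6 +1535,8 @@` hunk is immediately adjacent, so nothing between the guard opened after the conntrack rev-3 entry and the `#endif` after the `state_parse` entry survives; as far as these hunks show, every `state` registration is compiled out when NO_LEGACY is defined while only `conntrack` rev 3 and `CT` rev 1 remain, and I cannot see whether an unguarded `state` entry sits in the lines the hunks skip. If dropping `-m state` is intended, say so; otherwise move the guard so the `state`-via-conntrack-rev-3 entry stays, or merge the two adjacent guards so the intent is readable. Nothing in the series defines NO_LEGACY; a comment above each guarded array, e.g. `/* NO_LEGACY drops the older revisions; rules then require kernel support for conntrack rev 3 / CT rev 1 */`, would tell the next reader what the define costs. All three arrays and their `_init` functions extend beyond the hunks.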
@@ -0,0 +1,95 @@
+--- /dev/null
++++ b/extensions/libxt_FLOWOFFLOAD.c
+@@ -0,0 +1,72 @@
++#include 
++#include 
++#include 
++
++enum {
++ O_HW,
++};
++
++static void offload_help(void)
++{
++ printf(
++"FLOWOFFLOAD target options:\n"
++" --hw Enable hardware offload\n"
++ );
++}
++
++static const struct xt_option_entry offload_opts[] = {
++ {.name = "hw", .id = O_HW, .type = XTTYPE_NONE},
++ XTOPT_TABLEEND,
++};
++
++static void offload_parse(struct xt_option_call *cb)
++{
++ struct xt_flowoffload_target_info *info = cb->data;
++
++ xtables_option_parse(cb);
++ switch (cb->entry->id) {
++ case O_HW:
++ info->flags |= XT_FLOWOFFLOAD_HW;
++ break;
++ }
++}
++
++static void offload_print(const void *ip, const struct xt_entry_target *target, int numeric)
++{
++ const struct xt_flowoffload_target_info *info =
++ (const struct xt_flowoffload_target_info *)target->data;
++
++ printf(" FLOWOFFLOAD");
++ if (info->flags & XT_FLOWOFFLOAD_HW)
++ printf(" hw");
++}
++
++static void offload_save(const void *ip, const struct xt_entry_target *target)
++{
++ const struct xt_flowoffload_target_info *info =
++ (const struct xt_flowoffload_target_info *)target->data;
++
++ if (info->flags & XT_FLOWOFFLOAD_HW)
++ printf(" --hw");
++}
++
++static struct xtables_target offload_tg_reg[] = {
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "FLOWOFFLOAD",
++ .revision = 0,
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_flowoffload_target_info)),
++ .userspacesize = sizeof(struct xt_flowoffload_target_info),
++ .help = offload_help,
++ .print = offload_print,
++ .save = offload_save,
++ .x6_parse = offload_parse,
++ .x6_options = offload_opts,
++ },
++};
++
++void _init(void)
++{
++ xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_FLOWOFFLOAD.h
+@@ -0,0 +1,17 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef _XT_FLOWOFFLOAD_H
++#define _XT_FLOWOFFLOAD_H
++
++#include 
++
++enum {
++ XT_FLOWOFFLOAD_HW = 1 << 0,
++
++ XT_FLOWOFFLOAD_MASK = XT_FLOWOFFLOAD_HW
++};
++
++struct xt_flowoffload_target_info {
++ __u32 flags;
++};
++
++#endif /* _XT_FLOWOFFLOAD_H */
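Review bot: `libxt_FLOWOFFLOAD.c` registers no `.xlate` handler in `offload_tg_reg`, so `iptables-translate` / `iptables-nft-translate` cannot render a `-j FLOWOFFLOAD` rule, and the file carries no comment saying the target is OpenWrt-specific rather than part of upstream iptables; a header comment such as `/* OpenWrt-only FLOWOFFLOAD target (matches the OpenWrt xt_FLOWOFFLOAD kernel module); no nft translation is provided */` would save the next reader a search. `XT_FLOWOFFLOAD_MASK` in the new header is not referenced on the userspace side, presumably it is what the kernel side validates `flags` against; a one-line note next to it would confirm that. The `--hw` parse, print and save paths are consistent with each other for the single flag.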