diff --git a/root/package/network/utils/iptables/Makefile b/root/package/network/utils/iptables/Makefile
deleted file mode 100644
index ea9561b6..00000000
--- a/root/package/network/utils/iptables/Makefile
+++ /dev/null
@@ -1,806 +0,0 @@ -# -# Copyright (C) 2006-2016 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk -include $(INCLUDE_DIR)/kernel.mk - -PKG_NAME:=iptables -PKG_VERSION:=1.8.7 -PKG_RELEASE:=6 - -PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0 - -PKG_FIXUP:=autoreconf -PKG_FLAGS:=nonshared - -PKG_INSTALL:=1 -PKG_BUILD_PARALLEL:=1 -PKG_LICENSE:=GPL-2.0 -PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables - -include $(INCLUDE_DIR)/package.mk -ifeq ($(DUMP),) - -include $(LINUX_DIR)/.config - include $(INCLUDE_DIR)/netfilter.mk - STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | $(MKHASH) md5) -endif - - -define Package/iptables/Default - SECTION:=net - CATEGORY:=Network - SUBMENU:=Firewall - URL:=https://netfilter.org/ -endef - -define Package/iptables/Module -$(call Package/iptables/Default) - DEPENDS:=+libxtables $(1) -endef - -define Package/xtables-legacy -$(call Package/iptables/Default) - TITLE:=IP firewall administration tool - DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables -endef - -define Package/iptables-legacy -$(call Package/iptables/Default) - TITLE:=IP firewall administration tool - DEPENDS+= +xtables-legacy - PROVIDES:=iptables - ALTERNATIVES:=\ - 200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \ - 200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \ - 200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi -endef - -define Package/iptables-legacy/description -IP firewall administration tool. 
- - Matches: - - icmp - - tcp - - udp - - comment - - conntrack - - limit - - mac - - mark - - multiport - - set - - state - - time - - Targets: - - ACCEPT - - CT - - DNAT - - DROP - - REJECT - - FLOWOFFLOAD - - LOG - - MARK - - MASQUERADE - - REDIRECT - - SET - - SNAT - - TCPMSS - - Tables: - - filter - - mangle - - nat - - raw - -endef - -define Package/xtables-nft -$(call Package/iptables/Default) - TITLE:=IP firewall administration tool nft - DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat -endef - -define Package/arptables-nft -$(call Package/iptables/Default) - DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables - TITLE:=ARP firewall administration tool nft - PROVIDES:=arptables - ALTERNATIVES:=\ - 300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi -endef - -define Package/ebtables-nft -$(call Package/iptables/Default) - DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables - TITLE:=Bridge firewall administration tool nft - PROVIDES:=ebtables - ALTERNATIVES:=\ - 300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi -endef - -define Package/iptables-nft -$(call Package/iptables/Default) - TITLE:=IP firewall administration tool nft - DEPENDS:=+kmod-ipt-core +xtables-nft - PROVIDES:=iptables - ALTERNATIVES:=\ - 300:/usr/sbin/iptables:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/iptables-restore:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/iptables-save:/usr/sbin/xtables-nft-multi -endef - -define Package/iptables-nft/description -Extra iptables nftables nft binaries. 
- iptables-nft - iptables-nft-restore - iptables-nft-save - iptables-translate - iptables-restore-translate -endef - -define Package/iptables-mod-conntrack-extra -$(call Package/iptables/Module, +kmod-ipt-conntrack-extra +kmod-ipt-raw) - TITLE:=Extra connection tracking extensions -endef - -define Package/iptables-mod-conntrack-extra/description -Extra iptables extensions for connection tracking. - - Matches: - - connbytes - - connlimit - - connmark - - recent - - helper - - Targets: - - CONNMARK - -endef - -define Package/iptables-mod-conntrack-label -$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL) - TITLE:=Connection tracking labeling extension - DEFAULT:=y if IPTABLES_CONNLABEL -endef - -define Package/iptables-mod-conntrack-label/description -Match and set label(s) on connection tracking entries - - Matches: - - connlabel - -endef - -define Package/iptables-mod-filter -$(call Package/iptables/Module, +kmod-ipt-filter) - TITLE:=Content inspection extensions -endef - -define Package/iptables-mod-filter/description -iptables extensions for packet content inspection. -Includes support for: - - Matches: - - string - - bpf - -endef - -define Package/iptables-mod-ipopt -$(call Package/iptables/Module, +kmod-ipt-ipopt) - TITLE:=IP/Packet option extensions -endef - -define Package/iptables-mod-ipopt/description -iptables extensions for matching/changing IP packet options. - - Matches: - - dscp - - ecn - - length - - statistic - - tcpmss - - unclean - - hl - - Targets: - - DSCP - - CLASSIFY - - ECN - - HL - -endef - -define Package/iptables-mod-ipsec -$(call Package/iptables/Module, +kmod-ipt-ipsec) - TITLE:=IPsec extensions -endef - -define Package/iptables-mod-ipsec/description -iptables extensions for matching ipsec traffic. 
- - Matches: - - ah - - esp - - policy - -endef - -define Package/iptables-mod-nat-extra -$(call Package/iptables/Module, +kmod-ipt-nat-extra) - TITLE:=Extra NAT extensions -endef - -define Package/iptables-mod-nat-extra/description -iptables extensions for extra NAT targets. - - Targets: - - MIRROR - - NETMAP -endef - -define Package/iptables-mod-ulog -$(call Package/iptables/Module, +kmod-ipt-ulog) - TITLE:=user-space packet logging -endef - -define Package/iptables-mod-ulog/description -iptables extensions for user-space packet logging. - - Targets: - - ULOG - -endef - -define Package/iptables-mod-nflog -$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog) - TITLE:=Netfilter NFLOG target -endef - -define Package/iptables-mod-nflog/description - iptables extension for user-space logging via NFNETLINK. - - Includes: - - libxt_NFLOG - -endef - -define Package/iptables-mod-trace -$(call Package/iptables/Module, +kmod-ipt-debug) - TITLE:=Netfilter TRACE target -endef - -define Package/iptables-mod-trace/description - iptables extension for TRACE target - - Includes: - - libxt_TRACE - -endef - - -define Package/iptables-mod-nfqueue -$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue) - TITLE:=Netfilter NFQUEUE target -endef - -define Package/iptables-mod-nfqueue/description - iptables extension for user-space queuing via NFNETLINK. 
- - Includes: - - libxt_NFQUEUE - -endef - -define Package/iptables-mod-hashlimit -$(call Package/iptables/Module, +kmod-ipt-hashlimit) - TITLE:=hashlimit matching -endef - -define Package/iptables-mod-hashlimit/description -iptables extensions for hashlimit matching - - Matches: - - hashlimit - -endef - -define Package/iptables-mod-rpfilter -$(call Package/iptables/Module, +kmod-ipt-rpfilter) - TITLE:=rpfilter iptables extension -endef - -define Package/iptables-mod-rpfilter/description -iptables extensions for reverse path filter test on a packet - - Matches: - - rpfilter - -endef - -define Package/iptables-mod-iprange -$(call Package/iptables/Module, +kmod-ipt-iprange) - TITLE:=IP range extension -endef - -define Package/iptables-mod-iprange/description -iptables extensions for matching ip ranges. - - Matches: - - iprange - -endef - -define Package/iptables-mod-cluster -$(call Package/iptables/Module, +kmod-ipt-cluster) - TITLE:=Match cluster extension -endef - -define Package/iptables-mod-cluster/description -iptables extensions for matching cluster. - - Netfilter (IPv4/IPv6) module for matching cluster - This option allows you to build work-load-sharing clusters of - network servers/stateful firewalls without having a dedicated - load-balancing router/server/switch. Basically, this match returns - true when the packet must be handled by this cluster node. Thus, - all nodes see all packets and this match decides which node handles - what packets. The work-load sharing algorithm is based on source - address hashing. - - This module is usable for ipv4 and ipv6. - - If you select it, it enables kmod-ipt-cluster. - - see `iptables -m cluster --help` for more information. -endef - -define Package/iptables-mod-clusterip -$(call Package/iptables/Module, +kmod-ipt-clusterip) - TITLE:=Clusterip extension -endef - -define Package/iptables-mod-clusterip/description -iptables extensions for CLUSTERIP. 
- The CLUSTERIP target allows you to build load-balancing clusters of - network servers without having a dedicated load-balancing - router/server/switch. - - If you select it, it enables kmod-ipt-clusterip. - - see `iptables -j CLUSTERIP --help` for more information. -endef - -define Package/iptables-mod-extra -$(call Package/iptables/Module, +kmod-ipt-extra) - TITLE:=Other extra iptables extensions -endef - -define Package/iptables-mod-extra/description -Other extra iptables extensions. - - Matches: - - addrtype - - condition - - owner - - pkttype - - quota - -endef - -define Package/iptables-mod-physdev -$(call Package/iptables/Module, +kmod-ipt-physdev) - TITLE:=physdev iptables extension -endef - -define Package/iptables-mod-physdev/description -The iptables physdev match. -endef - -define Package/iptables-mod-led -$(call Package/iptables/Module, +kmod-ipt-led) - TITLE:=LED trigger iptables extension -endef - -define Package/iptables-mod-led/description -iptables extension for triggering a LED. - - Targets: - - LED - -endef - -define Package/iptables-mod-socket -$(call Package/iptables/Module, +kmod-ipt-socket) - TITLE:=Socket match iptables extensions -endef - -define Package/iptables-mod-socket/description -Socket match iptables extensions. - - Matches: - - socket - -endef - -define Package/iptables-mod-tproxy -$(call Package/iptables/Module, +kmod-ipt-tproxy) - TITLE:=Transparent proxy iptables extensions -endef - -define Package/iptables-mod-tproxy/description -Transparent proxy iptables extensions. - - Targets: - - TPROXY - -endef - -define Package/iptables-mod-tee -$(call Package/iptables/Module, +kmod-ipt-tee) - TITLE:=TEE iptables extensions -endef - -define Package/iptables-mod-tee/description -TEE iptables extensions. - - Targets: - - TEE - -endef - -define Package/iptables-mod-u32 -$(call Package/iptables/Module, +kmod-ipt-u32) - TITLE:=U32 iptables extensions -endef - -define Package/iptables-mod-u32/description -U32 iptables extensions. 
- - Matches: - - u32 - -endef - -define Package/iptables-mod-checksum -$(call Package/iptables/Module, +kmod-ipt-checksum) - TITLE:=IP CHECKSUM target extension -endef - -define Package/iptables-mod-checksum/description -iptables extension for the CHECKSUM calculation target -endef - -define Package/ip6tables-legacy -$(call Package/iptables/Default) - DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy - CATEGORY:=Network - TITLE:=IPv6 firewall administration tool - PROVIDES:=ip6tables - ALTERNATIVES:=\ - 200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \ - 200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \ - 200:/usr/sbin/ip6tables-save:/usr/sbin/xtables-legacy-multi -endef - -define Package/ip6tables-nft -$(call Package/iptables/Default) - DEPENDS:=@IPV6 +kmod-ip6tables +xtables-nft - TITLE:=IP firewall administration tool nft - PROVIDES:=ip6tables - ALTERNATIVES:=\ - 300:/usr/sbin/ip6tables:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-nft-multi \ - 300:/usr/sbin/ip6tables-save:/usr/sbin/xtables-nft-multi -endef - -define Package/ip6tables-nft/description -Extra ip6tables nftables nft binaries. - ip6tables-nft - ip6tables-nft-restore - ip6tables-nft-save - ip6tables-translate - ip6tables-restore-translate -endef - -define Package/ip6tables-extra -$(call Package/iptables/Default) - DEPENDS:=+libxtables +kmod-ip6tables-extra - TITLE:=IPv6 header matching modules -endef - -define Package/ip6tables-extra/description -iptables header matching modules for IPv6 -endef - -define Package/ip6tables-mod-nat -$(call Package/iptables/Default) - DEPENDS:=+libxtables +kmod-ipt-nat6 - TITLE:=IPv6 NAT extensions -endef - -define Package/ip6tables-mod-nat/description -iptables extensions for IPv6-NAT targets. 
-endef - -define Package/libip4tc -$(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4 firewall - shared libiptc library - ABI_VERSION:=2 -endef - -define Package/libip6tc -$(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv6 firewall - shared libiptc library - ABI_VERSION:=2 -endef - -define Package/libiptext - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4 firewall - shared libiptext library - ABI_VERSION:=0 - DEPENDS:=+libxtables -endef - -define Package/libiptext6 - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv6 firewall - shared libiptext library - ABI_VERSION:=0 - DEPENDS:=+libxtables -endef - -define Package/libiptext-nft - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4/IPv6 firewall - shared libiptext nft library - ABI_VERSION:=0 - DEPENDS:=@IPTABLES_NFTABLES +libxtables -endef - -define Package/libxtables - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4/IPv6 firewall - shared xtables library - MENU:=1 - ABI_VERSION:=12 - DEPENDS:=+IPTABLES_CONNLABEL:libnetfilter-conntrack -endef - -define Package/libxtables/config - config IPTABLES_CONNLABEL - bool "Enable Connlabel support" - default n - help - This enable connlabel support in iptables. - - config IPTABLES_NFTABLES - bool "Enable Nftables support" - default y - help - This enable nftables support in iptables. 
-endef - -TARGET_CPPFLAGS := \ - -I$(PKG_BUILD_DIR)/include \ - -I$(LINUX_DIR)/user_headers/include \ - $(TARGET_CPPFLAGS) - -TARGET_CFLAGS += \ - -I$(PKG_BUILD_DIR)/include \ - -I$(LINUX_DIR)/user_headers/include \ - -ffunction-sections -fdata-sections \ - -DNO_LEGACY - -TARGET_LDFLAGS += \ - -Wl,--gc-sections - -CONFIGURE_ARGS += \ - --enable-shared \ - --enable-static \ - --enable-devel \ - --with-kernel="$(LINUX_DIR)/user_headers" \ - --with-xtlibdir=/usr/lib/iptables \ - --with-xt-lock-name=/var/run/xtables.lock \ - $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \ - $(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \ - $(if $(CONFIG_IPV6),,--disable-ipv6) - -MAKE_FLAGS := \ - $(TARGET_CONFIGURE_OPTS) \ - COPT_FLAGS="$(TARGET_CFLAGS)" \ - KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \ - KBUILD_OUTPUT="$(LINUX_DIR)" \ - BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))" - -ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED))) - define Build/Configure/rebuild - $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f - rm -f $(PKG_BUILD_DIR)/.config_* - rm -f $(PKG_BUILD_DIR)/.configured_* - touch $(subst .configured_,.config_,$(STAMP_CONFIGURED)) - endef -endif - -define Build/Configure -$(Build/Configure/rebuild) -$(Build/Configure/Default) -endef - -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include - $(INSTALL_DIR) $(1)/usr/include/iptables - $(INSTALL_DIR) $(1)/usr/include/net/netfilter - - # XXX: iptables header fixup, some headers are not installed by iptables anymore - $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/ - $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/ - - 
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/ - - # XXX: needed by firewall3 - $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/ -endef - -define Package/xtables-legacy/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/ -endef - -define Package/iptables-legacy/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/ - $(INSTALL_DIR) $(1)/usr/lib/iptables -endef - -define Package/xtables-nft/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/ -endef - -define Package/arptables-nft/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/ - $(INSTALL_DIR) $(1)/usr/lib/iptables - $(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/ -endef - -define Package/ebtables-nft/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/ - $(INSTALL_DIR) $(1)/usr/lib/iptables - $(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/ -endef - -define Package/iptables-nft/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/ - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/ -endef - -define Package/ip6tables-legacy/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/ -endef - -define Package/ip6tables-nft/install 
- $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-nft{,-restore,-save} $(1)/usr/sbin/ - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/ -endef - -define Package/libip4tc/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so.* $(1)/usr/lib/ -endef - -define Package/libip6tc/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so.* $(1)/usr/lib/ -endef - -define Package/libiptext/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/ - $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/ -endef - -define Package/libiptext6/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/ -endef - -define Package/libiptext-nft/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_BUILD_DIR)/extensions/libiptext_*.so $(1)/usr/lib/ -endef - -define Package/libxtables/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so.* $(1)/usr/lib/ -endef - -define BuildPlugin - define Package/$(1)/install - $(INSTALL_DIR) $$(1)/usr/lib/iptables - for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \ - if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ - fi; \ - done - $(3) - endef - - $$(eval $$(call BuildPackage,$(1))) -endef - -$(eval $(call BuildPackage,libxtables)) -$(eval $(call BuildPackage,libip4tc)) -$(eval $(call BuildPackage,libip6tc)) -$(eval $(call BuildPackage,libiptext)) -$(eval $(call BuildPackage,libiptext6)) -$(eval $(call BuildPackage,libiptext-nft)) -$(eval $(call BuildPackage,xtables-legacy)) -$(eval $(call BuildPackage,iptables-legacy)) -$(eval $(call BuildPackage,xtables-nft)) -$(eval $(call BuildPackage,arptables-nft)) -$(eval $(call 
BuildPackage,ebtables-nft)) -$(eval $(call BuildPackage,iptables-nft)) -$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m))) -$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m))) -$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m))) -$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) -$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) -$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) -$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m))) -$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m))) -$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) -$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) -$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m))) -$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m))) -$(eval $(call BuildPlugin,iptables-mod-socket,$(IPT_SOCKET-m))) -$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) -$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) -$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) -$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m))) -$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m))) -$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m))) -$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m))) -$(eval $(call BuildPackage,ip6tables-legacy)) -$(eval $(call BuildPackage,ip6tables-nft)) -$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) -$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m))) - 
diff --git a/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch b/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch
deleted file mode 100644
index 22ccfa53..00000000
--- a/root/package/network/utils/iptables/patches/001-xtables-Call-init_extensions6-for-static-builds.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From e727ccad036e2cdba3339536c65c7ceef43c0740 Mon Sep 17 00:00:00 2001
-From: Erik Wilson
-Date: Tue, 13 Jul 2021 16:48:23 -0700
-Subject: [PATCH] xtables: Call init_extensions6() for static builds
-
-Initialize extensions from libext6 for cases where xtables is built statically.
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1550
-Signed-off-by: Erik Wilson
-Signed-off-by: Florian Westphal
----
- iptables/xtables-monitor.c | 1 +
- iptables/xtables-restore.c | 1 +
- iptables/xtables-save.c | 1 +
- iptables/xtables-standalone.c | 1 +
- iptables/xtables-translate.c | 1 +
- 5 files changed, 5 insertions(+)
-
---- a/iptables/xtables-monitor.c
-+++ b/iptables/xtables-monitor.c
-@@ -628,6 +628,7 @@ int xtables_monitor_main(int argc, char
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-+ init_extensions6();
- #endif
-
- if (nft_init(&h, AF_INET, xtables_ipv4)) {
---- a/iptables/xtables-restore.c
-+++ b/iptables/xtables-restore.c
-@@ -364,6 +364,7 @@ xtables_restore_main(int family, const c
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-+ init_extensions6();
- #endif
- break;
- case NFPROTO_ARP:
---- a/iptables/xtables-save.c
-+++ b/iptables/xtables-save.c
-@@ -202,6 +202,7 @@ xtables_save_main(int family, int argc,
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-+ init_extensions6();
- #endif
- tables = xtables_ipv4;
- d.commit = true;
---- a/iptables/xtables-standalone.c
-+++ b/iptables/xtables-standalone.c
-@@ -57,6 +57,7 @@ xtables_main(int family, const char *pro
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-+ init_extensions6();
- #endif
-
- if (nft_init(&h, family, xtables_ipv4) < 0) {
---- a/iptables/xtables-translate.c
-+++ b/iptables/xtables-translate.c
-@@ -469,6 +469,7 @@ static int xtables_xlate_main_common(str
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-+ init_extensions6();
- #endif
- tables = xtables_ipv4;
- break;
diff --git a/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch b/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
deleted file mode 100644
index 0d7226cc..00000000
--- a/root/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-A modified version of this patch was commited upstream
-as part of a fixup series
-https://bugzilla.netfilter.org/show_bug.cgi?id=1593
-https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
-
---- a/iptables/xtables-monitor.c
-+++ b/iptables/xtables-monitor.c
-@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
- init_extensions();
- init_extensions4();
- init_extensions6();
-+ init_extensionsa();
-+ init_extensionsb();
- #endif
-
- if (nft_init(&h, AF_INET, xtables_ipv4)) {
---- a/iptables/xtables-restore.c
-+++ b/iptables/xtables-restore.c
-@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
- #endif
- break;
- case NFPROTO_ARP:
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsa();
-+#endif
- tables = xtables_arp;
- break;
- case NFPROTO_BRIDGE:
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsb();
-+#endif
- tables = xtables_bridge;
- break;
- default:
---- a/iptables/xtables-save.c
-+++ b/iptables/xtables-save.c
-@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
- d.commit = true;
- break;
- case NFPROTO_ARP:
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsa();
-+#endif
- tables = xtables_arp;
- break;
- case NFPROTO_BRIDGE: {
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsb();
-+#endif
- const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
-
- if (!(d.format & FMT_NOCOUNTS)) {
---- a/iptables/xtables-standalone.c
-+++ b/iptables/xtables-standalone.c
-@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
- init_extensions();
- init_extensions4();
- init_extensions6();
-+ init_extensionsa();
-+ init_extensionsb();
- #endif
-
- if (nft_init(&h, family, xtables_ipv4) < 0) {
---- a/iptables/xtables-translate.c
-+++ b/iptables/xtables-translate.c
-@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
- tables = xtables_ipv4;
- break;
- case NFPROTO_ARP:
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsa();
-+#endif
- tables = xtables_arp;
- break;
- case NFPROTO_BRIDGE:
-+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
-+ init_extensionsb();
-+#endif
- tables = xtables_bridge;
- break;
- default:
---- a/iptables/xtables-arp.c
-+++ b/iptables/xtables-arp.c
-@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
- }
-
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
- init_extensionsa();
- #endif
-
---- a/iptables/xtables-eb.c
-+++ b/iptables/xtables-eb.c
-@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
- }
-
- #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-+ init_extensions();
- init_extensionsb();
- #endif
-
diff --git a/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch b/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch
deleted file mode 100644
index 9a5de639..00000000
--- a/root/package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch
+++ /dev/null
@@ -1,452 +0,0 @@ -From 74267bacce0c43e5038b0377cb7c08f1ad9d50a3 Mon Sep 17 00:00:00 2001 -From: Kevin Darbyshire-Bryant -Date: Sat, 23 Mar 2019 10:21:03 +0000 -Subject: [PATCH] iptables: connmark - add set-dscpmark option for openwrt - -Naive user space front end to xt_connmark 'setdscp' option. - -iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x01000000 - -This version has a hack to support a backport to 4.14 - -Signed-off-by: Kevin Darbyshire-Bryant ---- - extensions/libxt_CONNMARK.c | 315 +++++++++++++++++++++++++- - include/linux/netfilter/xt_connmark.h | 10 + - 2 files changed, 324 insertions(+), 1 deletion(-) - ---- a/extensions/libxt_CONNMARK.c -+++ b/extensions/libxt_CONNMARK.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -49,6 +50,7 @@ enum { - O_CTMASK, - O_NFMASK, - O_MASK, -+ O_DSCP_MARK, - F_SET_MARK = 1 << O_SET_MARK, - F_SAVE_MARK = 1 << O_SAVE_MARK, - F_RESTORE_MARK = 1 << O_RESTORE_MARK, -@@ -61,8 +63,10 @@ enum { - F_CTMASK = 1 << O_CTMASK, - F_NFMASK = 1 << O_NFMASK, - F_MASK = 1 << O_MASK, -+ F_DSCP_MARK = 1 << O_DSCP_MARK, - F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK | -- F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK, -+ F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK | -+ F_DSCP_MARK, - }; - - static const char *const xt_connmark_shift_ops[] = { -@@ -114,6 +118,8 @@ static const struct xt_option_entry conn - .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)}, - {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32, - .excl = F_CTMASK | F_NFMASK}, -+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32, -+ .excl = F_OP_ANY}, - XTOPT_TABLEEND, - }; - #undef s -@@ -148,6 +154,38 @@ static const struct xt_option_entry conn - }; - #undef s - -+#define s struct xt_connmark_tginfo3 -+static const struct xt_option_entry connmark_tg_opts_v3[] = { -+ {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32, -+ .excl = 
F_OP_ANY}, -+ {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32, -+ .excl = F_OP_ANY}, -+ {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32, -+ .excl = F_OP_ANY}, -+ {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32, -+ .excl = F_OP_ANY}, -+ {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32, -+ .excl = F_OP_ANY}, -+ {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE, -+ .excl = F_OP_ANY}, -+ {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE, -+ .excl = F_OP_ANY}, -+ {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8, -+ .min = 0, .max = 32}, -+ {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8, -+ .min = 0, .max = 32}, -+ {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32, -+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)}, -+ {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32, -+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)}, -+ {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32, -+ .excl = F_CTMASK | F_NFMASK}, -+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32, -+ .excl = F_OP_ANY}, -+ XTOPT_TABLEEND, -+}; -+#undef s -+ - static void connmark_tg_help(void) - { - printf( -@@ -175,6 +213,15 @@ static void connmark_tg_help_v2(void) - ); - } - -+static void connmark_tg_help_v3(void) -+{ -+ connmark_tg_help_v2(); -+ printf( -+" --set-dscpmark value/mask Save DSCP to conntrack mark value\n" -+); -+} -+ -+ - static void connmark_tg_init(struct xt_entry_target *target) - { - struct xt_connmark_tginfo1 *info = (void *)target->data; -@@ -199,6 +246,16 @@ static void connmark_tg_init_v2(struct x - info->shift_bits = 0; - } - -+static void connmark_tg_init_v3(struct xt_entry_target *target) -+{ -+ struct xt_connmark_tginfo3 *info; -+ -+ connmark_tg_init_v2(target); -+ info = (void *)target->data; -+ -+ info->func = 0; -+} -+ - static void CONNMARK_parse(struct xt_option_call *cb) - { - 
struct xt_connmark_target_info *markinfo = cb->data; -@@ -253,6 +310,23 @@ static void connmark_tg_parse(struct xt_ - info->ctmark = cb->val.u32; - info->ctmask = 0; - break; -+ case O_DSCP_MARK: -+/* we sneaky sneaky this. nfmask isn't used by the set mark functionality -+ * and by default is set to uint32max. We can use the top bit as a flag -+ * that we're in DSCP_MARK submode of SET_MARK, if set then it's normal -+ * if unset then we're in DSCP_MARK -+ */ -+ info->mode = XT_CONNMARK_SET; -+ info->ctmark = cb->val.mark; -+ info->ctmask = cb->val.mask; -+ info->nfmask = info->ctmark ? ffs(info->ctmark) - 1 : 0; -+ /* need 6 contiguous bits */ -+ if ((~0 & (info->ctmark >> info->nfmask)) != 0x3f) -+ xtables_error(PARAMETER_PROBLEM, -+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits"); -+ if (info->ctmark & info->ctmask) -+ xtables_error(PARAMETER_PROBLEM, -+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap"); - case O_SAVE_MARK: - info->mode = XT_CONNMARK_SAVE; - break; -@@ -320,6 +394,78 @@ static void connmark_tg_parse_v2(struct - } - } - -+static void connmark_tg_parse_v3(struct xt_option_call *cb) -+{ -+ struct xt_connmark_tginfo3 *info = cb->data; -+ -+ xtables_option_parse(cb); -+ switch (cb->entry->id) { -+ case O_SET_XMARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_VALUE; -+ info->ctmark = cb->val.mark; -+ info->ctmask = cb->val.mask; -+ break; -+ case O_SET_MARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_VALUE; -+ info->ctmark = cb->val.mark; -+ info->ctmask = cb->val.mark | cb->val.mask; -+ break; -+ case O_AND_MARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_VALUE; -+ info->ctmark = 0; -+ info->ctmask = ~cb->val.u32; -+ break; -+ case O_OR_MARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_VALUE; -+ info->ctmark = cb->val.u32; -+ info->ctmask = cb->val.u32; -+ break; -+ case O_XOR_MARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_VALUE; -+ 
info->ctmark = cb->val.u32; -+ info->ctmask = 0; -+ break; -+ case O_DSCP_MARK: -+ info->mode = XT_CONNMARK_SET; -+ info->func = XT_CONNMARK_DSCP; -+ info->ctmark = cb->val.mark; -+ info->ctmask = cb->val.mask; -+ info->shift_bits = info->ctmark ? ffs(info->ctmark) - 1 : 0; -+ /* need 6 contiguous bits */ -+ if ((~0 & (info->ctmark >> info->shift_bits)) != 0x3f) -+ xtables_error(PARAMETER_PROBLEM, -+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits"); -+ if (info->ctmark & info->ctmask) -+ xtables_error(PARAMETER_PROBLEM, -+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap"); -+ break; -+ case O_SAVE_MARK: -+ info->mode = XT_CONNMARK_SAVE; -+ break; -+ case O_RESTORE_MARK: -+ info->mode = XT_CONNMARK_RESTORE; -+ break; -+ case O_MASK: -+ info->nfmask = info->ctmask = cb->val.u32; -+ break; -+ case O_LEFT_SHIFT_MARK: -+ info->shift_dir = D_SHIFT_LEFT; -+ info->shift_bits = cb->val.u8; -+ break; -+ case O_RIGHT_SHIFT_MARK: -+ info->shift_dir = D_SHIFT_RIGHT; -+ info->shift_bits = cb->val.u8; -+ break; -+ default: -+ break; -+ } -+} -+ - static void connmark_tg_check(struct xt_fcheck_call *cb) - { - if (!(cb->xflags & F_OP_ANY)) -@@ -463,6 +609,65 @@ connmark_tg_print_v2(const void *ip, con - } - } - -+static void -+connmark_tg_print_v3(const void *ip, const struct xt_entry_target *target, -+ int numeric) -+{ -+ const struct xt_connmark_tginfo3 *info = (const void *)target->data; -+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; -+ -+ switch (info->mode) { -+ case XT_CONNMARK_SET: -+ if (info->func & XT_CONNMARK_DSCP) { -+ printf(" CONNMARK DSCP 0x%x/0x%x", -+ info->ctmark, info->ctmask); -+ } -+ if (info->func & XT_CONNMARK_VALUE) { -+ if (info->ctmark == 0) -+ printf(" CONNMARK and 0x%x", -+ (unsigned int)(uint32_t)~info->ctmask); -+ else if (info->ctmark == info->ctmask) -+ printf(" CONNMARK or 0x%x", info->ctmark); -+ else if (info->ctmask == 0) -+ printf(" CONNMARK xor 0x%x", info->ctmark); -+ else if (info->ctmask == 0xFFFFFFFFU) -+ 
printf(" CONNMARK set 0x%x", info->ctmark); -+ else -+ printf(" CONNMARK xset 0x%x/0x%x", -+ info->ctmark, info->ctmask); -+ } -+ break; -+ case XT_CONNMARK_SAVE: -+ if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX) -+ printf(" CONNMARK save"); -+ else if (info->nfmask == info->ctmask) -+ printf(" CONNMARK save mask 0x%x", info->nfmask); -+ else -+ printf(" CONNMARK save nfmask 0x%x ctmask ~0x%x", -+ info->nfmask, info->ctmask); -+ break; -+ case XT_CONNMARK_RESTORE: -+ if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX) -+ printf(" CONNMARK restore"); -+ else if (info->ctmask == info->nfmask) -+ printf(" CONNMARK restore mask 0x%x", info->ctmask); -+ else -+ printf(" CONNMARK restore ctmask 0x%x nfmask ~0x%x", -+ info->ctmask, info->nfmask); -+ break; -+ -+ default: -+ printf(" ERROR: UNKNOWN CONNMARK MODE"); -+ break; -+ } -+ -+ if (info->mode <= XT_CONNMARK_RESTORE && -+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && -+ info->shift_bits != 0) { -+ printf(" %s %u", shift_op, info->shift_bits); -+ } -+} -+ - static void CONNMARK_save(const void *ip, const struct xt_entry_target *target) - { - const struct xt_connmark_target_info *markinfo = -@@ -548,6 +753,38 @@ connmark_tg_save_v2(const void *ip, cons - } - } - -+static void -+connmark_tg_save_v3(const void *ip, const struct xt_entry_target *target) -+{ -+ const struct xt_connmark_tginfo3 *info = (const void *)target->data; -+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; -+ -+ switch (info->mode) { -+ case XT_CONNMARK_SET: -+ if (info->func & XT_CONNMARK_VALUE) -+ printf(" --set-xmark 0x%x/0x%x", info->ctmark, info->ctmask); -+ if (info->func & XT_CONNMARK_DSCP) -+ printf(" --set-dscpmark 0x%x/0x%x", info->ctmark, info->ctmask); -+ break; -+ case XT_CONNMARK_SAVE: -+ printf(" --save-mark --nfmask 0x%x --ctmask 0x%x", -+ info->nfmask, info->ctmask); -+ break; -+ case XT_CONNMARK_RESTORE: -+ printf(" --restore-mark --nfmask 0x%x --ctmask 0x%x", -+ 
info->nfmask, info->ctmask); -+ break; -+ default: -+ printf(" ERROR: UNKNOWN CONNMARK MODE"); -+ break; -+ } -+ if (info->mode <= XT_CONNMARK_RESTORE && -+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && -+ info->shift_bits != 0) { -+ printf(" --%s %u", shift_op, info->shift_bits); -+ } -+} -+ - static int connmark_tg_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) - { -@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct x - - return 1; - } -+ -+static int connmark_tg_xlate_v3(struct xt_xlate *xl, -+ const struct xt_xlate_tg_params *params) -+{ -+ const struct xt_connmark_tginfo3 *info = -+ (const void *)params->target->data; -+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; -+ -+ switch (info->mode) { -+ case XT_CONNMARK_SET: -+ xt_xlate_add(xl, "ct mark set "); -+ if (info->func & XT_CONNMARK_VALUE) { -+ if (info->ctmask == 0xFFFFFFFFU) -+ xt_xlate_add(xl, "0x%x ", info->ctmark); -+ else if (info->ctmark == 0) -+ xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask); -+ else if (info->ctmark == info->ctmask) -+ xt_xlate_add(xl, "ct mark or 0x%x", -+ info->ctmark); -+ else if (info->ctmask == 0) -+ xt_xlate_add(xl, "ct mark xor 0x%x", -+ info->ctmark); -+ else -+ xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x", -+ info->ctmark, ~info->ctmask); -+ } -+ if (info->func & XT_CONNMARK_DSCP) { -+/* FIXME the nftables syntax would go here if only we knew what it was */ -+ xt_xlate_add(xl, "ct mark set typeof(ct mark) ip dscp " -+ "<< %u or 0x%x", info->shift_bits, -+ info->ctmask); -+ } -+ break; -+ case XT_CONNMARK_SAVE: -+ xt_xlate_add(xl, "ct mark set mark"); -+ if (!(info->nfmask == UINT32_MAX && -+ info->ctmask == UINT32_MAX)) { -+ if (info->nfmask == info->ctmask) -+ xt_xlate_add(xl, " and 0x%x", info->nfmask); -+ } -+ break; -+ case XT_CONNMARK_RESTORE: -+ xt_xlate_add(xl, "meta mark set ct mark"); -+ if (!(info->nfmask == UINT32_MAX && -+ info->ctmask == UINT32_MAX)) { -+ if (info->nfmask == 
info->ctmask) -+ xt_xlate_add(xl, " and 0x%x", info->nfmask); -+ } -+ break; -+ } -+ -+ if (info->mode <= XT_CONNMARK_RESTORE && -+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) && -+ info->shift_bits != 0) { -+ xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits); -+ } -+ -+ return 1; -+} -+ - static struct xtables_target connmark_tg_reg[] = { - { - .family = NFPROTO_UNSPEC, -@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg - .x6_options = connmark_tg_opts_v2, - .xlate = connmark_tg_xlate_v2, - }, -+ { -+ .version = XTABLES_VERSION, -+ .name = "CONNMARK", -+ .revision = 3, -+ .family = NFPROTO_UNSPEC, -+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)), -+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)), -+ .help = connmark_tg_help_v3, -+ .init = connmark_tg_init_v3, -+ .print = connmark_tg_print_v3, -+ .save = connmark_tg_save_v3, -+ .x6_parse = connmark_tg_parse_v3, -+ .x6_fcheck = connmark_tg_check, -+ .x6_options = connmark_tg_opts_v3, -+ .xlate = connmark_tg_xlate_v3, -+ }, - }; - - void _init(void) ---- a/include/linux/netfilter/xt_connmark.h -+++ b/include/linux/netfilter/xt_connmark.h -@@ -18,6 +18,11 @@ enum { - XT_CONNMARK_RESTORE - }; - -+enum { -+ XT_CONNMARK_VALUE = (1 << 0), -+ XT_CONNMARK_DSCP = (1 << 1) -+}; -+ - struct xt_connmark_tginfo1 { - __u32 ctmark, ctmask, nfmask; - __u8 mode; -@@ -28,6 +33,11 @@ struct xt_connmark_tginfo2 { - __u8 shift_dir, shift_bits, mode; - }; - -+struct xt_connmark_tginfo3 { -+ __u32 ctmark, ctmask, nfmask; -+ __u8 shift_dir, shift_bits, mode, func; -+}; -+ - struct xt_connmark_mtinfo1 { - __u32 mark, mask; - __u8 invert; diff --git a/root/package/network/utils/iptables/patches/101-remove-check-already.patch b/root/package/network/utils/iptables/patches/101-remove-check-already.patch deleted file mode 100644 index 16afafec..00000000 --- a/root/package/network/utils/iptables/patches/101-remove-check-already.patch +++ /dev/null 
@@ -1,28 +0,0 @@
---- a/libxtables/xtables.c
-+++ b/libxtables/xtables.c
-@@ -968,12 +968,6 @@ void xtables_register_match(struct xtabl
- struct xtables_match **pos;
- bool seen_myself = false;
-
-- if (me->next) {
-- fprintf(stderr, "%s: match \"%s\" already registered\n",
-- xt_params->program_name, me->name);
-- exit(1);
-- }
--
- if (me->version == NULL) {
- fprintf(stderr, "%s: match %s<%u> is missing a version\n",
- xt_params->program_name, me->name, me->revision);
-@@ -1152,12 +1146,6 @@ void xtables_register_target(struct xtab
- struct xtables_target **pos;
- bool seen_myself = false;
-
-- if (me->next) {
-- fprintf(stderr, "%s: target \"%s\" already registered\n",
-- xt_params->program_name, me->name);
-- exit(1);
-- }
--
- if (me->version == NULL) {
- fprintf(stderr, "%s: target %s<%u> is missing a version\n",
- xt_params->program_name, me->name, me->revision);
diff --git a/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch b/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
deleted file mode 100644
index b8e19c78..00000000
--- a/root/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/libxtables/xtables.c
-+++ b/libxtables/xtables.c
-@@ -403,6 +403,7 @@ static char *get_modprobe(void)
-
- int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
- {
-+#if 0
- char *buf = NULL;
- char *argv[4];
- int status;
-@@ -437,6 +438,7 @@ int xtables_insmod(const char *modname,
- free(buf);
- if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
- return 0;
-+#endif
- return -1;
- }
-
diff --git a/root/package/network/utils/iptables/patches/103-optional-xml.patch b/root/package/network/utils/iptables/patches/103-optional-xml.patch
deleted file mode 100644
index 342808a3..00000000
--- a/root/package/network/utils/iptables/patches/103-optional-xml.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/iptables/xtables-legacy-multi.c
-+++ b/iptables/xtables-legacy-multi.c
-@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
-
-
- #endif
-+#ifdef ENABLE_XML
- {"iptables-xml", iptables_xml_main},
- {"xml", iptables_xml_main},
-+#endif
- #ifdef ENABLE_IPV6
- {"ip6tables", ip6tables_main},
- {"main6", ip6tables_main},
diff --git a/root/package/network/utils/iptables/patches/200-configurable_builtin.patch b/root/package/network/utils/iptables/patches/200-configurable_builtin.patch
deleted file mode 100644
index 6d7b5b58..00000000
--- a/root/package/network/utils/iptables/patches/200-configurable_builtin.patch
+++ /dev/null
@@ -1,79 +0,0 @@ ---- a/extensions/GNUmakefile.in -+++ b/extensions/GNUmakefile.in -@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist - pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod}) - pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod}) - pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod}) --pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) --pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) --pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod}) --pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) --pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) -+ifdef BUILTIN_MODULES -+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod}) -+pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod}) -+pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod}) -+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod}) -+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod}) -+else -+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod) -+@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod) -+@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod) -+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod) -+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod) -+endif -+ -+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod)) -+pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod)) -+pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod)) -+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod)) -+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod)) -+ -+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static}) -+pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_static}) -+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static}) -+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) -+pf6_objs := $(patsubst 
%,libip6t_%.o,${pf6_build_static}) - pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) - pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) - pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) -@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_ - # - targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man - targets_install := --@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} --@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs} --@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} --@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} --@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} --@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} --@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} --@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files} -+libext_objs := ${pfx_objs} -+libext_ebt_objs := ${pfb_objs} -+libext_arpt_objs := ${pfa_objs} -+libext4_objs := ${pf4_objs} -+libext6_objs := ${pf6_objs} -+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} -+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}) -+symlinks_install := ${pfx_symlink_files} - - .SECONDARY: - -@@ -161,11 +181,11 @@ libext4.a: initext4.o ${libext4_objs} - libext6.a: initext6.o ${libext6_objs} - ${AM_VERBOSE_AR} ${AR} crs $@ $^; - --initext_func := $(addprefix xt_,${pfx_build_mod}) --initextb_func := $(addprefix ebt_,${pfb_build_mod}) --initexta_func := $(addprefix arpt_,${pfa_build_mod}) --initext4_func := $(addprefix ipt_,${pf4_build_mod}) --initext6_func := $(addprefix ip6t_,${pf6_build_mod}) -+initext_func := $(addprefix xt_,${pfx_build_static}) -+initextb_func := $(addprefix ebt_,${pfb_build_static}) -+initexta_func := $(addprefix arpt_,${pfa_build_static}) -+initext4_func := $(addprefix 
ipt_,${pf4_build_static}) -+initext6_func := $(addprefix ip6t_,${pf6_build_static}) - - .initext.dd: FORCE - @echo "${initext_func}" >$@.tmp; \ diff --git a/root/package/network/utils/iptables/patches/600-shared-libext.patch b/root/package/network/utils/iptables/patches/600-shared-libext.patch deleted file mode 100644 index 819f628f..00000000 --- a/root/package/network/utils/iptables/patches/600-shared-libext.patch +++ /dev/null 
@@ -1,102 +0,0 @@ ---- a/extensions/GNUmakefile.in -+++ b/extensions/GNUmakefile.in -@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_ - # - # Building blocks - # --targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man -+targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man - targets_install := - libext_objs := ${pfx_objs} - libext_ebt_objs := ${pfb_objs} -@@ -132,7 +132,7 @@ clean: - distclean: clean - - init%.o: init%.c -- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<; -+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; - - -include .*.d - -@@ -164,22 +164,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn - # handling code in the Makefiles. - # - lib%.o: ${srcdir}/lib%.c -- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<; -+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; - --libext.a: initext.o ${libext_objs} -- ${AM_VERBOSE_AR} ${AR} crs $@ $^; -+libiptext.so: initext.o ${libext_objs} -+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); - --libext_ebt.a: initextb.o ${libext_ebt_objs} -- ${AM_VERBOSE_AR} ${AR} crs $@ $^; -+libiptext_ebt.so: initextb.o ${libext_ebt_objs} -+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); - --libext_arpt.a: initexta.o ${libext_arpt_objs} -- ${AM_VERBOSE_AR} ${AR} crs $@ $^; -+libiptext_arpt.so: initexta.o ${libext_arpt_objs} -+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables 
$(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); - --libext4.a: initext4.o ${libext4_objs} -- ${AM_VERBOSE_AR} ${AR} crs $@ $^; -+libiptext4.so: initext4.o ${libext4_objs} -+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); - --libext6.a: initext6.o ${libext6_objs} -- ${AM_VERBOSE_AR} ${AR} crs $@ $^; -+libiptext6.so: initext6.o ${libext6_objs} -+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD}); - - initext_func := $(addprefix xt_,${pfx_build_static}) - initextb_func := $(addprefix ebt_,${pfb_build_static}) ---- a/iptables/Makefile.am -+++ b/iptables/Makefile.am -@@ -7,19 +7,22 @@ BUILT_SOURCES = - - xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c - xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} --xtables_legacy_multi_LDADD = ../extensions/libext.a -+xtables_legacy_multi_LDADD = -+xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext - if ENABLE_STATIC - xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE - endif - if ENABLE_IPV4 - xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c - xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 --xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a -+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la -+xtables_legacy_multi_LDFLAGS += -liptext4 - endif - if ENABLE_IPV6 - xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c - xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 --xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a -+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la -+xtables_legacy_multi_LDFLAGS += -liptext6 - endif - xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c - xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm -@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD += 
../libxt - if ENABLE_NFTABLES - xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c - xtables_nft_multi_CFLAGS = ${AM_CFLAGS} --xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a -+xtables_nft_multi_LDADD = -+xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt - if ENABLE_STATIC - xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE - endif -@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav - xtables-eb-standalone.c xtables-eb.c \ - xtables-eb-translate.c \ - xtables-translate.c --xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a -+xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} -+xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt - xtables_nft_multi_SOURCES += xshared.c - xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm - endif diff --git a/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch deleted file mode 100644 index cc451ef9..00000000 --- a/root/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch +++ /dev/null 
@@ -1,95 +0,0 @@
---- a/extensions/libxt_conntrack.c
-+++ b/extensions/libxt_conntrack.c
-@@ -1395,6 +1395,7 @@ static int conntrack3_mt6_xlate(struct x
- }
-
- static struct xtables_match conntrack_mt_reg[] = {
-+#ifndef NO_LEGACY
- {
- .version = XTABLES_VERSION,
- .name = "conntrack",
-@@ -1470,6 +1471,7 @@ static struct xtables_match conntrack_mt
- .alias = conntrack_print_name_alias,
- .x6_options = conntrack2_mt_opts,
- },
-+#endif
- {
- .version = XTABLES_VERSION,
- .name = "conntrack",
-@@ -1502,6 +1504,7 @@ static struct xtables_match conntrack_mt
- .x6_options = conntrack3_mt_opts,
- .xlate = conntrack3_mt6_xlate,
- },
-+#ifndef NO_LEGACY
- {
- .family = NFPROTO_UNSPEC,
- .name = "state",
-@@ -1532,6 +1535,8 @@ static struct xtables_match conntrack_mt
- .x6_parse = state_ct23_parse,
- .x6_options = state_opts,
- },
-+#endif
-+#ifndef NO_LEGACY
- {
- .family = NFPROTO_UNSPEC,
- .name = "state",
-@@ -1561,6 +1566,7 @@ static struct xtables_match conntrack_mt
- .x6_parse = state_parse,
- .x6_options = state_opts,
- },
-+#endif
- };
-
- void _init(void)
---- a/extensions/libxt_CT.c
-+++ b/extensions/libxt_CT.c
-@@ -363,6 +363,7 @@ static int xlate_ct1_tg(struct xt_xlate
- }
-
- static struct xtables_target ct_target_reg[] = {
-+#ifndef NO_LEGACY
- {
- .family = NFPROTO_UNSPEC,
- .name = "CT",
-@@ -388,6 +389,7 @@ static struct xtables_target ct_target_r
- .x6_parse = ct_parse_v1,
- .x6_options = ct_opts_v1,
- },
-+#endif
- {
- .family = NFPROTO_UNSPEC,
- .name = "CT",
-@@ -403,6 +405,7 @@ static struct xtables_target ct_target_r
- .x6_options = ct_opts_v1,
- .xlate = xlate_ct1_tg,
- },
-+#ifndef NO_LEGACY
- {
- .family = NFPROTO_UNSPEC,
- .name = "NOTRACK",
-@@ -441,6 +444,7 @@ static struct xtables_target ct_target_r
- .revision = 0,
- .version = XTABLES_VERSION,
- },
-+#endif
- };
-
- void _init(void)
---- a/extensions/libxt_multiport.c
-+++ b/extensions/libxt_multiport.c
-@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
- }
-
- static struct xtables_match multiport_mt_reg[] = {
-+#ifndef NO_LEGACY
- {
- .family = NFPROTO_IPV4,
- .name = "multiport",
-@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
- .x6_options = multiport_opts,
- .xlate = multiport_xlate6,
- },
-+#endif
- {
- .family = NFPROTO_IPV4,
- .name = "multiport",
diff --git a/root/package/network/utils/iptables/patches/800-flowoffload_target.patch b/root/package/network/utils/iptables/patches/800-flowoffload_target.patch
deleted file mode 100644
index 2f79ee83..00000000
--- a/root/package/network/utils/iptables/patches/800-flowoffload_target.patch
+++ /dev/null
@@ -1,95 +0,0 @@
---- /dev/null
-+++ b/extensions/libxt_FLOWOFFLOAD.c
-@@ -0,0 +1,72 @@
-+#include
-+#include
-+#include
-+
-+enum {
-+ O_HW,
-+};
-+
-+static void offload_help(void)
-+{
-+ printf(
-+"FLOWOFFLOAD target options:\n"
-+" --hw Enable hardware offload\n"
-+ );
-+}
-+
-+static const struct xt_option_entry offload_opts[] = {
-+ {.name = "hw", .id = O_HW, .type = XTTYPE_NONE},
-+ XTOPT_TABLEEND,
-+};
-+
-+static void offload_parse(struct xt_option_call *cb)
-+{
-+ struct xt_flowoffload_target_info *info = cb->data;
-+
-+ xtables_option_parse(cb);
-+ switch (cb->entry->id) {
-+ case O_HW:
-+ info->flags |= XT_FLOWOFFLOAD_HW;
-+ break;
-+ }
-+}
-+
-+static void offload_print(const void *ip, const struct xt_entry_target *target, int numeric)
-+{
-+ const struct xt_flowoffload_target_info *info =
-+ (const struct xt_flowoffload_target_info *)target->data;
-+
-+ printf(" FLOWOFFLOAD");
-+ if (info->flags & XT_FLOWOFFLOAD_HW)
-+ printf(" hw");
-+}
-+
-+static void offload_save(const void *ip, const struct xt_entry_target *target)
-+{
-+ const struct xt_flowoffload_target_info *info =
-+ (const struct xt_flowoffload_target_info *)target->data;
-+
-+ if (info->flags & XT_FLOWOFFLOAD_HW)
-+ printf(" --hw");
-+}
-+
-+static struct xtables_target offload_tg_reg[] = {
-+ {
-+ .family = NFPROTO_UNSPEC,
-+ .name = "FLOWOFFLOAD",
-+ .revision = 0,
-+ .version = XTABLES_VERSION,
-+ .size = XT_ALIGN(sizeof(struct xt_flowoffload_target_info)),
-+ .userspacesize = sizeof(struct xt_flowoffload_target_info),
-+ .help = offload_help,
-+ .print = offload_print,
-+ .save = offload_save,
-+ .x6_parse = offload_parse,
-+ .x6_options = offload_opts,
-+ },
-+};
-+
-+void _init(void)
-+{
-+ xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
-+}
---- /dev/null
-+++ b/include/linux/netfilter/xt_FLOWOFFLOAD.h
-@@ -0,0 +1,17 @@
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-+#ifndef _XT_FLOWOFFLOAD_H
-+#define _XT_FLOWOFFLOAD_H
-+
-+#include
-+
-+enum {
-+ XT_FLOWOFFLOAD_HW = 1 << 0,
-+
-+ XT_FLOWOFFLOAD_MASK = XT_FLOWOFFLOAD_HW
-+};
-+
-+struct xt_flowoffload_target_info {
-+ __u32 flags;
-+};
-+
-+#endif /* _XT_FLOWOFFLOAD_H */