On 10/22/2011 09:47 AM, Stefan Tomanek wrote:
Any news about updating iptables to a recent version?
several commits in the cerowrt repo move iptables up to 1.4.12.1The cerowrt repository has the iptables 1.4.12.1 in it. As tested with linux 3.0.X, it works well (1.4.12 didn't!), but I haven't had time to push it up into openwrt.
If stefan's patches are better - please take 'em and I'll revert out of cerowrt.
https://github.com/dtaht/Cerowrt/tree/master/package/iptables I have a bit of a backlog accumulated in cerowrt of good patches, actually. stefan.tomanek+open...@wertarbyte.de -- Dave Täht
>From 21b0cd2d9d30abe2c359b2a7ce9e267e8633a8a6 Mon Sep 17 00:00:00 2001 From: Dave Taht <d+bufferbl...@taht.net> Date: Sun, 24 Jul 2011 17:57:32 -0700 Subject: [PATCH 007/253] update iptables to 1.4.12 --- package/iptables/Makefile | 4 +- package/iptables/patches/009-table-alignment.patch | 2 +- .../patches/010-multiport-linux-2.4-compat.patch | 265 -------------------- package/iptables/patches/011-recent-add-reap.patch | 116 --------- .../patches/020-iptables-disable-modprobe.patch | 6 +- package/iptables/patches/030-no-libnfnetlink.patch | 6 +- package/iptables/patches/100-bash-location.patch | 4 +- 7 files changed, 11 insertions(+), 392 deletions(-) delete mode 100644 package/iptables/patches/010-multiport-linux-2.4-compat.patch delete mode 100644 package/iptables/patches/011-recent-add-reap.patch diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 1286062..a0ab076 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.4.10 +PKG_VERSION:=1.4.12 PKG_RELEASE:=3 -PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198 +PKG_MD5SUM:=d3f145c2c91daecbb4251bc79390b46c PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ diff --git a/package/iptables/patches/009-table-alignment.patch b/package/iptables/patches/009-table-alignment.patch index 53012ab..ac543e8 100644 --- a/package/iptables/patches/009-table-alignment.patch +++ b/package/iptables/patches/009-table-alignment.patch @@ -1,6 +1,6 @@ --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c -@@ -69,7 +69,7 @@ static const char *hooknames[] = { +@@ -70,7 +70,7 @@ static const char *hooknames[] = { struct ipt_error_target { STRUCT_ENTRY_TARGET t; diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch deleted file mode 100644 index 3b35f7e..0000000 --- a/package/iptables/patches/010-multiport-linux-2.4-compat.patch +++ /dev/null @@ -1,265 +0,0 @@ ---- a/extensions/libxt_multiport.c -+++ b/extensions/libxt_multiport.c -@@ -15,21 +15,6 @@ - #include <linux/netfilter/xt_multiport.h> - - /* Function which prints out usage message. */ --static void multiport_help(void) --{ -- printf( --"multiport match options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n"); --} -- - static void multiport_help_v1(void) - { - printf( -@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto) - } - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) -- { -- next=strchr(cp, ','); -- if (next) *next++='\0'; -- ports[i] = xtables_parse_port(cp, proto); -- } -- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified"); -- free(buffer); -- return i; --} -- - static void - parse_multi_ports_v1(const char *portstring, - struct xt_multiport_v1 *multiinfo, -@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv - /* Function which parses command options; returns true if it - ate an option */ - static int --__multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- struct xt_entry_match **match, u_int16_t pnum, -- u_int8_t invflags) --{ -- const char *proto; -- struct xt_multiport *multiinfo -- = (struct xt_multiport *)(*match)->data; -- -- switch (c) { -- case '1': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- xtables_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- xtables_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- --static int --multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ipt_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ip.proto, entry->ip.invflags); --} -- --static int --multiport_parse6(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ip6t_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ipv6.proto, entry->ipv6.invflags); --} -- --static int - __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, - struct xt_entry_match **match, u_int16_t pnum, - u_int8_t invflags) -@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot - } - - /* Prints out the matchinfo. */ --static void --__multiport_print(const struct xt_entry_match *match, int numeric, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, numeric); -- } -- printf(" "); --} -- --static void multiport_print(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- --static void multiport_print6(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- - static void __multiport_print_v1(const struct xt_entry_match *match, - int numeric, u_int16_t proto) - { -@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo - } - - /* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void __multiport_save(const struct xt_entry_match *match, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, 1); -- } -- printf(" "); --} -- --static void multiport_save(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- --static void multiport_save6(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- - static void __multiport_save_v1(const struct xt_entry_match *match, - u_int16_t proto) - { -@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt - { - .family = NFPROTO_IPV4, - .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse, -- .final_check = multiport_check, -- .print = multiport_print, -- .save = multiport_save, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV6, -- .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse6, -- .final_check = multiport_check, -- .print = multiport_print6, -- .save = multiport_save6, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV4, -- .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch deleted file mode 100644 index 275265b..0000000 --- a/package/iptables/patches/011-recent-add-reap.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001 -From: Tim Gardner <tim.gard...@canonical.com> -Date: Mon, 1 Mar 2010 19:00:29 -0700 -Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation - -Signed-off-by: Tim Gardner <tim.gard...@canonical.com> ---- - extensions/libxt_recent.c | 20 ++++++++++++++++++++ - extensions/libxt_recent.man | 5 +++++ - include/linux/netfilter/xt_recent.h | 7 +++++++ - 3 files changed, 32 insertions(+), 0 deletions(-) - ---- a/extensions/libxt_recent.c -+++ b/extensions/libxt_recent.c -@@ -20,6 +20,7 @@ static const struct option recent_opts[] - {.name = "name", .has_arg = true, .val = 208}, - {.name = "rsource", .has_arg = false, .val = 209}, - {.name = "rdest", .has_arg = false, .val = 210}, -+ {.name = "reap", .has_arg = false, .val = 211}, - XT_GETOPT_TABLEEND, - }; - -@@ -37,6 +38,7 @@ static void recent_help(void) - " --hitcount hits For check and update commands above.\n" - " Specifies that the match will only occur if source address seen hits times.\n" - " May be used in conjunction with the seconds option.\n" -+" --reap Remove entries that have expired. Can only be used with --seconds\n" - " --rttl For check and update commands above.\n" - " Specifies that the match will only occur if the source address and the TTL\n" - " match between this packet and the one which was set.\n" -@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_ - (XT_RECENT_SET | XT_RECENT_CHECK | \ - XT_RECENT_UPDATE | XT_RECENT_REMOVE) - -+#define XT_RECENT_SECONDS 1 << 31 -+ - static int recent_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) - { -@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar - - case 204: - info->seconds = atoi(optarg); -+ *flags |= XT_RECENT_SECONDS; - break; - - case 205: -@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar - info->side = XT_RECENT_DEST; - break; - -+ case 211: -+ info->check_set |= XT_RECENT_REAP; -+ *flags |= XT_RECENT_REAP; -+ break; -+ - default: - return 0; - } -@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl - xtables_error(PARAMETER_PROBLEM, - "recent: --rttl may only be used with --rcheck or " - "--update"); -+ if ((flags & XT_RECENT_REAP) && -+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) || -+ (!(flags & XT_RECENT_SECONDS)))) -+ xtables_error(PARAMETER_PROBLEM, -+ "recent: --reap may only be used with --rcheck or " -+ "--update and --seconds"); - } - - static void recent_print(const void *ip, const struct xt_entry_match *match, -@@ -185,6 +201,8 @@ static void recent_print(const void *ip, - printf("side: source "); - if (info->side == XT_RECENT_DEST) - printf("side: dest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("reap "); - } - - static void recent_save(const void *ip, const struct xt_entry_match *match) -@@ -211,6 +229,8 @@ static void recent_save(const void *ip, - printf("--rsource "); - if (info->side == XT_RECENT_DEST) - printf("--rdest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("--reap "); - } - - static struct xtables_match recent_mt_reg = { ---- a/extensions/libxt_recent.man -+++ b/extensions/libxt_recent.man -@@ -41,6 +41,11 @@ This option must be used in conjunction - \fB\-\-update\fP. When used, this will narrow the match to only happen when the - address is in the list and was seen within the last given number of seconds. - .TP -+\fB\-\-reap\fP \fIreap\fP -+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this -+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP -+since the last packet was received. -+.TP - \fB\-\-hitcount\fP \fIhits\fP - This option must be used in conjunction with one of \fB\-\-rcheck\fP or - \fB\-\-update\fP. When used, this will narrow the match to only happen when the ---- a/include/linux/netfilter/xt_recent.h -+++ b/include/linux/netfilter/xt_recent.h -@@ -23,6 +23,9 @@ enum { - #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ - XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) - -+/* Only allowed with --rcheck and --update */ -+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) -+ - struct xt_recent_mtinfo { - __u32 seconds; - __u32 hit_count; diff --git a/package/iptables/patches/020-iptables-disable-modprobe.patch b/package/iptables/patches/020-iptables-disable-modprobe.patch index 338962f..1cebd8b 100644 --- a/package/iptables/patches/020-iptables-disable-modprobe.patch +++ b/package/iptables/patches/020-iptables-disable-modprobe.patch @@ -1,6 +1,6 @@ ---- a/xtables.c -+++ b/xtables.c -@@ -305,6 +305,7 @@ static char *get_modprobe(void) +--- a/iptables/xtables.c ++++ b/iptables/xtables.c +@@ -328,6 +328,7 @@ static char *get_modprobe(void) int xtables_insmod(const char *modname, const char *modprobe, bool quiet) { diff --git a/package/iptables/patches/030-no-libnfnetlink.patch b/package/iptables/patches/030-no-libnfnetlink.patch index cda9a72..24c0311 100644 --- a/package/iptables/patches/030-no-libnfnetlink.patch +++ b/package/iptables/patches/030-no-libnfnetlink.patch @@ -1,6 +1,6 @@ --- a/configure +++ b/configure -@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; } +@@ -10924,75 +10924,7 @@ $as_echo "no" >&6; } fi fi @@ -88,5 +88,5 @@ -AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false]) - regular_CFLAGS="${largefile_cflags} \ - -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \ + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch index 818246e..ef85feb 100644 --- a/package/iptables/patches/100-bash-location.patch +++ b/package/iptables/patches/100-bash-location.patch @@ -6,8 +6,8 @@ autoreconf -fi; rm -Rf autom4te*.cache; ---- a/iptables-apply -+++ b/iptables-apply +--- a/iptables/iptables-apply ++++ b/iptables/iptables-apply @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash -- 1.7.5.4
>From f40d0911ae7225f562e47a38546e7c6c8f4f63d7 Mon Sep 17 00:00:00 2001 From: Dave Taht <d+bufferbl...@taht.net> Date: Sun, 24 Jul 2011 22:23:33 -0700 Subject: [PATCH 008/253] correct links for iptables ip6tables to xtables --- package/iptables/Makefile | 14 +++++++------- 1 files changed, 7 insertions(+), 7 deletions(-) diff --git a/package/iptables/Makefile b/package/iptables/Makefile index a0ab076..dc4ec76 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables PKG_VERSION:=1.4.12 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_MD5SUM:=d3f145c2c91daecbb4251bc79390b46c PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 @@ -450,9 +450,9 @@ endef define Package/iptables-utils/install $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables-multi $(1)/usr/sbin/ - $(LN) iptables-multi $(1)/usr/sbin/iptables-save - $(LN) iptables-multi $(1)/usr/sbin/iptables-restore + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/ + $(LN) xtables-multi $(1)/usr/sbin/iptables-save + $(LN) xtables-multi $(1)/usr/sbin/iptables-restore endef define Package/ip6tables/install @@ -466,9 +466,9 @@ endef define Package/ip6tables-utils/install $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-multi $(1)/usr/sbin/ - $(LN) ip6tables-multi $(1)/usr/sbin/ip6tables-save - $(LN) ip6tables-multi $(1)/usr/sbin/ip6tables-restore + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/ + $(LN) xtables-multi $(1)/usr/sbin/ip6tables-save + $(LN) xtables-multi $(1)/usr/sbin/ip6tables-restore endef define Package/libiptc/install -- 1.7.5.4
>From 7997943784a36eb1b40e427489b071de311a6b60 Mon Sep 17 00:00:00 2001 From: Dave Taht <d+bufferbl...@taht.net> Date: Thu, 1 Sep 2011 12:01:28 -0700 Subject: [PATCH 119/253] update to iptables 1.4.12.1 --- package/iptables/Makefile | 4 ++-- package/iptables/patches/100-bash-location.patch | 16 ---------------- 2 files changed, 2 insertions(+), 18 deletions(-) delete mode 100644 package/iptables/patches/100-bash-location.patch diff --git a/package/iptables/Makefile b/package/iptables/Makefile index e2ff936..911e55b 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.4.12 +PKG_VERSION:=1.4.12.1 PKG_RELEASE:=4 -PKG_MD5SUM:=d3f145c2c91daecbb4251bc79390b46c +PKG_MD5SUM:=b08a1195ec2c1ebeaf072db3c55fdf43 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch deleted file mode 100644 index ef85feb..0000000 --- a/package/iptables/patches/100-bash-location.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/autogen.sh -+++ b/autogen.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - autoreconf -fi; - rm -Rf autom4te*.cache; ---- a/iptables/iptables-apply -+++ b/iptables/iptables-apply -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - # - # iptables-apply -- a safer way to update iptables remotely - # -- 1.7.5.4
<<attachment: dave_taht.vcf>>
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
