This patch updates iptables to 1.4.17 and now utilises the
xtables-multi(call) binary via symlinks.

Additionally, end-to-end connectivity has been thoroughly eviscerated
and disemboweled in the form of adding comprehensive IPv6 NAT
capabilities.

I hope that nobody will actually use this to let braindead ISPs dish out
single on-link addresses - if you build OpenWRT images to distribute
them, ideally, don't enable this at all.

Signed-off-by: Oliver Smith <oli...@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
---
 package/network/utils/iptables/Makefile            |  78 ++++--
 .../utils/iptables/patches/002-layer7_2.22.patch   |   4 +-
 .../iptables/patches/009-table-alignment.patch     |  11 -
 .../patches/010-multiport-linux-2.4-compat.patch   | 265 ---------------------
 .../iptables/patches/011-recent-add-reap.patch     | 116 ---------
 .../patches/020-iptables-disable-modprobe.patch    |  10 +-
 .../iptables/patches/030-no-libnfnetlink.patch     |  26 +-
 ...0-libip6t_DNPT-fix-wording-in-DNPT-target.patch |  75 ++++++
 ...ip6t_DNAT-allow-port-DNAT-without-address.patch |  89 +++++++
 ...et-ipv6-DNAT-to-destination-fix-DNAT_save.patch |  52 ++++
 .../060-resolve-link-failure-for-ip6t_NETMAP.patch |  81 +++++++
 .../070-iptables-1.4.17-fix-build-failure.patch    |  14 ++
 .../utils/iptables/patches/100-bash-location.patch |  14 +-
 .../iptables/patches/110-linux_3.2_compat.patch    |  12 -
 .../patches/200-configurable_builtin.patch         |  40 ++--
 .../utils/iptables/patches/300-musl_fixes.patch    |  80 ++++---
 16 files changed, 477 insertions(+), 490 deletions(-)
 delete mode 100644 
package/network/utils/iptables/patches/009-table-alignment.patch
 delete mode 100644 
package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
 delete mode 100644 
package/network/utils/iptables/patches/011-recent-add-reap.patch
 create mode 100644 
package/network/utils/iptables/patches/040-libip6t_DNPT-fix-wording-in-DNPT-target.patch
 create mode 100644 
package/network/utils/iptables/patches/050-libip6t_DNAT-allow-port-DNAT-without-address.patch
 create mode 100644 
package/network/utils/iptables/patches/051-libip6t_DNAT-set-ipv6-DNAT-to-destination-fix-DNAT_save.patch
 create mode 100644 
package/network/utils/iptables/patches/060-resolve-link-failure-for-ip6t_NETMAP.patch
 create mode 100644 
package/network/utils/iptables/patches/070-iptables-1.4.17-fix-build-failure.patch
 delete mode 100644 
package/network/utils/iptables/patches/110-linux_3.2_compat.patch

diff --git a/package/network/utils/iptables/Makefile 
b/package/network/utils/iptables/Makefile
index a3d8864..c57e4bb 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=iptables
-PKG_VERSION:=1.4.10
-PKG_RELEASE:=4
+PKG_VERSION:=1.4.17
+PKG_RELEASE:=1
 
-PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
+PKG_MD5SUM:=c3fb2ffd5b39d0d54b06ccc4c8660116
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
        ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
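Review bot: The only integrity check on the new 1.4.17 tarball is `PKG_MD5SUM`, while the `PKG_SOURCE_URL` entries right below it are plain `http://` and `ftp://`. A source archive altered in transit or on a mirror is therefore caught only by an MD5 digest, which is not collision-resistant. For a firewall package, consider pinning a SHA-256 of the tarball, checked once against the upstream release signature, if this tree's download rules accept a stronger digest field (later OpenWrt trees use `PKG_HASH`). Listing an HTTPS mirror first, where one is available, would also help. The `PKG_SOURCE_URL` list continues past the end of the hunk.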
@@ -42,16 +42,29 @@ define Package/iptables/Default
   URL:=http://netfilter.org/
 endef
 
+define Package/ip6tables/Default
+  SECTION:=net
+  CATEGORY:=IPv6
+  SUBMENU:=Firewall
+  TITLE:=IPv6 firewall administration tool
+  URL:=http://netfilter.org/
+endef
+
 define Package/iptables/Module
 $(call Package/iptables/Default)
   DEPENDS:=iptables $(1)
 endef
 
+define Package/ip6tables/Module
+$(call Package/ip6tables/Default)
+  DEPENDS:=ip6tables $(1)
+endef
+
 define Package/iptables
 $(call Package/iptables/Default)
   TITLE:=IPv4 firewall administration tool
   MENU:=1
-  DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
+  DEPENDS+= +kmod-ipt-core +libip4tc +libxtables $(if 
$(CONFIG_IPV6),+libip6tc,)
 endef
 
 define Package/iptables/description
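Review bot: The `$(if $(CONFIG_IPV6),+libip6tc,)` added to `DEPENDS` in `Package/iptables` is expanded by make itself. Package metadata is normally scanned without the build configuration loaded, so the condition is likely empty at that point and the `libip6tc` dependency would never reach menuconfig or the package control data. The buildroot's own conditional-dependency form expresses the same intent and is resolved by the config system: `DEPENDS+= +kmod-ipt-core +libip4tc +libxtables +IPV6:libip6tc`.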
@@ -62,9 +75,11 @@ IPv4 firewall administration tool.
   - tcp
   - udp
   - comment
+  - conntrack
   - limit
   - mac
   - multiport
+  - state
 
  Targets:
   - ACCEPT
@@ -72,16 +87,20 @@ IPv4 firewall administration tool.
   - REJECT
   - LOG
   - TCPMSS
+  - NOTRACK
+  - CT
 
  Tables:
   - filter
   - mangle
+  - raw
 
 endef
 
 define Package/iptables-mod-conntrack-extra
 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
   TITLE:=Extra connection tracking extensions
+# DEPENDS+= +libxtables
 endef
 
 define Package/iptables-mod-conntrack-extra/description
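Review bot: The added `# DEPENDS+= +libxtables` line in `Package/iptables-mod-conntrack-extra` is commented-out code with no explanation of why it is kept. `Package/iptables/Module` already sets `DEPENDS:=iptables $(1)`, and `Package/iptables` pulls in `+libxtables`, so the line looks redundant. Either drop it or replace it with a real comment such as `# libxtables is pulled in through the iptables dependency`.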
@@ -110,6 +129,7 @@ Includes support for:
  Matches:
   - layer7
   - string
+  - rpfilter
 
 endef
 
@@ -299,12 +319,38 @@ endef
 
 define Package/ip6tables
 $(call Package/iptables/Default)
-  DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
+  DEPENDS:=+kmod-ip6tables +libip4tc +libip6tc +libxtables
   CATEGORY:=IPv6
   TITLE:=IPv6 firewall administration tool
   MENU:=1
 endef
 
+define Package/ip6tables-nat
+$(call Package/ip6tables/Module, +kmod-ip6t-nat)
+  TITLE:=NAT capabilities for IPv6
+endef
+
+define Package/ip6tables-nat/description
+NAT capabilities for IPv6.
+
+Unless you are dealing with geolocation restrictions over IPv6 or
+are some sort of masochist who prefers manually mapping ports over
+end-to-end connectivity and stateful firewalling, you don't need this.
+
+ Targets:
+  - DNAT
+  - SNAT
+  - MASQUERADE
+  - NETMAP
+  - REDIRECT
+  - DNPT
+  - SNPT
+
+ Tables:
+  - nat
+endef
+
+
 define Package/libiptc
 $(call Package/iptables/Default)
   SECTION:=libs
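Review bot: `Package/ip6tables` still expands `$(call Package/iptables/Default)` and then overrides `CATEGORY` and `TITLE` by hand. The values it sets are the same ones the new `Package/ip6tables/Default` template already provides. Using `$(call Package/ip6tables/Default)` here and dropping the two overrides would keep `ip6tables` and `ip6tables-nat` on a single template. This assumes `SECTION` and `SUBMENU` agree between the two defaults, which cannot be confirmed because the body of `Package/iptables/Default` is outside this hunk.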
@@ -346,7 +392,7 @@ TARGET_CFLAGS += \
 CONFIGURE_ARGS += \
        --enable-shared \
        --enable-devel \
-       $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
+       $(if $(CONFIG_IPV6),,--disable-ipv6) \
        --with-kernel="$(LINUX_DIR)/user_headers" \
        --with-xtlibdir=/usr/lib/iptables \
        --enable-static
@@ -364,9 +410,10 @@ define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/include/net/netfilter
 
        # XXX: iptables header fixup, some headers are not installed by 
iptables anymore
-       $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h 
$(1)/usr/include/net/netfilter/
+       $(CP) $(PKG_BUILD_DIR)/include/xtables.h $(1)/usr/include/
        $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
        $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+       $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
        $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
        $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
 
@@ -381,17 +428,19 @@ endef
 
 define Package/iptables/install
        $(INSTALL_DIR) $(1)/usr/sbin
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
-       $(LN) iptables $(1)/usr/sbin/iptables-save
-       $(LN) iptables $(1)/usr/sbin/iptables-restore
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+       $(LN) xtables-multi $(1)/usr/sbin/iptables
+       $(LN) xtables-multi $(1)/usr/sbin/iptables-save
+       $(LN) xtables-multi $(1)/usr/sbin/iptables-restore
        $(INSTALL_DIR) $(1)/usr/lib/iptables
 endef
 
 define Package/ip6tables/install
        $(INSTALL_DIR) $(1)/usr/sbin
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
-       $(LN) ip6tables $(1)/usr/sbin/ip6tables-save
-       $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+       $(LN) xtables-multi $(1)/usr/sbin/ip6tables
+       $(LN) xtables-multi $(1)/usr/sbin/ip6tables-save
+       $(LN) xtables-multi $(1)/usr/sbin/ip6tables-restore
        $(INSTALL_DIR) $(1)/usr/lib/iptables
        (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
                $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
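Review bot: `Package/iptables/install` and `Package/ip6tables/install` now both install `/usr/sbin/xtables-multi`, so two separately installable packages own the same file. Depending on how the package manager handles the clash, installing the second package either fails or overwrites the file. Removing one package can also delete the binary that the other's `iptables`/`ip6tables` symlinks point to, leaving the device unable to load its firewall rules. Shipping the binary from exactly one package avoids this, for example by adding `+iptables` to the `ip6tables` `DEPENDS` and installing only the symlinks and `libip6t_*.so` there. `Package/ip6tables/install` continues past the end of the hunk.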
@@ -421,7 +470,7 @@ endef
 define BuildPlugin
   define Package/$(1)/install
        $(INSTALL_DIR) $$(1)/usr/lib/iptables
-       for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
+       for m in $(patsubst xt_%,ipt_,%ip6t_%,$(2)) $(patsubst 
ipt_%,xt_%,ip6t_%,$(2)); do \
                if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so 
]; then \
                        $(CP) 
$(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; 
\
                fi; \
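Review bot: Both `patsubst` calls on the new `for m in` line pass four comma-separated fields, but `patsubst` takes exactly three arguments, so make folds everything after the second comma into the text. The first call then rewrites every `xt_*` name to the bare string `ipt_` and glues a literal `%ip6t_%,` onto the first module name, and no `ip6t_` mapping is produced at all. Because the `[ -f … ]` test skips names with no matching `.so` without an error, plugin packages (including the new `ip6tables-nat`) can be built with extension libraries silently missing, and rules that need them would fail to load on the device. One call per mapping fixes it: `for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \`. The `BuildPlugin` define continues past the end of the hunk.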
@@ -453,6 +502,7 @@ $(eval $(call 
BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
 $(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPlugin,ip6tables-nat,$(IP6T_NAT-m)))
 $(eval $(call BuildPackage,libiptc))
 $(eval $(call BuildPackage,libip4tc))
 $(eval $(call BuildPackage,libip6tc))
diff --git a/package/network/utils/iptables/patches/002-layer7_2.22.patch 
b/package/network/utils/iptables/patches/002-layer7_2.22.patch
index ba4531e..88e8fd5 100644
--- a/package/network/utils/iptables/patches/002-layer7_2.22.patch
+++ b/package/network/utils/iptables/patches/002-layer7_2.22.patch
@@ -1,5 +1,7 @@
+Index: iptables-1.4.17/extensions/libxt_layer7.c
+===================================================================
 --- /dev/null
-+++ b/extensions/libxt_layer7.c
++++ iptables-1.4.17/extensions/libxt_layer7.c
 @@ -0,0 +1,368 @@
 +/* 
 +   Shared library add-on to iptables for layer 7 matching support. 
diff --git a/package/network/utils/iptables/patches/009-table-alignment.patch 
b/package/network/utils/iptables/patches/009-table-alignment.patch
deleted file mode 100644
index 53012ab..0000000
--- a/package/network/utils/iptables/patches/009-table-alignment.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/libiptc/libiptc.c
-+++ b/libiptc/libiptc.c
-@@ -69,7 +69,7 @@ static const char *hooknames[] = {
- struct ipt_error_target
- {
-       STRUCT_ENTRY_TARGET t;
--      char error[TABLE_MAXNAMELEN];
-+      char error[FUNCTION_MAXNAMELEN];
- };
- 
- struct chain_head;
diff --git 
a/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch 
b/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
deleted file mode 100644
index 3b35f7e..0000000
--- 
a/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
+++ /dev/null
@@ -1,265 +0,0 @@
---- a/extensions/libxt_multiport.c
-+++ b/extensions/libxt_multiport.c
-@@ -15,21 +15,6 @@
- #include <linux/netfilter/xt_multiport.h>
- 
- /* Function which prints out usage message. */
--static void multiport_help(void)
--{
--      printf(
--"multiport match options:\n"
--" --source-ports port[,port,port...]\n"
--" --sports ...\n"
--"                             match source port(s)\n"
--" --destination-ports port[,port,port...]\n"
--" --dports ...\n"
--"                             match destination port(s)\n"
--" --ports port[,port,port]\n"
--"                             match both source and destination port(s)\n"
--" NOTE: this kernel does not support port ranges in multiport.\n");
--}
--
- static void multiport_help_v1(void)
- {
-       printf(
-@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
-       }
- }
- 
--static unsigned int
--parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
--{
--      char *buffer, *cp, *next;
--      unsigned int i;
--
--      buffer = strdup(portstring);
--      if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
--
--      for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
--      {
--              next=strchr(cp, ',');
--              if (next) *next++='\0';
--              ports[i] = xtables_parse_port(cp, proto);
--      }
--      if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
--      free(buffer);
--      return i;
--}
--
- static void
- parse_multi_ports_v1(const char *portstring, 
-                    struct xt_multiport_v1 *multiinfo,
-@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
- /* Function which parses command options; returns true if it
-    ate an option */
- static int
--__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                  struct xt_entry_match **match, u_int16_t pnum,
--                  u_int8_t invflags)
--{
--      const char *proto;
--      struct xt_multiport *multiinfo
--              = (struct xt_multiport *)(*match)->data;
--
--      switch (c) {
--      case '1':
--              xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--              proto = check_proto(pnum, invflags);
--              multiinfo->count = parse_multi_ports(optarg,
--                                                   multiinfo->ports, proto);
--              multiinfo->flags = XT_MULTIPORT_SOURCE;
--              break;
--
--      case '2':
--              xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--              proto = check_proto(pnum, invflags);
--              multiinfo->count = parse_multi_ports(optarg,
--                                                   multiinfo->ports, proto);
--              multiinfo->flags = XT_MULTIPORT_DESTINATION;
--              break;
--
--      case '3':
--              xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--              proto = check_proto(pnum, invflags);
--              multiinfo->count = parse_multi_ports(optarg,
--                                                   multiinfo->ports, proto);
--              multiinfo->flags = XT_MULTIPORT_EITHER;
--              break;
--
--      default:
--              return 0;
--      }
--
--      if (invert)
--              xtables_error(PARAMETER_PROBLEM,
--                         "multiport does not support invert");
--
--      if (*flags)
--              xtables_error(PARAMETER_PROBLEM,
--                         "multiport can only have one option");
--      *flags = 1;
--      return 1;
--}
--
--static int
--multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                const void *e, struct xt_entry_match **match)
--{
--      const struct ipt_entry *entry = e;
--      return __multiport_parse(c, argv, invert, flags, match,
--             entry->ip.proto, entry->ip.invflags);
--}
--
--static int
--multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
--                 const void *e, struct xt_entry_match **match)
--{
--      const struct ip6t_entry *entry = e;
--      return __multiport_parse(c, argv, invert, flags, match,
--             entry->ipv6.proto, entry->ipv6.invflags);
--}
--
--static int
- __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
-                      struct xt_entry_match **match, u_int16_t pnum,
-                      u_int8_t invflags)
-@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
- }
- 
- /* Prints out the matchinfo. */
--static void
--__multiport_print(const struct xt_entry_match *match, int numeric,
--                  u_int16_t proto)
--{
--      const struct xt_multiport *multiinfo
--              = (const struct xt_multiport *)match->data;
--      unsigned int i;
--
--      printf("multiport ");
--
--      switch (multiinfo->flags) {
--      case XT_MULTIPORT_SOURCE:
--              printf("sports ");
--              break;
--
--      case XT_MULTIPORT_DESTINATION:
--              printf("dports ");
--              break;
--
--      case XT_MULTIPORT_EITHER:
--              printf("ports ");
--              break;
--
--      default:
--              printf("ERROR ");
--              break;
--      }
--
--      for (i=0; i < multiinfo->count; i++) {
--              printf("%s", i ? "," : "");
--              print_port(multiinfo->ports[i], proto, numeric);
--      }
--      printf(" ");
--}
--
--static void multiport_print(const void *ip_void,
--                            const struct xt_entry_match *match, int numeric)
--{
--      const struct ipt_ip *ip = ip_void;
--      __multiport_print(match, numeric, ip->proto);
--}
--
--static void multiport_print6(const void *ip_void,
--                             const struct xt_entry_match *match, int numeric)
--{
--      const struct ip6t_ip6 *ip = ip_void;
--      __multiport_print(match, numeric, ip->proto);
--}
--
- static void __multiport_print_v1(const struct xt_entry_match *match,
-                                  int numeric, u_int16_t proto)
- {
-@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
- }
- 
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
--static void __multiport_save(const struct xt_entry_match *match,
--                             u_int16_t proto)
--{
--      const struct xt_multiport *multiinfo
--              = (const struct xt_multiport *)match->data;
--      unsigned int i;
--
--      switch (multiinfo->flags) {
--      case XT_MULTIPORT_SOURCE:
--              printf("--sports ");
--              break;
--
--      case XT_MULTIPORT_DESTINATION:
--              printf("--dports ");
--              break;
--
--      case XT_MULTIPORT_EITHER:
--              printf("--ports ");
--              break;
--      }
--
--      for (i=0; i < multiinfo->count; i++) {
--              printf("%s", i ? "," : "");
--              print_port(multiinfo->ports[i], proto, 1);
--      }
--      printf(" ");
--}
--
--static void multiport_save(const void *ip_void,
--                           const struct xt_entry_match *match)
--{
--      const struct ipt_ip *ip = ip_void;
--      __multiport_save(match, ip->proto);
--}
--
--static void multiport_save6(const void *ip_void,
--                            const struct xt_entry_match *match)
--{
--      const struct ip6t_ip6 *ip = ip_void;
--      __multiport_save(match, ip->proto);
--}
--
- static void __multiport_save_v1(const struct xt_entry_match *match,
-                                 u_int16_t proto)
- {
-@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
-       {
-               .family        = NFPROTO_IPV4,
-               .name          = "multiport",
--              .revision      = 0,
--              .version       = XTABLES_VERSION,
--              .size          = XT_ALIGN(sizeof(struct xt_multiport)),
--              .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
--              .help          = multiport_help,
--              .parse         = multiport_parse,
--              .final_check   = multiport_check,
--              .print         = multiport_print,
--              .save          = multiport_save,
--              .extra_opts    = multiport_opts,
--      },
--      {
--              .family        = NFPROTO_IPV6,
--              .name          = "multiport",
--              .revision      = 0,
--              .version       = XTABLES_VERSION,
--              .size          = XT_ALIGN(sizeof(struct xt_multiport)),
--              .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
--              .help          = multiport_help,
--              .parse         = multiport_parse6,
--              .final_check   = multiport_check,
--              .print         = multiport_print6,
--              .save          = multiport_save6,
--              .extra_opts    = multiport_opts,
--      },
--      {
--              .family        = NFPROTO_IPV4,
--              .name          = "multiport",
-               .version       = XTABLES_VERSION,
-               .revision      = 1,
-               .size          = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/package/network/utils/iptables/patches/011-recent-add-reap.patch 
b/package/network/utils/iptables/patches/011-recent-add-reap.patch
deleted file mode 100644
index 6a2923f..0000000
--- a/package/network/utils/iptables/patches/011-recent-add-reap.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
-From: Tim Gardner <tim.gard...@canonical.com>
-Date: Mon, 1 Mar 2010 19:00:29 -0700
-Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page 
documentation
-
-Signed-off-by: Tim Gardner <tim.gard...@canonical.com>
----
- extensions/libxt_recent.c           |   20 ++++++++++++++++++++
- extensions/libxt_recent.man         |    5 +++++
- include/linux/netfilter/xt_recent.h |    7 +++++++
- 3 files changed, 32 insertions(+), 0 deletions(-)
-
---- a/extensions/libxt_recent.c
-+++ b/extensions/libxt_recent.c
-@@ -20,6 +20,7 @@ static const struct option recent_opts[]
-       {.name = "name",     .has_arg = true,  .val = 208},
-       {.name = "rsource",  .has_arg = false, .val = 209},
-       {.name = "rdest",    .has_arg = false, .val = 210},
-+      {.name = "reap",     .has_arg = false, .val = 211},
-       XT_GETOPT_TABLEEND,
- };
- 
-@@ -37,6 +38,7 @@ static void recent_help(void)
- "    --hitcount hits             For check and update commands above.\n"
- "                                Specifies that the match will only occur if 
source address seen hits times.\n"
- "                                May be used in conjunction with the seconds 
option.\n"
-+"    --reap                      Remove entries that have expired. Can only 
be used with --seconds\n"
- "    --rttl                      For check and update commands above.\n"
- "                                Specifies that the match will only occur if 
the source address and the TTL\n"
- "                                match between this packet and the one which 
was set.\n"
-@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
-       (XT_RECENT_SET | XT_RECENT_CHECK | \
-       XT_RECENT_UPDATE | XT_RECENT_REMOVE)
- 
-+#define XT_RECENT_SECONDS 1 << 31
-+
- static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
-                         const void *entry, struct xt_entry_match **match)
- {
-@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
- 
-               case 204:
-                       info->seconds = atoi(optarg);
-+                      *flags |= XT_RECENT_SECONDS;
-                       break;
- 
-               case 205:
-@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
-                       info->side = XT_RECENT_DEST;
-                       break;
- 
-+              case 211:
-+                      info->check_set |= XT_RECENT_REAP;
-+                      *flags |= XT_RECENT_REAP;
-+                      break;
-+
-               default:
-                       return 0;
-       }
-@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
-               xtables_error(PARAMETER_PROBLEM,
-                          "recent: --rttl may only be used with --rcheck or "
-                          "--update");
-+      if ((flags & XT_RECENT_REAP) &&
-+          ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
-+          (!(flags & XT_RECENT_SECONDS))))
-+              xtables_error(PARAMETER_PROBLEM,
-+                         "recent: --reap may only be used with --rcheck or "
-+                         "--update and --seconds");
- }
- 
- static void recent_print(const void *ip, const struct xt_entry_match *match,
-@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
-               printf("side: source ");
-       if (info->side == XT_RECENT_DEST)
-               printf("side: dest ");
-+      if (info->check_set & XT_RECENT_REAP)
-+              printf("reap ");
- }
- 
- static void recent_save(const void *ip, const struct xt_entry_match *match)
-@@ -211,6 +229,8 @@ static void recent_save(const void *ip,
-               printf("--rsource ");
-       if (info->side == XT_RECENT_DEST)
-               printf("--rdest ");
-+      if (info->check_set & XT_RECENT_REAP)
-+              printf("--reap ");
- }
- 
- static struct xtables_match recent_mt_reg = {
---- a/extensions/libxt_recent.man
-+++ b/extensions/libxt_recent.man
-@@ -41,6 +41,11 @@ This option must be used in conjunction
- \fB\-\-update\fP. When used, this will narrow the match to only happen when 
the
- address is in the list and was seen within the last given number of seconds.
- .TP
-+\fB\-\-reap\fP \fIreap\fP
-+This option must be used in conjunction with \fB\-\-seconds\fP. When used, 
this
-+will remove entries with the most recent timestamp older then 
\fB\-\-seconds\fP
-+since the last packet was received.
-+.TP
- \fB\-\-hitcount\fP \fIhits\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when 
the
---- a/include/linux/netfilter/xt_recent.h
-+++ b/include/linux/netfilter/xt_recent.h
-@@ -23,6 +23,9 @@ enum {
- #define XT_RECENT_VALID_FLAGS 
(XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
-                              XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
- 
-+/* Only allowed with --rcheck and --update */
-+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
-+
- struct xt_recent_mtinfo {
-       __u32 seconds;
-       __u32 hit_count;
diff --git 
a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch 
b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
index 422058d..bec5397 100644
--- a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -1,6 +1,8 @@
---- a/xtables.c
-+++ b/xtables.c
-@@ -305,6 +305,7 @@ static char *get_modprobe(void)
+Index: iptables-1.4.17/libxtables/xtables.c
+===================================================================
+--- iptables-1.4.17.orig/libxtables/xtables.c
++++ iptables-1.4.17/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
  
  int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
  {
@@ -8,7 +10,7 @@
        char *buf = NULL;
        char *argv[4];
        int status;
-@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname,
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
        free(buf);
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                return 0;
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch 
b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
index cda9a72..39f17e3 100644
--- a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@@ -1,6 +1,8 @@
---- a/configure
-+++ b/configure
-@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
+Index: iptables-1.4.17/configure
+===================================================================
+--- iptables-1.4.17.orig/configure
++++ iptables-1.4.17/configure
+@@ -12173,77 +12173,7 @@ $as_echo "no" >&6; }
        fi
  fi
  
@@ -18,6 +20,7 @@
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }; then
 -  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 
2>/dev/null`
+-                    test "x$?" != "x0" && pkg_failed=yes
 -else
 -  pkg_failed=yes
 -fi
@@ -34,6 +37,7 @@
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }; then
 -  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 
2>/dev/null`
+-                    test "x$?" != "x0" && pkg_failed=yes
 -else
 -  pkg_failed=yes
 -fi
@@ -53,9 +57,9 @@
 -        _pkg_short_errors_supported=no
 -fi
 -        if test $_pkg_short_errors_supported = yes; then
--              libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors "libnfnetlink >= 1.0" 2>&1`
+-              libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
 -        else
--              libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors 
"libnfnetlink >= 1.0" 2>&1`
+-              libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags 
--libs "libnfnetlink >= 1.0" 2>&1`
 -        fi
 -      # Put the nasty error message in config.log where it belongs
 -      echo "$libnfnetlink_PKG_ERRORS" >&5
@@ -77,9 +81,11 @@
    HAVE_LIBNFNETLINK_TRUE=
    HAVE_LIBNFNETLINK_FALSE='#'
  else
---- a/configure.ac
-+++ b/configure.ac
-@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+Index: iptables-1.4.17/configure.ac
+===================================================================
+--- iptables-1.4.17.orig/configure.ac
++++ iptables-1.4.17/configure.ac
+@@ -89,9 +89,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
  AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
  AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
  
@@ -88,5 +94,5 @@
 -AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
 +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
  
- regular_CFLAGS="${largefile_cflags} \
-       -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
+ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+       -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git 
a/package/network/utils/iptables/patches/040-libip6t_DNPT-fix-wording-in-DNPT-target.patch
 
b/package/network/utils/iptables/patches/040-libip6t_DNPT-fix-wording-in-DNPT-target.patch
new file mode 100644
index 0000000..8f424fd
--- /dev/null
+++ 
b/package/network/utils/iptables/patches/040-libip6t_DNPT-fix-wording-in-DNPT-target.patch
@@ -0,0 +1,75 @@
+From 7b04e3ef3a6ffccb23de83ef3b2d8f5aeaaa09e5 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.we...@sophos.com>
+Date: Wed, 2 Jan 2013 06:03:49 +0000
+Subject: [PATCH] extensions: libip6t_DNPT: fix wording in DNPT target
+
+replaces SNPT by DNPT.
+
+This fixes broken help message that points to SNPT.
+
+Signed-off-by: Ulrich Weber <ulrich.we...@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+---
+ extensions/libip6t_DNPT.c |   18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/extensions/libip6t_DNPT.c b/extensions/libip6t_DNPT.c
+index 9e4dc5c..7439816 100644
+--- a/extensions/libip6t_DNPT.c
++++ b/extensions/libip6t_DNPT.c
+@@ -8,7 +8,7 @@ enum {
+       O_DST_PFX       = 1 << 1,
+ };
+ 
+-static const struct xt_option_entry SNPT_options[] = {
++static const struct xt_option_entry DNPT_options[] = {
+       { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK,
+         .flags = XTOPT_MAND },
+       { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK,
+@@ -16,16 +16,16 @@ static const struct xt_option_entry SNPT_options[] = {
+       { }
+ };
+ 
+-static void SNPT_help(void)
++static void DNPT_help(void)
+ {
+-      printf("SNPT target options:"
++      printf("DNPT target options:"
+              "\n"
+              " --src-pfx prefix/length\n"
+              " --dst-pfx prefix/length\n"
+              "\n");
+ }
+ 
+-static void SNPT_parse(struct xt_option_call *cb)
++static void DNPT_parse(struct xt_option_call *cb)
+ {
+       struct ip6t_npt_tginfo *npt = cb->data;
+ 
+@@ -42,7 +42,7 @@ static void SNPT_parse(struct xt_option_call *cb)
+       }
+ }
+ 
+-static void SNPT_print(const void *ip, const struct xt_entry_target *target,
++static void DNPT_print(const void *ip, const struct xt_entry_target *target,
+                      int numeric)
+ {
+       const struct ip6t_npt_tginfo *npt = (const void *)target->data;
+@@ -59,10 +59,10 @@ static struct xtables_target snpt_tg_reg = {
+       .family         = NFPROTO_IPV6,
+       .size           = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)),
+       .userspacesize  = offsetof(struct ip6t_npt_tginfo, adjustment),
+-      .help           = SNPT_help,
+-      .x6_parse       = SNPT_parse,
+-      .print          = SNPT_print,
+-      .x6_options     = SNPT_options,
++      .help           = DNPT_help,
++      .x6_parse       = DNPT_parse,
++      .print          = DNPT_print,
++      .x6_options     = DNPT_options,
+ };
+ 
+ void _init(void)
+-- 
+1.7.2.5
+
diff --git 
a/package/network/utils/iptables/patches/050-libip6t_DNAT-allow-port-DNAT-without-address.patch
 
b/package/network/utils/iptables/patches/050-libip6t_DNAT-allow-port-DNAT-without-address.patch
new file mode 100644
index 0000000..8792bcb
--- /dev/null
+++ 
b/package/network/utils/iptables/patches/050-libip6t_DNAT-allow-port-DNAT-without-address.patch
@@ -0,0 +1,89 @@
+From: Ulrich Weber <ulrich.we...@sophos.com>
+Date: Thu, 3 Jan 2013 00:39:58 +0000 (+0000)
+Subject: extension: libip6t_DNAT: allow port DNAT without address
+X-Git-Url: 
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=92f05a2f38e6c6bc6c69880358c41ac17bd31298
+
+extension: libip6t_DNAT: allow port DNAT without address
+
+correct parsing of IPv6 port NAT without address NAT,
+assume one colon as port information.
+
+Allows:
+* address only:
+ -j DNAT --to affe::1
+ -j DNAT --to [affe::1]
+
+* port only
+ -j DNAT --to :80
+ -j DNAT --to :80-110
+ -j DNAT --to []:80
+ -j DNAT --to []:80-110
+
+* address and port
+ -j DNAT --to [affe::1]:80
+ -j DNAT --to [affe::1]:80-110
+
+Signed-off-by: Ulrich Weber <ulrich.we...@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+---
+
+diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
+index a5969c3..1bba37e 100644
+--- a/extensions/libip6t_DNAT.c
++++ b/extensions/libip6t_DNAT.c
+@@ -54,8 +54,13 @@ parse_to(const char *orig_arg, int portok, struct 
nf_nat_range *range)
+               xtables_error(RESOURCE_PROBLEM, "strdup");
+ 
+       start = strchr(arg, '[');
+-      if (start == NULL)
++      if (start == NULL) {
+               start = arg;
++              /* Lets assume one colon is port information. Otherwise its an 
IPv6 address */
++              colon = strchr(arg, ':');
++              if (colon && strchr(colon+1, ':'))
++                      colon = NULL;
++      }
+       else {
+               start++;
+               end = strchr(start, ']');
+@@ -105,8 +110,8 @@ parse_to(const char *orig_arg, int portok, struct 
nf_nat_range *range)
+                       range->min_proto.tcp.port = htons(port);
+                       range->max_proto.tcp.port = htons(maxport);
+               }
+-              /* Starts with a colon? No IP info...*/
+-              if (colon == arg) {
++              /* Starts with colon or [] colon? No IP info...*/
++              if (colon == arg || colon == arg+2) {
+                       free(arg);
+                       return;
+               }
+diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
+index 307be70..7382ad0 100644
+--- a/extensions/libip6t_SNAT.c
++++ b/extensions/libip6t_SNAT.c
+@@ -54,8 +54,13 @@ parse_to(const char *orig_arg, int portok, struct 
nf_nat_range *range)
+               xtables_error(RESOURCE_PROBLEM, "strdup");
+ 
+       start = strchr(arg, '[');
+-      if (start == NULL)
++      if (start == NULL) {
+               start = arg;
++              /* Lets assume one colon is port information. Otherwise its an 
IPv6 address */
++              colon = strchr(arg, ':');
++              if (colon && strchr(colon+1, ':'))
++                      colon = NULL;
++      }
+       else {
+               start++;
+               end = strchr(start, ']');
+@@ -105,8 +110,8 @@ parse_to(const char *orig_arg, int portok, struct 
nf_nat_range *range)
+                       range->min_proto.tcp.port = htons(port);
+                       range->max_proto.tcp.port = htons(maxport);
+               }
+-              /* Starts with a colon? No IP info...*/
+-              if (colon == arg) {
++              /* Starts with colon or [] colon? No IP info...*/
++              if (colon == arg || colon == arg+2) {
+                       free(arg);
+                       return;
+               }
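Review bot: The widened test `colon == arg || colon == arg+2` in both copies of parse_to (libip6t_DNAT.c and libip6t_SNAT.c) checks only where the colon sits, not that the two characters before it are `[]`. With the new unbracketed branch, an argument with a single colon at offset 2 (constructed example: `ab:80`) appears to take the port-only return. The leading text would then be dropped instead of rejected as a bad address, and a mistyped `--to` value would load as a port-only NAT rule. Tightening the test to `if (colon == arg || (colon == arg+2 && arg[0] == '[' && arg[1] == ']')) {` keeps the documented `[]:80` form and nothing else. parse_to begins and ends outside these hunks, so this should be checked against the address parsing that follows.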
diff --git 
a/package/network/utils/iptables/patches/051-libip6t_DNAT-set-ipv6-DNAT-to-destination-fix-DNAT_save.patch
 
b/package/network/utils/iptables/patches/051-libip6t_DNAT-set-ipv6-DNAT-to-destination-fix-DNAT_save.patch
new file mode 100644
index 0000000..c0fd5cf
--- /dev/null
+++ 
b/package/network/utils/iptables/patches/051-libip6t_DNAT-set-ipv6-DNAT-to-destination-fix-DNAT_save.patch
@@ -0,0 +1,52 @@
+From: Ulrich Weber <ulrich.we...@sophos.com>
+Date: Thu, 3 Jan 2013 00:41:38 +0000 (+0000)
+Subject: extensions: libip6t_DNAT: set IPv6 DNAT --to-destination
+X-Git-Url: 
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=ff338552d318b49e07662fd7648fdb11e3c42bc9
+
+extensions: libip6t_DNAT: set IPv6 DNAT --to-destination
+
+as in IPv4 and fixes DNAT_save
+
+Signed-off-by: Ulrich Weber <ulrich.we...@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+---
+
+diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
+index 1bba37e..eaa6bf1 100644
+--- a/extensions/libip6t_DNAT.c
++++ b/extensions/libip6t_DNAT.c
+@@ -29,13 +29,13 @@ static void DNAT_help(void)
+ {
+       printf(
+ "DNAT target options:\n"
+-" --to-dest [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
+-"                             Address to map source to.\n"
++" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
++"                             Address to map destination to.\n"
+ "[--random] [--persistent]\n");
+ }
+ 
+ static const struct xt_option_entry DNAT_opts[] = {
+-      {.name = "to-dest", .id = O_TO_DEST, .type = XTTYPE_STRING,
++      {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING,
+        .flags = XTOPT_MAND | XTOPT_MULTI},
+       {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+       {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
+@@ -167,7 +167,7 @@ static void DNAT_parse(struct xt_option_call *cb)
+                               get_kernel_version();
+                       if (kernel_version > LINUX_VERSION(2, 6, 10))
+                               xtables_error(PARAMETER_PROBLEM,
+-                                         "DNAT: Multiple --to-source not 
supported");
++                                         "DNAT: Multiple --to-destination not 
supported");
+               }
+               parse_to(cb->arg, portok, range);
+               break;
+@@ -223,7 +223,7 @@ static void DNAT_save(const void *ip, const struct 
xt_entry_target *target)
+ {
+       const struct nf_nat_range *range = (const void *)target->data;
+ 
+-      printf(" --to-source ");
++      printf(" --to-destination ");
+       print_range(range);
+       if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+               printf(" --random");
diff --git 
a/package/network/utils/iptables/patches/060-resolve-link-failure-for-ip6t_NETMAP.patch
 
b/package/network/utils/iptables/patches/060-resolve-link-failure-for-ip6t_NETMAP.patch
new file mode 100644
index 0000000..4008162
--- /dev/null
+++ 
b/package/network/utils/iptables/patches/060-resolve-link-failure-for-ip6t_NETMAP.patch
@@ -0,0 +1,81 @@
+From: Jan Engelhardt <jeng...@inai.de>
+Date: Tue, 1 Jan 2013 22:47:51 +0000 (+0000)
+Subject: build: resolve link failure for ip6t_NETMAP
+X-Git-Url: 
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=68e77a26111ee6b8f10c735a76891a7de6d57ee6;hp=eec83c7ce4351359cae797840d63cf4ef2809c95
+
+build: resolve link failure for ip6t_NETMAP
+
+Link stage of libip6t_NETMAP failed since recently.
+
+  CCLD     libip6t_NETMAP.so
+/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
+cannot find -lip6tc
+
+libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
+libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
+it is not specified.
+
+Why does the link succeed for some people? Because
+/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
+especially those without iptables development files, have that file,
+hence this link error can happen.
+
+By suggestion of Mike Frysinger, this patch uses libtool to produce
+and link the plugins.
+
+Signed-off-by: Jan Engelhardt <jeng...@inai.de>
+Acked-by: Mike Frysinger <vap...@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+---
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index e71e3ff..adad4d6 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -33,6 +33,7 @@ AM_VERBOSE_CXX    = @echo "  CXX     " $@;
+ AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
+ AM_VERBOSE_AR     = @echo "  AR      " $@;
+ AM_VERBOSE_GEN    = @echo "  GEN     " $@;
++AM_VERBOSE_NULL   = @
+ endif
+ 
+ #
+@@ -75,7 +76,7 @@ install: ${targets_install}
+       if test -n "${targets_install}"; then install -pm0755 $^ 
"${DESTDIR}${xtlibdir}/"; fi;
+ 
+ clean:
+-      rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c 
initext6.c;
++      rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c 
initext6.c;
+       rm -f .*.d .*.dd;
+ 
+ distclean: clean
+@@ -89,19 +90,22 @@ init%.o: init%.c
+ #
+ #     Shared libraries
+ #
+-lib%.so: lib%.oo
+-      ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< 
-L../libxtables/.libs -lxtables ${$*_LIBADD};
++lib%.so: lib%.la
++      ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
+ 
+-lib%.oo: ${srcdir}/lib%.c
+-      ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} 
-D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
++lib%.la: lib%.lo
++      ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link 
${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la 
${$*_LIBADD} -rpath ${xtlibdir}
++
++lib%.lo: ${srcdir}/lib%.c
++      ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC 
--mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} 
-D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
+ 
+ libxt_NOTRACK.so: libxt_CT.so
+-      ln -fs $< $@
++      ${AM_VERBOSE_GEN} ln -fs $< $@
+ libxt_state.so: libxt_conntrack.so
+-      ln -fs $< $@
++      ${AM_VERBOSE_GEN} ln -fs $< $@
+ 
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD  = -lip6tc
++ip6t_NETMAP_LIBADD  = ../libiptc/libip6tc.la
+ xt_RATEEST_LIBADD   = -lm
+ xt_statistic_LIBADD = -lm
+ 
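Review bot: The `clean` recipe now removes `*.la` and `*.lo` but not the `.libs/` directory that the new `lib%.so` rule links into (`ln -fs .libs/$@ $@`). The real modules and PIC objects therefore survive `make clean`, and only the symlinks are deleted. Adding `rm -rf .libs;` as a further recipe line would make a rebuild after reconfiguring start from a clean tree. The `lib%.so: lib%.la` rule would also benefit from a one-line comment, for example `# libtool leaves the real module in .libs/; the symlink keeps the lib%.so target name`.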
diff --git 
a/package/network/utils/iptables/patches/070-iptables-1.4.17-fix-build-failure.patch
 
b/package/network/utils/iptables/patches/070-iptables-1.4.17-fix-build-failure.patch
new file mode 100644
index 0000000..c6c8559
--- /dev/null
+++ 
b/package/network/utils/iptables/patches/070-iptables-1.4.17-fix-build-failure.patch
@@ -0,0 +1,14 @@
+Index: iptables-1.4.17/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.17.orig/extensions/GNUmakefile.in
++++ iptables-1.4.17/extensions/GNUmakefile.in
+@@ -23,7 +23,7 @@ kinclude_CPPFLAGS  = @kinclude_CPPFLAGS@
+ AM_CFLAGS       = ${regular_CFLAGS}
+ AM_CPPFLAGS     = ${regular_CPPFLAGS} -I${top_builddir}/include 
-I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+ AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+-AM_LDFLAGS      = @noundef_LDFLAGS@
++AM_LDFLAGS      = ${noundef_LDFLAGS} -L${top_srcdir}/libiptc/.libs
+ 
+ ifeq (${V},)
+ AM_LIBTOOL_SILENT = --silent
+
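Review bot: The new `AM_LDFLAGS` line swaps the configure substitution `@noundef_LDFLAGS@` for the make variable `${noundef_LDFLAGS}`, and the patch has no description saying why. Unless `noundef_LDFLAGS` is assigned elsewhere in GNUmakefile.in (not visible in this hunk), it expands to nothing and the undefined-symbol link check is silently dropped for every extension. If that is the intended fix, say so in a patch header and drop the variable outright. If not, keep `@noundef_LDFLAGS@`. The added search path also points at the source tree, while libtool writes `.libs` under the build tree, so `-L${top_builddir}/libiptc/.libs` would be the safer spelling for out-of-tree builds.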
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch 
b/package/network/utils/iptables/patches/100-bash-location.patch
index 818246e..26d3a61 100644
--- a/package/network/utils/iptables/patches/100-bash-location.patch
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -1,13 +1,7 @@
---- a/autogen.sh
-+++ b/autogen.sh
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- 
- autoreconf -fi;
- rm -Rf autom4te*.cache;
---- a/iptables-apply
-+++ b/iptables-apply
+Index: iptables-1.4.17/iptables/iptables-apply
+===================================================================
+--- iptables-1.4.17.orig/iptables/iptables-apply
++++ iptables-1.4.17/iptables/iptables-apply
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/usr/bin/env bash
diff --git a/package/network/utils/iptables/patches/110-linux_3.2_compat.patch 
b/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
deleted file mode 100644
index 536cb23..0000000
--- a/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/include/linux/types.h
-+++ b/include/linux/types.h
-@@ -34,5 +34,9 @@ typedef __u64 __bitwise __be64;
- typedef __u16 __bitwise __sum16;
- typedef __u32 __bitwise __wsum;
- 
-+#define __aligned_u64 __u64 __attribute__((aligned(8)))
-+#define __aligned_be64 __be64 __attribute__((aligned(8)))
-+#define __aligned_le64 __le64 __attribute__((aligned(8)))
-+
- #endif /*  __ASSEMBLY__ */
- #endif /* _LINUX_TYPES_H */
diff --git 
a/package/network/utils/iptables/patches/200-configurable_builtin.patch 
b/package/network/utils/iptables/patches/200-configurable_builtin.patch
index 4c9c88f..f983505 100644
--- a/package/network/utils/iptables/patches/200-configurable_builtin.patch
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -1,6 +1,8 @@
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -40,9 +40,24 @@ pfx_build_mod := $(patsubst ${srcdir}/li
+Index: iptables-1.4.17/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.17.orig/extensions/GNUmakefile.in
++++ iptables-1.4.17/extensions/GNUmakefile.in
+@@ -46,9 +46,24 @@ pfx_symlinks  := NOTRACK state
  pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
  pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
  pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
@@ -25,32 +27,36 @@
 +pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
 +pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
 +pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
- pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
  pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
  pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -54,10 +69,10 @@ pf6_solibs    := $(patsubst %,libip6t_%.
- targets := libext4.a libext6.a matches4.man matches6.man \
-            targets4.man targets6.man
+@@ -59,11 +74,11 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
  targets_install :=
--@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
--@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
 -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} 
${pf6_solibs}
-+libext4_objs := ${pfx_objs} ${pf4_objs}
-+libext6_objs := ${pfx_objs} ${pf6_objs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
 +targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 +targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} 
${pf6_solibs})
  
  .SECONDARY:
  
-@@ -107,8 +122,8 @@ libext4.a: initext4.o ${libext4_objs}
+@@ -128,9 +143,9 @@ libext4.a: initext4.o ${libext4_objs}
  libext6.a: initext6.o ${libext6_objs}
        ${AM_VERBOSE_AR} ${AR} crs $@ $^;
  
--initext_func  := $(addprefix xt_,${pfx_build_mod}) $(addprefix 
ipt_,${pf4_build_mod})
--initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix 
ip6t_,${pf6_build_mod})
-+initext_func  := $(addprefix xt_,${pfx_build_static}) $(addprefix 
ipt_,${pf4_build_static})
-+initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix 
ip6t_,${pf6_build_static})
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
  
- .initext4.dd: FORCE
+ .initext.dd: FORCE
        @echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch 
b/package/network/utils/iptables/patches/300-musl_fixes.patch
index e329aa9..b349d8a 100644
--- a/package/network/utils/iptables/patches/300-musl_fixes.patch
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
@@ -1,18 +1,22 @@
---- a/extensions/libip6t_ipv6header.c
-+++ b/extensions/libip6t_ipv6header.c
-@@ -15,6 +15,9 @@ on whether they contain certain headers
- #include <sys/types.h>
- 
+Index: iptables-1.4.17/extensions/libip6t_ipv6header.c
+===================================================================
+--- iptables-1.4.17.orig/extensions/libip6t_ipv6header.c
++++ iptables-1.4.17/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
  #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 +#ifndef IPPROTO_HOPOPTS
 +#     define IPPROTO_HOPOPTS 0
 +#endif
  
- /* This maybe required 
- #include <linux/in.h>
---- a/extensions/libxt_TCPOPTSTRIP.c
-+++ b/extensions/libxt_TCPOPTSTRIP.c
-@@ -16,6 +16,21 @@
+ enum {
+       O_HEADER = 0,
+Index: iptables-1.4.17/extensions/libxt_TCPOPTSTRIP.c
+===================================================================
+--- iptables-1.4.17.orig/extensions/libxt_TCPOPTSTRIP.c
++++ iptables-1.4.17/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
  #ifndef TCPOPT_MD5SIG
  #     define TCPOPT_MD5SIG 19
  #endif
@@ -33,9 +37,11 @@
 +#endif
  
  enum {
-       FLAG_STRIP = 1 << 0,
---- a/include/libiptc/ipt_kernel_headers.h
-+++ b/include/libiptc/ipt_kernel_headers.h
+       O_STRIP_OPTION = 0,
+Index: iptables-1.4.17/include/libiptc/ipt_kernel_headers.h
+===================================================================
+--- iptables-1.4.17.orig/include/libiptc/ipt_kernel_headers.h
++++ iptables-1.4.17/include/libiptc/ipt_kernel_headers.h
 @@ -5,7 +5,6 @@
  
  #include <limits.h>
@@ -60,8 +66,10 @@
 -#include <linux/in6.h>
 -#endif
  #endif
---- a/include/linux/netfilter/xt_osf.h
-+++ b/include/linux/netfilter/xt_osf.h
+Index: iptables-1.4.17/include/linux/netfilter/xt_osf.h
+===================================================================
+--- iptables-1.4.17.orig/include/linux/netfilter/xt_osf.h
++++ iptables-1.4.17/include/linux/netfilter/xt_osf.h
 @@ -21,6 +21,9 @@
  #define _XT_OSF_H
  
@@ -72,8 +80,10 @@
  
  #define MAXGENRELEN           32
  
---- a/include/linux/netfilter_ipv4/ip_tables.h
-+++ b/include/linux/netfilter_ipv4/ip_tables.h
+Index: iptables-1.4.17/include/linux/netfilter_ipv4/ip_tables.h
+===================================================================
+--- iptables-1.4.17.orig/include/linux/netfilter_ipv4/ip_tables.h
++++ iptables-1.4.17/include/linux/netfilter_ipv4/ip_tables.h
 @@ -16,6 +16,7 @@
  #define _IPTABLES_H
  
@@ -82,9 +92,11 @@
  
  #include <linux/netfilter_ipv4.h>
  
---- a/ip6tables-restore.c
-+++ b/ip6tables-restore.c
-@@ -11,7 +11,7 @@
+Index: iptables-1.4.17/iptables/ip6tables-restore.c
+===================================================================
+--- iptables-1.4.17.orig/iptables/ip6tables-restore.c
++++ iptables-1.4.17/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
   */
  
  #include <getopt.h>
@@ -93,8 +105,10 @@
  #include <stdbool.h>
  #include <string.h>
  #include <stdio.h>
---- a/ip6tables-save.c
-+++ b/ip6tables-save.c
+Index: iptables-1.4.17/iptables/ip6tables-save.c
+===================================================================
+--- iptables-1.4.17.orig/iptables/ip6tables-save.c
++++ iptables-1.4.17/iptables/ip6tables-save.c
 @@ -6,7 +6,7 @@
   * This code is distributed under the terms of GNU GPL v2
   */
@@ -104,9 +118,11 @@
  #include <stdio.h>
  #include <fcntl.h>
  #include <stdlib.h>
---- a/iptables-restore.c
-+++ b/iptables-restore.c
-@@ -8,7 +8,7 @@
+Index: iptables-1.4.17/iptables/iptables-restore.c
+===================================================================
+--- iptables-1.4.17.orig/iptables/iptables-restore.c
++++ iptables-1.4.17/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
   */
  
  #include <getopt.h>
@@ -115,8 +131,10 @@
  #include <stdbool.h>
  #include <string.h>
  #include <stdio.h>
---- a/iptables-save.c
-+++ b/iptables-save.c
+Index: iptables-1.4.17/iptables/iptables-save.c
+===================================================================
+--- iptables-1.4.17.orig/iptables/iptables-save.c
++++ iptables-1.4.17/iptables/iptables-save.c
 @@ -6,7 +6,7 @@
   *
   */
@@ -126,9 +144,11 @@
  #include <stdio.h>
  #include <fcntl.h>
  #include <stdlib.h>
---- a/iptables-xml.c
-+++ b/iptables-xml.c
-@@ -9,7 +9,7 @@
+Index: iptables-1.4.17/iptables/iptables-xml.c
+===================================================================
+--- iptables-1.4.17.orig/iptables/iptables-xml.c
++++ iptables-1.4.17/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
   */
  
  #include <getopt.h>
-- 
1.8.0.2


