netfilter, iptables: add optional CHECKSUM module
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Package identity. PKG_RELEASE is the packaging revision for this upstream version.
PKG_NAME:=iptables
PKG_VERSION:=1.6.1
PKG_RELEASE:=1

# Source is fetched from upstream git over HTTPS and pinned to one full commit id.
# PKG_MIRROR_HASH is the digest expected for the source archive built from that
# checkout; whenever PKG_SOURCE_VERSION changes, the hash must be regenerated and
# reviewed in the same change so a mismatching download is rejected.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

# A git checkout ships no generated configure script, so autotools files are rebuilt.
PKG_FIXUP:=autoreconf

# Stage through "make install", allow parallel jobs, and record the license.
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
25
26 include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty: read the kernel .config (optional, hence "-include") and
# the netfilter module lists, then append a fingerprint of every NETFILTER line of the
# kernel config to the configure stamp, so a changed netfilter selection yields a new
# stamp name. The md5 digest is a change detector only, not an integrity control.
# NOTE(review): if $(LINUX_DIR)/.config is missing, grep fails and the digest is that
# of empty input; confirm this is the intended fallback.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
32
33
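# Shared menu metadata inherited by every package declared in this Makefile.
# The project homepage is given as HTTPS, consistent with the HTTPS source URL in
# PKG_SOURCE_URL, so users following the link are not sent over plain HTTP.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef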
40
# Template for extension sub-packages: takes the shared metadata and depends on the
# base iptables package plus the dependency string the caller passes as $(1)
# (in this file, the kernel module package(s) that back the extension).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
45
# Base userspace tool. MENU:=1 makes it a menu entry that holds the options from
# Package/iptables/config. libip6tc is pulled in only when IPV6 is enabled.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
52
# Build-time switches, both off by default. They are consumed further down through
# CONFIG_IPTABLES_CONNLABEL / CONFIG_IPTABLES_NFTABLES (configure flags and the
# conditional libxtables dependencies), so disabled features are not compiled in.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
66
# Help text for the base package: the matches, targets and tables it lists as covered
# without any of the optional iptables-mod-* packages.
define Package/iptables/description
  IP firewall administration tool.

  Matches:
  - icmp
  - tcp
  - udp
  - comment
  - conntrack
  - limit
  - mac
  - mark
  - multiport
  - set
  - state
  - time

  Targets:
  - ACCEPT
  - CT
  - DNAT
  - DROP
  - REJECT
  - LOG
  - MARK
  - MASQUERADE
  - REDIRECT
  - SET
  - SNAT
  - TCPMSS

  Tables:
  - filter
  - mangle
  - nat
  - raw

endef
105
# Optional package: extra connection-tracking matches/targets (needs kmod-ipt-conntrack-extra).
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
  Extra iptables extensions for connection tracking.

  Matches:
  - connbytes
  - connlimit
  - connmark
  - recent
  - helper

  Targets:
  - CONNMARK

endef
125
# Optional package: payload (string) matching (needs kmod-ipt-filter).
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
  iptables extensions for packet content inspection.
  Includes support for:

  Matches:
  - string

endef
139
# Optional package: matching and rewriting of IP/packet options (needs kmod-ipt-ipopt).
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
  iptables extensions for matching/changing IP packet options.

  Matches:
  - dscp
  - ecn
  - length
  - statistic
  - tcpmss
  - unclean
  - hl

  Targets:
  - DSCP
  - CLASSIFY
  - ECN
  - HL

endef
164
# Optional package: matches for IPsec traffic (needs kmod-ipt-ipsec).
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
  iptables extensions for matching ipsec traffic.

  Matches:
  - ah
  - esp
  - policy

endef
179
# Optional package: additional NAT targets (needs kmod-ipt-nat-extra).
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
  iptables extensions for extra NAT targets.

  Targets:
  - MIRROR
  - NETMAP
endef
192
# Optional package: ULOG user-space packet logging target (needs kmod-ipt-ulog).
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
  iptables extensions for user-space packet logging.

  Targets:
  - ULOG

endef
205
# Optional package: NFLOG target, logging to user space over nfnetlink
# (needs kmod-nfnetlink-log and kmod-ipt-nflog).
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
  iptables extension for user-space logging via NFNETLINK.

  Includes:
  - libxt_NFLOG

endef
218
# Optional package: TRACE target (needs kmod-ipt-debug and kmod-ipt-raw).
define Package/iptables-mod-trace
$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw)
  TITLE:=Netfilter TRACE target
endef

define Package/iptables-mod-trace/description
  iptables extension for TRACE target

  Includes:
  - libxt_TRACE

endef
231
232
# Optional package: NFQUEUE target, which queues packets to a user-space program over
# nfnetlink (needs kmod-nfnetlink-queue and kmod-ipt-nfqueue).
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
  iptables extension for user-space queuing via NFNETLINK.

  Includes:
  - libxt_NFQUEUE

endef
245
# Optional package: hashlimit match (needs kmod-ipt-hashlimit).
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
  iptables extensions for hashlimit matching

  Matches:
  - hashlimit

endef
258
# Optional package: rpfilter match, a per-packet reverse path check (needs kmod-ipt-rpfilter).
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
  iptables extensions for reverse path filter test on a packet

  Matches:
  - rpfilter

endef
271
# Optional package: iprange match (needs kmod-ipt-iprange).
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
  iptables extensions for matching ip ranges.

  Matches:
  - iprange

endef
284
# Optional package: cluster match for sharing load between nodes that all see the
# same traffic (needs kmod-ipt-cluster).
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
  iptables extensions for matching cluster.

  Netfilter (IPv4/IPv6) module for matching cluster
  This option allows you to build work-load-sharing clusters of
  network servers/stateful firewalls without having a dedicated
  load-balancing router/server/switch. Basically, this match returns
  true when the packet must be handled by this cluster node. Thus,
  all nodes see all packets and this match decides which node handles
  what packets. The work-load sharing algorithm is based on source
  address hashing.

  This module is usable for ipv4 and ipv6.

  If you select it, it enables kmod-ipt-cluster.

  see `iptables -m cluster --help` for more information.
endef
308
# Optional package: CLUSTERIP target (needs kmod-ipt-clusterip).
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
  iptables extensions for CLUSTERIP.
  The CLUSTERIP target allows you to build load-balancing clusters of
  network servers without having a dedicated load-balancing
  router/server/switch.

  If you select it, it enables kmod-ipt-clusterip.

  see `iptables -j CLUSTERIP --help` for more information.
endef
324
# Optional package: assorted additional matches (needs kmod-ipt-extra).
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
  Other extra iptables extensions.

  Matches:
  - addrtype
  - condition
  - owner
  - physdev (if ebtables is enabled)
  - pkttype
  - quota

endef
342
# Optional package: LED trigger target (needs kmod-ipt-led).
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
  iptables extension for triggering a LED.

  Targets:
  - LED

endef
355
# Optional package: transparent proxy support, socket match and TPROXY target
# (needs kmod-ipt-tproxy).
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
  Transparent proxy iptables extensions.

  Matches:
  - socket

  Targets:
  - TPROXY

endef
371
# Optional package: TEE target (needs kmod-ipt-tee). TEE copies packets to another
# destination, so ship it only on images where traffic mirroring is intended.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
  TEE iptables extensions.

  Targets:
  - TEE

endef
384
# Optional package: u32 match (needs kmod-ipt-u32).
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
  U32 iptables extensions.

  Matches:
  - u32

endef
397
# Optional package: CHECKSUM target (needs kmod-ipt-checksum). Its extension library
# is picked up by the BuildPlugin call that passes $(IPT_CHECKSUM-m).
define Package/iptables-mod-checksum
$(call Package/iptables/Module, +kmod-ipt-checksum)
  TITLE:=IP CHECKSUM target extension
endef

define Package/iptables-mod-checksum/description
  iptables extension for the CHECKSUM calculation target
endef
406
# IPv6 front end. "@IPV6" makes the package selectable only when IPv6 support is
# enabled; it reuses the iptables package and adds kmod-ip6tables.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
414
415
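# IPv6 header-matching extensions (needs kmod-ip6tables-extra).
# The package is registered as "ip6tables-extra", so its description has to be defined
# under that same name. The former "ip6tables-mod-extra" spelling matched no package
# in this file, which means the help text appears never to have been attached.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

define Package/ip6tables-extra/description
  iptables header matching modules for IPv6
endef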
425
# Optional package: IPv6 NAT targets (needs kmod-ipt-nat6).
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
  iptables extensions for IPv6-NAT targets.
endef
435
# Compatibility stub library; depends on the split IPv4/IPv6 libraries and libxtables.
# ABI_VERSION follows PKG_VERSION, so the ABI tag changes with every version bump.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  ABI_VERSION:=$(PKG_VERSION)
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
444
# Shared IPv4 libiptc library; ABI_VERSION is tied to PKG_VERSION.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
453
# Shared IPv6 libiptc library; ABI_VERSION is tied to PKG_VERSION.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
462
# Shared xtables library. The two dependencies are conditional: each library is pulled
# in only when the matching IPTABLES_* option from Package/iptables/config is enabled.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnftnl
endef
473
# Search the package's own headers and the kernel's exported user headers before
# anything already present in TARGET_CPPFLAGS.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Same include paths for the compiler proper. Per-function/per-data sections pair with
# the linker's --gc-sections below so unreferenced code can be dropped.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# Each $(if ...) emits its --disable-* flag only when the corresponding CONFIG_ symbol
# is empty, so connlabel, nftables and IPv6 support are built only when selected.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# MAKE_FLAGS is assigned, not appended. BUILTIN_MODULES is the combined builtin,
# conntrack and NAT module list with the xt_/ipt_/ip6t_ prefixes stripped.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
504
# Define the cleanup step only when the .config_* stamp found in the build directory
# differs from the one derived from STAMP_CONFIGURED (".configured_" -> ".config_").
# The step deletes stale objects and archives plus both kinds of old stamp, then
# records the new stamp, so objects built for another netfilter selection are not reused.
# NOTE(review): the paths assume PKG_BUILD_DIR is non-empty; confirm it is always set
# by the included package.mk before these rm/find commands can run.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
513
# Configure step: run the stale-object cleanup first (it expands to nothing when
# Build/Configure/rebuild was not defined), then the default configure procedure.
define Build/Configure
	$(Build/Configure/rebuild)
	$(Build/Configure/Default)
endef
518
# Stage headers, shared libraries and pkg-config files into the development tree $(1)
# for other packages to build against. Some files come straight from the build tree
# rather than from the install tree, as the XXX notes below explain.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
542
# Install xtables-multi and the iptables, iptables-restore and iptables-save entries,
# and create the (initially empty) extension directory that plugin packages fill.
# NOTE(review): the {,-restore,-save} form needs a shell with brace expansion;
# presumably the build system runs recipes under bash, confirm.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
549
# Install the ip6tables, ip6tables-restore and ip6tables-save entries.
# NOTE(review): relies on shell brace expansion, as in Package/iptables/install.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
554
# Install the libiptc compatibility library from the staged install tree.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
559
# Install libip4tc plus libiptext4.so, which is copied from the build tree's
# extensions directory rather than from the staged install tree.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
565
# Install libip6tc plus libiptext6.so, which is copied from the build tree's
# extensions directory rather than from the staged install tree.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
571
# Install libxtables plus libiptext.so, which is copied from the build tree's
# extensions directory rather than from the staged install tree.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
577
# BuildPlugin: $(1) = package name, $(2) = module list, $(3) = optional extra commands.
# Emits Package/<name>/install and then registers the package with BuildPackage.
# For every module name the loop tries the xt_/ipt_/ip6t_ spellings produced by the
# patsubst calls and copies lib<name>.so only when that file exists in the staged tree,
# so a missing extension is skipped silently rather than failing the build.
# The doubled "$$" and the eightfold "$" defer expansion through the nested call/eval
# layers so that the shell finally receives ${m}; keep the counts unchanged.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
591
# Package registration. Plain packages go through BuildPackage; extension packages go
# through BuildPlugin together with the IPT_*-m module list that selects which
# extension libraries they ship.

# Base IPv4 tool and its optional extension packages.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))

# IPv6 tool and its extension packages.
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))

# Shared libraries.
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))