netfilter: add iptables-mod-rpfilter package
[openwrt/openwrt.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Upstream project and version being packaged; PKG_RELEASE is the revision of
# this packaging for that version.
PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=2

# All four mirrors are plain HTTP or FTP, so the transport gives no integrity
# or authenticity guarantee for the tarball. PKG_HASH (64 hex digits, the
# length of a SHA-256 digest) is what pins the expected content: update it
# together with PKG_VERSION, from a trusted copy of the release, and never
# blank it to get past a failed download.
# NOTE(review): confirm the download rules reject a tarball whose digest differs.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
PKG_HASH:=52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0

# Build knobs consumed by the included package rules, plus the licence tag.
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
26
27 include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty: read the kernel .config (optional, hence the
# leading '-') and the netfilter module lists, then suffix the configure stamp
# with a digest of the kernel's NETFILTER option lines so that a change in
# those options yields a different stamp name.
# The md5 here is a change fingerprint for the stamp file name only; it is not
# used to verify any download or artifact.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
33
34
# Fields shared by every package defined in this Makefile: menu placement and
# the upstream project URL.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=http://netfilter.org/
endef

# Template for the extension packages: the shared defaults plus a dependency on
# the iptables package and on whatever the caller passes as $(1) (in this file,
# the matching kmod-* kernel module packages).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
46
# Base userspace tool. It opens its own submenu (MENU:=1) and pulls in the core
# kernel module package and the libip4tc / libxtables libraries; libip6tc is
# added only when IPV6 is enabled.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef

# Package description text: the matches, targets and tables listed for the
# base package. Anything not listed here is expected from an iptables-mod-*
# package below.
define Package/iptables/description
 IP firewall administration tool.

 Matches:
 - icmp
 - tcp
 - udp
 - comment
 - conntrack
 - limit
 - mac
 - mark
 - multiport
 - set
 - state
 - time

 Targets:
 - ACCEPT
 - CT
 - DNAT
 - DROP
 - REJECT
 - LOG
 - MARK
 - MASQUERADE
 - REDIRECT
 - SET
 - SNAT
 - TCPMSS

 Tables:
 - filter
 - mangle
 - nat
 - raw

endef
92
# Additional connection-tracking matches and the CONNMARK target; depends on
# iptables plus kmod-ipt-conntrack-extra via the Module template.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
 Extra iptables extensions for connection tracking.

 Matches:
 - connbytes
 - connlimit
 - connmark
 - recent
 - helper

 Targets:
 - CONNMARK

endef

# Payload inspection (the "string" match); depends on kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
 iptables extensions for packet content inspection.
 Includes support for:

 Matches:
 - string

endef
126
# Matches and targets that read or rewrite IP/packet options; depends on
# kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
 iptables extensions for matching/changing IP packet options.

 Matches:
 - dscp
 - ecn
 - length
 - statistic
 - tcpmss
 - unclean
 - hl

 Targets:
 - DSCP
 - CLASSIFY
 - ECN
 - HL

endef

# Matches for IPsec traffic (ah, esp, policy); depends on kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
 iptables extensions for matching ipsec traffic.

 Matches:
 - ah
 - esp
 - policy

endef
166
# Extra NAT targets (MIRROR, NETMAP); depends on kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
 iptables extensions for extra NAT targets.

 Targets:
 - MIRROR
 - NETMAP
endef

# The next three packages hand packets or log records to user space, so the
# daemon consuming them becomes part of the firewall's trust boundary.

# ULOG target; depends on kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
 iptables extensions for user-space packet logging.

 Targets:
 - ULOG

endef

# NFLOG target over nfnetlink; needs both kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
 iptables extension for user-space logging via NFNETLINK.

 Includes:
 - libxt_NFLOG

endef

# NFQUEUE target over nfnetlink; needs both kmod-nfnetlink-queue and
# kmod-ipt-nfqueue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
 iptables extension for user-space queuing via NFNETLINK.

 Includes:
 - libxt_NFQUEUE

endef
218
# hashlimit match; depends on kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
 iptables extensions for hashlimit matching

 Matches:
 - hashlimit

endef
231
# rpfilter match; depends on kmod-ipt-rpfilter. A reverse path filter test
# checks whether a reply to the packet would leave through the interface the
# packet arrived on, which is the usual building block for dropping packets
# with spoofed source addresses.
# The userspace library is shipped only if IPT_RPFILTER-m (defined outside this
# file) names it; see the BuildPlugin call for this package.
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
 iptables extensions for reverse path filter test on a packet

 Matches:
 - rpfilter

endef
244
# iprange match; depends on kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
 iptables extensions for matching ip ranges.

 Matches:
 - iprange

endef

# cluster match; depends on kmod-ipt-cluster. Per the description every node
# sees every packet and the match decides which node handles it.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
 iptables extensions for matching cluster.

 Netfilter (IPv4/IPv6) module for matching cluster
 This option allows you to build work-load-sharing clusters of
 network servers/stateful firewalls without having a dedicated
 load-balancing router/server/switch. Basically, this match returns
 true when the packet must be handled by this cluster node. Thus,
 all nodes see all packets and this match decides which node handles
 what packets. The work-load sharing algorithm is based on source
 address hashing.

 This module is usable for ipv4 and ipv6.

 If you select it, it enables kmod-ipt-cluster.

 see `iptables -m cluster --help` for more information.
endef

# CLUSTERIP target; depends on kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
 iptables extensions for CLUSTERIP.
 The CLUSTERIP target allows you to build load-balancing clusters of
 network servers without having a dedicated load-balancing
 router/server/switch.

 If you select it, it enables kmod-ipt-clusterip.

 see `iptables -j CLUSTERIP --help` for more information.
endef
297
# Assorted matches that fit no other group; depends on kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
 Other extra iptables extensions.

 Matches:
 - addrtype
 - condition
 - owner
 - physdev (if ebtables is enabled)
 - pkttype
 - quota

endef

# LED target; depends on kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
 iptables extension for triggering a LED.

 Targets:
 - LED

endef
328
# Transparent proxying: the socket match and the TPROXY target; depends on
# kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
 Transparent proxy iptables extensions.

 Matches:
 - socket

 Targets:
 - TPROXY

endef

# TEE target; depends on kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
 TEE iptables extensions.

 Targets:
 - TEE

endef

# u32 match; depends on kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
 U32 iptables extensions.

 Matches:
 - u32

endef
370
# IPv6 counterpart of the base tool. "@IPV6" makes the package selectable only
# when IPV6 is enabled; it also pulls in kmod-ip6tables and the iptables
# package. CATEGORY repeats the value already set by the shared defaults.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
378
379
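# IPv6 header-matching extensions; depends on ip6tables and pulls in
# kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# The description must be named after the package it describes. It used to be
# defined as Package/ip6tables-mod-extra/description, but this Makefile only
# defines and registers a package called ip6tables-extra, so the text was
# attached to a package that does not exist.
define Package/ip6tables-extra/description
 iptables header matching modules for IPv6
endef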
389
# IPv6 NAT targets; depends on ip6tables and pulls in kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
 iptables extensions for IPv6-NAT targets.
endef
399
# Library packages. Each starts from the shared defaults and then moves itself
# to the "libs" section / "Libraries" category.

# Compatibility stub that only exists to pull in the three real libraries.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef

# IPv4 libiptc; needs libxtables.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef

# IPv6 libiptc; needs libxtables.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef

# Shared xtables library used by the packages above; declares no dependency.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
endef
430
# Header search path: the package's own include directory and the kernel's
# user headers are placed ahead of whatever TARGET_CPPFLAGS already holds.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Same include paths again for the compiler, plus per-function/per-data
# sections so that the --gc-sections link flag below can discard unused code,
# and the NO_LEGACY define.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# configure switches: shared and static libraries, development files, kernel
# headers taken from the build tree, and IPv6 disabled unless CONFIG_IPV6 is set.
# --with-xtlibdir is the extension directory; it is the same path the plugin
# packages install their lib*.so files into.
# NOTE(review): extensions are loaded from that directory as shared objects, so
# it should stay writable by root only on the target image.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--enable-static \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Variables handed to the package's own make. BUILTIN_MODULES is the builtin,
# conntrack and NAT module lists with their xt_/ipt_/ip6t_ prefixes stripped.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
459
# If the .config_* marker found in the build directory is not the one expected
# for the current STAMP_CONFIGURED (which carries the NETFILTER fingerprint),
# define a rebuild step: delete object files and archives left from the old
# configuration, drop the stale markers, and create the marker for the current
# one. When the marker already matches, Build/Configure/rebuild stays undefined
# and expands to nothing.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif

# Configure step: the optional cleanup above first, then the default configure.
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef
473
# Development install into the directory passed as $(1): headers, the shared
# libraries with their pkg-config files, and the libiptext*.so libraries.
# Headers are copied from two places: straight from the build tree (the
# "header fixup" set) and from the package's own install output.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
497
# Files of the base package: the xtables-multi binary, the iptables,
# iptables-restore and iptables-save entries from the install output, and an
# empty /usr/lib/iptables directory for the extension packages to fill.
# The {,-restore,-save} form is shell brace expansion.
# NOTE(review): that relies on the recipe shell being bash - confirm.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef

# Files of the IPv6 tool package: only the three ip6tables* entries; the
# xtables-multi binary itself is shipped by the iptables package.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
509
# Library packages: each copies its shared object(s) into $(1)/usr/lib. The
# libip4tc, libip6tc and libxtables packages also take the matching
# libiptext*.so straight from the build tree's extensions directory.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef

define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef

define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef

define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
532
# BuildPlugin,<package>,<module list>,<extra install commands>
#
# Generates the install rule for one extension package and registers the
# package with BuildPackage.
#   $(1)  package name
#   $(2)  kernel-side module names (xt_*, ipt_*, ip6t_*)
#   $(3)  optional extra commands appended to the install rule
#
# Each name in $(2) is tried under its xt_/ipt_/ip6t_ spellings and the
# matching lib<name>.so is copied into /usr/lib/iptables only if the file
# exists in the install output. A missing library is skipped without an error,
# so an empty or misspelled module list yields a package with no extension in
# it rather than a build failure.
# The doubled and multiplied '$' signs postpone expansion through the nested
# call/eval layers, so that "m" ends up as a shell variable and $$(1) as the
# install rule's own first argument.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
546
# Package registration. BuildPackage registers a package as defined above;
# BuildPlugin additionally generates its install rule from the module list
# given as the second argument. The IPT_*-m lists are not defined in this file.
# NOTE(review): presumably they come from the included netfilter.mk - confirm
# that each list used here is populated, because an empty list produces a
# package without any extension library.

# Base IPv4 tool and its extension packages.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))

# IPv6 tool and its extension packages.
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))

# Libraries.
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))