add CPE ids to package and tools
[openwrt/staging/lynxis.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
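# Package identity. PKG_RELEASE is the packaging revision, separate from the
# upstream version number.
PKG_NAME:=iptables
PKG_VERSION:=1.6.1
PKG_RELEASE:=1

# Source provenance: the tree is fetched over HTTPS from the netfilter git
# server and pinned to one full commit id rather than a branch or tag name.
# PKG_MIRROR_HASH is the digest expected for the source archive packed from
# that checkout. The two values belong together: when the commit id changes,
# recompute the hash from a fetch you trust instead of copying it from a
# mirror.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

# Regenerate the autotools files before configuring (presumably because the
# git checkout carries no generated configure script - confirm).
PKG_FIXUP:=autoreconf

PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
# CPE 2.2 URI prefix (part "a" = application, vendor netfilter_core_team,
# product iptables), recorded so that images can be matched against
# vulnerability feeds. No version field is given here.
# Assigned with := like every other PKG_* variable above; the value contains
# no references, so the result is the same as with "=".
# NOTE(review): confirm which variable name this tree's include files read
# (PKG_CPE here; OpenWrt mainline uses PKG_CPE_ID).
PKG_CPE:=cpe:/a:netfilter_core_team:iptables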
26
27 include $(INCLUDE_DIR)/package.mk
# Only evaluated when DUMP is empty (presumably DUMP marks metadata-only runs
# in which the kernel tree need not exist - confirm in rules.mk).
# The kernel .config is read with "-include", so a missing file is tolerated.
# STAMP_CONFIGURED gets a suffix derived from every NETFILTER line of the
# kernel configuration: when those options change, the stamp name changes and
# the package is reconfigured. md5 serves only as a change fingerprint here,
# not as an integrity or authenticity check.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
33
34
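# Metadata shared by the packages defined in this Makefile: menu placement and
# the upstream project link. Pulled in through $(call Package/iptables/Default).
# The project link uses https, matching the scheme already used for
# PKG_SOURCE_URL, so the address shown to users is not a plain-http one.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef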
41
# Template for the iptables-mod-* extension packages.
# $(1): additional dependency entries (the kmod-* packages an extension needs).
# Every package built from this template depends on iptables itself.
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
46
# The base iptables package. It selects the kernel core module and the
# libip4tc and libxtables libraries; libip6tc is selected only when IPV6 is
# enabled. MENU:=1 gives the package its own sub-menu (the Kconfig entries of
# Package/iptables/config appear there - presumably; confirm in package.mk).
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
53
# Build-time switches, both off by default. With a switch off, CONFIGURE_ARGS
# further down passes --disable-connlabel / --disable-nftables, and libxtables
# does not pull in libnetfilter-conntrack / libnftnl, so a default image
# carries neither the extra code nor the extra libraries.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
67
# Long description of the base package: the matches, targets and tables it
# lists as available without any iptables-mod-* add-on. Useful when auditing a
# rule set against what a minimal image supports.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef
106
# Extension package: additional connection-tracking matches plus the CONNMARK
# target. Depends on iptables and on kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef
126
# Extension package: payload inspection through the string match.
# Depends on iptables and on kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string

endef
140
# Extension package: matches on, and targets that rewrite, IP/packet header
# options. Depends on iptables and on kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef
165
# Extension package: matches for IPsec traffic (ah, esp, policy).
# Depends on iptables and on kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef
180
# Extension package: the additional NAT targets listed in the description.
# Depends on iptables and on kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef
193
# Extension package: the ULOG target, which hands packet log records to user
# space. Depends on iptables and on kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef
206
# Extension package: the NFLOG target (user-space logging over NFNETLINK).
# Depends on iptables, kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef
219
# Extension package: the NFQUEUE target (packets queued to user space over
# NFNETLINK). Depends on iptables, kmod-nfnetlink-queue and kmod-ipt-nfqueue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef
232
# Extension package: the hashlimit match.
# Depends on iptables and on kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef
245
# Extension package: the rpfilter match (reverse path filter test on a
# packet). Depends on iptables and on kmod-ipt-rpfilter.
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet

Matches:
- rpfilter

endef
258
# Extension package: the iprange match.
# Depends on iptables and on kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef
271
# Extension package: the cluster match. As the description states, every node
# sees every packet and the match decides, by source address hashing, which
# node handles it. Depends on iptables and on kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
295
# Extension package: the CLUSTERIP target.
# Depends on iptables and on kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
311
# Extension package: miscellaneous matches. The description notes that
# physdev is available only when ebtables is enabled.
# Depends on iptables and on kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota

endef
329
# Extension package: the LED target.
# Depends on iptables and on kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef
342
# Extension package: transparent proxying (socket match, TPROXY target).
# Depends on iptables and on kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef
358
# Extension package: the TEE target.
# Depends on iptables and on kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef
371
# Extension package: the u32 match.
# Depends on iptables and on kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef
384
# The IPv6 front end. "@IPV6" makes the package available only when IPV6 is
# enabled; it also selects kmod-ip6tables and the base iptables package.
# CATEGORY repeats the value already set by Package/iptables/Default.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
392
393
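# IPv6 header-matching extensions. Unlike the iptables-mod-* packages this
# one is not built from Package/iptables/Module: it depends on ip6tables and
# on kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# The description is named after the package as it is actually defined and
# built in this file (ip6tables-extra). It used to be defined as
# Package/ip6tables-mod-extra/description, a name that matches no package
# here, so the text was presumably never attached to any package.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef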
403
# IPv6 NAT targets. Depends on ip6tables and on kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
413
# Compatibility stub library (see TITLE); it selects libip4tc, libip6tc and
# libxtables. ABI_VERSION follows PKG_VERSION, so the ABI tag changes with
# every version bump of this package.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  ABI_VERSION:=$(PKG_VERSION)
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
422
# Shared IPv4 libiptc library; selects libxtables. ABI_VERSION follows
# PKG_VERSION.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
431
# Shared IPv6 libiptc library; selects libxtables. ABI_VERSION follows
# PKG_VERSION.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
440
# Shared xtables library. Its two dependencies are conditional: each library
# is selected only when the matching IPTABLES_* build switch is enabled, so a
# default build (both switches "default n") adds neither.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnftnl
endef
451
# Put the package's own headers and the kernel's user-space headers in front
# of the include paths already present in TARGET_CPPFLAGS.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# -ffunction-sections/-fdata-sections here and -Wl,--gc-sections below work as
# a pair: each function and data object gets its own section so the linker can
# drop the unreferenced ones. These are size options. No hardening flags are
# added in this file (NOTE(review): any would have to come from the inherited
# TARGET_CFLAGS/TARGET_LDFLAGS - confirm in the toolchain settings).
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# --with-xtlibdir sets the directory for the extension shared objects; it has
# to stay in step with the usr/lib/iptables directory used by the install
# recipes in this file. The extensions are loadable code, so on the target
# that directory should be writable by root only.
# The three $(if ...) entries pass --disable-connlabel, --disable-nftables and
# --disable-ipv6 unless the corresponding CONFIG_* symbol is set.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Assigned with ":=", so any earlier MAKE_FLAGS value is replaced rather than
# extended. BUILTIN_MODULES is the combined IPT_BUILTIN, IPT_CONNTRACK-m and
# IPT_NAT-m lists with the xt_, ipt_ and ip6t_ prefixes stripped (the lists
# presumably come from netfilter.mk - confirm).
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
482
# Defined only when the .config_* stamp files present in the build directory
# differ from the stamp name expected for the current STAMP_CONFIGURED value
# (which carries the NETFILTER kernel-config fingerprint). In that case the
# helper deletes object files and archives (*.o, *.?o, *.a), removes the old
# .config_* and .configured_* stamps and creates the new stamp, so the package
# is configured and built again from a clean state. When the stamps match,
# the variable stays undefined and expands to nothing.
# NOTE(review): every path is built from $(PKG_BUILD_DIR), which is not set in
# this file; an empty value would turn the rm globs into paths under / and make
# find start from its default directory - presumably package.mk always sets it.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
491
# Configure step: first the optional clean-up helper (empty when the stamps
# already match), then the default configure recipe.
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef
496
# Installs headers, shared libraries and pkg-config files under $(1) for other
# packages to build against.
# $(1): root of the destination tree.
# Two sources are mixed on purpose: most files come from the staged install
# tree ($(PKG_INSTALL_DIR)), but the headers copied in the "header fixup"
# group and the libiptext*.so libraries are taken straight from the build
# directory, because (per the XXX notes) upstream's install step does not
# provide them and firewall3 needs the libraries.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
520
# Files of the base package. $(1) is the package root.
# xtables-multi is copied next to the iptables, iptables-restore and
# iptables-save front ends (presumably links to it - confirm in the staged
# tree). The three front-end names are written out one by one, so the recipe
# does not depend on shell brace expansion.
# The extension directory is created empty; the extension packages fill it.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables-restore \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables-save \
		$(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
527
# Files of the IPv6 front-end package. $(1) is the package root.
# Only the ip6tables, ip6tables-restore and ip6tables-save names are copied;
# xtables-multi itself ships in the iptables package, which this package
# depends on. The names are written out one by one, so the recipe does not
# depend on shell brace expansion.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables-restore \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables-save \
		$(1)/usr/sbin/
endef
532
# Installs the libiptc shared library files from the staged install tree.
# $(1): package root.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
537
# Installs libip4tc from the staged install tree plus libiptext4.so, which is
# taken directly from the build directory's extensions/ folder.
# $(1): package root.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
543
# Installs libip6tc from the staged install tree plus libiptext6.so, which is
# taken directly from the build directory's extensions/ folder.
# $(1): package root.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
549
# Installs libxtables from the staged install tree plus libiptext.so, which is
# taken directly from the build directory's extensions/ folder.
# $(1): package root.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
555
# Generates the install recipe for one extension package and registers the
# package with BuildPackage.
#   $(1): package name
#   $(2): list of extension module names (xt_*, ipt_*, ip6t_*)
#   $(3): optional extra recipe text appended after the copy loop
# For every name in $(2) the loop also tries the sibling prefixes
# (xt_ <-> ipt_, xt_ <-> ip6t_) and copies lib<name>.so into usr/lib/iptables
# when that file exists in the staged install tree.
# A name with no matching .so is skipped without any message, so a package can
# be produced with fewer extensions than its description lists; rules that use
# a missing extension then fail to load on the device. Check the package
# contents when a kernel-side module list changes.
# The install recipe's own $(1) is written as $$(1), and the shell variable as
# a run of eight dollar signs before {m}: the text passes through several
# expansion rounds (call, eval, and those inside BuildPackage - count not
# verifiable from this file) before the shell sees ${m}. Do not shorten it.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
569
# Package instantiation. The base tools and the libraries go through
# BuildPackage directly; every extension package goes through BuildPlugin with
# the module list it should ship (the IPT_*-m variables are not defined in this
# file - presumably they come from netfilter.mk and reflect the kernel
# configuration; confirm there).
# Each name passed here must have a matching "define Package/<name>" above.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))