iptables: Fix target TRACE issue
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Package identity: upstream version plus the OpenWrt packaging revision.
PKG_NAME:=iptables
PKG_VERSION:=1.6.1
PKG_RELEASE:=1

# Source provenance. The tree is fetched over HTTPS from the upstream git
# server and pinned to one full commit id instead of a branch or tag name,
# so the checked-out source cannot silently move between builds.
# PKG_MIRROR_HASH is the expected digest of the packed source archive
# (presumably SHA-256, judging by its length -- confirm against the build
# system). It must be regenerated and reviewed whenever PKG_SOURCE_VERSION
# changes; updating one without the other defeats the pinning.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

# The git checkout carries no generated configure script, so the autotools
# files are regenerated before configuring.
PKG_FIXUP:=autoreconf

# Build knobs consumed by package.mk, plus the license recorded in the
# package metadata.
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
25
26 include $(INCLUDE_DIR)/package.mk
# Everything in this conditional is skipped while DUMP is set.
# The kernel .config is included optionally ("-include" tolerates a missing
# file), netfilter.mk is pulled in, and the configure stamp name receives a
# suffix computed from the NETFILTER lines of the kernel configuration, so a
# change in kernel netfilter options yields a different stamp.
# The md5 digest here is only a change-detection fingerprint for a file
# name; it is not used as an integrity or authenticity check.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
32
33
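# Metadata shared by every package built from this Makefile: menu placement
# (section, category, submenu) and the upstream project URL.
# The URL uses HTTPS, consistent with PKG_SOURCE_URL, so the homepage link
# shown in package metadata does not send users to a plain-HTTP page.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef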
40
# Template for the optional extension packages. It inherits the shared
# Default fields and makes the package depend on iptables plus whatever the
# caller passes as $(1) (in this file: one or more "+kmod-..." entries).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
45
# Base package: the IPv4 firewall administration tool.
# It depends on the core kernel module and the shared libraries built below;
# libip6tc is only a dependency when IPV6 is enabled.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef

# Build-time options offered under the iptables menu entry. Both default to
# off; when off, the matching --disable-* switch is passed to configure and
# the extra library dependency of libxtables (libnetfilter-conntrack or
# libnftnl) is not pulled in, which keeps those libraries out of the image.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef

# Long description for the base package: the matches, targets and tables
# listed as available without any iptables-mod-* package.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef
105
# Optional extension package for additional connection-tracking matches.
# Depends on iptables and selects kmod-ipt-conntrack-extra; its user-space
# libraries are chosen by the BuildPlugin call passing $(IPT_CONNTRACK_EXTRA-m).
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef
125
# Optional extension package for packet content inspection (string match).
# Depends on iptables and selects kmod-ipt-filter; libraries come from the
# BuildPlugin call passing $(IPT_FILTER-m).
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string

endef
139
# Optional extension package for matching and rewriting IP/packet options.
# Depends on iptables and selects kmod-ipt-ipopt; libraries come from the
# BuildPlugin call passing $(IPT_IPOPT-m).
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef
164
# Optional extension package for matching IPsec traffic (ah, esp, policy).
# Depends on iptables and selects kmod-ipt-ipsec; libraries come from the
# BuildPlugin call passing $(IPT_IPSEC-m).
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef
179
# Optional extension package for additional NAT targets.
# Depends on iptables and selects kmod-ipt-nat-extra; libraries come from
# the BuildPlugin call passing $(IPT_NAT_EXTRA-m).
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef
192
# Optional extension package for the ULOG target (packet logging to user
# space). Depends on iptables and selects kmod-ipt-ulog; libraries come from
# the BuildPlugin call passing $(IPT_ULOG-m).
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef
205
# Optional extension package for the NFLOG target (logging to user space
# over nfnetlink). Depends on iptables and selects both kmod-nfnetlink-log
# and kmod-ipt-nflog; libraries come from the BuildPlugin call passing
# $(IPT_NFLOG-m).
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef
218
# Optional extension package for the TRACE target, a rule-debugging aid.
# It needs two kernel modules: kmod-ipt-debug and kmod-ipt-raw. The
# user-space library is selected by the BuildPlugin call passing
# $(IPT_DEBUG-m).
# NOTE(review): presumably only wanted on images where rule tracing is
# actually used -- it adds kernel and user-space code that normal filtering
# does not need.
define Package/iptables-mod-trace
$(call Package/iptables/Module, +kmod-ipt-debug +kmod-ipt-raw)
  TITLE:=Netfilter TRACE target
endef

define Package/iptables-mod-trace/description
iptables extension for TRACE target

Includes:
- libxt_TRACE

endef
231
232
# Optional extension package for the NFQUEUE target, which hands packets to
# a user-space program over nfnetlink. Depends on iptables and selects both
# kmod-nfnetlink-queue and kmod-ipt-nfqueue; libraries come from the
# BuildPlugin call passing $(IPT_NFQUEUE-m).
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef
245
# Optional extension package for the hashlimit match.
# Depends on iptables and selects kmod-ipt-hashlimit; libraries come from
# the BuildPlugin call passing $(IPT_HASHLIMIT-m).
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef
258
# Optional extension package for the rpfilter match (reverse path filter
# test on a packet). Depends on iptables and selects kmod-ipt-rpfilter;
# libraries come from the BuildPlugin call passing $(IPT_RPFILTER-m).
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet

Matches:
- rpfilter

endef
271
# Optional extension package for matching IP address ranges.
# Depends on iptables and selects kmod-ipt-iprange; libraries come from the
# BuildPlugin call passing $(IPT_IPRANGE-m).
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef
284
# Optional extension package for the cluster match.
# Depends on iptables and selects kmod-ipt-cluster; libraries come from the
# BuildPlugin call passing $(IPT_CLUSTER-m).
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
308
# Optional extension package for the CLUSTERIP target.
# Depends on iptables and selects kmod-ipt-clusterip; libraries come from
# the BuildPlugin call passing $(IPT_CLUSTERIP-m).
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
324
# Optional extension package collecting miscellaneous matches.
# Depends on iptables and selects kmod-ipt-extra; libraries come from the
# BuildPlugin call passing $(IPT_EXTRA-m).
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota

endef
342
# Optional extension package for the LED target.
# Depends on iptables and selects kmod-ipt-led; libraries come from the
# BuildPlugin call passing $(IPT_LED-m).
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef
355
# Optional extension package for transparent proxying (socket match and
# TPROXY target). Depends on iptables and selects kmod-ipt-tproxy; libraries
# come from the BuildPlugin call passing $(IPT_TPROXY-m).
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef
371
# Optional extension package for the TEE target.
# Depends on iptables and selects kmod-ipt-tee; libraries come from the
# BuildPlugin call passing $(IPT_TEE-m).
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef
384
# Optional extension package for the u32 match.
# Depends on iptables and selects kmod-ipt-u32; libraries come from the
# BuildPlugin call passing $(IPT_U32-m).
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef
397
# IPv6 counterpart of the base tool. Only selectable when IPV6 is enabled
# ("@IPV6"); selects kmod-ip6tables and the iptables package.
# CATEGORY repeats the value already inherited from the Default template.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
405
406
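# IPv6 header matching extensions. Depends on ip6tables and selects
# kmod-ip6tables-extra; libraries come from the BuildPlugin call passing
# $(IPT_IPV6_EXTRA-m).
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# The description must be named after the package it belongs to. It was
# previously defined only as Package/ip6tables-mod-extra/description, a
# package name that is never built in this file, so ip6tables-extra ended
# up without a long description.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef

# Old, mismatched name kept as an alias so any existing reference to it
# still resolves to the same text.
Package/ip6tables-mod-extra/description = $(Package/ip6tables-extra/description)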
416
# IPv6 NAT extensions. Depends on ip6tables and selects kmod-ipt-nat6;
# libraries come from the BuildPlugin call passing $(IPT_NAT6-m).
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
426
# Compatibility stub library package: selects the three real libraries
# (libip4tc, libip6tc, libxtables). Filed under Libraries rather than the
# Firewall network menu; the ABI version follows PKG_VERSION.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  ABI_VERSION:=$(PKG_VERSION)
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
435
# IPv4 shared library package; selects libxtables. The ABI version follows
# PKG_VERSION.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
444
# IPv6 shared library package; selects libxtables. The ABI version follows
# PKG_VERSION.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
453
# Shared xtables library package. Its only dependencies are conditional:
# libnetfilter-conntrack is selected when IPTABLES_CONNLABEL is enabled and
# libnftnl when IPTABLES_NFTABLES is enabled. With both options at their
# default (off) neither library is pulled into the image.
define Package/libxtables
 $(call Package/iptables/Default)
 SECTION:=libs
 CATEGORY:=Libraries
 TITLE:=IPv4/IPv6 firewall - shared xtables library
 ABI_VERSION:=$(PKG_VERSION)
 DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnftnl
endef
464
# Preprocessor search path: the package's own include/ first, then the
# kernel user headers, then whatever TARGET_CPPFLAGS held before.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Appended to the inherited compiler flags: the same include paths,
# per-function/per-data sections (paired with --gc-sections below so the
# linker can drop unreferenced code) and -DNO_LEGACY.
# NOTE(review): no hardening flags are added here; presumably they arrive
# through the inherited TARGET_CFLAGS -- confirm in the build configuration.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# Configure switches. --with-xtlibdir names /usr/lib/iptables as the
# extension library directory, the same path the install templates in this
# file populate. connlabel, nftables and IPv6 support are each disabled
# unless the corresponding CONFIG_ symbol is set.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# MAKE_FLAGS is assigned with ":=", so it replaces any earlier value instead
# of appending to it. BUILTIN_MODULES is the list from IPT_BUILTIN,
# IPT_CONNTRACK-m and IPT_NAT-m with the xt_, ipt_ and ip6t_ prefixes
# stripped.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
495
# Defined only when the .config_* marker found in the build directory differs
# from the one expected for the current STAMP_CONFIGURED (the stamp name with
# ".configured_" replaced by ".config_"). In that case the helper removes
# object files and archives left from the previous configuration, deletes
# the old markers and stamps, and creates the new marker.
# When the markers match, the variable stays undefined and expands to
# nothing inside Build/Configure.
# NOTE(review): every deletion is rooted at $(PKG_BUILD_DIR). An empty value
# would make find start from the current directory and the rm globs resolve
# from "/"; presumably package.mk always sets it -- confirm.
# NOTE(review): find output is piped to xargs without NUL separation, so
# paths containing whitespace would be split; the pinned upstream tree is
# not expected to contain such names.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
504
# Configure step: run the optional cleanup helper first (it expands to
# nothing when it was not defined), then the build system's default
# configure recipe.
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef
509
# Installs headers, shared libraries and pkg-config files into the
# development prefix passed as $(1), for other packages to build against.
# Some headers and the libiptext*.so libraries are copied straight from the
# build directory rather than from the package's own "make install" output
# (PKG_INSTALL_DIR); the in-line XXX comments record why.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
533
# Files of the base package: the xtables-multi binary, the iptables,
# iptables-restore and iptables-save entries, and an (initially empty)
# /usr/lib/iptables directory for extension libraries.
# NOTE(review): "{,-restore,-save}" is shell brace expansion, so this recipe
# relies on the build shell supporting it (bash) -- confirm the build
# system's SHELL setting.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
540
# Files of the ip6tables package: the ip6tables, ip6tables-restore and
# ip6tables-save entries. Uses shell brace expansion, so it has the same
# dependency on a bash-like build shell as the iptables install recipe.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
545
# Files of the libiptc compatibility package: libiptc.so* from the package's
# install output.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
550
# Files of libip4tc: libip4tc.so* from the install output, plus
# libiptext4.so, which is taken directly from the build directory's
# extensions/ folder.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
556
# Files of libip6tc: libip6tc.so* from the install output, plus
# libiptext6.so, which is taken directly from the build directory's
# extensions/ folder.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
562
# Files of libxtables: libxtables.so* from the install output, plus
# libiptext.so, which is taken directly from the build directory's
# extensions/ folder.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
568
# Template that generates the install recipe for one extension package and
# then registers the package with BuildPackage.
#   $(1)  package name
#   $(2)  list of extension module names (the IPT_*-m variables)
#   $(3)  optional extra install commands; none of the calls in this file
#         pass one
# For every name in $(2) the loop also tries the xt_/ipt_/ip6t_ prefix
# variants produced by the patsubst calls, and copies lib<name>.so into
# /usr/lib/iptables only if that file exists in the install output. A name
# with no matching library is skipped without an error, so a wrong or empty
# module list yields a package without the expected libraries rather than a
# failed build.
# Because this text goes through $(call) and $(eval) before it becomes a
# recipe, references meant for later stages are escaped: "$$(1)" is the
# destination directory argument of the generated install recipe, and the
# run of dollar signs before "{m}" is there so that the shell loop variable
# survives the successive make expansions -- do not shorten it.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
582
# Package registration. The base tools and the libraries go through
# BuildPackage directly; every extension package goes through BuildPlugin,
# paired with the module list that decides which extension libraries it
# ships. iptables-mod-trace takes its list from $(IPT_DEBUG-m).
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))