netfilter: add bpf match support
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
PKG_NAME:=iptables
PKG_VERSION:=1.6.2
PKG_RELEASE:=2

# Source is taken from upstream git at an exact commit (not a moving branch or
# tag), and the mirrored tarball is pinned by hash, so the tree that gets built
# is the one that was reviewed when these two values were set.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=c16bdec15137b241586310d0e61bc88cc3726004
PKG_MIRROR_HASH:=72e4bec94a56dd600097846c773e1074ff705e38f800ef221db646c064371a53

PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared

PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
# CPE identifier so vulnerability tooling can map this package to advisories.
PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
27
include $(INCLUDE_DIR)/package.mk
# Outside a metadata dump, pull in the target kernel's .config and the
# netfilter module lists, then append an md5 of every NETFILTER line of that
# .config to the configure stamp. A change to the kernel's netfilter options
# therefore changes the stamp name and invalidates the configured state.
ifeq ($(DUMP),)
-include $(LINUX_DIR)/.config
include $(INCLUDE_DIR)/netfilter.mk
STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
34
35
# Metadata shared by every package in this file: menu placement and upstream URL.
define Package/iptables/Default
  URL:=http://netfilter.org/
  SUBMENU:=Firewall
  CATEGORY:=Network
  SECTION:=net
endef
42
# Template for an extension package: the shared metadata plus a dependency on
# the iptables binary and whatever the caller passes in $(1) (normally a +kmod-*).
define Package/iptables/Module
  DEPENDS:=iptables $(1)
  $(call Package/iptables/Default)
endef
47
# The base package: the iptables binaries plus the kernel core and the
# userspace libraries they link against (libip6tc only when IPv6 is enabled).
define Package/iptables
  TITLE:=IP firewall administration tool
  MENU:=1
  $(call Package/iptables/Default)
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
54
# Kconfig fragment for the package menu. The two symbols gate the
# --disable-connlabel / --disable-nftables configure arguments and the
# libnetfilter-conntrack / libnftnl dependencies of libxtables below.
define Package/iptables/config
config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
68
# Description text for the base package. The lists document what the base
# package is expected to offer through kmod-ipt-core; keep them in step with
# netfilter.mk (not visible here).
define Package/iptables/description
IP firewall administration tool.

 Matches:
  - icmp
  - tcp
  - udp
  - comment
  - conntrack
  - limit
  - mac
  - mark
  - multiport
  - set
  - state
  - time

 Targets:
  - ACCEPT
  - CT
  - DNAT
  - DROP
  - REJECT
  - FLOWOFFLOAD
  - LOG
  - MARK
  - MASQUERADE
  - REDIRECT
  - SET
  - SNAT
  - TCPMSS

 Tables:
  - filter
  - mangle
  - nat
  - raw

endef
108
# Extra connection-tracking matches and targets; pulls in kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
  $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

 Matches:
  - connbytes
  - connlimit
  - connmark
  - recent
  - helper

 Targets:
  - CONNMARK

endef
128
# connlabel match; only selectable when IPTABLES_CONNLABEL is set (the @ dependency)
# and defaulted on in that case.
define Package/iptables-mod-conntrack-label
  $(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
  TITLE:=Connection tracking labeling extension
  DEFAULT:=y if IPTABLES_CONNLABEL
endef

define Package/iptables-mod-conntrack-label/description
Match and set label(s) on connection tracking entries

 Matches:
  - connlabel

endef
142
# Packet content inspection matches (string, bpf). The kernel side is expected
# from kmod-ipt-filter; confirm netfilter.mk lists the bpf match module for it,
# since this package only ships the userspace plugins that exist at install time.
define Package/iptables-mod-filter
  $(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

 Matches:
  - string
  - bpf

endef
157
# IP header / packet option matches and targets; pulls in kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
  $(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

 Matches:
  - dscp
  - ecn
  - length
  - statistic
  - tcpmss
  - unclean
  - hl

 Targets:
  - DSCP
  - CLASSIFY
  - ECN
  - HL

endef
182
# IPsec-related matches (ah, esp, policy); pulls in kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
  $(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

 Matches:
  - ah
  - esp
  - policy

endef
197
# Additional NAT targets; pulls in kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
  $(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

 Targets:
  - MIRROR
  - NETMAP
endef
210
# Legacy ULOG target for userspace packet logging; pulls in kmod-ipt-ulog.
define Package/iptables-mod-ulog
  $(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

 Targets:
  - ULOG

endef
223
# NFLOG target; needs both the nfnetlink_log transport and the xt_NFLOG module.
define Package/iptables-mod-nflog
  $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

 Includes:
  - libxt_NFLOG

endef
236
# TRACE target for rule-traversal debugging; pulls in kmod-ipt-debug.
define Package/iptables-mod-trace
  $(call Package/iptables/Module, +kmod-ipt-debug)
  TITLE:=Netfilter TRACE target
endef

define Package/iptables-mod-trace/description
iptables extension for TRACE target

 Includes:
  - libxt_TRACE

endef
249
250
# NFQUEUE target; needs the nfnetlink_queue transport and the xt_NFQUEUE module.
define Package/iptables-mod-nfqueue
  $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

 Includes:
  - libxt_NFQUEUE

endef
263
# hashlimit match; pulls in kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
  $(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

 Matches:
  - hashlimit

endef
276
# rpfilter match (reverse-path check); pulls in kmod-ipt-rpfilter.
define Package/iptables-mod-rpfilter
  $(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet

 Matches:
  - rpfilter

endef
289
# iprange match; pulls in kmod-ipt-iprange.
define Package/iptables-mod-iprange
  $(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

 Matches:
  - iprange

endef
302
# cluster match; pulls in kmod-ipt-cluster.
define Package/iptables-mod-cluster
  $(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
326
# CLUSTERIP target; pulls in kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
  $(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
342
# Miscellaneous matches not covered by a more specific package; pulls in kmod-ipt-extra.
define Package/iptables-mod-extra
  $(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
Other extra iptables extensions.

 Matches:
  - addrtype
  - condition
  - owner
  - pkttype
  - quota

endef
359
# physdev match (bridge port matching); pulls in kmod-ipt-physdev.
define Package/iptables-mod-physdev
  $(call Package/iptables/Module, +kmod-ipt-physdev)
  TITLE:=physdev iptables extension
endef

define Package/iptables-mod-physdev/description
The iptables physdev match.
endef
368
# LED target; pulls in kmod-ipt-led.
define Package/iptables-mod-led
  $(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
iptables extension for triggering a LED.

 Targets:
  - LED

endef
381
# Transparent proxying: socket match and TPROXY target; pulls in kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
  $(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

 Matches:
  - socket

 Targets:
  - TPROXY

endef
397
# TEE target (packet cloning); pulls in kmod-ipt-tee.
define Package/iptables-mod-tee
  $(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
TEE iptables extensions.

 Targets:
  - TEE

endef
410
# u32 match; pulls in kmod-ipt-u32.
define Package/iptables-mod-u32
  $(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
U32 iptables extensions.

 Matches:
  - u32

endef
423
# CHECKSUM target; pulls in kmod-ipt-checksum.
define Package/iptables-mod-checksum
  $(call Package/iptables/Module, +kmod-ipt-checksum)
  TITLE:=IP CHECKSUM target extension
endef

define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target
endef
432
# IPv6 counterpart of the base package. Only offered when IPV6 is enabled
# (the @ dependency); CATEGORY already comes from Package/iptables/Default.
define Package/ip6tables
  $(call Package/iptables/Default)
  TITLE:=IPv6 firewall administration tool
  MENU:=1
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
endef
440
441
# IPv6 header matching plugins; depends on the ip6tables binary and its kernel modules.
define Package/ip6tables-extra
  TITLE:=IPv6 header matching modules
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  $(call Package/iptables/Default)
endef
447
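# Description for ip6tables-extra. The define name must match the package
# name used in the Package/ip6tables-extra define and the BuildPlugin call
# below; a differently named define is never picked up by the build system.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef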
451
# IPv6 NAT targets; depends on the ip6tables binary and kmod-ipt-nat6.
define Package/ip6tables-mod-nat
  $(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
461
# Compatibility shim library: depends on the real per-family libraries and
# libxtables. ABI_VERSION tracks the upstream version.
define Package/libiptc
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libip4tc +libip6tc +libxtables
  $(call Package/iptables/Default)
  CATEGORY:=Libraries
  SECTION:=libs
endef
470
# IPv4 rule-manipulation library; overrides the Default section/category.
define Package/libip4tc
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
  $(call Package/iptables/Default)
  CATEGORY:=Libraries
  SECTION:=libs
endef
479
# IPv6 rule-manipulation library; overrides the Default section/category.
define Package/libip6tc
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
  $(call Package/iptables/Default)
  CATEGORY:=Libraries
  SECTION:=libs
endef
488
# Shared extension-loading library. Its optional dependencies follow the two
# Kconfig symbols from Package/iptables/config (conditional +SYM:pkg syntax).
define Package/libxtables
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+IPTABLES_CONNLABEL:libnetfilter-conntrack +IPTABLES_NFTABLES:libnftnl
  $(call Package/iptables/Default)
  CATEGORY:=Libraries
  SECTION:=libs
endef
499
# Put the build tree's own headers and the sanitized kernel user_headers ahead
# of the inherited include paths so they win over any copies in staging.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# The same include paths are repeated here because the upstream build is driven
# through COPT_FLAGS="$(TARGET_CFLAGS)" (see MAKE_FLAGS below), which does not
# carry TARGET_CPPFLAGS. -ffunction-sections/-fdata-sections pair with the
# --gc-sections link flag so unreferenced code is dropped from the binaries.
# -DNO_LEGACY: upstream build switch, meaning not documented here -- confirm
# against the iptables sources.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections
513
# --with-kernel points autoconf at the target kernel's exported user headers;
# --with-xtlibdir is where the plugin libraries are installed (matches the
# per-package install recipes); --with-xt-lock-name fixes the path of the lock
# file xtables uses to serialise concurrent rule updates.
# The three $(if ...) lines turn a feature OFF when its config symbol is unset.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--with-xt-lock-name=/var/run/xtables.lock \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)
524
# BUILTIN_MODULES is the union of IPT_BUILTIN and the conntrack and NAT module
# lists with their xt_/ipt_/ip6t_ prefixes stripped, i.e. plain extension names
# as the upstream build expects; presumably these extensions are then linked
# into the binary instead of being shipped as plugins (confirm in upstream
# extensions/GNUmakefile.in).
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
531
# The configure stamp embeds a hash of the kernel's netfilter config (see
# STAMP_CONFIGURED above). When the .config_* marker left in the build tree
# does not match the current stamp -- or there are several markers -- the kernel
# netfilter options changed since the last configure: remove every object,
# libtool-style *.?o and archive plus the stale markers, and create the new
# marker so the next configure starts from a clean tree. Otherwise this hook
# stays undefined and Build/Configure expands it to nothing.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
endef
endif
540
# Run the conditional clean-up (empty unless the kernel netfilter config
# changed) before the stock autotools configure step.
define Build/Configure
	$(Build/Configure/rebuild)
	$(Build/Configure/Default)
endef
545
# Stage headers, libraries and pkg-config files for packages that build against
# iptables. $(1) is the staging directory. Some headers are copied straight from
# the build tree because upstream no longer installs them, and the libiptext
# plugin libraries are taken from the build tree as well.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
569
# Install the multi-call binary and the three iptables front ends into the
# package root $(1), and create the (initially empty) plugin directory that the
# extension packages populate. The three front ends are spelled out rather than
# brace-expanded, so the recipe does not rely on the shell being bash.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables-restore \
		$(PKG_INSTALL_DIR)/usr/sbin/iptables-save \
		$(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
576
# Install the three ip6tables front ends into the package root $(1); the
# shared xtables-multi binary and the plugin directory come from the iptables
# package this one depends on. File names are listed explicitly rather than
# brace-expanded so the recipe does not rely on the shell being bash.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables-restore \
		$(PKG_INSTALL_DIR)/usr/sbin/ip6tables-save \
		$(1)/usr/sbin/
endef
581
# Ship the libiptc compatibility stub (all soname variants) into $(1)/usr/lib.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) \
		$(PKG_INSTALL_DIR)/usr/lib/libiptc.so* \
		$(1)/usr/lib/
endef
586
# Ship libip4tc plus the IPv4 libiptext plugin taken from the build tree
# (the latter is not part of the upstream install).
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
endef
592
# Ship libip6tc plus the IPv6 libiptext plugin taken from the build tree
# (the latter is not part of the upstream install).
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
endef
598
# Ship libxtables plus the family-independent libiptext plugin from the build tree.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
endef
604
# BuildPlugin,<package>,<module list>[,<extra recipe lines>]
# Generates Package/$(1)/install for extension package $(1) from the kernel
# module names in $(2) (the xt_*/ipt_*/ip6t_* lists that netfilter.mk
# provides), appends the optional recipe lines $(3), then registers the
# package through BuildPackage.
# Inside the generated define $$(1) is the package root directory the install
# hook is invoked with, not the package name. Every name in $(2) is tried with
# its xt_/ipt_/ip6t_ prefix swapped, presumably because the userspace plugin
# lib<name>.so does not always carry the same prefix as the kernel module.
# The run of eight '$' around {m} is halved by each of the nested call/eval/
# recipe expansions so that the shell finally sees ${m}.
# Note: a plugin missing under every spelling is skipped silently by the -f
# test, so a module that netfilter.mk lists but this iptables build did not
# produce yields an incomplete package rather than a build error.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
618
# Register every package. The two binaries and the libraries go through
# BuildPackage directly; each extension package is paired, via BuildPlugin,
# with the IPT_*-m module list (from netfilter.mk, included above when DUMP is
# unset) whose userspace plugins it installs. Note that iptables-mod-trace
# draws on IPT_DEBUG-m, not a list named after the package.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))