iptables: make kmod-ipt-debug part of default ALL build
[openwrt/openwrt.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
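PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=3

# Upstream tarball. The HTTPS origin is listed first; the FTP mirrors are
# plaintext, unauthenticated fallbacks, so for a tarball fetched from them
# the PKG_HASH comparison below is the only integrity control.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
# SHA-256 of PKG_SOURCE. When PKG_VERSION changes, take the new digest from a
# source you trust rather than hashing whatever the mirrors returned.
PKG_HASH:=52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0

PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0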
26
27 include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty: read the kernel .config (optional, hence the
# leading '-') and the netfilter definitions.
28 ifeq ($(DUMP),)
29 -include $(LINUX_DIR)/.config
30 include $(INCLUDE_DIR)/netfilter.mk
# Append a digest of every line containing NETFILTER in the kernel .config to
# the configure stamp name, so a change in those lines yields a different
# stamp. The MD5 is used purely as a change detector for a file name here; it
# is not an integrity check on any downloaded or built artifact.
31 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
32 endif
33
34
35 define Package/iptables/Default
36 SECTION:=net
37 CATEGORY:=Network
38 SUBMENU:=Firewall
39 URL:=http://netfilter.org/
40 endef
41
42 define Package/iptables/Module
43 $(call Package/iptables/Default)
44 DEPENDS:=iptables $(1)
45 endef
46
47 define Package/iptables
48 $(call Package/iptables/Default)
49 TITLE:=IP firewall administration tool
50 MENU:=1
51 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
52 endef
53
54 define Package/iptables/description
55 IP firewall administration tool.
56
57 Matches:
58 - icmp
59 - tcp
60 - udp
61 - comment
62 - conntrack
63 - limit
64 - mac
65 - mark
66 - multiport
67 - set
68 - state
69 - time
70
71 Targets:
72 - ACCEPT
73 - CT
74 - DNAT
75 - DROP
76 - REJECT
77 - LOG
78 - MARK
79 - MASQUERADE
80 - REDIRECT
81 - SET
82 - SNAT
83 - TCPMSS
84
85 Tables:
86 - filter
87 - mangle
88 - nat
89 - raw
90
91 endef
92
93 define Package/iptables-mod-conntrack-extra
94 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
95 TITLE:=Extra connection tracking extensions
96 endef
97
98 define Package/iptables-mod-conntrack-extra/description
99 Extra iptables extensions for connection tracking.
100
101 Matches:
102 - connbytes
103 - connlimit
104 - connmark
105 - recent
106 - helper
107
108 Targets:
109 - CONNMARK
110
111 endef
112
113 define Package/iptables-mod-filter
114 $(call Package/iptables/Module, +kmod-ipt-filter)
115 TITLE:=Content inspection extensions
116 endef
117
118 define Package/iptables-mod-filter/description
119 iptables extensions for packet content inspection.
120 Includes support for:
121
122 Matches:
123 - string
124
125 endef
126
127 define Package/iptables-mod-ipopt
128 $(call Package/iptables/Module, +kmod-ipt-ipopt)
129 TITLE:=IP/Packet option extensions
130 endef
131
132 define Package/iptables-mod-ipopt/description
133 iptables extensions for matching/changing IP packet options.
134
135 Matches:
136 - dscp
137 - ecn
138 - length
139 - statistic
140 - tcpmss
141 - unclean
142 - hl
143
144 Targets:
145 - DSCP
146 - CLASSIFY
147 - ECN
148 - HL
149
150 endef
151
152 define Package/iptables-mod-ipsec
153 $(call Package/iptables/Module, +kmod-ipt-ipsec)
154 TITLE:=IPsec extensions
155 endef
156
157 define Package/iptables-mod-ipsec/description
158 iptables extensions for matching ipsec traffic.
159
160 Matches:
161 - ah
162 - esp
163 - policy
164
165 endef
166
167 define Package/iptables-mod-nat-extra
168 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
169 TITLE:=Extra NAT extensions
170 endef
171
172 define Package/iptables-mod-nat-extra/description
173 iptables extensions for extra NAT targets.
174
175 Targets:
176 - MIRROR
177 - NETMAP
178 endef
179
180 define Package/iptables-mod-ulog
181 $(call Package/iptables/Module, +kmod-ipt-ulog)
182 TITLE:=user-space packet logging
183 endef
184
185 define Package/iptables-mod-ulog/description
186 iptables extensions for user-space packet logging.
187
188 Targets:
189 - ULOG
190
191 endef
192
193 define Package/iptables-mod-nflog
194 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
195 TITLE:=Netfilter NFLOG target
196 endef
197
198 define Package/iptables-mod-nflog/description
199 iptables extension for user-space logging via NFNETLINK.
200
201 Includes:
202 - libxt_NFLOG
203
204 endef
205
206 define Package/iptables-mod-trace
207 $(call Package/iptables/Module, +kmod-ipt-debug)
208 TITLE:=Netfilter TRACE target
209 endef
210
211 define Package/iptables-mod-trace/description
212 iptables extension for TRACE target
213
214 Includes:
215 - libxt_TRACE
216
217 endef
218
219
220 define Package/iptables-mod-nfqueue
221 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
222 TITLE:=Netfilter NFQUEUE target
223 endef
224
225 define Package/iptables-mod-nfqueue/description
226 iptables extension for user-space queuing via NFNETLINK.
227
228 Includes:
229 - libxt_NFQUEUE
230
231 endef
232
233 define Package/iptables-mod-hashlimit
234 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
235 TITLE:=hashlimit matching
236 endef
237
238 define Package/iptables-mod-hashlimit/description
239 iptables extensions for hashlimit matching
240
241 Matches:
242 - hashlimit
243
244 endef
245
246 define Package/iptables-mod-rpfilter
247 $(call Package/iptables/Module, +kmod-ipt-rpfilter)
248 TITLE:=rpfilter iptables extension
249 endef
250
251 define Package/iptables-mod-rpfilter/description
252 iptables extensions for reverse path filter test on a packet
253
254 Matches:
255 - rpfilter
256
257 endef
258
259 define Package/iptables-mod-iprange
260 $(call Package/iptables/Module, +kmod-ipt-iprange)
261 TITLE:=IP range extension
262 endef
263
264 define Package/iptables-mod-iprange/description
265 iptables extensions for matching ip ranges.
266
267 Matches:
268 - iprange
269
270 endef
271
272 define Package/iptables-mod-cluster
273 $(call Package/iptables/Module, +kmod-ipt-cluster)
274 TITLE:=Match cluster extension
275 endef
276
277 define Package/iptables-mod-cluster/description
278 iptables extensions for matching cluster.
279
280 Netfilter (IPv4/IPv6) module for matching cluster
281 This option allows you to build work-load-sharing clusters of
282 network servers/stateful firewalls without having a dedicated
283 load-balancing router/server/switch. Basically, this match returns
284 true when the packet must be handled by this cluster node. Thus,
285 all nodes see all packets and this match decides which node handles
286 what packets. The work-load sharing algorithm is based on source
287 address hashing.
288
289 This module is usable for ipv4 and ipv6.
290
291 If you select it, it enables kmod-ipt-cluster.
292
293 see `iptables -m cluster --help` for more information.
294 endef
295
296 define Package/iptables-mod-clusterip
297 $(call Package/iptables/Module, +kmod-ipt-clusterip)
298 TITLE:=Clusterip extension
299 endef
300
301 define Package/iptables-mod-clusterip/description
302 iptables extensions for CLUSTERIP.
303 The CLUSTERIP target allows you to build load-balancing clusters of
304 network servers without having a dedicated load-balancing
305 router/server/switch.
306
307 If you select it, it enables kmod-ipt-clusterip.
308
309 see `iptables -j CLUSTERIP --help` for more information.
310 endef
311
312 define Package/iptables-mod-extra
313 $(call Package/iptables/Module, +kmod-ipt-extra)
314 TITLE:=Other extra iptables extensions
315 endef
316
317 define Package/iptables-mod-extra/description
318 Other extra iptables extensions.
319
320 Matches:
321 - addrtype
322 - condition
323 - owner
324 - physdev (if ebtables is enabled)
325 - pkttype
326 - quota
327
328 endef
329
330 define Package/iptables-mod-led
331 $(call Package/iptables/Module, +kmod-ipt-led)
332 TITLE:=LED trigger iptables extension
333 endef
334
335 define Package/iptables-mod-led/description
336 iptables extension for triggering a LED.
337
338 Targets:
339 - LED
340
341 endef
342
343 define Package/iptables-mod-tproxy
344 $(call Package/iptables/Module, +kmod-ipt-tproxy)
345 TITLE:=Transparent proxy iptables extensions
346 endef
347
348 define Package/iptables-mod-tproxy/description
349 Transparent proxy iptables extensions.
350
351 Matches:
352 - socket
353
354 Targets:
355 - TPROXY
356
357 endef
358
359 define Package/iptables-mod-tee
360 $(call Package/iptables/Module, +kmod-ipt-tee)
361 TITLE:=TEE iptables extensions
362 endef
363
364 define Package/iptables-mod-tee/description
365 TEE iptables extensions.
366
367 Targets:
368 - TEE
369
370 endef
371
372 define Package/iptables-mod-u32
373 $(call Package/iptables/Module, +kmod-ipt-u32)
374 TITLE:=U32 iptables extensions
375 endef
376
377 define Package/iptables-mod-u32/description
378 U32 iptables extensions.
379
380 Matches:
381 - u32
382
383 endef
384
385 define Package/ip6tables
386 $(call Package/iptables/Default)
387 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
388 CATEGORY:=Network
389 TITLE:=IPv6 firewall administration tool
390 MENU:=1
391 endef
392
393
394 define Package/ip6tables-extra
395 $(call Package/iptables/Default)
396 DEPENDS:=ip6tables +kmod-ip6tables-extra
397 TITLE:=IPv6 header matching modules
398 endef
399
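# Description text for the ip6tables-extra package. The define name has to
# match the package name used in "define Package/ip6tables-extra" and in the
# BuildPlugin call; under the old name (ip6tables-mod-extra) no package in
# this file picked the text up.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef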
403
404 define Package/ip6tables-mod-nat
405 $(call Package/iptables/Default)
406 DEPENDS:=ip6tables +kmod-ipt-nat6
407 TITLE:=IPv6 NAT extensions
408 endef
409
410 define Package/ip6tables-mod-nat/description
411 iptables extensions for IPv6-NAT targets.
412 endef
413
414 define Package/libiptc
415 $(call Package/iptables/Default)
416 SECTION:=libs
417 CATEGORY:=Libraries
418 DEPENDS:=+libip4tc +libip6tc +libxtables
419 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
420 endef
421
422 define Package/libip4tc
423 $(call Package/iptables/Default)
424 SECTION:=libs
425 CATEGORY:=Libraries
426 TITLE:=IPv4 firewall - shared libiptc library
427 DEPENDS:=+libxtables
428 endef
429
430 define Package/libip6tc
431 $(call Package/iptables/Default)
432 SECTION:=libs
433 CATEGORY:=Libraries
434 TITLE:=IPv6 firewall - shared libiptc library
435 DEPENDS:=+libxtables
436 endef
437
438 define Package/libxtables
439 $(call Package/iptables/Default)
440 SECTION:=libs
441 CATEGORY:=Libraries
442 TITLE:=IPv4/IPv6 firewall - shared xtables library
443 endef
444
445 TARGET_CPPFLAGS := \
446 -I$(PKG_BUILD_DIR)/include \
447 -I$(LINUX_DIR)/user_headers/include \
448 $(TARGET_CPPFLAGS)
449
450 TARGET_CFLAGS += \
451 -I$(PKG_BUILD_DIR)/include \
452 -I$(LINUX_DIR)/user_headers/include \
453 -ffunction-sections -fdata-sections \
454 -DNO_LEGACY
455
456 TARGET_LDFLAGS += \
457 -Wl,--gc-sections
458
# Extra ./configure switches for iptables.
# --with-xtlibdir points at /usr/lib/iptables, the same directory the
# BuildPlugin install step copies extension libraries into.
# --disable-ipv6 is added only when CONFIG_IPV6 is empty.
459 CONFIGURE_ARGS += \
460 --enable-shared \
461 --enable-devel \
462 --with-kernel="$(LINUX_DIR)/user_headers" \
463 --with-xtlibdir=/usr/lib/iptables \
464 --enable-static \
465 $(if $(CONFIG_IPV6),,--disable-ipv6)
466
# Variables handed to the iptables build.
# BUILTIN_MODULES is the combined IPT_BUILTIN, IPT_CONNTRACK-m and IPT_NAT-m
# lists with any leading xt_, ipt_ or ip6t_ prefix stripped from each word.
# NOTE(review): those lists are presumably filled in by netfilter.mk from the
# kernel configuration -- confirm there before editing the prefixes.
467 MAKE_FLAGS := \
468 $(TARGET_CONFIGURE_OPTS) \
469 COPT_FLAGS="$(TARGET_CFLAGS)" \
470 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
471 KBUILD_OUTPUT="$(LINUX_DIR)" \
472 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
473
# Compare the .config_* marker present in the build directory with the marker
# name derived from STAMP_CONFIGURED. On a mismatch (including no marker at
# all) define a rebuild step that deletes *.o, *.?o and *.a files plus the old
# .config_* / .configured_* markers, then creates the current marker. When the
# markers match, Build/Configure/rebuild stays undefined and expands to
# nothing inside Build/Configure.
# NOTE(review): every rm path is prefixed with $(PKG_BUILD_DIR); that variable
# is presumably set by package.mk -- an empty value would turn these into
# root-relative globs, so confirm it can never be empty here.
474 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
475 define Build/Configure/rebuild
476 $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
477 rm -f $(PKG_BUILD_DIR)/.config_*
478 rm -f $(PKG_BUILD_DIR)/.configured_*
479 touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
480 endef
481 endif
482
483 define Build/Configure
484 $(Build/Configure/rebuild)
485 $(Build/Configure/Default)
486 endef
487
# Stage the development files into $(1): iptables headers taken straight from
# the build tree (not all of them are installed by iptables itself), whatever
# "make install" put under usr/include, the libxtables / libip*tc shared
# libraries with their pkg-config files, and the libiptext*.so libraries from
# the extensions directory that firewall3 links against.
488 define Build/InstallDev
489 $(INSTALL_DIR) $(1)/usr/include
490 $(INSTALL_DIR) $(1)/usr/include/iptables
491 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
492
493 # XXX: iptables header fixup, some headers are not installed by iptables anymore
494 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
495 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
496 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
497 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
498 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
499
500 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
501 $(INSTALL_DIR) $(1)/usr/lib
502 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
503 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
504 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
505 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
506 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
507
508 # XXX: needed by firewall3
509 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
510 endef
511
# Files shipped in the base iptables package: xtables-multi plus iptables,
# iptables-restore and iptables-save, and an empty /usr/lib/iptables directory
# for the extension libraries that the plugin packages add.
# The {,-restore,-save} list relies on brace expansion, which plain POSIX sh
# does not provide -- the recipe shell must support it.
512 define Package/iptables/install
513 $(INSTALL_DIR) $(1)/usr/sbin
514 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
515 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
516 $(INSTALL_DIR) $(1)/usr/lib/iptables
517 endef
518
519 define Package/ip6tables/install
520 $(INSTALL_DIR) $(1)/usr/sbin
521 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
522 endef
523
524 define Package/libiptc/install
525 $(INSTALL_DIR) $(1)/usr/lib
526 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
527 endef
528
529 define Package/libip4tc/install
530 $(INSTALL_DIR) $(1)/usr/lib
531 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
532 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
533 endef
534
535 define Package/libip6tc/install
536 $(INSTALL_DIR) $(1)/usr/lib
537 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
538 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
539 endef
540
541 define Package/libxtables/install
542 $(INSTALL_DIR) $(1)/usr/lib
543 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
544 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
545 endef
546
# BuildPlugin: generate the install rule for one extension package and
# register the package with BuildPackage.
#   $(1)  package name (e.g. iptables-mod-filter)
#   $(2)  list of extension names; every word is tried under four prefix
#         rewrites (xt_ -> ipt_, ipt_ -> xt_, xt_ -> ip6t_, ip6t_ -> xt_)
#   $(3)  optional extra install commands; no call in this file passes it
# For each candidate name m the rule copies lib<m>.so from the staged
# /usr/lib/iptables into the package, but only if that file exists. A missing
# library is skipped without an error, so a plugin package can be built
# without the extension it is named after and the build still succeeds --
# check the package contents when a module list or prefix changes.
# The run of eight '$' before {m} is deliberate: each expansion pass halves
# it, leaving a single '$' for the shell loop variable.
# NOTE(review): the count presumably matches the call/eval passes done here
# and inside BuildPackage -- verify before touching it.
# NOTE(review): the names in $(2) are placed unquoted into the shell loop;
# they are presumably build-configuration values from netfilter.mk -- confirm.
547 define BuildPlugin
548 define Package/$(1)/install
549 $(INSTALL_DIR) $$(1)/usr/lib/iptables
550 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
551 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
552 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
553 fi; \
554 done
555 $(3)
556 endef
557
558 $$(eval $$(call BuildPackage,$(1)))
559 endef
560
561 $(eval $(call BuildPackage,iptables))
562 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
563 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
564 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
565 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
566 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
567 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
568 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
569 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
570 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
571 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
572 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
573 $(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
574 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
575 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
576 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
577 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
578 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
579 $(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
580 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
581 $(eval $(call BuildPackage,ip6tables))
582 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
583 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
584 $(eval $(call BuildPackage,libiptc))
585 $(eval $(call BuildPackage,libip4tc))
586 $(eval $(call BuildPackage,libip6tc))
587 $(eval $(call BuildPackage,libxtables))