iptables: Support building connlabel module
[openwrt/openwrt.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Package identity and metadata. PKG_CPE_ID is the CPE name under which this
# package can be matched against vulnerability feeds.
PKG_NAME:=iptables
PKG_VERSION:=1.6.1
PKG_RELEASE:=2
PKG_LICENSE:=GPL-2.0
PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables

# Source provenance: fetched over HTTPS from the upstream git tree and pinned
# to one full commit id. PKG_MIRROR_HASH is the checksum the download step
# compares the packed source tarball against. Update the commit and the hash
# together; a stale hash must fail the build rather than be blanked out.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

# Regenerate the autotools files before running configure.
PKG_FIXUP:=autoreconf

# Use the package's own "make install" into PKG_INSTALL_DIR and allow
# parallel compilation.
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
26
27 include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty, i.e. not while package metadata is merely dumped.
ifeq ($(DUMP),)
  # Leading '-': a missing kernel .config is tolerated by this include.
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  # Append a digest of every kernel .config line mentioning NETFILTER to the
  # configure stamp name, so a changed netfilter configuration yields a new
  # stamp. MD5 serves purely as a change-detection fingerprint here; it is
  # not an integrity or authenticity check on anything.
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
33
34
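# Metadata shared by every package defined in this Makefile: menu placement
# and the upstream project URL. The URL uses HTTPS, consistent with
# PKG_SOURCE_URL, so the advertised homepage is not a plain-HTTP link.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef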
41
# Template for the extension packages below: the shared defaults plus a
# dependency on the iptables base package and on whatever the caller passes
# as $(1) (in this file always one or more kernel-module packages).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
46
# Base package: the iptables tool itself. It pulls in the core kernel module
# and the shared libraries; libip6tc is only required when IPV6 is enabled.
# MENU:=1 gives the package its own submenu.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
53
# Build-time feature switches, both off by default. While a switch is off,
# configure is passed the matching --disable-connlabel / --disable-nftables
# flag and libxtables does not depend on libnetfilter-conntrack / libnftnl,
# so the optional code and its libraries stay out of the image.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
67
# Human-readable inventory of what the base package ships: the matches,
# targets and tables listed here. Everything else comes from the
# iptables-mod-* extension packages.
define Package/iptables/description
IP firewall administration tool.

 Matches:
  - icmp
  - tcp
  - udp
  - comment
  - conntrack
  - limit
  - mac
  - mark
  - multiport
  - set
  - state
  - time

 Targets:
  - ACCEPT
  - CT
  - DNAT
  - DROP
  - REJECT
  - LOG
  - MARK
  - MASQUERADE
  - REDIRECT
  - SET
  - SNAT
  - TCPMSS

 Tables:
  - filter
  - mangle
  - nat
  - raw

endef
106
# Extension package: additional connection-tracking matches and the CONNMARK
# target. Requires iptables plus kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

 Matches:
  - connbytes
  - connlimit
  - connmark
  - recent
  - helper

 Targets:
  - CONNMARK

endef
126
# Extension package: the connlabel match. '@IPTABLES_CONNLABEL' makes the
# package selectable only when connlabel support is compiled into iptables,
# and DEFAULT selects it automatically in that case.
define Package/iptables-mod-conntrack-label
$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
  TITLE:=Connection tracking labeling extension
  DEFAULT:=y if IPTABLES_CONNLABEL
endef

define Package/iptables-mod-conntrack-label/description
Match and set label(s) on connection tracking entries

 Matches:
  - connlabel

endef
140
# Extension package: payload inspection via the string match.
# Requires iptables plus kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

 Matches:
  - string

endef
154
# Extension package: matches and targets that inspect or rewrite IP header
# and packet options. Requires iptables plus kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

 Matches:
  - dscp
  - ecn
  - length
  - statistic
  - tcpmss
  - unclean
  - hl

 Targets:
  - DSCP
  - CLASSIFY
  - ECN
  - HL

endef
179
# Extension package: matches for IPsec traffic (AH, ESP, policy).
# Requires iptables plus kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

 Matches:
  - ah
  - esp
  - policy

endef
194
# Extension package: additional NAT targets.
# Requires iptables plus kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

 Targets:
  - MIRROR
  - NETMAP
endef
207
# Extension package: the ULOG target, which hands packet logs to user space.
# Requires iptables plus kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

 Targets:
  - ULOG

endef
220
# Extension package: the NFLOG target (logging to user space over
# nfnetlink). Requires iptables, kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

 Includes:
  - libxt_NFLOG

endef
233
# Extension package: the TRACE target, a rule-debugging aid.
# Requires iptables plus kmod-ipt-debug.
define Package/iptables-mod-trace
$(call Package/iptables/Module, +kmod-ipt-debug)
  TITLE:=Netfilter TRACE target
endef

define Package/iptables-mod-trace/description
iptables extension for TRACE target

 Includes:
  - libxt_TRACE

endef
246
247
# Extension package: the NFQUEUE target, which queues packets to a
# user-space program over nfnetlink. Requires iptables,
# kmod-nfnetlink-queue and kmod-ipt-nfqueue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

 Includes:
  - libxt_NFQUEUE

endef
260
# Extension package: the hashlimit match.
# Requires iptables plus kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

 Matches:
  - hashlimit

endef
273
# Extension package: the rpfilter match (reverse-path test on a packet).
# Requires iptables plus kmod-ipt-rpfilter.
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet

 Matches:
  - rpfilter

endef
286
# Extension package: the iprange match.
# Requires iptables plus kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

 Matches:
  - iprange

endef
299
# Extension package: the cluster match, used to share load between nodes
# that all receive the same traffic. Requires iptables plus kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
323
# Extension package: the CLUSTERIP target.
# Requires iptables plus kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
339
# Extension package: assorted matches that fit none of the other groups.
# Requires iptables plus kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
Other extra iptables extensions.

 Matches:
  - addrtype
  - condition
  - owner
  - physdev (if ebtables is enabled)
  - pkttype
  - quota

endef
357
# Extension package: the LED target.
# Requires iptables plus kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
iptables extension for triggering a LED.

 Targets:
  - LED

endef
370
# Extension package: transparent proxying (socket match, TPROXY target).
# Requires iptables plus kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

 Matches:
  - socket

 Targets:
  - TPROXY

endef
386
# Extension package: the TEE target.
# Requires iptables plus kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
TEE iptables extensions.

 Targets:
  - TEE

endef
399
# Extension package: the u32 match.
# Requires iptables plus kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
U32 iptables extensions.

 Matches:
  - u32

endef
412
# Extension package: the CHECKSUM target.
# Requires iptables plus kmod-ipt-checksum.
define Package/iptables-mod-checksum
$(call Package/iptables/Module, +kmod-ipt-checksum)
  TITLE:=IP CHECKSUM target extension
endef

define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target
endef
421
# IPv6 counterpart of the base tool. '@IPV6' hides the package unless IPv6
# support is enabled; it needs the ip6tables kernel module and the iptables
# package. CATEGORY repeats the value already set by the shared defaults.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
429
430
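# IPv6 header-matching extension package.
# Requires ip6tables plus kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# The description is keyed on the package's real name, ip6tables-extra.
# It was previously defined as Package/ip6tables-mod-extra/description,
# a name that matches no package defined or built in this Makefile, which
# left ip6tables-extra without a description of its own.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef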
440
# IPv6 NAT extension package. Requires ip6tables plus kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
450
# Library package kept as a compatibility stub (see TITLE): it depends on
# the split libip4tc/libip6tc libraries and on libxtables. ABI_VERSION
# tracks PKG_VERSION.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  ABI_VERSION:=$(PKG_VERSION)
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
459
# IPv4 half of the libiptc shared library; depends on libxtables.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
468
# IPv6 half of the libiptc shared library; depends on libxtables.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
477
# Shared xtables library. Its only dependencies are conditional:
# libnetfilter-conntrack when IPTABLES_CONNLABEL is set and libnftnl when
# IPTABLES_NFTABLES is set, so neither library is pulled in by default.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnftnl
endef
488
# Preprocessor search path: the package's own headers and the kernel user
# headers are placed ahead of the inherited TARGET_CPPFLAGS.
TARGET_CPPFLAGS := -I$(PKG_BUILD_DIR)/include -I$(LINUX_DIR)/user_headers/include $(TARGET_CPPFLAGS)

# The same two include directories are also appended to the compiler flags.
TARGET_CFLAGS += -I$(PKG_BUILD_DIR)/include -I$(LINUX_DIR)/user_headers/include
# Separate sections per function and data item, paired with --gc-sections
# at link time. NO_LEGACY is passed to the compiler as a macro definition;
# NOTE(review): its effect on the iptables sources is not visible here.
TARGET_CFLAGS += -ffunction-sections -fdata-sections -DNO_LEGACY

TARGET_LDFLAGS += -Wl,--gc-sections
502
# Arguments handed to ./configure. Shared and static libraries plus the
# development files are always built; extensions are installed under
# /usr/lib/iptables. The three $(if ...) lines are opt-in switches: each
# feature is explicitly disabled unless its CONFIG_ symbol is set, so
# connlabel, nftables and IPv6 support are never enabled by accident.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)
512
# Variables passed on the make command line of the iptables build.
# BUILTIN_MODULES is the list of built-in, conntrack and NAT extensions
# (IPT_BUILTIN, IPT_CONNTRACK-m, IPT_NAT-m) with any xt_, ipt_ or ip6t_
# prefix stripped from each name.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
519
# Defined only when the .config_* marker found in the build directory is not
# the one expected for the current configure stamp (the stamp name carries a
# digest of the kernel netfilter options). In that case stale objects,
# archives and old markers are removed and the expected marker is created,
# which forces a clean reconfigure and rebuild.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
528
# Configure step: run the cleanup above when it is defined (it expands to
# nothing otherwise), then the default configure procedure.
define Build/Configure
	$(Build/Configure/rebuild)
	$(Build/Configure/Default)
endef
533
# Stage headers, shared libraries and pkg-config files under $(1) for other
# packages to build against. Headers come from two places: the build tree
# (those upstream no longer installs) and the regular install tree.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
557
# Image contents of the base package: xtables-multi, the iptables,
# iptables-restore and iptables-save entries, and an empty
# /usr/lib/iptables directory for the extension packages to fill.
# The {,-restore,-save} pattern is shell brace expansion, so the recipe
# shell must support it.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef

# Image contents of ip6tables: only its three command entries.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
569
# Library packages. Each one ships its own shared objects from the install
# tree; libip4tc, libip6tc and libxtables additionally take the matching
# libiptext*.so straight from the extensions build directory.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef

define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef

define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef

define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
592
# BuildPlugin generates the install recipe for one extension package and
# then registers the package with BuildPackage.
#   $(1)  package name
#   $(2)  extension names for the package (the IPT_*-m lists)
#   $(3)  optional extra install commands, appended to the recipe
# Every name in $(2) is tried under its xt_, ipt_ and ip6t_ spellings, and
# lib<name>.so is copied only when it exists in the install tree, so an
# extension that was not built is skipped without failing the build.
# The template is expanded more than once before the shell runs it (call,
# eval, then the recipe itself), which is why single shell-level references
# are written as $$(1) and as a run of eight dollar signs before {m}.
# NOTE(review): the exact number of passes depends on BuildPackage, which is
# not defined in this file.
define BuildPlugin

  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
606
# Package instantiation. Base tools and libraries are registered directly
# with BuildPackage; every extension package goes through BuildPlugin with
# the extension list for its group.

# IPv4 base tool and its extension packages.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))

# IPv6 base tool and its extension packages.
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))

# Shared libraries.
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))