1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Package identity. PKG_RELEASE is the packaging revision on top of PKG_VERSION.
PKG_NAME:=iptables
PKG_VERSION:=1.6.2
PKG_RELEASE:=2

# Source provenance. The tree is fetched from the upstream git server over
# HTTPS and pinned to one full commit id instead of a branch or tag name.
# PKG_MIRROR_HASH is the checksum of the packed source archive (presumably
# SHA-256, given the 64 hex digits); update it together with
# PKG_SOURCE_VERSION, never one without the other.
# NOTE(review): nothing in this file ties the pinned commit to the 1.6.2
# label; confirm it on every bump, since version-based vulnerability matching
# (see PKG_CPE_ID) relies on PKG_VERSION being accurate.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=c16bdec15137b241586310d0e61bc88cc3726004
PKG_MIRROR_HASH:=72e4bec94a56dd600097846c773e1074ff705e38f800ef221db646c064371a53

# A git checkout has no generated configure script, hence the autoreconf fixup.
# nonshared: presumably marks the build as target-specific, which fits the
# kernel-config dependency set up after package.mk is included - TODO confirm.
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared

PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
# CPE name of the upstream product, so vulnerability tooling can map this
# package to published advisories.
PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
27
28 include $(INCLUDE_DIR)/package.mk
# Skipped when DUMP is set. Otherwise: read the kernel .config if it exists
# (the leading '-' tolerates a missing file), load the netfilter module lists,
# and append a digest of every kernel config line mentioning NETFILTER to the
# configure stamp name, so a change in those options changes the stamp.
# The MD5 here only fingerprints the configuration to detect change; it is
# not an integrity or authenticity check.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
34
35
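# Fields shared by every package built from this Makefile; the other
# Package/* blocks pull them in with $(call Package/iptables/Default).
# URL is the project home page recorded in the package metadata. It uses
# https, like PKG_SOURCE_URL, so the published link is not a cleartext one.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef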
42
# Template for the iptables-mod-* extension packages: the shared defaults plus
# a dependency on the base iptables package and on whatever is passed as $(1)
# (in this file, always the kernel module package(s) backing the extension).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
47
# The base user-space tool. It depends on the core kernel module package and
# on the shared libraries defined further down; libip6tc is pulled in only
# when IPV6 is enabled (the "+IPV6:" prefix).
# MENU:=1 presumably gives the package a submenu for the options declared in
# Package/iptables/config - TODO confirm.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
54
# Build-time options offered with the iptables package. Both default to off:
# CONFIGURE_ARGS passes --disable-connlabel / --disable-nftables unless the
# matching CONFIG_ symbol is set, and Package/libxtables depends on
# libnetfilter-conntrack / libnftnl only in that case. Leaving them off keeps
# the extra code and libraries out of the image.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
68
# Free-text description of the base package: the matches, targets and tables
# it is meant to cover. The lists are documentation only; nothing in this
# block selects which extension files are built or installed.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef
107
# Extension package for the extra connection-tracking matches/targets; needs
# kmod-ipt-conntrack-extra. The files actually shipped are chosen by
# $(IPT_CONNTRACK_EXTRA-m) in the BuildPlugin call at the end of this file,
# not by the list in the description.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

# Description text for iptables-mod-conntrack-extra.
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef
127
# Connlabel extension package. "@IPTABLES_CONNLABEL" makes it available only
# when that build option is enabled, and DEFAULT selects it automatically in
# that case. Shipped files come from $(IPT_CONNTRACK_LABEL-m).
define Package/iptables-mod-conntrack-label
$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
  TITLE:=Connection tracking labeling extension
  DEFAULT:=y if IPTABLES_CONNLABEL
endef

# Description text for iptables-mod-conntrack-label.
define Package/iptables-mod-conntrack-label/description
Match and set label(s) on connection tracking entries

Matches:
- connlabel

endef
141
# Content-inspection extension package; needs kmod-ipt-filter. Shipped files
# come from $(IPT_FILTER-m).
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

# Description text for iptables-mod-filter.
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string
- bpf

endef
156
# IP/packet option extension package; needs kmod-ipt-ipopt. Shipped files come
# from $(IPT_IPOPT-m).
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

# Description text for iptables-mod-ipopt.
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef
181
# IPsec matching extension package; needs kmod-ipt-ipsec. Shipped files come
# from $(IPT_IPSEC-m).
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

# Description text for iptables-mod-ipsec.
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef
196
# Extra NAT target package; needs kmod-ipt-nat-extra. Shipped files come from
# $(IPT_NAT_EXTRA-m).
# NOTE(review): the description names MIRROR and NETMAP, but only the
# $(IPT_NAT_EXTRA-m) list decides what is installed - confirm both targets
# are really provided by the kernel this is built against.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

# Description text for iptables-mod-nat-extra.
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef
209
# User-space packet logging (ULOG) package; needs kmod-ipt-ulog. Shipped files
# come from $(IPT_ULOG-m).
# NOTE(review): confirm the target kernel still provides ULOG; the
# iptables-mod-nflog package in this file covers user-space logging as well.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

# Description text for iptables-mod-ulog.
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef
222
# NFLOG target package; needs both kmod-nfnetlink-log and kmod-ipt-nflog.
# Shipped files come from $(IPT_NFLOG-m).
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

# Description text for iptables-mod-nflog.
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef
235
# TRACE target package. Note the naming: it depends on kmod-ipt-debug and its
# files come from $(IPT_DEBUG-m), not from a "trace"-named list.
define Package/iptables-mod-trace
$(call Package/iptables/Module, +kmod-ipt-debug)
  TITLE:=Netfilter TRACE target
endef

# Description text for iptables-mod-trace.
define Package/iptables-mod-trace/description
iptables extension for TRACE target

Includes:
- libxt_TRACE

endef
248
249
# NFQUEUE target package; needs kmod-nfnetlink-queue and kmod-ipt-nfqueue.
# Shipped files come from $(IPT_NFQUEUE-m).
# NOTE(review): rules using this target hand packets to a user-space program;
# what happens when no program is attached is decided by the rule set, not by
# this package - confirm the intended fail-open/fail-closed behaviour there.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

# Description text for iptables-mod-nfqueue.
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef
262
# hashlimit match package; needs kmod-ipt-hashlimit. Shipped files come from
# $(IPT_HASHLIMIT-m).
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

# Description text for iptables-mod-hashlimit.
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef
275
# Reverse-path filter match package; needs kmod-ipt-rpfilter. Shipped files
# come from $(IPT_RPFILTER-m).
define Package/iptables-mod-rpfilter
$(call Package/iptables/Module, +kmod-ipt-rpfilter)
  TITLE:=rpfilter iptables extension
endef

# Description text for iptables-mod-rpfilter.
define Package/iptables-mod-rpfilter/description
iptables extensions for reverse path filter test on a packet

Matches:
- rpfilter

endef
288
# IP range match package; needs kmod-ipt-iprange. Shipped files come from
# $(IPT_IPRANGE-m).
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

# Description text for iptables-mod-iprange.
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef
301
# cluster match package; needs kmod-ipt-cluster. Shipped files come from
# $(IPT_CLUSTER-m).
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

# Description text for iptables-mod-cluster. As the text itself says, every
# node sees every packet and the match only decides which node handles it.
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
325
# CLUSTERIP target package; needs kmod-ipt-clusterip. Shipped files come from
# $(IPT_CLUSTERIP-m).
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

# Description text for iptables-mod-clusterip.
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
341
# Miscellaneous match package; needs kmod-ipt-extra. Shipped files come from
# $(IPT_EXTRA-m).
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

# Description text for iptables-mod-extra.
define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- pkttype
- quota

endef
358
# physdev match package; needs kmod-ipt-physdev. Shipped files come from
# $(IPT_PHYSDEV-m).
define Package/iptables-mod-physdev
$(call Package/iptables/Module, +kmod-ipt-physdev)
  TITLE:=physdev iptables extension
endef

# Description text for iptables-mod-physdev.
define Package/iptables-mod-physdev/description
The iptables physdev match.
endef
367
# LED trigger target package; needs kmod-ipt-led. Shipped files come from
# $(IPT_LED-m).
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

# Description text for iptables-mod-led.
define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef
380
# Transparent proxy package (socket match, TPROXY target); needs
# kmod-ipt-tproxy. Shipped files come from $(IPT_TPROXY-m).
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

# Description text for iptables-mod-tproxy.
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef
396
# TEE target package; needs kmod-ipt-tee. Shipped files come from
# $(IPT_TEE-m).
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

# Description text for iptables-mod-tee.
define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef
409
# u32 match package; needs kmod-ipt-u32. Shipped files come from
# $(IPT_U32-m).
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

# Description text for iptables-mod-u32.
define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef
422
# CHECKSUM target package; needs kmod-ipt-checksum. Shipped files come from
# $(IPT_CHECKSUM-m).
define Package/iptables-mod-checksum
$(call Package/iptables/Module, +kmod-ipt-checksum)
  TITLE:=IP CHECKSUM target extension
endef

# Description text for iptables-mod-checksum.
define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target
endef
431
# IPv6 front end. "@IPV6" restricts it to builds with IPv6 enabled; it also
# needs kmod-ip6tables and the base iptables package.
# CATEGORY repeats the value already set by Package/iptables/Default.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
439
440
# IPv6 header matching extensions; depends on ip6tables and selects
# kmod-ip6tables-extra. Shipped files come from $(IPT_IPV6_EXTRA-m).
# Unlike the iptables-mod-* packages this is named "ip6tables-extra", without
# "-mod-"; the BuildPlugin call at the end of the file uses the same name.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef
446
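# Description text for ip6tables-extra. The name after "Package/" has to match
# the package name used by "define Package/ip6tables-extra" and by its
# BuildPlugin call; under any other name (such as ip6tables-mod-extra, which
# no package in this file uses) the text is attached to nothing.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef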
450
# IPv6 NAT target package; depends on ip6tables and selects kmod-ipt-nat6.
# Shipped files come from $(IPT_NAT6-m).
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

# Description text for ip6tables-mod-nat.
define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
460
# Compatibility stub library package (per its TITLE); it selects the two
# per-family libraries and libxtables. ABI_VERSION follows PKG_VERSION, so the
# ABI tag changes with every version bump.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  ABI_VERSION:=$(PKG_VERSION)
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
469
# IPv4 libiptc shared library package; overrides SECTION/CATEGORY from the
# defaults and selects libxtables. ABI_VERSION follows PKG_VERSION.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
478
# IPv6 libiptc shared library package; same layout as Package/libip4tc.
# NOTE(review): Package/libiptc selects this unconditionally, while
# Package/iptables selects it only when IPV6 is enabled.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:=+libxtables
endef
487
# Shared xtables library package. Its two dependencies are conditional: each
# library is pulled in only when the matching IPTABLES_* build option is on,
# which mirrors the --disable-connlabel / --disable-nftables switches in
# CONFIGURE_ARGS.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  ABI_VERSION:=$(PKG_VERSION)
  DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnftnl
endef
498
# Put the package's own headers and the kernel's exported user headers ahead
# of whatever include paths TARGET_CPPFLAGS already carries, so they win on a
# name clash.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Same include paths again for the compiler flags, plus per-function/per-data
# sections and the NO_LEGACY define. Appended, so the flags already in
# TARGET_CFLAGS are kept; no hardening option is added or removed here.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

# Lets the linker drop the sections produced above that nothing references.
TARGET_LDFLAGS += \
	-Wl,--gc-sections
512
# Options for the upstream configure script.
# - xtlibdir is the directory the extension .so files are installed into (see
#   BuildPlugin). The tools that use them run privileged, so the directory and
#   its files should be writable by root only - TODO confirm in the image.
# - The xtables lock file is placed under /var/run.
# - connlabel, nftables and IPv6 support are switched off unless the matching
#   CONFIG_ symbol is set, so unused code is not built in.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--with-xt-lock-name=/var/run/xtables.lock \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)
523
# Variables handed to the upstream make. ":=" replaces any earlier MAKE_FLAGS
# value instead of appending to it.
# BUILTIN_MODULES is built from the IPT_BUILTIN, IPT_CONNTRACK-m and IPT_NAT-m
# lists with the xt_, ipt_ and ip6t_ prefixes stripped, leaving bare extension
# names.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
530
# Defined only when the .config_* marker found in the build directory differs
# from the one expected for the current STAMP_CONFIGURED (which carries the
# netfilter config digest). In that case the recipe deletes the object files
# and archives matched by the find expression, removes the old markers and
# creates the new .config_ marker, forcing a clean rebuild.
# NOTE(review): every command here is rooted at $(PKG_BUILD_DIR) and deletes
# files; it relies on that variable being non-empty - presumably guaranteed by
# package.mk, confirm before reusing this snippet elsewhere.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
539
# Configure step: run the cleanup above first (it expands to nothing when
# Build/Configure/rebuild was not defined), then the default configure.
define Build/Configure
	$(Build/Configure/rebuild)
	$(Build/Configure/Default)
endef
544
# Installs headers, shared libraries and pkg-config files into the staging
# tree passed as $(1), for other packages to build against.
# Part of the headers and the libiptext*.so libraries are copied straight
# from the build directory because the upstream "make install" does not put
# them into PKG_INSTALL_DIR (see the XXX lines, which are part of the recipe
# text and are passed through as-is).
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
568
# Files of the base package: xtables-multi plus iptables, iptables-restore and
# iptables-save, and an empty /usr/lib/iptables directory for the extension
# packages to fill.
# The {,-restore,-save} form is shell brace expansion, not a make feature;
# this assumes the recipe shell is bash - TODO confirm.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
575
# Files of the ip6tables package: ip6tables, ip6tables-restore and
# ip6tables-save. Uses the same shell brace expansion as the iptables install
# block, so it also assumes a bash recipe shell - TODO confirm.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
580
# Ships every libiptc.so* file produced by the upstream install step.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
585
# Ships libip4tc.so* from the install tree and libiptext4.so, which is taken
# from the build directory's extensions/ folder rather than the install tree.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
591
# Ships libip6tc.so* from the install tree and libiptext6.so from the build
# directory's extensions/ folder.
# NOTE(review): libiptext6.so is copied unconditionally; confirm it is still
# built when --disable-ipv6 is passed to configure.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
597
# Ships libxtables.so* from the install tree and libiptext.so from the build
# directory's extensions/ folder.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
603
# BuildPlugin,<package>,<module list>[,<extra install commands>]
# Generates the install block for one extension package and then registers the
# package with BuildPackage.
#   $(1) package name
#   $(2) kernel-side module names (xt_*, ipt_*, ip6t_*)
#   $(3) optional extra install commands; no call in this file passes any
# For every name in $(2) the loop also tries the name with its prefix swapped
# between xt_/ipt_ and xt_/ip6t_, and copies lib<name>.so into
# /usr/lib/iptables only if that file exists in the install tree. A missing
# library is skipped silently, so a package can come out with fewer extensions
# than its description lists without the build failing.
# Escaping: this text is expanded once by $(call ...) before $(eval ...) sees
# it. "$$(1)" therefore becomes the "$(1)" of the generated install block, and
# the long run of "$" in front of "{m}" is halved on each later expansion pass
# until the shell receives "${m}". The number of passes depends on
# BuildPackage, which is not defined in this file, so keep the count as it is.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
617
# Package registration. Packages with a hand-written install block go through
# BuildPackage directly; extension packages go through BuildPlugin, which
# receives the module list (an IPT_*-m variable, presumably set by
# netfilter.mk) that decides which extension libraries are shipped.
# Each name here must match a "define Package/<name>" block above. Note that
# iptables-mod-trace uses IPT_DEBUG-m and ip6tables-extra has no "-mod-".
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))