ac869f038532b5363c0f3218934a42d32e3eb861
[openwrt/openwrt.git] / package / network / utils / iptables / Makefile
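#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

# Upstream release being packaged. PKG_VERSION and PKG_HASH must change
# together: the hash pins the exact tarball that is unpacked and built.
PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=2

# Download locations. The primary site is fetched over HTTPS instead of plain
# HTTP. The FTP mirrors are unauthenticated plaintext fallbacks, so for them
# PKG_HASH is the only protection against a tampered or corrupted tarball.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
# SHA-256 digest (64 hex digits) of PKG_SOURCE. Never update it without
# verifying the new tarball against the upstream release.
PKG_HASH:=52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0

# Build-system switches: regenerate the autotools files before configure,
# stage the build through "make install", and allow parallel make.
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
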
include $(INCLUDE_DIR)/package.mk
# Everything in this conditional is skipped when DUMP is non-empty.
ifeq ($(DUMP),)
  # The leading "-" makes a missing kernel .config non-fatal for the include.
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  # Append an MD5 of the NETFILTER lines of the kernel .config to the configure
  # stamp name, so a changed netfilter configuration produces a different stamp.
  # MD5 is used here only as a change detector, not as a security control.
  # NOTE(review): grep reads the same .config that "-include" tolerates as
  # missing; confirm what suffix results when the file does not exist.
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif


# Shared menu metadata pulled into every package definition in this Makefile.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=http://netfilter.org/
endef

# Template for extension packages: the Default metadata plus a dependency on
# iptables and on whatever the caller passes as $(1) (the "+kmod-..." entries).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef

# Base iptables package. libip6tc is pulled in only when IPV6 is enabled
# ("+IPV6:libip6tc" is a conditional dependency).
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef

# Descriptive text only: the lists below document the package and do not
# select which files are installed.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef

# Extension package for extra connection-tracking matches and targets; adds a
# dependency on kmod-ipt-conntrack-extra through the Module template.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

# Descriptive text only; the shipped files come from the IPT_CONNTRACK_EXTRA-m
# list passed to BuildPlugin at the end of this file.
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef

# Extension package for packet content inspection; depends on kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

# Descriptive text only; the shipped files come from the IPT_FILTER-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string

endef

# Extension package for matching and changing IP packet options; depends on
# kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

# Descriptive text only; the shipped files come from the IPT_IPOPT-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef

# Extension package for matching IPsec traffic; depends on kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

# Descriptive text only; the shipped files come from the IPT_IPSEC-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef

# Extension package for additional NAT targets; depends on kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

# Descriptive text only; the shipped files come from the IPT_NAT_EXTRA-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef

# Extension package for the ULOG user-space logging target; depends on
# kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

# Descriptive text only; the shipped files come from the IPT_ULOG-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef

# Extension package for the NFLOG target; needs both the nfnetlink log
# transport (kmod-nfnetlink-log) and the target itself (kmod-ipt-nflog).
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

# Descriptive text only; the shipped files come from the IPT_NFLOG-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef

# Extension package for the NFQUEUE target; needs both the nfnetlink queue
# transport (kmod-nfnetlink-queue) and the target itself (kmod-ipt-nfqueue).
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

# Descriptive text only; the shipped files come from the IPT_NFQUEUE-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef

# Extension package for the hashlimit match; depends on kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

# Descriptive text only; the shipped files come from the IPT_HASHLIMIT-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef

# Extension package for the iprange match; depends on kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

# Descriptive text only; the shipped files come from the IPT_IPRANGE-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef

# Extension package for the cluster match; depends on kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

# Descriptive text only; the shipped files come from the IPT_CLUSTER-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef

# Extension package for the CLUSTERIP target; depends on kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

# Descriptive text only; the shipped files come from the IPT_CLUSTERIP-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef

# Extension package for miscellaneous matches; depends on kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

# Descriptive text only; the shipped files come from the IPT_EXTRA-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota

endef

# Extension package for the LED trigger target; depends on kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

# Descriptive text only; the shipped files come from the IPT_LED-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef

# Extension package for transparent proxying (socket match, TPROXY target);
# depends on kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

# Descriptive text only; the shipped files come from the IPT_TPROXY-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef

# Extension package for the TEE target; depends on kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

# Descriptive text only; the shipped files come from the IPT_TEE-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef

# Extension package for the u32 match; depends on kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

# Descriptive text only; the shipped files come from the IPT_U32-m list
# passed to BuildPlugin at the end of this file.
define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef

# IPv6 administration tool. "@IPV6" restricts the package to configurations
# with IPV6 enabled. It also depends on the base iptables package.
# CATEGORY repeats the value already set by Package/iptables/Default.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef


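# IPv6 header-matching extensions. The package is instantiated at the end of
# this file as "ip6tables-extra", so its description must use the same name.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# Previously defined as Package/ip6tables-mod-extra/description, a package name
# that no BuildPackage/BuildPlugin call in this file instantiates, so the text
# was never attached to ip6tables-extra.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef
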
# IPv6 NAT extensions; depends on ip6tables and kmod-ipt-nat6. Uses the Default
# template directly (not Module), so it does not list iptables itself.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef

# Library packages. Each overrides SECTION/CATEGORY from the Default template
# so it is listed under Libraries rather than Network.

# Compatibility stub that depends on the split libraries.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef

define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef

define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef

# No DEPENDS of its own: the other libraries and the tools depend on it.
define Package/libxtables
 $(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
endef

# Put the package's own headers and the kernel's exported user headers ahead
# of whatever include paths TARGET_CPPFLAGS already carried.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Same include paths for the C compiler, plus per-function/per-data sections
# so the linker's --gc-sections (below) can drop unreferenced code.
# NOTE(review): the effect of -DNO_LEGACY is not visible in this file; it
# presumably comes from the package's local patches. Confirm.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# Extra ./configure arguments. --with-xtlibdir is the directory from which
# xtables loads extension shared objects at run time. It must match the
# /usr/lib/iptables directory populated by the install rules in this file.
# IPv6 support is disabled when CONFIG_IPV6 is empty.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--enable-static \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Variables passed to the package's own make. BUILTIN_MODULES is the combined
# IPT_BUILTIN / IPT_CONNTRACK-m / IPT_NAT-m list with the xt_, ipt_ and ip6t_
# prefixes stripped. Those lists are not defined in this file (presumably they
# come from netfilter.mk).
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"

# Evaluated when the Makefile is parsed: if the .config_* marker found in the
# build directory is not the one expected for the current STAMP_CONFIGURED
# (with ".configured_" replaced by ".config_"), define a rebuild step that
# deletes stale objects and archives, removes the old markers and stamps, and
# creates the new marker. When the marker matches, Build/Configure/rebuild
# stays undefined and expands to nothing.
# NOTE(review): the rm -f globs are rooted at $(PKG_BUILD_DIR); this assumes
# the build system always sets it to a non-empty path. Confirm.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif

# Run the optional cleanup first, then the build system's default configure.
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef

# Install headers, shared libraries and pkg-config files for other packages to
# build against. $(1) is the destination root supplied by the caller. Headers
# are taken from both the build tree (for files upstream no longer installs)
# and the staged install tree.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef

# Install the multi-call binary and the iptables, iptables-restore and
# iptables-save entries, then create the (initially empty) extension directory
# that the plugin packages fill. $(1) is the package root.
# NOTE(review): "{,-restore,-save}" relies on shell brace expansion, so the
# recipe presumably runs under bash. Confirm the build system's SHELL.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef

# Install ip6tables, ip6tables-restore and ip6tables-save. xtables-multi is
# not copied here. It comes from the iptables package this one depends on.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef

# Library install rules. $(1) is the package root. The libiptext*.so objects
# are copied from the build tree's extensions/ directory rather than from the
# staged install tree.

define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef

define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef

define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef

define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef

# Generate the install rule for one extension package and register it.
#   $(1)  package name
#   $(2)  list of netfilter module names (the IPT_*-m lists)
#   $(3)  optional extra install commands; no call in this file passes it
# For every name in $(2) the loop tries the xt_/ipt_/ip6t_ spellings and copies
# lib<name>.so into /usr/lib/iptables only if that file exists in the staged
# install tree, so a name with no built extension is silently skipped.
# Escaping: "$(1)" is the package name, expanded when BuildPlugin is called.
# "$$(1)" survives to become the install destination that the generated rule
# receives later. The eight "$" before "{m}" are halved at each later make
# expansion so that the shell finally sees "${m}".
# NOTE(review): the exact number of expansion stages depends on BuildPackage,
# which is not in this file.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef

# Instantiate every package declared in this file. BuildPackage is not defined
# here (it is presumably provided by the included package.mk). BuildPlugin is
# defined in this file and takes the package name plus its IPT_*-m module
# list, which decides which extension .so files the package ships.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))