iptables: bump to 1.6.1
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Package identity: upstream release and OpenWrt package revision.
PKG_NAME:=iptables
PKG_VERSION:=1.6.1
PKG_RELEASE:=1

# Source provenance. The tree is fetched over HTTPS from the upstream git
# repository and pinned to one full commit id rather than a branch or tag
# name, so a ref that moves upstream cannot change what gets built.
# PKG_MIRROR_HASH is the expected hash of the source archive packed from that
# checkout (64 hex digits, i.e. SHA-256 sized); it has to be regenerated
# together with PKG_SOURCE_VERSION, never edited on its own.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

# A git checkout ships no generated configure script, so autoreconf is run.
PKG_FIXUP:=autoreconf

# PKG_INSTALL stages "make install" output under $(PKG_INSTALL_DIR), which the
# install recipes further down copy from.
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
25
include $(INCLUDE_DIR)/package.mk
# The kernel tree is only consulted when DUMP is empty (presumably: not during
# the package metadata dump pass — confirm against package.mk).
ifeq ($(DUMP),)
  # Leading '-': a missing kernel .config is tolerated rather than fatal.
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  # Append a digest of the kernel config's NETFILTER lines to the configure
  # stamp, so a change in kernel netfilter options yields a different stamp
  # name. The MD5 here is a change-detection key over local build state, not
  # an integrity or authenticity check.
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
endif
32
33
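# Metadata shared by every package defined in this Makefile: menu placement
# (section, category, submenu) and the upstream project URL.
# The URL uses https, matching the https source URL used for the git fetch,
# so the advertised project link is not a plain-HTTP one.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=https://netfilter.org/
endef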
40
# Template for the iptables-mod-* extension packages.
# $(1): additional dependency specification (typically "+kmod-ipt-<name>"),
#       appended after the fixed dependency on the iptables package itself.
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
45
# The main iptables package. MENU:=1 turns it into a menu that hosts the
# options from Package/iptables/config. It selects the core kernel module
# package plus the shared libraries; libip6tc is only pulled in when IPV6 is
# enabled.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
52
# Build-time options, both off by default. They become CONFIG_IPTABLES_CONNLABEL
# and CONFIG_IPTABLES_NFTABLES, which CONFIGURE_ARGS tests to decide whether to
# pass --disable-connlabel / --disable-nftables, and which gate the extra
# library dependencies of libxtables.
define Package/iptables/config
  config IPTABLES_CONNLABEL
	bool "Enable Connlabel support"
	default n
	help
		This enable connlabel support in iptables.

  config IPTABLES_NFTABLES
	bool "Enable Nftables support"
	default n
	help
		This enable nftables support in iptables.
endef
66
# Long description of the base package: the matches, targets and tables that
# are listed as part of the core install. Everything between define and endef
# is description text shown to the user, so no comments go inside it.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef
105
# iptables-mod-conntrack-extra: additional connection-tracking matches and the
# CONNMARK target; depends on iptables and selects kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef
125
# iptables-mod-filter: payload inspection (the string match); depends on
# iptables and selects kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string

endef
139
# iptables-mod-ipopt: matches and targets that read or rewrite IP/packet
# options; depends on iptables and selects kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef
164
# iptables-mod-ipsec: matches for IPsec traffic (ah, esp, policy); depends on
# iptables and selects kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef
179
# iptables-mod-nat-extra: additional NAT targets; depends on iptables and
# selects kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef
192
# iptables-mod-ulog: the ULOG target for logging packets to user space;
# depends on iptables and selects kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef
205
# iptables-mod-nflog: the NFLOG target (logging over nfnetlink); depends on
# iptables and selects both kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef
218
# iptables-mod-nfqueue: the NFQUEUE target, which hands packets to a
# user-space program over nfnetlink; depends on iptables and selects both
# kmod-nfnetlink-queue and kmod-ipt-nfqueue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef
231
# iptables-mod-hashlimit: the hashlimit match; depends on iptables and selects
# kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef
244
# iptables-mod-iprange: the iprange match; depends on iptables and selects
# kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef
257
# iptables-mod-cluster: the cluster match; depends on iptables and selects
# kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

# User-visible description text (kept verbatim). Per this text every node
# sees every packet and the match decides which node handles it.
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
281
# iptables-mod-clusterip: the CLUSTERIP target; depends on iptables and
# selects kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
297
# iptables-mod-extra: assorted matches that fit no other extension package;
# depends on iptables and selects kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota

endef
315
# iptables-mod-led: the LED target; depends on iptables and selects
# kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef
328
# iptables-mod-tproxy: transparent-proxy support (socket match, TPROXY
# target); depends on iptables and selects kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef
344
# iptables-mod-tee: the TEE target; depends on iptables and selects
# kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef
357
# iptables-mod-u32: the u32 match; depends on iptables and selects
# kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

# User-visible description text (kept verbatim).
define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef
370
# The IPv6 front end. "@IPV6" makes the package available only when IPv6
# support is enabled; it selects kmod-ip6tables and the iptables package.
# CATEGORY repeats the value already set by Package/iptables/Default.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
378
379
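# ip6tables-extra: IPv6 header matching extensions; requires ip6tables and
# selects kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# The description is keyed on the registered package name (ip6tables-extra,
# the name passed to BuildPlugin at the end of this file). Under the former
# name Package/ip6tables-mod-extra/description it matched no package and was
# never attached to anything.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef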
389
# ip6tables-mod-nat: IPv6 NAT targets; requires ip6tables and selects
# kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

# User-visible description text (kept verbatim).
define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
399
# libiptc: compatibility stub (see TITLE) that selects the three split
# libraries. SECTION/CATEGORY override the firewall defaults so the package is
# listed under Libraries.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
407
# libip4tc: the IPv4 libiptc shared library; selects libxtables.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef
415
# libip6tc: the IPv6 libiptc shared library; selects libxtables.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef
423
# libxtables: the shared xtables library. Its two dependencies are
# conditional: libnetfilter-conntrack is pulled in only with
# IPTABLES_CONNLABEL, libnfnetlink only with IPTABLES_NFTABLES, mirroring the
# --disable-connlabel / --disable-nftables switches in CONFIGURE_ARGS.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
  DEPENDS:= \
	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
	+IPTABLES_NFTABLES:libnfnetlink
endef
433
# Put the package's own headers and the kernel user headers in front of the
# include paths the build system already supplies.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# -ffunction-sections/-fdata-sections pair with -Wl,--gc-sections below so the
# linker can drop unreferenced sections.
# NOTE(review): no hardening options are added in this file; presumably they
# come from the global toolchain configuration — confirm.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# --with-xtlibdir is the extension directory given to configure; it is the
# same /usr/lib/iptables path that the install recipes below populate.
# The three $(if ...) lines emit a --disable-* switch only when the matching
# CONFIG_ symbol is empty, so connlabel, nftables and IPv6 support are each
# left out unless explicitly enabled.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Variables handed to the package's own make. BUILTIN_MODULES is the list from
# IPT_BUILTIN, IPT_CONNTRACK-m and IPT_NAT-m with the xt_/ipt_/ip6t_ prefixes
# stripped.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
464
# Stale-build detection. The .config_* marker found in the build directory is
# compared with the name derived from the current STAMP_CONFIGURED (which
# carries the kernel-netfilter digest). Only on a mismatch is the rebuild step
# defined; otherwise Build/Configure/rebuild stays undefined and expands to
# nothing inside Build/Configure.
# The step deletes object files and static archives, removes the old marker
# and configure stamps, and writes the new marker.
# NOTE(review): the find/rm paths are built from an unquoted $(PKG_BUILD_DIR);
# this relies on the build system always setting it to a non-empty path
# without spaces — an empty value would aim the rm at /.config_*.
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
	rm -f $(PKG_BUILD_DIR)/.config_*
	rm -f $(PKG_BUILD_DIR)/.configured_*
	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
endif
473
# Configure step: first the conditional cleanup (empty when no rebuild is
# needed), then the build system's default configure.
define Build/Configure
$(Build/Configure/rebuild)
$(Build/Configure/Default)
endef
478
# Stage headers, shared libraries and pkg-config files for other packages to
# build against. $(1) is the staging root.
# Some headers are copied straight from the build tree because "make install"
# no longer ships them (see the XXX note in the recipe); the libiptext*.so
# libraries are likewise taken from the build tree's extensions/ directory,
# for firewall3.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
502
# Files of the iptables package. $(1) is the package root.
# Copies xtables-multi plus the iptables, iptables-restore and iptables-save
# entries; "{,-restore,-save}" is shell brace expansion, so the recipe needs a
# shell that supports it (bash).
# /usr/lib/iptables is created empty here; the extension packages generated by
# BuildPlugin install their libraries into it.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
509
# Files of the ip6tables package: the ip6tables, ip6tables-restore and
# ip6tables-save entries (brace expansion again, so a bash-style shell is
# needed). xtables-multi itself is shipped by the iptables package.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
514
# Files of the libiptc compatibility package: every libiptc.so* entry from the
# staged install.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
519
# Files of libip4tc: the staged libip4tc.so* entries plus libiptext4.so, which
# is taken from the build tree's extensions/ directory rather than from the
# staged install.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
525
# Files of libip6tc: the staged libip6tc.so* entries plus libiptext6.so, which
# is taken from the build tree's extensions/ directory rather than from the
# staged install.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
531
# Files of libxtables: the staged libxtables.so* entries plus libiptext.so,
# which is taken from the build tree's extensions/ directory rather than from
# the staged install.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
537
# Template that generates the install recipe for one extension package and
# then registers the package with BuildPackage.
#   $(1): package name (e.g. iptables-mod-filter)
#   $(2): list of extension module names for that package
#   $(3): optional extra recipe text appended after the copy loop
# For every name in $(2) the loop tries the xt_, ipt_ and ip6t_ spellings and
# copies lib<name>.so from the staged /usr/lib/iptables into the package.
# The "[ -f ... ]" test means a library that was not built is skipped without
# an error, so the package can come out missing an extension it is expected
# to carry; check the package contents when a rule fails to load.
# The doubled and eight-fold '$' are escapes that have to survive several
# expansion passes (this template is call/eval'ed, and the generated install
# recipe is expanded again later) so that the shell finally sees ${m} —
# TODO confirm the exact number of passes against package.mk.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
551
# Package registration. Packages with a hand-written install recipe go through
# BuildPackage directly; extension packages go through BuildPlugin, which
# receives the package name and the module list for it (the IPT_*-m variables,
# presumably provided by netfilter.mk — confirm).
# Every name registered here must match a "define Package/<name>" block above,
# including its /description.
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))