projects / openwrt / staging / wigyori.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
iptables: split physdev match out as a separate package
[openwrt/staging/wigyori.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2016 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
11 PKG_NAME:=iptables
12 PKG_VERSION:=1.6.2
13 PKG_RELEASE:=1
14
15 PKG_SOURCE_PROTO:=git
16 PKG_SOURCE_URL:=https://git.netfilter.org/iptables
17 PKG_SOURCE_VERSION:=c16bdec15137b241586310d0e61bc88cc3726004
18 PKG_MIRROR_HASH:=72e4bec94a56dd600097846c773e1074ff705e38f800ef221db646c064371a53
19
20 PKG_FIXUP:=autoreconf
21
22 PKG_INSTALL:=1
23 PKG_BUILD_PARALLEL:=1
24 PKG_LICENSE:=GPL-2.0
25 PKG_CPE_ID:=cpe:/a:netfilter_core_team:iptables
26
27 include $(INCLUDE_DIR)/package.mk
28 ifeq ($(DUMP),)
29 -include $(LINUX_DIR)/.config
30 include $(INCLUDE_DIR)/netfilter.mk
31 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | mkhash md5)
32 endif
33
34
35 define Package/iptables/Default
36 SECTION:=net
37 CATEGORY:=Network
38 SUBMENU:=Firewall
39 URL:=http://netfilter.org/
40 endef
41
42 define Package/iptables/Module
43 $(call Package/iptables/Default)
44 DEPENDS:=iptables $(1)
45 endef
46
47 define Package/iptables
48 $(call Package/iptables/Default)
49 TITLE:=IP firewall administration tool
50 MENU:=1
51 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
52 endef
53
54 define Package/iptables/config
55 config IPTABLES_CONNLABEL
56 bool "Enable Connlabel support"
57 default n
58 help
59 This enable connlabel support in iptables.
60
61 config IPTABLES_NFTABLES
62 bool "Enable Nftables support"
63 default n
64 help
65 This enable nftables support in iptables.
66 endef
67
68 define Package/iptables/description
69 IP firewall administration tool.
70
71 Matches:
72 - icmp
73 - tcp
74 - udp
75 - comment
76 - conntrack
77 - limit
78 - mac
79 - mark
80 - multiport
81 - set
82 - state
83 - time
84
85 Targets:
86 - ACCEPT
87 - CT
88 - DNAT
89 - DROP
90 - REJECT
91 - LOG
92 - MARK
93 - MASQUERADE
94 - REDIRECT
95 - SET
96 - SNAT
97 - TCPMSS
98
99 Tables:
100 - filter
101 - mangle
102 - nat
103 - raw
104
105 endef
106
107 define Package/iptables-mod-conntrack-extra
108 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
109 TITLE:=Extra connection tracking extensions
110 endef
111
112 define Package/iptables-mod-conntrack-extra/description
113 Extra iptables extensions for connection tracking.
114
115 Matches:
116 - connbytes
117 - connlimit
118 - connmark
119 - recent
120 - helper
121
122 Targets:
123 - CONNMARK
124
125 endef
126
127 define Package/iptables-mod-conntrack-label
128 $(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
129 TITLE:=Connection tracking labeling extension
130 DEFAULT:=y if IPTABLES_CONNLABEL
131 endef
132
133 define Package/iptables-mod-conntrack-label/description
134 Match and set label(s) on connection tracking entries
135
136 Matches:
137 - connlabel
138
139 endef
140
141 define Package/iptables-mod-filter
142 $(call Package/iptables/Module, +kmod-ipt-filter)
143 TITLE:=Content inspection extensions
144 endef
145
146 define Package/iptables-mod-filter/description
147 iptables extensions for packet content inspection.
148 Includes support for:
149
150 Matches:
151 - string
152
153 endef
154
155 define Package/iptables-mod-ipopt
156 $(call Package/iptables/Module, +kmod-ipt-ipopt)
157 TITLE:=IP/Packet option extensions
158 endef
159
160 define Package/iptables-mod-ipopt/description
161 iptables extensions for matching/changing IP packet options.
162
163 Matches:
164 - dscp
165 - ecn
166 - length
167 - statistic
168 - tcpmss
169 - unclean
170 - hl
171
172 Targets:
173 - DSCP
174 - CLASSIFY
175 - ECN
176 - HL
177
178 endef
179
180 define Package/iptables-mod-ipsec
181 $(call Package/iptables/Module, +kmod-ipt-ipsec)
182 TITLE:=IPsec extensions
183 endef
184
185 define Package/iptables-mod-ipsec/description
186 iptables extensions for matching ipsec traffic.
187
188 Matches:
189 - ah
190 - esp
191 - policy
192
193 endef
194
195 define Package/iptables-mod-nat-extra
196 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
197 TITLE:=Extra NAT extensions
198 endef
199
200 define Package/iptables-mod-nat-extra/description
201 iptables extensions for extra NAT targets.
202
203 Targets:
204 - MIRROR
205 - NETMAP
206 endef
207
208 define Package/iptables-mod-ulog
209 $(call Package/iptables/Module, +kmod-ipt-ulog)
210 TITLE:=user-space packet logging
211 endef
212
213 define Package/iptables-mod-ulog/description
214 iptables extensions for user-space packet logging.
215
216 Targets:
217 - ULOG
218
219 endef
220
221 define Package/iptables-mod-nflog
222 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
223 TITLE:=Netfilter NFLOG target
224 endef
225
226 define Package/iptables-mod-nflog/description
227 iptables extension for user-space logging via NFNETLINK.
228
229 Includes:
230 - libxt_NFLOG
231
232 endef
233
234 define Package/iptables-mod-trace
235 $(call Package/iptables/Module, +kmod-ipt-debug)
236 TITLE:=Netfilter TRACE target
237 endef
238
239 define Package/iptables-mod-trace/description
240 iptables extension for TRACE target
241
242 Includes:
243 - libxt_TRACE
244
245 endef
246
247
248 define Package/iptables-mod-nfqueue
249 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
250 TITLE:=Netfilter NFQUEUE target
251 endef
252
253 define Package/iptables-mod-nfqueue/description
254 iptables extension for user-space queuing via NFNETLINK.
255
256 Includes:
257 - libxt_NFQUEUE
258
259 endef
260
261 define Package/iptables-mod-hashlimit
262 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
263 TITLE:=hashlimit matching
264 endef
265
266 define Package/iptables-mod-hashlimit/description
267 iptables extensions for hashlimit matching
268
269 Matches:
270 - hashlimit
271
272 endef
273
274 define Package/iptables-mod-rpfilter
275 $(call Package/iptables/Module, +kmod-ipt-rpfilter)
276 TITLE:=rpfilter iptables extension
277 endef
278
279 define Package/iptables-mod-rpfilter/description
280 iptables extensions for reverse path filter test on a packet
281
282 Matches:
283 - rpfilter
284
285 endef
286
287 define Package/iptables-mod-iprange
288 $(call Package/iptables/Module, +kmod-ipt-iprange)
289 TITLE:=IP range extension
290 endef
291
292 define Package/iptables-mod-iprange/description
293 iptables extensions for matching ip ranges.
294
295 Matches:
296 - iprange
297
298 endef
299
300 define Package/iptables-mod-cluster
301 $(call Package/iptables/Module, +kmod-ipt-cluster)
302 TITLE:=Match cluster extension
303 endef
304
305 define Package/iptables-mod-cluster/description
306 iptables extensions for matching cluster.
307
308 Netfilter (IPv4/IPv6) module for matching cluster
309 This option allows you to build work-load-sharing clusters of
310 network servers/stateful firewalls without having a dedicated
311 load-balancing router/server/switch. Basically, this match returns
312 true when the packet must be handled by this cluster node. Thus,
313 all nodes see all packets and this match decides which node handles
314 what packets. The work-load sharing algorithm is based on source
315 address hashing.
316
317 This module is usable for ipv4 and ipv6.
318
319 If you select it, it enables kmod-ipt-cluster.
320
321 see `iptables -m cluster --help` for more information.
322 endef
323
324 define Package/iptables-mod-clusterip
325 $(call Package/iptables/Module, +kmod-ipt-clusterip)
326 TITLE:=Clusterip extension
327 endef
328
329 define Package/iptables-mod-clusterip/description
330 iptables extensions for CLUSTERIP.
331 The CLUSTERIP target allows you to build load-balancing clusters of
332 network servers without having a dedicated load-balancing
333 router/server/switch.
334
335 If you select it, it enables kmod-ipt-clusterip.
336
337 see `iptables -j CLUSTERIP --help` for more information.
338 endef
339
340 define Package/iptables-mod-extra
341 $(call Package/iptables/Module, +kmod-ipt-extra)
342 TITLE:=Other extra iptables extensions
343 endef
344
345 define Package/iptables-mod-extra/description
346 Other extra iptables extensions.
347
348 Matches:
349 - addrtype
350 - condition
351 - owner
352 - pkttype
353 - quota
354
355 endef
356
357 define Package/iptables-mod-physdev
358 $(call Package/iptables/Module, +kmod-ipt-physdev)
359 TITLE:=physdev iptables extension
360 endef
361
362 define Package/iptables-mod-physdev/description
363 The iptables physdev match.
364 endef
365
366 define Package/iptables-mod-led
367 $(call Package/iptables/Module, +kmod-ipt-led)
368 TITLE:=LED trigger iptables extension
369 endef
370
371 define Package/iptables-mod-led/description
372 iptables extension for triggering a LED.
373
374 Targets:
375 - LED
376
377 endef
378
379 define Package/iptables-mod-tproxy
380 $(call Package/iptables/Module, +kmod-ipt-tproxy)
381 TITLE:=Transparent proxy iptables extensions
382 endef
383
384 define Package/iptables-mod-tproxy/description
385 Transparent proxy iptables extensions.
386
387 Matches:
388 - socket
389
390 Targets:
391 - TPROXY
392
393 endef
394
395 define Package/iptables-mod-tee
396 $(call Package/iptables/Module, +kmod-ipt-tee)
397 TITLE:=TEE iptables extensions
398 endef
399
400 define Package/iptables-mod-tee/description
401 TEE iptables extensions.
402
403 Targets:
404 - TEE
405
406 endef
407
408 define Package/iptables-mod-u32
409 $(call Package/iptables/Module, +kmod-ipt-u32)
410 TITLE:=U32 iptables extensions
411 endef
412
413 define Package/iptables-mod-u32/description
414 U32 iptables extensions.
415
416 Matches:
417 - u32
418
419 endef
420
421 define Package/iptables-mod-checksum
422 $(call Package/iptables/Module, +kmod-ipt-checksum)
423 TITLE:=IP CHECKSUM target extension
424 endef
425
426 define Package/iptables-mod-checksum/description
427 iptables extension for the CHECKSUM calculation target
428 endef
429
430 define Package/ip6tables
431 $(call Package/iptables/Default)
432 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
433 CATEGORY:=Network
434 TITLE:=IPv6 firewall administration tool
435 MENU:=1
436 endef
437
438
439 define Package/ip6tables-extra
440 $(call Package/iptables/Default)
441 DEPENDS:=ip6tables +kmod-ip6tables-extra
442 TITLE:=IPv6 header matching modules
443 endef
444
445 define Package/ip6tables-mod-extra/description
446 iptables header matching modules for IPv6
447 endef
448
449 define Package/ip6tables-mod-nat
450 $(call Package/iptables/Default)
451 DEPENDS:=ip6tables +kmod-ipt-nat6
452 TITLE:=IPv6 NAT extensions
453 endef
454
455 define Package/ip6tables-mod-nat/description
456 iptables extensions for IPv6-NAT targets.
457 endef
458
459 define Package/libiptc
460 $(call Package/iptables/Default)
461 SECTION:=libs
462 CATEGORY:=Libraries
463 DEPENDS:=+libip4tc +libip6tc +libxtables
464 ABI_VERSION:=$(PKG_VERSION)
465 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
466 endef
467
468 define Package/libip4tc
469 $(call Package/iptables/Default)
470 SECTION:=libs
471 CATEGORY:=Libraries
472 TITLE:=IPv4 firewall - shared libiptc library
473 ABI_VERSION:=$(PKG_VERSION)
474 DEPENDS:=+libxtables
475 endef
476
477 define Package/libip6tc
478 $(call Package/iptables/Default)
479 SECTION:=libs
480 CATEGORY:=Libraries
481 TITLE:=IPv6 firewall - shared libiptc library
482 ABI_VERSION:=$(PKG_VERSION)
483 DEPENDS:=+libxtables
484 endef
485
486 define Package/libxtables
487 $(call Package/iptables/Default)
488 SECTION:=libs
489 CATEGORY:=Libraries
490 TITLE:=IPv4/IPv6 firewall - shared xtables library
491 ABI_VERSION:=$(PKG_VERSION)
492 DEPENDS:= \
493 +IPTABLES_CONNLABEL:libnetfilter-conntrack \
494 +IPTABLES_NFTABLES:libnftnl
495 endef
496
497 TARGET_CPPFLAGS := \
498 -I$(PKG_BUILD_DIR)/include \
499 -I$(LINUX_DIR)/user_headers/include \
500 $(TARGET_CPPFLAGS)
501
502 TARGET_CFLAGS += \
503 -I$(PKG_BUILD_DIR)/include \
504 -I$(LINUX_DIR)/user_headers/include \
505 -ffunction-sections -fdata-sections \
506 -DNO_LEGACY
507
508 TARGET_LDFLAGS += \
509 -Wl,--gc-sections
510
511 CONFIGURE_ARGS += \
512 --enable-shared \
513 --enable-static \
514 --enable-devel \
515 --with-kernel="$(LINUX_DIR)/user_headers" \
516 --with-xtlibdir=/usr/lib/iptables \
517 --with-xt-lock-name=/var/run/xtables.lock \
518 $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
519 $(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
520 $(if $(CONFIG_IPV6),,--disable-ipv6)
521
522 MAKE_FLAGS := \
523 $(TARGET_CONFIGURE_OPTS) \
524 COPT_FLAGS="$(TARGET_CFLAGS)" \
525 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
526 KBUILD_OUTPUT="$(LINUX_DIR)" \
527 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
528
529 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
530 define Build/Configure/rebuild
531 $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
532 rm -f $(PKG_BUILD_DIR)/.config_*
533 rm -f $(PKG_BUILD_DIR)/.configured_*
534 touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
535 endef
536 endif
537
538 define Build/Configure
539 $(Build/Configure/rebuild)
540 $(Build/Configure/Default)
541 endef
542
543 define Build/InstallDev
544 $(INSTALL_DIR) $(1)/usr/include
545 $(INSTALL_DIR) $(1)/usr/include/iptables
546 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
547
548 # XXX: iptables header fixup, some headers are not installed by iptables anymore
549 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
550 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
551 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
552 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
553 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
554
555 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
556 $(INSTALL_DIR) $(1)/usr/lib
557 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
558 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
559 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
560 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
561 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
562
563 # XXX: needed by firewall3
564 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
565 endef
566
567 define Package/iptables/install
568 $(INSTALL_DIR) $(1)/usr/sbin
569 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
570 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
571 $(INSTALL_DIR) $(1)/usr/lib/iptables
572 endef
573
574 define Package/ip6tables/install
575 $(INSTALL_DIR) $(1)/usr/sbin
576 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
577 endef
578
579 define Package/libiptc/install
580 $(INSTALL_DIR) $(1)/usr/lib
581 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
582 endef
583
584 define Package/libip4tc/install
585 $(INSTALL_DIR) $(1)/usr/lib
586 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
587 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
588 endef
589
590 define Package/libip6tc/install
591 $(INSTALL_DIR) $(1)/usr/lib
592 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
593 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
594 endef
595
596 define Package/libxtables/install
597 $(INSTALL_DIR) $(1)/usr/lib
598 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
599 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
600 endef
601
602 define BuildPlugin
603 define Package/$(1)/install
604 $(INSTALL_DIR) $$(1)/usr/lib/iptables
605 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
606 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
607 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
608 fi; \
609 done
610 $(3)
611 endef
612
613 $$(eval $$(call BuildPackage,$(1)))
614 endef
615
616 $(eval $(call BuildPackage,iptables))
617 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
618 $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
619 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
620 $(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
621 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
622 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
623 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
624 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
625 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
626 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
627 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
628 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
629 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
630 $(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
631 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
632 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
633 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
634 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
635 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
636 $(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
637 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
638 $(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
639 $(eval $(call BuildPackage,ip6tables))
640 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
641 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
642 $(eval $(call BuildPackage,libiptc))
643 $(eval $(call BuildPackage,libip4tc))
644 $(eval $(call BuildPackage,libip6tc))
645 $(eval $(call BuildPackage,libxtables))
Staging tree of Zoltan Herpai