iptables: reduce binary size
1 #
2 # Copyright (C) 2006-2013 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
10
# Upstream release being packaged.
PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=1

# Source tarball name and the mirrors it may be fetched from.
# NOTE(review): every mirror listed is plain http:// or ftp://, so the
# transport gives no authenticity guarantee; the digest below is the only
# integrity reference visible in this file.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
# NOTE(review): MD5 is not collision resistant. Prefer a SHA-256 digest if the
# build framework supports one, and check the tarball against upstream's
# published signature or checksum (where available) before changing this value.
PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0

# Knobs read by the included OpenWrt build framework; their exact effect is
# defined there, not in this file.
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
26
# When CONFIG_EXTERNAL_KERNEL_TREE differs from the literal two-character
# string "", PATCH_DIR is emptied before package.mk is included.
# NOTE(review): presumably this stops this package's patches from being applied
# when an external kernel tree is used; confirm no security-relevant patch is
# dropped that way. An undefined CONFIG_EXTERNAL_KERNEL_TREE also differs from
# "" in this comparison; confirm the config always defines the symbol.
ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
PATCH_DIR:=
endif

include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty: read the kernel .config (optional, hence '-include')
# and netfilter.mk, then append a hash of the NETFILTER lines of the kernel
# config to STAMP_CONFIGURED, so a change in those lines changes the stamp.
# The hash is a cache key here, not an integrity control.
ifeq ($(DUMP),)
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
endif
37
38
# Shared metadata template: every package in this file expands it with
# $(call ...) and then adds or overrides fields.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=http://netfilter.org/
endef
45
# Template for extension packages: the defaults plus a dependency on the base
# iptables package. $(1) carries the extra dependencies supplied by the caller
# (the kmod-* packages in the calls below).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
50
# Base package metadata. DEPENDS uses '+=' so it appends to whatever value is
# already set; libip6tc is only pulled in when IPV6 is enabled.
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef

# Help text for the base package: the matches, targets and tables it is
# described as covering. This is descriptive text only; what is actually
# installed is decided by the install hooks further down.
define Package/iptables/description
IP firewall administration tool.

Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time

Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS

Tables:
- filter
- mangle
- nat
- raw

endef
96
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

# Help text listing the matches and targets this package is described as adding.
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

Matches:
- connbytes
- connlimit
- connmark
- recent
- helper

Targets:
- CONNMARK

endef
116
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-filter.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

# Help text: the only match listed is 'string'.
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

Matches:
- string

endef
130
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

# Help text listing the matches and targets this package is described as adding.
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl

Targets:
- DSCP
- CLASSIFY
- ECN
- HL

endef
155
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

# Help text listing the matches this package is described as adding.
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

Matches:
- ah
- esp
- policy

endef
170
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

# Help text listing the targets this package is described as adding.
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

Targets:
- MIRROR
- NETMAP
endef
183
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

# Help text: the only target listed is ULOG.
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

Targets:
- ULOG

endef
196
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

# Help text: names libxt_NFLOG as the included extension library.
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.

Includes:
- libxt_NFLOG

endef
209
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-nfnetlink-queue and kmod-ipt-nfqueue.
# NOTE(review): NFQUEUE hands the verdict on a packet to a user-space program;
# rules that use it should be reviewed for what happens to traffic when no
# program is bound to the queue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

# Help text: names libxt_NFQUEUE as the included extension library.
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.

Includes:
- libxt_NFQUEUE

endef
222
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

# Help text: the only match listed is hashlimit.
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

Matches:
- hashlimit

endef
235
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

# Help text: the only match listed is iprange.
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

Matches:
- iprange

endef
248
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

# Help text for the cluster match. Per this text every node sees every packet
# and the match alone decides which node handles it, so the rule set has to be
# consistent across all nodes.
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.

Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.

This module is usable for ipv4 and ipv6.

If you select it, it enables kmod-ipt-cluster.

see `iptables -m cluster --help` for more information.
endef
272
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

# Help text for the CLUSTERIP target.
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

If you select it, it enables kmod-ipt-clusterip.

see `iptables -j CLUSTERIP --help` for more information.
endef
288
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

# Help text listing the matches this package is described as adding; physdev
# is stated to depend on ebtables being enabled.
define Package/iptables-mod-extra/description
Other extra iptables extensions.

Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota

endef
306
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

# Help text: the only target listed is LED.
define Package/iptables-mod-led/description
iptables extension for triggering a LED.

Targets:
- LED

endef
319
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

# Help text listing the match and target this package is described as adding.
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

Matches:
- socket

Targets:
- TPROXY

endef
335
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-tee.
# NOTE(review): TEE rules duplicate packets towards another host, so they
# deserve the same review as any other path that exports traffic.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

# Help text: the only target listed is TEE.
define Package/iptables-mod-tee/description
TEE iptables extensions.

Targets:
- TEE

endef
348
# Extension package built from Package/iptables/Module; additionally depends
# on kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

# Help text: the only match listed is u32.
define Package/iptables-mod-u32/description
U32 iptables extensions.

Matches:
- u32

endef
361
# IPv6 front-end package: requires IPV6 ('@IPV6') and pulls in kmod-ip6tables
# and the base iptables package. CATEGORY:=Network repeats the value already
# supplied by Package/iptables/Default.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
369
370
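# IPv6 header-matching extension package: depends on ip6tables and pulls in
# kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# Help text for ip6tables-extra. The define has to be keyed by the package
# name that is actually declared above and instantiated at the bottom of the
# file (ip6tables-extra); under the former name ip6tables-mod-extra it matched
# no package in this file, leaving ip6tables-extra without a description.
define Package/ip6tables-extra/description
iptables header matching modules for IPv6
endef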
380
# IPv6 NAT extension package: depends on ip6tables and pulls in kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

# Help text for ip6tables-mod-nat.
define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
390
# Compatibility stub library package (per its title): overrides SECTION and
# CATEGORY from the defaults and depends on the split libip4tc, libip6tc and
# libxtables packages.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc +libxtables
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
398
# IPv4 libiptc shared library package; depends on libxtables.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef
406
# IPv6 libiptc shared library package; depends on libxtables.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  DEPENDS:=+libxtables
endef
414
# Shared xtables library package; declares no dependencies of its own.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
endef
421
# Put the package's own headers and the kernel user headers ahead of the
# inherited preprocessor flags.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# -ffunction-sections/-fdata-sections place each function and data object in
# its own section so the linker option below can discard unreferenced ones.
# The meaning of -DNO_LEGACY is defined by the sources, not visible here.
# NOTE(review): only size-related flags are added in this file; any hardening
# flags would have to come from the inherited TARGET_CFLAGS/TARGET_LDFLAGS,
# which are not visible here.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections \
	-DNO_LEGACY

# Ask the linker to garbage-collect unused sections.
TARGET_LDFLAGS += \
	-Wl,--gc-sections

# Configure options: shared and static builds are both enabled, extensions are
# installed under /usr/lib/iptables, and IPv6 support is disabled whenever
# CONFIG_IPV6 is empty.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--enable-static \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Variables passed to the package's make invocation. BUILTIN_MODULES is the
# combined IPT_BUILTIN, IPT_CONNTRACK-m and IPT_NAT-m lists with any xt_, ipt_
# or ip6t_ prefix stripped; those lists are not defined in this file
# (presumably they come from netfilter.mk).
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
450
# Development install hook: copies headers, shared libraries and pkg-config
# files into the tree rooted at $(1). Some headers and the libiptext*.so
# libraries are taken straight from the build directory rather than from
# PKG_INSTALL_DIR, as the XXX comments in the recipe explain.
# NOTE(review): the globs are unquoted and a pattern that matches nothing is
# passed to $(CP) literally; whether that fails the build depends on how CP is
# defined, which is not visible here.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
474
# Install hook for the base package: copies xtables-multi and the iptables,
# iptables-restore and iptables-save entries into $(1)/usr/sbin and creates an
# empty $(1)/usr/lib/iptables directory for extension libraries.
# NOTE(review): the {,-restore,-save} form relies on shell brace expansion,
# which plain POSIX sh does not provide; confirm the recipe shell is bash.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
481
# Install hook for ip6tables: copies the ip6tables, ip6tables-restore and
# ip6tables-save entries into $(1)/usr/sbin.
# NOTE(review): relies on shell brace expansion; confirm the recipe shell is bash.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
486
# Install hook for the libiptc compatibility package: copies libiptc.so* into
# $(1)/usr/lib.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
491
# Install hook for libip4tc: copies libip4tc.so* from the install tree and
# libiptext4.so from the build directory's extensions/ into $(1)/usr/lib.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
497
# Install hook for libip6tc: copies libip6tc.so* from the install tree and
# libiptext6.so from the build directory's extensions/ into $(1)/usr/lib.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
503
# Install hook for libxtables: copies libxtables.so* from the install tree and
# libiptext.so from the build directory's extensions/ into $(1)/usr/lib.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
509
# BuildPlugin(package name, module list[, extra recipe lines])
# Generates the install hook for an extension package and then instantiates
# the package with BuildPackage.
#   $(1)  package name
#   $(2)  module names; each one is tried under its xt_, ipt_ and ip6t_
#         spellings, and lib<name>.so is copied into usr/lib/iptables when the
#         file exists in PKG_INSTALL_DIR
#   $(3)  optional extra recipe text appended to the hook (every call in this
#         file passes two arguments, so it expands to nothing)
# The doubled and eightfold '$' signs survive the nested call/eval expansions
# so that the inner $(1) and the shell variable m are resolved late, not at
# this definition.
# NOTE(review): a module whose library is missing is skipped without any
# message, so a plugin package can be produced without the library its rules
# need; consider failing or warning on a miss.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
523
# Instantiate every package defined above. Packages with a hand-written
# install hook go through BuildPackage directly; extension packages go through
# BuildPlugin with their module list (the IPT_*-m variables, which are not
# defined in this file, presumably in netfilter.mk).
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))