iptables: revert r40916
[openwrt/svn-archive/archive.git] / package / network / utils / iptables / Makefile
1 #
2 # Copyright (C) 2006-2013 OpenWrt.org
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
# Shared build-system includes. TOPDIR and INCLUDE_DIR are not set in this
# file; kernel.mk presumably supplies LINUX_DIR, which is used further down.
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

# Upstream package identity; PKG_SOURCE below is derived from these.
PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=1

# Source tarball and the mirrors it may be fetched from.
# NOTE(review): every mirror listed is plain HTTP or FTP, so the transport
# gives no authenticity guarantee. The only check on the download is
# PKG_MD5SUM, and MD5 is not collision-resistant: treat it as a corruption
# check rather than protection against a tampered mirror. Pin a stronger
# digest and an authenticated source if the build system in use supports
# them (TODO confirm).
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0

# Build knobs and license tag; these are consumed by the included build-system
# makefiles, not by anything in this file.
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
26
# PATCH_DIR is emptied whenever CONFIG_EXTERNAL_KERNEL_TREE is anything other
# than the literal two-character string "".
# NOTE(review): presumably this stops the package's local patches from being
# applied against an external kernel tree; any fix carried as a patch would be
# dropped as well - confirm this is intended.
ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
  PATCH_DIR:=
endif

include $(INCLUDE_DIR)/package.mk
# The kernel-dependent setup below is skipped when DUMP is non-empty.
ifeq ($(DUMP),)
  # Leading '-': a missing kernel .config is not an error.
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  # Append a digest of the kernel .config lines containing 'NETFILTER' to the
  # configure stamp, so a change in those lines produces a different stamp
  # name. md5s is presumably a helper made available through SH_FUNC. MD5 is
  # used here only as a change fingerprint, not as an integrity control.
  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
endif
37
38
# Menu metadata shared by every package in this Makefile; the package
# definitions below start from it via $(call ...) and override fields after.
define Package/iptables/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  URL:=http://netfilter.org/
endef

# Template for extension packages: the shared defaults plus a dependency on
# iptables and on whatever extra dependencies are passed as $(1).
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
50
# Base iptables package. MENU:=1 gives it its own submenu; libip6tc is only
# pulled in when IPV6 is selected (the "+IPV6:" conditional dependency).
define Package/iptables
$(call Package/iptables/Default)
  TITLE:=IP firewall administration tool
  MENU:=1
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef

# Help text for the base package: the matches, targets and tables it lists as
# available without any iptables-mod-* package.
define Package/iptables/description
 IP firewall administration tool.

 Matches:
  - icmp
  - tcp
  - udp
  - comment
  - conntrack
  - limit
  - mac
  - mark
  - multiport
  - set
  - state
  - time

 Targets:
  - ACCEPT
  - CT
  - DNAT
  - DROP
  - REJECT
  - LOG
  - MARK
  - MASQUERADE
  - REDIRECT
  - SET
  - SNAT
  - TCPMSS

 Tables:
  - filter
  - mangle
  - nat
  - raw

endef
96
# Extension package built from the Module template; additionally depends on
# kmod-ipt-conntrack-extra.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

# Help text listing the matches and targets this package documents.
define Package/iptables-mod-conntrack-extra/description
 Extra iptables extensions for connection tracking.

 Matches:
  - connbytes
  - connlimit
  - connmark
  - recent
  - helper

 Targets:
  - CONNMARK

endef
116
# Extension package built from the Module template; additionally depends on
# kmod-ipt-filter. Its BuildPlugin call also passes L7_INSTALL as an extra
# install step.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

# Help text listing the content-inspection matches this package documents.
define Package/iptables-mod-filter/description
 iptables extensions for packet content inspection.
 Includes support for:

 Matches:
  - layer7
  - string

endef
131
# Extension package built from the Module template; additionally depends on
# kmod-ipt-ipopt.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

# Help text listing the matches and targets this package documents.
define Package/iptables-mod-ipopt/description
 iptables extensions for matching/changing IP packet options.

 Matches:
  - dscp
  - ecn
  - length
  - statistic
  - tcpmss
  - unclean
  - hl

 Targets:
  - DSCP
  - CLASSIFY
  - ECN
  - HL

endef
156
# Extension package built from the Module template; additionally depends on
# kmod-ipt-ipsec.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

# Help text listing the IPsec-related matches this package documents.
define Package/iptables-mod-ipsec/description
 iptables extensions for matching ipsec traffic.

 Matches:
  - ah
  - esp
  - policy

endef
171
# Extension package built from the Module template; additionally depends on
# kmod-ipt-nat-extra.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

# Help text listing the additional NAT targets this package documents.
define Package/iptables-mod-nat-extra/description
 iptables extensions for extra NAT targets.

 Targets:
  - MIRROR
  - NETMAP
endef
184
# Extension package built from the Module template; additionally depends on
# kmod-ipt-ulog.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

# Help text naming the logging target this package documents.
define Package/iptables-mod-ulog/description
 iptables extensions for user-space packet logging.

 Targets:
  - ULOG

endef
197
# Extension package built from the Module template; additionally depends on
# kmod-nfnetlink-log and kmod-ipt-nflog.
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
  TITLE:=Netfilter NFLOG target
endef

# Help text naming the extension library this package documents.
define Package/iptables-mod-nflog/description
 iptables extension for user-space logging via NFNETLINK.

 Includes:
  - libxt_NFLOG

endef
210
# Extension package built from the Module template; additionally depends on
# kmod-nfnetlink-queue and kmod-ipt-nfqueue.
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
  TITLE:=Netfilter NFQUEUE target
endef

# Help text naming the extension library this package documents.
define Package/iptables-mod-nfqueue/description
 iptables extension for user-space queuing via NFNETLINK.

 Includes:
  - libxt_NFQUEUE

endef
223
# Extension package built from the Module template; additionally depends on
# kmod-ipt-hashlimit.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

# Help text naming the match this package documents.
define Package/iptables-mod-hashlimit/description
 iptables extensions for hashlimit matching

 Matches:
  - hashlimit

endef
236
# Extension package built from the Module template; additionally depends on
# kmod-ipt-iprange.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

# Help text naming the match this package documents.
define Package/iptables-mod-iprange/description
 iptables extensions for matching ip ranges.

 Matches:
  - iprange

endef
249
# Extension package built from the Module template; additionally depends on
# kmod-ipt-cluster.
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
  TITLE:=Match cluster extension
endef

# Help text describing the cluster match. Per the text below, every node sees
# every packet and the match decides which node handles it.
define Package/iptables-mod-cluster/description
 iptables extensions for matching cluster.

 Netfilter (IPv4/IPv6) module for matching cluster
 This option allows you to build work-load-sharing clusters of
 network servers/stateful firewalls without having a dedicated
 load-balancing router/server/switch. Basically, this match returns
 true when the packet must be handled by this cluster node. Thus,
 all nodes see all packets and this match decides which node handles
 what packets. The work-load sharing algorithm is based on source
 address hashing.

 This module is usable for ipv4 and ipv6.

 If you select it, it enables kmod-ipt-cluster.

 see `iptables -m cluster --help` for more information.
endef
273
# Extension package built from the Module template; additionally depends on
# kmod-ipt-clusterip.
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
  TITLE:=Clusterip extension
endef

# Help text describing the CLUSTERIP target.
define Package/iptables-mod-clusterip/description
 iptables extensions for CLUSTERIP.
 The CLUSTERIP target allows you to build load-balancing clusters of
 network servers without having a dedicated load-balancing
 router/server/switch.

 If you select it, it enables kmod-ipt-clusterip.

 see `iptables -j CLUSTERIP --help` for more information.
endef
289
# Extension package built from the Module template; additionally depends on
# kmod-ipt-extra.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

# Help text listing the miscellaneous matches this package documents.
define Package/iptables-mod-extra/description
 Other extra iptables extensions.

 Matches:
  - addrtype
  - condition
  - owner
  - physdev (if ebtables is enabled)
  - pkttype
  - quota

endef
307
# Extension package built from the Module template; additionally depends on
# kmod-ipt-led.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

# Help text naming the target this package documents.
define Package/iptables-mod-led/description
 iptables extension for triggering a LED.

 Targets:
  - LED

endef
320
# Extension package built from the Module template; additionally depends on
# kmod-ipt-tproxy.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

# Help text listing the match and target this package documents.
define Package/iptables-mod-tproxy/description
 Transparent proxy iptables extensions.

 Matches:
  - socket

 Targets:
  - TPROXY

endef
336
# Extension package built from the Module template; additionally depends on
# kmod-ipt-tee.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

# Help text naming the target this package documents.
define Package/iptables-mod-tee/description
 TEE iptables extensions.

 Targets:
  - TEE

endef
349
# Extension package built from the Module template; additionally depends on
# kmod-ipt-u32.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

# Help text naming the match this package documents.
define Package/iptables-mod-u32/description
 U32 iptables extensions.

 Matches:
  - u32

endef
362
# IPv6 front end. "@IPV6" makes the package selectable only when IPV6 is
# enabled; it also depends on kmod-ip6tables and the base iptables package.
# CATEGORY repeats the value already set by the shared defaults.
define Package/ip6tables
$(call Package/iptables/Default)
  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
  CATEGORY:=Network
  TITLE:=IPv6 firewall administration tool
  MENU:=1
endef
370
371
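# IPv6 header-matching extensions; depends on ip6tables and pulls in
# kmod-ip6tables-extra.
define Package/ip6tables-extra
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ip6tables-extra
  TITLE:=IPv6 header matching modules
endef

# Help text for ip6tables-extra. The define is keyed on the package name used
# by the definition above and by its BuildPlugin call; under the name
# Package/ip6tables-mod-extra/description it matched no package in this
# Makefile, leaving ip6tables-extra without a description.
define Package/ip6tables-extra/description
 iptables header matching modules for IPv6
endef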
381
# IPv6 NAT extensions; depends on ip6tables and pulls in kmod-ipt-nat6.
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
  DEPENDS:=ip6tables +kmod-ipt-nat6
  TITLE:=IPv6 NAT extensions
endef

# Help text for the IPv6 NAT extension package.
define Package/ip6tables-mod-nat/description
 iptables extensions for IPv6-NAT targets.
endef
391
# Compatibility stub library package (per its title); pulls in both libip4tc
# and libip6tc. SECTION/CATEGORY override the firewall defaults set just above.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libip4tc +libip6tc
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
399
# IPv4 libiptc shared library, filed under Libraries instead of the firewall
# menu set by the shared defaults.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
endef
406
# IPv6 libiptc shared library, filed under Libraries instead of the firewall
# menu set by the shared defaults.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
endef
413
# Shared xtables library, filed under Libraries instead of the firewall menu
# set by the shared defaults.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
endef
420
# Put the package's own headers and the kernel user headers ahead of the
# inherited preprocessor flags.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# Same include paths for the compiler, plus per-function/per-data sections so
# that the --gc-sections link flag below can discard unreferenced code.
TARGET_CFLAGS += \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	-ffunction-sections -fdata-sections

TARGET_LDFLAGS += \
	-Wl,--gc-sections

# Build shared and static libraries and the development files; extensions are
# looked up under /usr/lib/iptables. IPv6 support is disabled unless
# CONFIG_IPV6 is non-empty.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-devel \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--enable-static \
	$(if $(CONFIG_IPV6),,--disable-ipv6)

# Variables handed to the package's own make. BUILTIN_MODULES is the combined
# IPT_BUILTIN, IPT_CONNTRACK-m and IPT_NAT-m lists with the xt_, ipt_ and
# ip6t_ prefixes stripped (those lists presumably come from netfilter.mk).
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
448
# Populate the development tree rooted at $(1): headers (some copied straight
# from the build directory, the rest from the package's install tree), the
# shared libraries, the pkg-config files, and the static extension archives
# that the in-recipe note says firewall3 needs.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter

	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/

	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/

	# XXX: needed by firewall3
	$(INSTALL_DIR) $(1)/usr/lib/iptables
	$(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/
endef
473
# Install xtables-multi and the iptables, iptables-restore and iptables-save
# entries into $(1)/usr/sbin, and create the (empty) extension directory that
# the plugin packages copy their .so files into.
# The {,-restore,-save} form relies on shell brace expansion, so the recipe
# shell must support it.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
480
# Install the ip6tables, ip6tables-restore and ip6tables-save entries into
# $(1)/usr/sbin. Relies on shell brace expansion; xtables-multi itself is
# installed by the iptables package, which ip6tables depends on.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
485
# Copy every libiptc.so* file from the package install tree into $(1)/usr/lib.
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
490
# Copy every libip4tc.so* file from the package install tree into $(1)/usr/lib.
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
endef
495
# Copy every libip6tc.so* file from the package install tree into $(1)/usr/lib.
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
endef
500
# Copy every libxtables.so* file from the package install tree into
# $(1)/usr/lib.
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
endef
505
# BuildPlugin,<package>,<extension list>[,<extra install commands>]
#
# Generates Package/<package>/install and then registers the package with
# BuildPackage. The generated recipe creates <dest>/usr/lib/iptables and, for
# each name in the extension list, tries it both as given and with the xt_,
# ipt_ and ip6t_ prefixes swapped, copying lib<name>.so only when that file
# exists in the package install tree. Names with no matching .so are skipped
# silently, so a package can end up with no extension files without the build
# failing. The optional third argument is emitted verbatim as a final recipe
# line.
#
# Escaping: $$(1) defers the destination directory to the generated recipe,
# and the run of eight '$' before {m} is there so that the shell finally sees
# ${m} after the nested call/eval expansions. The exact number of layers
# depends on BuildPackage, which is defined outside this file - do not change
# the count without testing.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
519
# Extra install commands passed as the third BuildPlugin argument for
# iptables-mod-filter: create <dest>/etc/l7-protocols and copy the bundled
# files/l7/*.pat pattern files into it. $$(1) keeps the destination unexpanded
# here so it is resolved in the generated install recipe.
L7_INSTALL:=\
	$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
	$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
523
524
# Instantiate the packages. Plain packages go straight through BuildPackage;
# extension packages go through BuildPlugin, which builds their install recipe
# from the matching IPT_*-m extension list (those lists are not defined in this
# file; presumably they come from netfilter.mk).
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))