1#
2# Copyright (C) 2006-2012 OpenWrt.org
3#
4# This is free software, licensed under the GNU General Public License v2.
5# See /LICENSE for more information.
6#
7
8include $(TOPDIR)/rules.mk
9include $(INCLUDE_DIR)/kernel.mk
10
# Package identity.
PKG_NAME := iptables
PKG_VERSION := 1.4.10
PKG_RELEASE := 4

# Upstream tarball and the mirrors it is fetched from.
# NOTE(review): every mirror below is plain HTTP or FTP, so PKG_MD5SUM is the
# only integrity control on the downloaded source, and MD5 is not
# collision-resistant. Where the build system accepts a stronger digest, pin
# one (and prefer an authenticated transport) before trusting a fresh download.
PKG_SOURCE := $(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_MD5SUM := f382fe693f0b59d87bd47bea65eca198
PKG_SOURCE_URL := \
	http://www.netfilter.org/projects/iptables/files \
	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/

# Build behaviour knobs read by the included package.mk.
# PKG_INSTALL: the install sections below copy from $(PKG_INSTALL_DIR),
# i.e. from the result of the package's own install step.
PKG_FIXUP := autoreconf
PKG_INSTALL := 1
PKG_BUILD_PARALLEL := 1
25
26include $(INCLUDE_DIR)/package.mk
# Only when DUMP is empty: read the kernel configuration (optional include,
# tolerated if missing) and the netfilter module lists used further down.
ifeq "$(DUMP)" ""
  -include $(LINUX_DIR)/.config
  include $(INCLUDE_DIR)/netfilter.mk
  # Append a digest of the kernel's NETFILTER config lines to the configure stamp.
  # The md5s output is a change-detection key here, not an integrity check.
  # NOTE(review): presumably this forces a reconfigure when those options change -- confirm.
  STAMP_CONFIGURED := $(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
endif
32
33
# Menu fields shared by every package in this Makefile. Each Package/<name>
# block expands this first and then overrides whatever it needs to.
define Package/iptables/Default
  CATEGORY:=Network
  SUBMENU:=Firewall
  SECTION:=net
  URL:=http://netfilter.org/
endef
40
# Template for the extension (plugin) packages: the shared defaults plus a
# dependency on the base iptables package. $(1) carries any additional
# dependencies, which the callers below use for the matching kmod-ipt-* package.
define Package/iptables/Module
$(call Package/iptables/Default)
  DEPENDS:=iptables $(1)
endef
45
# Base IPv4 tool. DEPENDS is appended to (+=), not replaced, and pulls in the
# core kernel module package plus the libip4tc and libxtables libraries.
define Package/iptables
$(call Package/iptables/Default)
  MENU:=1
  TITLE:=IPv4 firewall administration tool
  DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
endef

# User-visible description: the matches, targets and tables the base package
# advertises without any iptables-mod-* plugin installed.
define Package/iptables/description
IPv4 firewall administration tool.

 Matches:
  - icmp
  - tcp
  - udp
  - comment
  - limit
  - mac
  - multiport

 Targets:
  - ACCEPT
  - DROP
  - REJECT
  - LOG
  - TCPMSS

 Tables:
  - filter
  - mangle

endef
77
# Plugin package: additional connection-tracking matches and the CONNMARK
# target; depends on kmod-ipt-conntrack-extra for the kernel side.
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
  TITLE:=Extra connection tracking extensions
endef

define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.

 Matches:
  - connbytes
  - connmark
  - recent
  - helper

 Targets:
  - CONNMARK

endef
96
# Plugin package: QoS-related conntrack targets; depends on
# kmod-ipt-conntrack-qos for the kernel side.
define Package/iptables-mod-conntrack-qos
$(call Package/iptables/Module, +kmod-ipt-conntrack-qos)
  TITLE:=QoS connection tracking extensions
endef

define Package/iptables-mod-conntrack-qos/description
QoS iptables extensions for connection tracking.

 Targets:
  - DSCPREMARK
  - VLANTAG

endef
110
# Plugin package: payload-inspecting matches (layer7, string); depends on
# kmod-ipt-filter. Its BuildPlugin call at the end of the file also installs
# the layer7 pattern files via L7_INSTALL.
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
  TITLE:=Content inspection extensions
endef

define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:

 Matches:
  - layer7
  - string

endef
125
# Plugin package: matches and targets that read or rewrite IP/packet options
# and marks; depends on kmod-ipt-ipopt for the kernel side.
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
  TITLE:=IP/Packet option extensions
endef

define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.

 Matches:
  - dscp
  - ecn
  - length
  - mark
  - statistic
  - tcpmss
  - time
  - unclean
  - hl

 Targets:
  - DSCP
  - CLASSIFY
  - ECN
  - MARK
  - HL

endef
153
# Plugin package: matches for IPsec traffic (ah, esp, policy); depends on
# kmod-ipt-ipsec for the kernel side.
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
  TITLE:=IPsec extensions
endef

define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.

 Matches:
  - ah
  - esp
  - policy

endef
168
# Plugin package: the set match and SET target.
# NOTE(review): unlike the other plugin packages, no kmod-* dependency is
# passed to the Module template here, so only the base iptables package is
# required. Confirm the kernel-side ipset support is selected elsewhere,
# otherwise rules using these extensions cannot be loaded on the device.
define Package/iptables-mod-ipset
$(call Package/iptables/Module,)
  TITLE:=IPset iptables extensions
endef

define Package/iptables-mod-ipset/description
IPset iptables extensions.

 Matches:
  - set

 Targets:
  - SET

endef
184
# Plugin package: additional NAT targets; depends on kmod-ipt-nat-extra for
# the kernel side.
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
  TITLE:=Extra NAT extensions
endef

define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.

 Targets:
  - MIRROR
  - NETMAP
  - REDIRECT
endef
198
# Plugin package: the ULOG target for handing packet logs to user space;
# depends on kmod-ipt-ulog for the kernel side.
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
  TITLE:=user-space packet logging
endef

define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.

 Targets:
  - ULOG

endef
211
# Plugin package: the hashlimit match; depends on kmod-ipt-hashlimit for the
# kernel side.
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
  TITLE:=hashlimit matching
endef

define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching

 Matches:
  - hashlimit

endef
224
# Plugin package: the iprange match; depends on kmod-ipt-iprange for the
# kernel side.
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
  TITLE:=IP range extension
endef

define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.

 Matches:
  - iprange

endef
237
# Plugin package: miscellaneous matches that fit no other group; depends on
# kmod-ipt-extra for the kernel side.
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
  TITLE:=Other extra iptables extensions
endef

define Package/iptables-mod-extra/description
Other extra iptables extensions.

 Matches:
  - condition
  - owner
  - physdev (if ebtables is enabled)
  - pkttype
  - quota

endef
254
# Plugin package: the LED target; depends on kmod-ipt-led for the kernel side.
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
  TITLE:=LED trigger iptables extension
endef

define Package/iptables-mod-led/description
iptables extension for triggering a LED.

 Targets:
  - LED

endef
267
# Plugin package: transparent-proxy support (socket match, TPROXY target);
# depends on kmod-ipt-tproxy for the kernel side.
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
  TITLE:=Transparent proxy iptables extensions
endef

define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.

 Matches:
  - socket

 Targets:
  - TPROXY

endef
283
# Plugin package: the TEE target; depends on kmod-ipt-tee for the kernel side.
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
  TITLE:=TEE iptables extensions
endef

define Package/iptables-mod-tee/description
TEE iptables extensions.

 Targets:
  - TEE

endef
296
# Plugin package: the u32 match; depends on kmod-ipt-u32 for the kernel side.
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
  TITLE:=U32 iptables extensions
endef

define Package/iptables-mod-u32/description
U32 iptables extensions.

 Matches:
  - u32

endef
309
# Three plugin packages that define a title and a kernel-module dependency
# only; none of them has a description block in this file.

# mark2prio extension; depends on kmod-ipt-mark2prio.
define Package/iptables-mod-mark2prio
$(call Package/iptables/Module, +kmod-ipt-mark2prio)
  TITLE:=mark2prio extension
endef

# SCTP conntrack extension; depends on kmod-ipt-ct-sctp.
define Package/iptables-mod-ct-sctp
$(call Package/iptables/Module, +kmod-ipt-ct-sctp)
  TITLE:=SCTP conntrack extension
endef

# SCTP iptables extension; depends on kmod-ipt-sctp.
define Package/iptables-mod-sctp
$(call Package/iptables/Module, +kmod-ipt-sctp)
  TITLE:=SCTP iptables extension
endef
324
# IPv6 counterpart of the base tool. It starts from the shared defaults, then
# overrides CATEGORY and sets its own dependency list (assigned with :=).
define Package/ip6tables
$(call Package/iptables/Default)
  CATEGORY:=IPv6
  TITLE:=IPv6 firewall administration tool
  MENU:=1
  DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
endef
332
# Shared-library packages. Each starts from the shared defaults and moves
# itself to SECTION libs / CATEGORY Libraries.

# Compatibility stub: depends on both the IPv4 and the IPv6 libraries.
define Package/libiptc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
  DEPENDS:=+libip4tc +libip6tc
endef

# IPv4 libiptc library.
define Package/libip4tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
endef

# IPv6 libiptc library.
define Package/libip6tc
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
endef

# xtables library; the base iptables and ip6tables packages depend on it.
define Package/libxtables
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
endef

# libipq library (built because --enable-libipq is passed to configure).
define Package/libipq
$(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared libipq library
endef
368
# Header search order: the package's bundled headers, then the kernel's
# exported user headers, then whatever the build system had already set.
TARGET_CPPFLAGS := \
	-I$(PKG_BUILD_DIR)/include \
	-I$(LINUX_DIR)/user_headers/include \
	$(TARGET_CPPFLAGS)

# The same two include paths are appended to the C compiler flags as well.
TARGET_CFLAGS += -I$(PKG_BUILD_DIR)/include -I$(LINUX_DIR)/user_headers/include

# configure switches. IPv6 support follows CONFIG_IPV6.
# --with-xtlibdir names the directory the tools look in for extension shared
# objects; the install sections below populate the same path. Those objects
# are loaded by a tool that runs as root, so on the target the directory
# should stay writable by root only.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-devel \
	$(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
	--enable-libipq \
	--with-kernel="$(LINUX_DIR)/user_headers" \
	--with-xtlibdir=/usr/lib/iptables \
	--enable-static

# Variables handed to the package's own make. Assigned with :=, so this
# replaces rather than extends any MAKE_FLAGS value set by the includes.
# BUILTIN_MODULES is the listed netfilter.mk module names with their xt_ and
# ipt_ prefixes stripped.
# NOTE(review): presumably these are linked into the binary instead of being
# shipped as separate .so plugins -- confirm against the package's patches.
MAKE_FLAGS := \
	$(TARGET_CONFIGURE_OPTS) \
	COPT_FLAGS="$(TARGET_CFLAGS)" \
	KERNEL_DIR="$(LINUX_DIR)/user_headers/" \
	PREFIX=/usr \
	KBUILD_OUTPUT="$(LINUX_DIR)" \
	BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_CONNTRACK_QOS-m) $(IPT_NAT-m)))"
393
# Stage headers, shared libraries and pkg-config files under $(1) for other
# packages to build against. All directories are created first. Headers are
# then copied from the build tree (the fixup noted below) and after that from
# the package's own install tree, so an installed header replaces a fixup copy
# of the same name.
define Build/InstallDev
	$(INSTALL_DIR) $(1)/usr/include
	$(INSTALL_DIR) $(1)/usr/include/iptables
	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
	$(INSTALL_DIR) $(1)/usr/lib
	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
	# XXX: iptables header fixup, some headers are not installed by iptables anymore
	$(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
endef
416
# Install the IPv4 tool into the package root $(1).
# iptables-save and iptables-restore are links to the one iptables binary.
# /usr/lib/iptables is created empty here; no extension object is copied by
# this section, the plugin packages generated by BuildPlugin fill it.
define Package/iptables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_DIR) $(1)/usr/lib/iptables
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
	$(LN) iptables $(1)/usr/sbin/iptables-save
	$(LN) iptables $(1)/usr/sbin/iptables-restore
endef
424
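# Install the IPv6 tool into the package root $(1).
# ip6tables-save and ip6tables-restore are links to the one ip6tables binary.
# The libip6t_*.so extension objects are copied with an explicit source path.
# The previous form was "(cd <dir> ; cp ...)": with ';' the copy still ran,
# from whatever the current directory was, when the cd failed. Using the full
# path removes that dependency and matches the other install sections.
define Package/ip6tables/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
	$(LN) ip6tables $(1)/usr/sbin/ip6tables-save
	$(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
	$(INSTALL_DIR) $(1)/usr/lib/iptables
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/libip6t_*.so $(1)/usr/lib/iptables/
endef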
435
# Install sections for the shared-library packages. Each one creates
# $(1)/usr/lib and copies its library (every libNAME.so* file) out of the
# package's own install tree.

# libiptc (compatibility stub)
define Package/libiptc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef

# libip4tc
define Package/libip4tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
endef

# libip6tc
define Package/libip6tc/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
endef

# libxtables
define Package/libxtables/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
endef

# libipq
define Package/libipq/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
endef
460
# BuildPlugin: $(1) = package name, $(2) = module name list, $(3) = optional
# extra install commands. Defines Package/<name>/install and then registers
# the package through BuildPackage.
# Every name in $(2) is tried under both its ipt_ and its xt_ spelling, and a
# shared object is copied only if it exists in the package's install tree, so a
# name without a userspace library is skipped without an error.
# NOTE(review): because misses are silent, a plugin package can be produced
# with no extension object in it. Check the built package contents when the
# module lists change, since rules relying on a missing extension will not load.
# The runs of dollar signs are layered escaping for the nested define and eval
# expansions; keep their count exactly as written.
define BuildPlugin
  define Package/$(1)/install
	$(INSTALL_DIR) $$(1)/usr/lib/iptables
	for ext in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${ext}.so ]; then \
			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${ext}.so $$(1)/usr/lib/iptables/ ; \
		fi; \
	done
	$(3)
  endef

  $$(eval $$(call BuildPackage,$(1)))
endef
474
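# Extra install step passed as BuildPlugin's third argument for
# iptables-mod-filter: create /etc/l7-protocols in the package root and copy
# the bundled layer7 pattern files (files/l7/*.pat) into it.
# The two commands are chained with && instead of ';' so that a failed
# directory creation stops the step rather than letting the copy run anyway.
# $$(1) is escaped so that it still reads $(1) when BuildPlugin splices this
# text into the generated install section.
L7_INSTALL:=\
	$(INSTALL_DIR) $$(1)/etc/l7-protocols && \
	$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/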
478
479
# Package registration. The order below is kept as in the original file.

# Base IPv4 tool.
$(eval $(call BuildPackage,iptables))

# Plugin packages. The module list for each comes from the netfilter.mk
# variables, except iptables-mod-ipset, which names its two extensions
# literally. iptables-mod-filter also passes L7_INSTALL as an extra install step.
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-conntrack-qos,$(IPT_CONNTRACK_QOS-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-mark2prio,$(IPT_MARK2PRIO-m)))
$(eval $(call BuildPlugin,iptables-mod-ct-sctp,$(IPT_CT_SCTP-m)))
$(eval $(call BuildPlugin,iptables-mod-sctp,$(IPT_SCTP-m)))

# IPv6 tool and the shared libraries.
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))
$(eval $(call BuildPackage,libipq))
505