--- /dev/null
+From 2f2fde48594ec34e93ab409cd83442efe58e10ad Mon Sep 17 00:00:00 2001
+From: Brendan Heading <brendanheading@gmail.com>
+Date: Mon, 31 Aug 2015 15:24:44 +0100
+Subject: [PATCH 3/3] fix build with musl
+
+Add needed headers they are just not needed for glibc6+ but also
+for musl
+Define additional TCOPTS if not there
+
+u_initX types are in sys/types.h be explicit about it
+
+Upstream-Status: Pending
+
+bh: this is a copy of the patch at the link below, modified to remove
+the changes to include/libiptc/ipt_kernel_headers.h as these are
+already integrated in the upstream tree. See :
+
+http://lists.openembedded.org/pipermail/openembedded-core/2015-April/103613.html
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Brendan Heading <brendanheading@gmail.com>
+---
+ extensions/libxt_TCPOPTSTRIP.c | 15 +++++++++++++++
+ include/linux/netfilter_ipv4/ip_tables.h | 1 +
+ 2 files changed, 16 insertions(+)
+
+diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
+index 6897857..8a170b2 100644
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+
+ enum {
+ O_STRIP_OPTION = 0,
+diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
+index 57fd82a..4807246 100644
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -15,6 +15,7 @@
+ #ifndef _IPTABLES_H
+ #define _IPTABLES_H
+
++#include <sys/types.h>
+ #include <linux/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+--
+2.4.3
+
+++ /dev/null
-From 76e230e41947576efb96e86e605bb84015cdb287 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Tue, 13 Aug 2013 19:02:06 +0000
-Subject: iptables: link against libnetfilter_conntrack
-
-Linking currently fails in --enable-static case:
-
-../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
-iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
-[..]
-It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
-
-If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
-and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
-therefore producing no harm to include unconditionally.
-
-[Gustavo: update for iptables 1.4.21]
-Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index 14e7c57..780e715 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -21,7 +21,7 @@ regular_CPPFLAGS = @regular_CPPFLAGS@
- kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
-
- AM_CFLAGS = ${regular_CFLAGS}
--AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} ${CPPFLAGS}
-+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@
- AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
- AM_LDFLAGS = @noundef_LDFLAGS@
-
-@@ -93,7 +93,7 @@ lib%.so: lib%.oo
- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
-
- lib%.oo: ${srcdir}/lib%.c
-- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} ${$*_CFLAGADD} -o $@ -c $<;
-+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
- libxt_NOTRACK.so: libxt_CT.so
- ln -fs $< $@
-@@ -103,9 +103,7 @@ libxt_state.so: libxt_conntrack.so
- # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
- xt_RATEEST_LIBADD = -lm
- xt_statistic_LIBADD = -lm
--@HAVE_LIBNETFILTER_CONNTRACK_TRUE@xt_connlabel_LIBADD = @libnetfilter_conntrack_LIBS@
--
--@HAVE_LIBNETFILTER_CONNTRACK_TRUE@xt_connlabel_CFLAGADD = @libnetfilter_conntrack_CFLAGS@
-+xt_connlabel_LIBADD = @libnetfilter_conntrack_LIBS@
-
- #
- # Static bits
-diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am
-index c5795fe..4267cb5 100644
---- a/libxtables/Makefile.am
-+++ b/libxtables/Makefile.am
-@@ -10,7 +10,7 @@ libxtables_la_LIBADD =
- if ENABLE_STATIC
- # With --enable-static, shipped extensions are linked into the main executable,
- # so we need all the LIBADDs here too
--libxtables_la_LIBADD += -lm
-+libxtables_la_LIBADD += -lm ${libnetfilter_conntrack_LIBS}
- endif
- if ENABLE_SHARED
- libxtables_la_CFLAGS = ${AM_CFLAGS}
---
-cgit v0.9.2
+++ /dev/null
-From 2efdcf332a40431c6584970bb0c68712d14d409b Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Wed, 27 Nov 2013 10:18:11 -0300
-Subject: [PATCH] iptables/ip(6)tables-save.c: remove dlfcn.h include
-
-It's not required and breaks on static-only uClibc builds which don't
-have the header file.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
----
- iptables/ip6tables-save.c | 4 ----
- iptables/iptables-save.c | 4 ----
- 2 files changed, 8 deletions(-)
-
-diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
-index d819b30..a86a64a 100644
---- a/iptables/ip6tables-save.c
-+++ b/iptables/ip6tables-save.c
-@@ -18,10 +18,6 @@
- #include "ip6tables.h"
- #include "ip6tables-multi.h"
-
--#ifndef NO_SHARED_LIBS
--#include <dlfcn.h>
--#endif
--
- static int show_counters = 0;
-
- static const struct option options[] = {
-diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
-index e599fce..2999c7f 100644
---- a/iptables/iptables-save.c
-+++ b/iptables/iptables-save.c
-@@ -17,10 +17,6 @@
- #include "iptables.h"
- #include "iptables-multi.h"
-
--#ifndef NO_SHARED_LIBS
--#include <dlfcn.h>
--#endif
--
- static int show_counters = 0;
-
- static const struct option options[] = {
---
-1.8.3.2
-
+++ /dev/null
-From a9214a0b718812d823a933ad580a96a3bf5f4dc6 Mon Sep 17 00:00:00 2001
-From: Felix Janda <felix.janda@posteo.de>
-Date: Sat, 2 May 2015 21:51:01 +0200
-Subject: [PATCH 1/3] consistently use <errno.h>
-
-On glibc, <sys/errno.h> is a synomym for <errno.h>.
-<errno.h> is specified by POSIX, so use that.
-
-Fixes compilation error with musl libc
-
-Backported from :
-http://git.netfilter.org/iptables/commit/?id=043e52bc42021f71b85229f6d78bf7e75b282765
-
-Upstream-Status: backport
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Brendan Heading <brendanheading@gmail.com>
----
- iptables/ip6tables-restore.c | 2 +-
- iptables/ip6tables-save.c | 2 +-
- iptables/iptables-restore.c | 2 +-
- iptables/iptables-save.c | 2 +-
- iptables/iptables-xml.c | 2 +-
- 5 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
-index b8b9e0d..0927e6d 100644
---- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -9,7 +9,7 @@
- */
-
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
-diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
-index d819b30..f0349d3 100644
---- a/iptables/ip6tables-save.c
-+++ b/iptables/ip6tables-save.c
-@@ -6,7 +6,7 @@
- * This code is distributed under the terms of GNU GPL v2
- */
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
-diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
-index 8c942ff..d00b9e7 100644
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -6,7 +6,7 @@
- */
-
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
-diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
-index e599fce..3fbdb77 100644
---- a/iptables/iptables-save.c
-+++ b/iptables/iptables-save.c
-@@ -6,7 +6,7 @@
- *
- */
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
-diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
-index 9628447..695cd67 100644
---- a/iptables/iptables-xml.c
-+++ b/iptables/iptables-xml.c
-@@ -7,7 +7,7 @@
- */
-
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
---
-2.4.3
-
+++ /dev/null
-From 401673e9d37ea1e6da0bc335b1d7a2bbf445c690 Mon Sep 17 00:00:00 2001
-From: Felix Janda <felix.janda@posteo.de>
-Date: Sat, 2 May 2015 21:51:38 +0200
-Subject: [PATCH 2/3] include: remove libc5 support code
-
-Current code makes the assumption that !defined(__GLIBC__) means libc5
-which is very unlikely the case nowadays.
-
-Fixes compile error because of conflict between kernel and musl headers.
-
-Backported from :
-http://git.netfilter.org/iptables/commit/?id=0bb1859e2d6dd79a0a59c3ee65f6a78cba118b86
-
-Upstream-Status: backport
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Brendan Heading <brendanheading@gmail.com>
----
- include/libiptc/ipt_kernel_headers.h | 12 ------------
- 1 file changed, 12 deletions(-)
-
-diff --git a/include/libiptc/ipt_kernel_headers.h b/include/libiptc/ipt_kernel_headers.h
-index 18861fe..a5963e9 100644
---- a/include/libiptc/ipt_kernel_headers.h
-+++ b/include/libiptc/ipt_kernel_headers.h
-@@ -5,7 +5,6 @@
-
- #include <limits.h>
-
--#if defined(__GLIBC__) && __GLIBC__ == 2
- #include <netinet/ip.h>
- #include <netinet/in.h>
- #include <netinet/ip_icmp.h>
-@@ -13,15 +12,4 @@
- #include <netinet/udp.h>
- #include <net/if.h>
- #include <sys/types.h>
--#else /* libc5 */
--#include <sys/socket.h>
--#include <linux/ip.h>
--#include <linux/in.h>
--#include <linux/if.h>
--#include <linux/icmp.h>
--#include <linux/tcp.h>
--#include <linux/udp.h>
--#include <linux/types.h>
--#include <linux/in6.h>
--#endif
- #endif
---
-2.4.3
-
+++ /dev/null
-From 2f2fde48594ec34e93ab409cd83442efe58e10ad Mon Sep 17 00:00:00 2001
-From: Brendan Heading <brendanheading@gmail.com>
-Date: Mon, 31 Aug 2015 15:24:44 +0100
-Subject: [PATCH 3/3] fix build with musl
-
-Add needed headers they are just not needed for glibc6+ but also
-for musl
-Define additional TCOPTS if not there
-
-u_initX types are in sys/types.h be explicit about it
-
-Upstream-Status: Pending
-
-bh: this is a copy of the patch at the link below, modified to remove
-the changes to include/libiptc/ipt_kernel_headers.h as these are
-already integrated in the upstream tree. See :
-
-http://lists.openembedded.org/pipermail/openembedded-core/2015-April/103613.html
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Brendan Heading <brendanheading@gmail.com>
----
- extensions/libxt_TCPOPTSTRIP.c | 15 +++++++++++++++
- include/linux/netfilter_ipv4/ip_tables.h | 1 +
- 2 files changed, 16 insertions(+)
-
-diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
-index 6897857..8a170b2 100644
---- a/extensions/libxt_TCPOPTSTRIP.c
-+++ b/extensions/libxt_TCPOPTSTRIP.c
-@@ -12,6 +12,21 @@
- #ifndef TCPOPT_MD5SIG
- # define TCPOPT_MD5SIG 19
- #endif
-+#ifndef TCPOPT_MAXSEG
-+# define TCPOPT_MAXSEG 2
-+#endif
-+#ifndef TCPOPT_WINDOW
-+# define TCPOPT_WINDOW 3
-+#endif
-+#ifndef TCPOPT_SACK_PERMITTED
-+# define TCPOPT_SACK_PERMITTED 4
-+#endif
-+#ifndef TCPOPT_SACK
-+# define TCPOPT_SACK 5
-+#endif
-+#ifndef TCPOPT_TIMESTAMP
-+# define TCPOPT_TIMESTAMP 8
-+#endif
-
- enum {
- O_STRIP_OPTION = 0,
-diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
-index 57fd82a..4807246 100644
---- a/include/linux/netfilter_ipv4/ip_tables.h
-+++ b/include/linux/netfilter_ipv4/ip_tables.h
-@@ -15,6 +15,7 @@
- #ifndef _IPTABLES_H
- #define _IPTABLES_H
-
-+#include <sys/types.h>
- #include <linux/types.h>
-
- #include <linux/netfilter_ipv4.h>
---
-2.4.3
-
+++ /dev/null
-From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Fri, 5 Sep 2014 20:45:56 +0200
-Subject: extensions: libxt_connlabel: do not open config file from _init hook
-
-else, static builds will print this for every iptables invocation,
-even 'iptables -L'. Delay open until we need to translate a mapping.
-
-Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
-Signed-off-by: Florian Westphal <fw@strlen.de>
-[Thomas De Schampheleire: import unchanged into Buildroot]
-Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
-
-diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
-index c84a167..1f83095 100644
---- a/extensions/libxt_connlabel.c
-+++ b/extensions/libxt_connlabel.c
-@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
- XTOPT_TABLEEND,
- };
-
-+/* cannot do this via _init, else static builds might spew error message
-+ * for every iptables invocation.
-+ */
-+static void connlabel_open(void)
-+{
-+ if (map)
-+ return;
-+
-+ map = nfct_labelmap_new(NULL);
-+ if (!map && errno)
-+ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
-+ strerror(errno));
-+}
-+
- static void connlabel_mt_parse(struct xt_option_call *cb)
- {
- struct xt_connlabel_mtinfo *info = cb->data;
- int tmp;
-
-+ connlabel_open();
- xtables_option_parse(cb);
-
- switch (cb->entry->id) {
-@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
-
- static const char *connlabel_get_name(int b)
- {
-- const char *name = nfct_labelmap_get_name(map, b);
-+ const char *name;
-+
-+ connlabel_open();
-+
-+ name = nfct_labelmap_get_name(map, b);
- if (name && strcmp(name, ""))
- return name;
- return NULL;
-@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
-
- void _init(void)
- {
-- map = nfct_labelmap_new(NULL);
-- if (!map) {
-- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
-- connlabel_mt_reg.name, strerror(errno));
-- return;
-- }
- xtables_register_match(&connlabel_mt_reg);
- }
---
-cgit v0.10.1
-
config BR2_PACKAGE_IPTABLES
bool "iptables"
help
- Linux kernel (2.4+) firewall, NAT, and packet mangling tools.
+ Linux kernel firewall, NAT, and packet mangling tools.
- http://www.iptables.org/
+ http://www.netfilter.org/projects/iptables/index.html
+
+if BR2_PACKAGE_IPTABLES
+
+config BR2_PACKAGE_IPTABLES_BPF_NFSYNPROXY
+ bool "bpfc and nfsynproxy"
+ select BR2_PACKAGE_LIBPCAP
+ help
+ Build bpf compiler and nfsynproxy configuration tool.
+
+config BR2_PACKAGE_IPTABLES_NFTABLES
+ bool "nftables compat"
+ # uses dlfcn
+ depends on !BR2_STATIC_LIBS
+ depends on BR2_USE_WCHAR
+ depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_4
+ select BR2_PACKAGE_LIBMNL
+ select BR2_PACKAGE_LIBNFTNL
+ help
+ Build nftables compat utilities.
+
+comment "nftables compat needs a toolchain w/ wchar, dynamic library, headers >= 3.4"
+ depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_4 || \
+ !BR2_USE_WCHAR || BR2_STATIC_LIBS
+
+endif
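Review bot: The help text of the new `BR2_PACKAGE_IPTABLES_NFTABLES` entry says only "Build nftables compat utilities" and gives no hint of the runtime requirement; `depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_4` is a compile-time floor for libnftnl/libmnl, and the compat tools presumably also need a running kernel built with nf_tables support (CONFIG_NF_TABLES), which nothing here checks and which a user will only discover when the rules fail to load on the target. I would extend the help to something like `Build nftables compat utilities (xtables over nf_tables). Requires a running kernel with nf_tables support (CONFIG_NF_TABLES).`, confirming the exact binary names against the 1.6.0 install tree before naming them. The `# uses dlfcn` comment justifying `depends on !BR2_STATIC_LIBS` is welcome, and the summary comment lists the same three constraints as the option, so that part is consistent.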
-# From ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.21.tar.bz2.{md5sum,sha1sum}
-md5 536d048c8e8eeebcd9757d0863ebb0c0 iptables-1.4.21.tar.bz2
-sha1 85d4160537546a23a7e42bc26dd7ee62a0ede4c8 iptables-1.4.21.tar.bz2
+# From ftp://ftp.netfilter.org/pub/iptables/iptables-1.6.0.tar.bz2.{md5sum,sha1sum}
+md5 27ba3451cb622467fc9267a176f19a31 iptables-1.6.0.tar.bz2
+sha1 21a694e75b0d6863cc001f85fb15915d12b8cc22 iptables-1.6.0.tar.bz2
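Review bot: Both recorded digests (md5 and sha1) are copied from the `.md5sum`/`.sha1sum` files sitting next to the tarball on the same FTP location, so they catch a corrupted download but give no protection against a tampered mirror or a MITM on the plain-HTTP `IPTABLES_SITE`, and both algorithms are weak for integrity purposes. netfilter.org also publishes a detached PGP signature for each release tarball; the usual Buildroot approach is to verify that signature once and record a stronger, locally computed digest alongside the upstream ones, e.g. a `# Locally computed after verifying the pgp signature` comment followed by a `sha256 <digest> iptables-1.6.0.tar.bz2` line. The digest itself must of course be computed from the verified tarball rather than copied from any web page.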
#
################################################################################
-IPTABLES_VERSION = 1.4.21
+IPTABLES_VERSION = 1.6.0
IPTABLES_SOURCE = iptables-$(IPTABLES_VERSION).tar.bz2
IPTABLES_SITE = http://ftp.netfilter.org/pub/iptables
IPTABLES_INSTALL_STAGING = YES
# Building static causes ugly warnings on some plugins
IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
$(if $(BR2_STATIC_LIBS),,--disable-static)
-# Because of iptables-01-fix-static-link.patch
-IPTABLES_AUTORECONF = YES
# For connlabel match
ifeq ($(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),y)
IPTABLES_DEPENDENCIES += libnfnetlink
endif
-define IPTABLES_TARGET_SYMLINK_CREATE
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/iptables
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/iptables-save
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/iptables-restore
-endef
-
-define IPTABLES_TARGET_IPV6_SYMLINK_CREATE
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/ip6tables
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/ip6tables-save
- ln -sf xtables-multi $(TARGET_DIR)/usr/sbin/ip6tables-restore
-endef
-
-IPTABLES_POST_INSTALL_TARGET_HOOKS += IPTABLES_TARGET_SYMLINK_CREATE
+# For iptables-compat tools
+ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES),y)
+IPTABLES_CONF_OPTS += --enable-nftables
+IPTABLES_DEPENDENCIES += host-bison host-flex libmnl libnftnl
+else
+IPTABLES_CONF_OPTS += --disable-nftables
+endif
-IPTABLES_POST_INSTALL_TARGET_HOOKS += IPTABLES_TARGET_IPV6_SYMLINK_CREATE
+# bpf compiler support and nfsynproxy tool
+ifeq ($(BR2_PACKAGE_IPTABLES_BPF_NFSYNPROXY),y)
+IPTABLES_CONF_OPTS += --enable-bpf-compiler --enable-nfsynproxy
+IPTABLES_DEPENDENCIES += libpcap
+else
+IPTABLES_CONF_OPTS += --disable-bpf-compiler --disable-nfsynproxy
+endif
$(eval $(autotools-package))
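Review bot: The `IPTABLES_TARGET_SYMLINK_CREATE` and `IPTABLES_TARGET_IPV6_SYMLINK_CREATE` hooks and their `IPTABLES_POST_INSTALL_TARGET_HOOKS` registrations are dropped, but nothing in the hunk records why; presumably the 1.6.0 install step creates the `iptables`, `iptables-save`, `iptables-restore` and `ip6tables*` symlinks to `xtables-multi` itself, which should be confirmed by inspecting the target's `/usr/sbin` after a build, because if it does not, an init script that calls `iptables-restore` fails and the box comes up with no firewall at all. A one-line comment near the dependency block, e.g. `# iptables >= 1.6.0 installs the xtables-multi symlinks from its own install hook`, would document the assumption for the next bump. Separately, the retained `# For connlabel match` block adds `libnfnetlink` when `BR2_PACKAGE_LIBNETFILTER_CONNTRACK` is set, which looks like it should be `libnetfilter_conntrack`; it predates this change, so it is only flagged here for a follow-up.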