2 # Copyright (C) 2006-2013 OpenWrt.org
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 include $(TOPDIR)/rules.mk
9 include $(INCLUDE_DIR)/kernel.mk
# Upstream tarball name, the mirrors it is fetched from, and the checksum the
# download is compared against.
# NOTE(review): every mirror listed here is plain http:// or ftp://, so the
# transfer itself is unauthenticated. The only integrity control visible in
# this file is PKG_MD5SUM, and MD5 is not collision-resistant. Prefer an HTTPS
# mirror and a SHA-256 pin where the build system supports one.
15 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
16 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
17 ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
18 ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
19 ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
20 PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0
27 ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
31 include $(INCLUDE_DIR)/package.mk
# Read the kernel .config as makefile text; the leading '-' makes a missing
# file non-fatal. netfilter.mk is then included unconditionally.
# NOTE(review): `include` evaluates the file as make syntax, so
# $(LINUX_DIR)/.config is trusted build input. That matters if LINUX_DIR can
# point at an external kernel tree (the CONFIG_EXTERNAL_KERNEL_TREE check
# earlier in the file suggests it can; its body is not visible here).
33 -include $(LINUX_DIR)/.config
34 include $(INCLUDE_DIR)/netfilter.mk
# Append a digest of the kernel config lines containing 'NETFILTER' to the
# configure stamp, so a change to those options yields a different stamp name.
# The digest is a change-detection key only, not an integrity control.
# presumably `md5s` is a helper made available through $(SH_FUNC) - confirm.
35 STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
# Shared metadata template: the package definitions in this file start by
# expanding it with $(call Package/iptables/Default). Only the URL field is
# visible in this listing.
# NOTE(review): the project URL is plain http://; it looks informational only,
# but an https:// link avoids sending readers over an unauthenticated channel.
39 define Package/iptables/Default
43 URL:=http://netfilter.org/
# Template for the iptables-mod-* extension packages: expands the Default
# template, then makes the package depend on `iptables` plus whatever
# dependency string the caller passes as $(1) (the kernel-module packages,
# written with a leading '+' at each call site).
46 define Package/iptables/Module
47 $(call Package/iptables/Default)
48 DEPENDS:=iptables $(1)
# Base iptables package: the user-space firewall administration tool.
# DEPENDS is appended to (+=) rather than replaced. The listed dependencies are
# the core kernel module package, libip4tc, libxtables, and libip6tc; the
# `IPV6:` prefix makes libip6tc conditional on the IPV6 config symbol.
51 define Package/iptables
52 $(call Package/iptables/Default)
53 TITLE:=IP firewall administration tool
55 DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
58 define Package/iptables/description
59 IP firewall administration tool.
# Extension package: extra connection-tracking matches. Built from the Module
# template, so it depends on iptables and on kmod-ipt-conntrack-extra.
97 define Package/iptables-mod-conntrack-extra
98 $(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
99 TITLE:=Extra connection tracking extensions
102 define Package/iptables-mod-conntrack-extra/description
103 Extra iptables extensions for connection tracking.
# Extension package: packet content inspection matches. Depends on iptables
# and kmod-ipt-filter. The list announced by "Includes support for:" is not
# visible in this listing.
117 define Package/iptables-mod-filter
118 $(call Package/iptables/Module, +kmod-ipt-filter)
119 TITLE:=Content inspection extensions
122 define Package/iptables-mod-filter/description
123 iptables extensions for packet content inspection.
124 Includes support for:
# Extension package: matching and changing IP packet options. Depends on
# iptables and kmod-ipt-ipopt.
131 define Package/iptables-mod-ipopt
132 $(call Package/iptables/Module, +kmod-ipt-ipopt)
133 TITLE:=IP/Packet option extensions
136 define Package/iptables-mod-ipopt/description
137 iptables extensions for matching/changing IP packet options.
# Extension package: matching IPsec traffic. Depends on iptables and
# kmod-ipt-ipsec.
156 define Package/iptables-mod-ipsec
157 $(call Package/iptables/Module, +kmod-ipt-ipsec)
158 TITLE:=IPsec extensions
161 define Package/iptables-mod-ipsec/description
162 iptables extensions for matching ipsec traffic.
# Extension package: additional NAT targets. Depends on iptables and
# kmod-ipt-nat-extra.
171 define Package/iptables-mod-nat-extra
172 $(call Package/iptables/Module, +kmod-ipt-nat-extra)
173 TITLE:=Extra NAT extensions
176 define Package/iptables-mod-nat-extra/description
177 iptables extensions for extra NAT targets.
# Extension package: user-space packet logging. Depends on iptables and
# kmod-ipt-ulog.
184 define Package/iptables-mod-ulog
185 $(call Package/iptables/Module, +kmod-ipt-ulog)
186 TITLE:=user-space packet logging
189 define Package/iptables-mod-ulog/description
190 iptables extensions for user-space packet logging.
# Extension package: the NFLOG target, which logs to user space over
# NFNETLINK. Two kernel-module dependencies are passed to the Module template:
# kmod-nfnetlink-log and kmod-ipt-nflog.
197 define Package/iptables-mod-nflog
198 $(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
199 TITLE:=Netfilter NFLOG target
202 define Package/iptables-mod-nflog/description
203 iptables extension for user-space logging via NFNETLINK.
# Extension package: the NFQUEUE target, which queues packets to user space
# over NFNETLINK. Depends on iptables, kmod-nfnetlink-queue and
# kmod-ipt-nfqueue.
# NOTE(review): queuing hands packet handling to a user-space process, so
# install this only on images that run such a consumer.
210 define Package/iptables-mod-nfqueue
211 $(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
212 TITLE:=Netfilter NFQUEUE target
215 define Package/iptables-mod-nfqueue/description
216 iptables extension for user-space queuing via NFNETLINK.
# Extension package: hashlimit matching. Depends on iptables and
# kmod-ipt-hashlimit.
223 define Package/iptables-mod-hashlimit
224 $(call Package/iptables/Module, +kmod-ipt-hashlimit)
225 TITLE:=hashlimit matching
228 define Package/iptables-mod-hashlimit/description
229 iptables extensions for hashlimit matching
# Extension package: matching on IP address ranges. Depends on iptables and
# kmod-ipt-iprange.
236 define Package/iptables-mod-iprange
237 $(call Package/iptables/Module, +kmod-ipt-iprange)
238 TITLE:=IP range extension
241 define Package/iptables-mod-iprange/description
242 iptables extensions for matching ip ranges.
# Extension package: the `cluster` match. Depends on iptables and
# kmod-ipt-cluster. Per the description below, every node sees every packet
# and the match decides which node handles it; the end of the sentence
# describing the sharing algorithm is missing from this listing.
249 define Package/iptables-mod-cluster
250 $(call Package/iptables/Module, +kmod-ipt-cluster)
251 TITLE:=Match cluster extension
254 define Package/iptables-mod-cluster/description
255 iptables extensions for matching cluster.
257 Netfilter (IPv4/IPv6) module for matching cluster
258 This option allows you to build work-load-sharing clusters of
259 network servers/stateful firewalls without having a dedicated
260 load-balancing router/server/switch. Basically, this match returns
261 true when the packet must be handled by this cluster node. Thus,
262 all nodes see all packets and this match decides which node handles
263 what packets. The work-load sharing algorithm is based on source
266 This module is usable for ipv4 and ipv6.
268 If you select it, it enables kmod-ipt-cluster.
270 see `iptables -m cluster --help` for more information.
# Extension package: the CLUSTERIP target. Depends on iptables and
# kmod-ipt-clusterip.
273 define Package/iptables-mod-clusterip
274 $(call Package/iptables/Module, +kmod-ipt-clusterip)
275 TITLE:=Clusterip extension
278 define Package/iptables-mod-clusterip/description
279 iptables extensions for CLUSTERIP.
280 The CLUSTERIP target allows you to build load-balancing clusters of
281 network servers without having a dedicated load-balancing
282 router/server/switch.
284 If you select it, it enables kmod-ipt-clusterip.
286 see `iptables -j CLUSTERIP --help` for more information.
# Extension package: miscellaneous extra matches and targets. Depends on
# iptables and kmod-ipt-extra. Only the `physdev` entry of the list in the
# description is visible in this listing.
289 define Package/iptables-mod-extra
290 $(call Package/iptables/Module, +kmod-ipt-extra)
291 TITLE:=Other extra iptables extensions
294 define Package/iptables-mod-extra/description
295 Other extra iptables extensions.
301 - physdev (if ebtables is enabled)
# Extension package: LED trigger target. Depends on iptables and kmod-ipt-led.
307 define Package/iptables-mod-led
308 $(call Package/iptables/Module, +kmod-ipt-led)
309 TITLE:=LED trigger iptables extension
312 define Package/iptables-mod-led/description
313 iptables extension for triggering a LED.
# Extension package: transparent proxy extensions. Depends on iptables and
# kmod-ipt-tproxy.
320 define Package/iptables-mod-tproxy
321 $(call Package/iptables/Module, +kmod-ipt-tproxy)
322 TITLE:=Transparent proxy iptables extensions
325 define Package/iptables-mod-tproxy/description
326 Transparent proxy iptables extensions.
# Extension package: TEE extensions. Depends on iptables and kmod-ipt-tee.
336 define Package/iptables-mod-tee
337 $(call Package/iptables/Module, +kmod-ipt-tee)
338 TITLE:=TEE iptables extensions
341 define Package/iptables-mod-tee/description
342 TEE iptables extensions.
# Extension package: U32 extensions. Depends on iptables and kmod-ipt-u32.
349 define Package/iptables-mod-u32
350 $(call Package/iptables/Module, +kmod-ipt-u32)
351 TITLE:=U32 iptables extensions
354 define Package/iptables-mod-u32/description
355 U32 iptables extensions.
# IPv6 counterpart of the base package. DEPENDS is assigned outright (:=):
# `@IPV6` ties the package to the IPV6 config symbol, and it depends on
# kmod-ip6tables and on the iptables package.
362 define Package/ip6tables
363 $(call Package/iptables/Default)
364 DEPENDS:=@IPV6 +kmod-ip6tables +iptables
366 TITLE:=IPv6 firewall administration tool
# IPv6 header matching modules; depends on ip6tables and kmod-ip6tables-extra.
# NOTE(review): the package is defined as `ip6tables-extra` (the BuildPlugin
# call at the end of the file uses that name too), but the description below
# is defined under `Package/ip6tables-mod-extra/description`. The names do not
# match, so this description is presumably never attached to the package.
# Confirm, then rename one of the two.
371 define Package/ip6tables-extra
372 $(call Package/iptables/Default)
373 DEPENDS:=ip6tables +kmod-ip6tables-extra
374 TITLE:=IPv6 header matching modules
377 define Package/ip6tables-mod-extra/description
378 iptables header matching modules for IPv6
# IPv6 NAT targets; depends on ip6tables and kmod-ipt-nat6. It uses the Default
# template with its own DEPENDS rather than the Module template.
381 define Package/ip6tables-mod-nat
382 $(call Package/iptables/Default)
383 DEPENDS:=ip6tables +kmod-ipt-nat6
384 TITLE:=IPv6 NAT extensions
387 define Package/ip6tables-mod-nat/description
388 iptables extensions for IPv6-NAT targets.
# Compatibility stub library package: per its title it exists for consumers
# of the old combined libiptc, and it pulls in libip4tc, libip6tc and
# libxtables.
391 define Package/libiptc
392 $(call Package/iptables/Default)
395 DEPENDS:=+libip4tc +libip6tc +libxtables
396 TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
# Shared library package for the IPv4 side of libiptc.
399 define Package/libip4tc
400 $(call Package/iptables/Default)
403 TITLE:=IPv4 firewall - shared libiptc library
# Shared library package for the IPv6 side of libiptc.
407 define Package/libip6tc
408 $(call Package/iptables/Default)
411 TITLE:=IPv6 firewall - shared libiptc library
# Shared xtables library package, used by both the IPv4 and IPv6 tools.
415 define Package/libxtables
416 $(call Package/iptables/Default)
419 TITLE:=IPv4/IPv6 firewall - shared xtables library
423 -I$(PKG_BUILD_DIR)/include \
424 -I$(LINUX_DIR)/user_headers/include \
428 -I$(PKG_BUILD_DIR)/include \
429 -I$(LINUX_DIR)/user_headers/include \
430 -ffunction-sections -fdata-sections \
439 --with-kernel="$(LINUX_DIR)/user_headers" \
440 --with-xtlibdir=/usr/lib/iptables \
442 $(if $(CONFIG_IPV6),,--disable-ipv6)
445 $(TARGET_CONFIGURE_OPTS) \
446 COPT_FLAGS="$(TARGET_CFLAGS)" \
447 KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
448 KBUILD_OUTPUT="$(LINUX_DIR)" \
449 BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
# Defined only when the .config_* marker found in the build directory differs
# from the one derived from STAMP_CONFIGURED (".configured_" replaced by
# ".config_"). The step deletes object files, archives and anything matching
# *.?o, removes the old .config_* and .configured_* stamps, and touches the
# new marker so the package is reconfigured and rebuilt.
# NOTE(review): every path is built from $(PKG_BUILD_DIR). If it were empty,
# the rm -f globs would resolve at the filesystem root. Presumably package.mk
# always sets it; confirm, or guard the recipe.
451 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
452 define Build/Configure/rebuild
453 $(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
454 rm -f $(PKG_BUILD_DIR)/.config_*
455 rm -f $(PKG_BUILD_DIR)/.configured_*
456 touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
# Configure step: expand the rebuild cleanup first, then the default configure
# step. Build/Configure/rebuild sits inside a conditional, so when it is
# undefined the first line presumably expands to nothing.
460 define Build/Configure
461 $(Build/Configure/rebuild)
462 $(Build/Configure/Default)
# Install headers, shared libraries and pkg-config files into the development
# root passed as $(1), for other packages to build against.
# Some headers are copied from the build tree (PKG_BUILD_DIR) rather than the
# install tree (PKG_INSTALL_DIR); the XXX comment below gives the reason.
# libiptext*.so is likewise copied from the build tree's extensions/ directory.
# NOTE(review): the globs copy whatever matches in those directories, so the
# exported set follows the tarball contents rather than an explicit list.
465 define Build/InstallDev
466 $(INSTALL_DIR) $(1)/usr/include
467 $(INSTALL_DIR) $(1)/usr/include/iptables
468 $(INSTALL_DIR) $(1)/usr/include/net/netfilter
470 # XXX: iptables header fixup, some headers are not installed by iptables anymore
471 $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
472 $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
473 $(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
474 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
475 $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
477 $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
478 $(INSTALL_DIR) $(1)/usr/lib
479 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
480 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
481 $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
482 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
483 $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
485 # XXX: needed by firewall3
486 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
# Files shipped in the iptables package, under the package root $(1):
# xtables-multi plus iptables, iptables-restore and iptables-save in
# /usr/sbin, and an (initially empty) /usr/lib/iptables extension directory.
# NOTE(review): `iptables{,-restore,-save}` relies on shell brace expansion,
# which plain POSIX sh does not provide. Presumably the build runs recipes
# under bash; confirm.
489 define Package/iptables/install
490 $(INSTALL_DIR) $(1)/usr/sbin
491 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
492 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
493 $(INSTALL_DIR) $(1)/usr/lib/iptables
# Files shipped in the ip6tables package: ip6tables, ip6tables-restore and
# ip6tables-save in /usr/sbin. xtables-multi is not copied here; it comes from
# the iptables package this one depends on.
# NOTE(review): the brace expansion needs a shell that supports it
# (presumably bash; confirm).
496 define Package/ip6tables/install
497 $(INSTALL_DIR) $(1)/usr/sbin
498 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
# Ship the libiptc compatibility library (all libiptc.so* names) in /usr/lib.
501 define Package/libiptc/install
502 $(INSTALL_DIR) $(1)/usr/lib
503 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
# Ship libip4tc in /usr/lib, together with libiptext4.so, which is taken from
# the build tree's extensions/ directory rather than from the install tree.
506 define Package/libip4tc/install
507 $(INSTALL_DIR) $(1)/usr/lib
508 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
509 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
# Ship libip6tc in /usr/lib, together with libiptext6.so, which is taken from
# the build tree's extensions/ directory rather than from the install tree.
512 define Package/libip6tc/install
513 $(INSTALL_DIR) $(1)/usr/lib
514 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
515 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
# Ship libxtables in /usr/lib, together with libiptext.so, which is taken from
# the build tree's extensions/ directory rather than from the install tree.
518 define Package/libxtables/install
519 $(INSTALL_DIR) $(1)/usr/lib
520 $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
521 $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
# Body of the per-plugin template used by the BuildPlugin calls at the end of
# the file; the enclosing `define` line and the closing fi/done lines are not
# visible in this listing. $(1) is the package name and $(2) the list of
# extension module names for that package.
# For each name in $(2) the loop tries the xt_/ipt_/ip6t_ prefix variants and
# copies lib<name>.so into the package only when that file exists in the
# install tree, so a module that was not built is skipped silently.
# `$$(1)` and the run of eight `$` are escaping for the successive call/eval
# expansions, so that the package root and the shell's own ${m} are resolved
# later rather than now. The exact number of levels depends on BuildPackage,
# which is not shown here.
525 define Package/$(1)/install
526 $(INSTALL_DIR) $$(1)/usr/lib/iptables
527 for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
528 if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
529 $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
535 $$(eval $$(call BuildPackage,$(1)))
# Instantiate the packages. BuildPackage is used for the base tools and the
# libraries; BuildPlugin is used for each extension package and is passed the
# IPT_*-m variable holding that package's module list. Those variables are not
# defined in this file; presumably they come from netfilter.mk and the kernel
# configuration (confirm).
# Each extension is a separate package, so an image can carry only the
# matches and targets its firewall rules actually use.
# NOTE(review): `ip6tables-extra` is the name registered here, while the
# description earlier in the file is defined for `ip6tables-mod-extra`.
538 $(eval $(call BuildPackage,iptables))
539 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
540 $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
541 $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
542 $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
543 $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
544 $(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
545 $(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
546 $(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
547 $(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
548 $(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
549 $(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
550 $(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
551 $(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
552 $(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
553 $(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
554 $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
555 $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
556 $(eval $(call BuildPackage,ip6tables))
557 $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
558 $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
559 $(eval $(call BuildPackage,libiptc))
560 $(eval $(call BuildPackage,libip4tc))
561 $(eval $(call BuildPackage,libip6tc))
562 $(eval $(call BuildPackage,libxtables))