OpenWrt/redmi-ax3000
1
0
Fork 0
mirror of https://github.com/hzyitc/openwrt-redmi-ax3000 synced 2025-10-30 07:50:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

iptables: update to 1.8.10

Browse Source 
Source archive format changed to tar.xz

Removed upstreamed
  020-treewide-use-uint-instead-of-u_int.patch
  030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
  040-xshared-Fix-build-for-Werror-format-security.patch
  050-build-fix-error-during-out-of-tree-build.patch
  060-libxtables-unexport-init_extensions-declarations.patch
  070-extensions-string-Review-parse_string-function.patch
  104-nft-track-each-register-individually.patch

Manually rebased
  600-shared-libext.patch

Change netfiletr.mk due to module name change
  https://git.netfilter.org/iptables/commit/?id=f30c5edce0413b2b2346c7f58e801f10f6e9bc5a

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16641
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Ivan Pavlov
2024-10-08 23:41:27 +03:00
committed by Hauke Mehrtens
parent 8f1332d275
commit e1d6013935
16 changed files with 53 additions and 1486 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/netfilter.mk
View File

@ -183,7 +183,7 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT6,CONFIG_IP6_NF_NAT, $(P_V6)ip6table
$(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT6,CONFIG_IP6_NF_TARGET_NPT, $(P_V6)ip6t_NPT),))
# userland only
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_SNAT ipt_DNAT)))
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_NAT)))
$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT6,CONFIG_IP6_NF_TARGET_NPT, ip6t_DNPT ip6t_SNPT)))
$(eval $(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_TARGET_MASQUERADE, $(P_XT)xt_MASQUERADE))

8
package/network/utils/iptables/Makefile
View File

@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
PKG_VERSION:=1.8.8
PKG_RELEASE:=3
PKG_VERSION:=1.8.10
PKG_RELEASE:=1
PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_HASH:=71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_HASH:=5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared

4
package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch
View File

@ -334,7 +334,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
static int connmark_tg_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct x
@@ -644,6 +881,66 @@ static int connmark_tg_xlate_v2(struct x
return 1;
}
@ -401,7 +401,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
static struct xtables_target connmark_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg
@@ -692,6 +989,22 @@ static struct xtables_target connmark_tg
.x6_options = connmark_tg_opts_v2,
.xlate = connmark_tg_xlate_v2,
},

144
package/network/utils/iptables/patches/020-treewide-use-uint-instead-of-u_int.patch
View File

@ -1,144 +0,0 @@
From f319389525b066b7dc6d389c88f16a0df3b8f189 Mon Sep 17 00:00:00 2001
From: Nick Hainke <vincent@systemli.org>
Date: Mon, 16 May 2022 18:16:41 +0200
Subject: treewide: use uint* instead of u_int*
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_conntrack.c | 2 +-
include/libipq/libipq.h | 8 ++++----
include/libiptc/libxtc.h | 2 +-
include/linux/netfilter_arp/arpt_mangle.h | 2 +-
iptables/xshared.c | 2 +-
iptables/xshared.h | 2 +-
libipq/ipq_create_handle.3 | 2 +-
libipq/ipq_set_mode.3 | 2 +-
8 files changed, 11 insertions(+), 11 deletions(-)
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const st
static void
conntrack_dump_ports(const char *prefix, const char *opt,
- u_int16_t port_low, u_int16_t port_high)
+ uint16_t port_low, uint16_t port_high)
{
if (port_high == 0 || port_low == port_high)
printf(" %s%s %u", prefix, opt, port_low);
--- a/include/libipq/libipq.h
+++ b/include/libipq/libipq.h
@@ -24,7 +24,7 @@
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
-#include <sys/types.h>
+#include <stdint.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <asm/types.h>
@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
struct ipq_handle
{
int fd;
- u_int8_t blocking;
+ uint8_t blocking;
struct sockaddr_nl local;
struct sockaddr_nl peer;
};
-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
+struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
int ipq_destroy_handle(struct ipq_handle *h);
ssize_t ipq_read(const struct ipq_handle *h,
unsigned char *buf, size_t len, int timeout);
-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
+int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
--- a/include/libiptc/libxtc.h
+++ b/include/libiptc/libxtc.h
@@ -10,7 +10,7 @@ extern "C" {
#endif
#ifndef XT_MIN_ALIGN
-/* xt_entry has pointers and u_int64_t's in it, so if you align to
+/* xt_entry has pointers and uint64_t's in it, so if you align to
it, you'll also align to any crazy matches and targets someone
might write */
#define XT_MIN_ALIGN (__alignof__(struct xt_entry))
--- a/include/linux/netfilter_arp/arpt_mangle.h
+++ b/include/linux/netfilter_arp/arpt_mangle.h
@@ -13,7 +13,7 @@ struct arpt_mangle
union {
struct in_addr tgt_ip;
} u_t;
- u_int8_t flags;
+ __u8 flags;
int target;
};
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUM
};
void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
bool invert)
{
if (*options & option)
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,7 @@ struct xtables_target;
#define IPT_INV_ARPHRD 0x0800
void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
bool invert);
/**
--- a/libipq/ipq_create_handle.3
+++ b/libipq/ipq_create_handle.3
@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(
.br
.B #include <libipq.h>
.sp
-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
+.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
.br
.BI "int ipq_destroy_handle(struct ipq_handle *" h );
.SH DESCRIPTION
--- a/libipq/ipq_set_mode.3
+++ b/libipq/ipq_set_mode.3
@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queui
.br
.B #include <libipq.h>
.sp
-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
+.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
.SH DESCRIPTION
The
.B ipq_set_mode

60
package/network/utils/iptables/patches/030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
View File

@ -1,60 +0,0 @@
From 0e7cf0ad306cdf95dc3c28d15a254532206a888e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 18 May 2022 16:04:09 +0200
Subject: Revert "fix build for missing ETH_ALEN definition"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
compiling against musl libc. Might be a bug in the latter, but for the
time being try to please both by avoiding the include and instead
defining ETH_ALEN if unset.
While being at it, move netinet/ether.h include up.
Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
---
libxtables/xtables.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -28,6 +28,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <netinet/ether.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/statfs.h>
@@ -45,7 +46,6 @@
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
-#include <linux/if_ether.h> /* ETH_ALEN */
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <libiptc/libxtc.h>
@@ -72,6 +72,10 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
+#ifndef ETH_ALEN
+#define ETH_ALEN 6
+#endif
+
/* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the
* current line of the input file, in order to give a more precise error
* message. ip6?tables itself doesn't need this, so it is initialized to the
@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number,
printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
}
-#include <netinet/ether.h>
-
static const unsigned char mac_type_unicast[ETH_ALEN] = {};
static const unsigned char msk_type_unicast[ETH_ALEN] = {1};
static const unsigned char mac_type_multicast[ETH_ALEN] = {1};

23
package/network/utils/iptables/patches/040-xshared-Fix-build-for-Werror-format-security.patch
View File

@ -1,23 +0,0 @@
From b72eb12ea5a61df0655ad99d5048994e916be83a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 May 2022 16:51:58 +0200
Subject: [PATCH] xshared: Fix build for -Werror=format-security
Gcc complains about the omitted format string.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xshared.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct
return;
if (args->family != NFPROTO_ARP)
- xtables_error(PARAMETER_PROBLEM, msg);
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
fprintf(stderr, "%s", msg);
}

28
package/network/utils/iptables/patches/050-build-fix-error-during-out-of-tree-build.patch
View File

@ -1,28 +0,0 @@
From 0ebf52fc951b2a4d98a166afb34af4f364bbeece Mon Sep 17 00:00:00 2001
From: Ben Brown <ben@demerara.io>
Date: Wed, 25 May 2022 16:26:13 +0100
Subject: build: Fix error during out of tree build
Fixes the following error:
../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
52 | #include <libiptc/linux_list.h>
Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
Signed-off-by: Ben Brown <ben@demerara.io>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
libxtables/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libxtables/Makefile.am
+++ b/libxtables/Makefile.am
@@ -1,7 +1,7 @@
# -*- Makefile -*-
AM_CFLAGS = ${regular_CFLAGS}
-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
lib_LTLIBRARIES = libxtables.la
libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c

82
package/network/utils/iptables/patches/060-libxtables-unexport-init_extensions-declarations.patch
View File

@ -1,82 +0,0 @@
From ef108943f69a6e20533d58823740d3f0534ea8ec Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 1 Jun 2022 19:15:06 +0200
Subject: libxtables: Unexport init_extensions*() declarations
The functions are used for static builds to initialize extensions after
libxtables init. Regular library users should not need them, but the
empty declarations introduced in #else case (and therefore present in
user's env) may clash with existing symbol names.
Avoid problems and guard the whole block declaring the function
prototypes and mangling extensions' _init functions by XTABLES_INTERNAL.
Reported-by: Nick Hainke <vincent@systemli.org>
Fixes: 6c689b639cf8e ("Simplify static build extension loading")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/xtables.h | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -585,27 +585,6 @@ static inline void xtables_print_mark_ma
xtables_print_val_mask(mark, mask, NULL);
}
-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-# ifdef _INIT
-# undef _init
-# define _init _INIT
-# endif
- extern void init_extensions(void);
- extern void init_extensions4(void);
- extern void init_extensions6(void);
- extern void init_extensionsa(void);
- extern void init_extensionsb(void);
-#else
-# define _init __attribute__((constructor)) _INIT
-# define EMPTY_FUNC_DEF(x) static inline void x(void) {}
- EMPTY_FUNC_DEF(init_extensions)
- EMPTY_FUNC_DEF(init_extensions4)
- EMPTY_FUNC_DEF(init_extensions6)
- EMPTY_FUNC_DEF(init_extensionsa)
- EMPTY_FUNC_DEF(init_extensionsb)
-# undef EMPTY_FUNC_DEF
-#endif
-
extern const struct xtables_pprot xtables_chain_protos[];
extern uint16_t xtables_parse_protocol(const char *s);
@@ -663,9 +642,30 @@ void xtables_announce_chain(const char *
# define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
# endif
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+# ifdef _INIT
+# undef _init
+# define _init _INIT
+# endif
+ extern void init_extensions(void);
+ extern void init_extensions4(void);
+ extern void init_extensions6(void);
+ extern void init_extensionsa(void);
+ extern void init_extensionsb(void);
+#else
+# define _init __attribute__((constructor)) _INIT
+# define EMPTY_FUNC_DEF(x) static inline void x(void) {}
+ EMPTY_FUNC_DEF(init_extensions)
+ EMPTY_FUNC_DEF(init_extensions4)
+ EMPTY_FUNC_DEF(init_extensions6)
+ EMPTY_FUNC_DEF(init_extensionsa)
+ EMPTY_FUNC_DEF(init_extensionsb)
+# undef EMPTY_FUNC_DEF
+#endif
+
extern void _init(void);
-#endif
+#endif /* XTABLES_INTERNAL */
#ifdef __cplusplus
} /* extern "C" */

40
package/network/utils/iptables/patches/070-extensions-string-Review-parse_string-function.patch
View File

@ -1,40 +0,0 @@
From da5b32fb4656ab69fe1156eb7e36c7c961839e8a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 8 Jun 2022 13:45:13 +0200
Subject: [PATCH] extensions: string: Review parse_string() function
* Compare against sizeof(info->pattern) which is more clear than having
to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE
* Invert the check and error early to reduce indenting
* Pass info->patlen to memcpy() to avoid reading past end of 's'
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_string.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -78,14 +78,13 @@ static void string_init(struct xt_entry_
static void
parse_string(const char *s, struct xt_string_info *info)
-{
+{
/* xt_string does not need \0 at the end of the pattern */
- if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
- return;
- }
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+ if (strlen(s) > sizeof(info->pattern))
+ xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+
+ info->patlen = strnlen(s, sizeof(info->pattern));
+ memcpy(info->pattern, s, info->patlen);
}
static void

4
package/network/utils/iptables/patches/101-remove-check-already.patch
View File

@ -1,6 +1,6 @@
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1093,12 +1093,6 @@ void xtables_register_match(struct xtabl
@@ -1095,12 +1095,6 @@ void xtables_register_match(struct xtabl
struct xtables_match **pos;
bool seen_myself = false;
@ -13,7 +13,7 @@
if (me->version == NULL) {
fprintf(stderr, "%s: match %s<%u> is missing a version\n",
xt_params->program_name, me->name, me->revision);
@@ -1277,12 +1271,6 @@ void xtables_register_target(struct xtab
@@ -1279,12 +1273,6 @@ void xtables_register_target(struct xtab
struct xtables_target **pos;
bool seen_myself = false;

6
package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
View File

@ -1,6 +1,6 @@
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -476,7 +476,7 @@ char *xtables_strdup(const char *s)
@@ -475,7 +475,7 @@ char *xtables_strdup(const char *s)
return dup;
}
@ -9,7 +9,7 @@
{
int procfile;
char *ret;
@@ -511,6 +511,7 @@ static char *get_modprobe(void)
@@ -505,6 +505,7 @@ static char *get_modprobe(void)
int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
{
@ -17,7 +17,7 @@
char *buf = NULL;
char *argv[4];
int status;
@@ -545,6 +546,7 @@ int xtables_insmod(const char *modname,
@@ -539,6 +540,7 @@ int xtables_insmod(const char *modname,
free(buf);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
return 0;

2
package/network/utils/iptables/patches/103-optional-xml.patch
View File

@ -1,6 +1,6 @@
--- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c
@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
@@ -28,8 +28,10 @@ static const struct subcommand multi_sub
#endif

1054
package/network/utils/iptables/patches/104-nft-track-each-register-individually.patch
View File

File diff suppressed because it is too large Load Diff

6
package/network/utils/iptables/patches/200-configurable_builtin.patch
View File

@ -60,7 +60,7 @@
.SECONDARY:
@@ -163,11 +183,11 @@ libext4.a: initext4.o ${libext4_objs}
@@ -170,11 +190,11 @@ libext4.a: initext4.o ${libext4_objs}
libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
@ -75,5 +75,5 @@
+initext4_func := $(addprefix ipt_,${pf4_build_static})
+initext6_func := $(addprefix ip6t_,${pf6_build_static})
.initext.dd: FORCE
@echo "${initext_func}" >$@.tmp; \
initexts := ext exta extb ext4 ext6
initext_depfiles = $(patsubst %,.init%.dd,${initexts})

66
package/network/utils/iptables/patches/600-shared-libext.patch
View File

@ -9,7 +9,7 @@
targets_install :=
libext_objs := ${pfx_objs}
libext_ebt_objs := ${pfb_objs}
@@ -132,7 +132,7 @@ clean:
@@ -133,7 +133,7 @@ clean:
distclean: clean
init%.o: init%.c
@ -18,7 +18,7 @@
-include .*.d
@@ -166,22 +166,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
@@ -173,22 +173,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
# handling code in the Makefiles.
#
lib%.o: ${srcdir}/lib%.c
@ -54,49 +54,47 @@
initextb_func := $(addprefix ebt_,${pfb_build_static})
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -7,19 +7,22 @@ BUILT_SOURCES =
@@ -7,7 +7,7 @@ AM_LDFLAGS = ${regular_LDFLAGS}
BUILT_SOURCES =
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
-xtables_legacy_multi_LDADD = ../extensions/libext.a
+xtables_legacy_multi_LDADD =
+xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext
common_sources = iptables-xml.c xtables-multi.h xshared.c xshared.h
-common_ldadd = ../extensions/libext.a ../libxtables/libxtables.la -lm
+common_ldadd = ../libxtables/libxtables.la -lm
common_cflags = ${AM_CFLAGS}
if ENABLE_STATIC
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
endif
common_cflags += -DALL_INCLUSIVE
@@ -17,15 +17,18 @@ xtables_legacy_multi_SOURCES = ${common
iptables-restore.c iptables-save.c
xtables_legacy_multi_CFLAGS = ${common_cflags}
xtables_legacy_multi_LDADD = ${common_ldadd}
+xtables_legacy_multi_LDFLAGS = -L../extensions/ -liptext
if ENABLE_IPV4
xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c iptables-multi.h
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
+xtables_legacy_multi_LDFLAGS += -liptext4
endif
if ENABLE_IPV6
xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c ip6tables-multi.h
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
+xtables_legacy_multi_LDFLAGS += -liptext6
endif
xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD += ../libxt
if ENABLE_NFTABLES
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
-xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
+xtables_nft_multi_LDADD =
+xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt
if ENABLE_STATIC
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif
@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
xtables-translate.c
-xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
+xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
+xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
xtables_nft_multi_SOURCES += xshared.c
xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm
endif
# iptables using nf_tables api
@@ -33,12 +36,9 @@ if ENABLE_NFTABLES
xtables_nft_multi_SOURCES = ${common_sources} xtables-nft-multi.c
xtables_nft_multi_CFLAGS = ${common_cflags}
xtables_nft_multi_LDADD = ${common_ldadd} \
- ../extensions/libext_arpt.a \
- ../extensions/libext_ebt.a \
- ../extensions/libext4.a \
- ../extensions/libext6.a \
${libmnl_LIBS} ${libnftnl_LIBS} \
${libnetfilter_conntrack_LIBS}
+xtables_nft_multi_LDFLAGS = -L../extensions/ -liptext -liptext_arpt -liptext_ebt -liptext4 -liptext6
xtables_nft_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6
xtables_nft_multi_SOURCES += nft.c nft.h \
nft-arp.c nft-ipv4.c nft-ipv6.c \

10
package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
View File

@ -1,6 +1,6 @@
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1399,6 +1399,7 @@ static int conntrack3_mt6_xlate(struct x
@@ -1385,6 +1385,7 @@ static int conntrack3_mt6_xlate(struct x
}
static struct xtables_match conntrack_mt_reg[] = {
@ -8,7 +8,7 @@
{
.version = XTABLES_VERSION,
.name = "conntrack",
@@ -1474,6 +1475,7 @@ static struct xtables_match conntrack_mt
@@ -1460,6 +1461,7 @@ static struct xtables_match conntrack_mt
.alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
@ -16,7 +16,7 @@
{
.version = XTABLES_VERSION,
.name = "conntrack",
@@ -1506,6 +1508,7 @@ static struct xtables_match conntrack_mt
@@ -1492,6 +1494,7 @@ static struct xtables_match conntrack_mt
.x6_options = conntrack3_mt_opts,
.xlate = conntrack3_mt6_xlate,
},
@ -24,7 +24,7 @@
{
.family = NFPROTO_UNSPEC,
.name = "state",
@@ -1536,6 +1539,8 @@ static struct xtables_match conntrack_mt
@@ -1522,6 +1525,8 @@ static struct xtables_match conntrack_mt
.x6_parse = state_ct23_parse,
.x6_options = state_opts,
},
@ -33,7 +33,7 @@
{
.family = NFPROTO_UNSPEC,
.name = "state",
@@ -1565,6 +1570,7 @@ static struct xtables_match conntrack_mt
@@ -1551,6 +1556,7 @@ static struct xtables_match conntrack_mt
.x6_parse = state_parse,
.x6_options = state_opts,
},