iptables: default to ip(6)tables-nft

OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.

When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.

We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 35fec487e3)
This commit is contained in:
Etienne Champetier 2022-06-26 04:54:45 +00:00 committed by Hauke Mehrtens
parent e4caacc887
commit fb3b927643

View File

@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables PKG_NAME:=iptables
PKG_VERSION:=1.8.7 PKG_VERSION:=1.8.7
PKG_RELEASE:=6 PKG_RELEASE:=7
PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
@ -50,18 +50,18 @@ $(call Package/iptables/Default)
DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables
endef endef
define Package/iptables-legacy define Package/iptables-zz-legacy
$(call Package/iptables/Default) $(call Package/iptables/Default)
TITLE:=IP firewall administration tool TITLE:=IP firewall administration tool
DEPENDS+= +xtables-legacy DEPENDS+= +xtables-legacy
PROVIDES:=iptables PROVIDES:=iptables iptables-legacy
ALTERNATIVES:=\ ALTERNATIVES:=\
200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \ 200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \ 200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi 200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi
endef endef
define Package/iptables-legacy/description define Package/iptables-zz-legacy/description
IP firewall administration tool. IP firewall administration tool.
Matches: Matches:
@ -104,7 +104,7 @@ endef
define Package/xtables-nft define Package/xtables-nft
$(call Package/iptables/Default) $(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft TITLE:=IP firewall administration tool nft
DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat DEPENDS:=+libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
endef endef
define Package/arptables-nft define Package/arptables-nft
@ -483,12 +483,12 @@ define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target iptables extension for the CHECKSUM calculation target
endef endef
define Package/ip6tables-legacy define Package/ip6tables-zz-legacy
$(call Package/iptables/Default) $(call Package/iptables/Default)
DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy
CATEGORY:=Network CATEGORY:=Network
TITLE:=IPv6 firewall administration tool TITLE:=IPv6 firewall administration tool
PROVIDES:=ip6tables PROVIDES:=ip6tables ip6tables-legacy
ALTERNATIVES:=\ ALTERNATIVES:=\
200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \ 200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \ 200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \
@ -575,7 +575,7 @@ define Package/libiptext-nft
CATEGORY:=Libraries CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared libiptext nft library TITLE:=IPv4/IPv6 firewall - shared libiptext nft library
ABI_VERSION:=0 ABI_VERSION:=0
DEPENDS:=@IPTABLES_NFTABLES +libxtables DEPENDS:=+libxtables
endef endef
define Package/libxtables define Package/libxtables
@ -594,12 +594,6 @@ define Package/libxtables/config
default n default n
help help
This enable connlabel support in iptables. This enable connlabel support in iptables.
config IPTABLES_NFTABLES
bool "Enable Nftables support"
default y
help
This enable nftables support in iptables.
endef endef
TARGET_CPPFLAGS := \ TARGET_CPPFLAGS := \
@ -624,7 +618,6 @@ CONFIGURE_ARGS += \
--with-xtlibdir=/usr/lib/iptables \ --with-xtlibdir=/usr/lib/iptables \
--with-xt-lock-name=/var/run/xtables.lock \ --with-xt-lock-name=/var/run/xtables.lock \
$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \ $(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
$(if $(CONFIG_IPV6),,--disable-ipv6) $(if $(CONFIG_IPV6),,--disable-ipv6)
MAKE_FLAGS := \ MAKE_FLAGS := \
@ -677,7 +670,7 @@ define Package/xtables-legacy/install
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
endef endef
define Package/iptables-legacy/install define Package/iptables-zz-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables $(INSTALL_DIR) $(1)/usr/lib/iptables
@ -708,7 +701,7 @@ define Package/iptables-nft/install
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
endef endef
define Package/ip6tables-legacy/install define Package/ip6tables-zz-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/
endef endef
@ -771,7 +764,7 @@ $(eval $(call BuildPackage,libiptext))
$(eval $(call BuildPackage,libiptext6)) $(eval $(call BuildPackage,libiptext6))
$(eval $(call BuildPackage,libiptext-nft)) $(eval $(call BuildPackage,libiptext-nft))
$(eval $(call BuildPackage,xtables-legacy)) $(eval $(call BuildPackage,xtables-legacy))
$(eval $(call BuildPackage,iptables-legacy)) $(eval $(call BuildPackage,iptables-zz-legacy))
$(eval $(call BuildPackage,xtables-nft)) $(eval $(call BuildPackage,xtables-nft))
$(eval $(call BuildPackage,arptables-nft)) $(eval $(call BuildPackage,arptables-nft))
$(eval $(call BuildPackage,ebtables-nft)) $(eval $(call BuildPackage,ebtables-nft))
@ -799,7 +792,7 @@ $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m))) $(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m))) $(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m))) $(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables-legacy)) $(eval $(call BuildPackage,ip6tables-zz-legacy))
$(eval $(call BuildPackage,ip6tables-nft)) $(eval $(call BuildPackage,ip6tables-nft))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m))) $(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m))) $(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))