Commit Graph

52 Commits

Author SHA1 Message Date
Alin Nastac
7408cdaa31 netfilter: add bpf match support
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.

Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
(backported from ab07ae2f27)
2018-12-18 09:44:01 +01:00
John Crispin
f27e0b6bc4 iptables: set nonshared flag
this makes sure that offloading support is properly included for v4.14 targets.

Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit ebe1216c7c)
2018-06-22 11:47:17 +02:00
Matthias Schiffer
177fa14340
iptables: split physdev match out as a separate package
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-09 19:41:48 +02:00
Ansuel Smith
2805402f86 iptables: update to 1.6.2
459b6932 policy: add nft translation for simple policy none/strict use case
255e55b7 tests: xlate-test: no need to require superuser privileges
6990bbc5 extensions: hashlimit: remove space before burst in translation to nft
13ecaeb0 extensions: hashlimit: Rename 'flow table' keyword to meter
c252a2b0 extensions: Add test for cluster nft translation
bda1daa4 extensions: ip6t_{S,D}NAT: add more tests
88fa4543 extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
64a0e098 extensions: libxt_cluster: Add translation to nft
6067208f extensions: add support for 'srh' match
0f387b07 extensions: hashlimit: fix incorrect burst in translations
1ffe6a74 extensions: libxt_hashlimit: Do not print default timeout and burst
27de281d extensions: Add macro _DEFAULT_SOURCE.
75364151 iptables: Remove const qualifier from struct option.
8b0da213 iptables: masquerade: add randomize-full support
e64db006 iptables: patch to correct linker flag sequence
033eac81 extensions: libxt_tcpmss: Add test case for invalid ranges.
505bfa11 iptables: xtables-eb: Remove const qualifier from struct option
a6d6821a iptables: extensions: Fix MARK target help
71de414c libxt_sctp: fix array out of range in print_chunk
1a32381a extensions: add tests for ipcomp protocol
4bd51770 tests: xlate: print output in same way as nft-test.py
d0e3d95f libxt_recent: Remove ineffective checks for info->name
23e6ed71 libxt_TOS: add tests for translation infrastructure
9564595e Update .gitignore
bebce197 iptables: iptables-compat translation for TCPMSS
dbbab0aa extensions: libxt_tcpmss: Detect invalid ranges
0e958281 iptables-translate: add test file for TCPMSS extension
de3c68b6 iptables-compat: do not allow to delete populated user define chains
f4b80ce7 iptables: change large file support handling
f5b46c2f iptables: Constify option struct
21ba5b38 ip{,6}tables-restore: Don't accept wait-interval without wait
60e0ffd3 ip{,6}tables-restore: Don't ignore missing wait-interval value
af468b6e utils: Add a man page for nfnl_osf
1773dcaa utils: nfnl_osf: Fix synopsis in help text
895ce096 extensions: libxt_bpf: fix missing __NR_bpf declaration
3c633296 xtables-compat-restore: fix translation of mangle's OUTPUT
1c32e560 netfilter: xt_hashlimit: add rate match mode
b5331f88 xtables-compat: fix memory leak when listing
91ae12e3 xtables-compat-restore: fix several memory leaks
79e1edd1 iptables-xml: Fix segfault on jump without a target
c49a93f1 xtables-translate: fix double space before comment
79fa7cc2 libip6t_icmp6: xlate: remove leftover space
8e62f572 tests: xlate: generalize owner
8d994bcf iptables: Add file output option to iptables-save
f8e5ebc5 iptables: Fix crash on malformed iptables-restore
80d8bfaa iptables: insist that the lock is held.
c29d99c8 libxtables: Display weird character warning for wildcards
1fe96cfb tests: xlate: check if it is being run as root
3f92b259 tests: xlate: remove python 3.5 dependency
d89dc47a iptables-restore/save: exit when given an unknown option
65801d02 iptables-restore.8: document -w/-W options
9cd3adbe iptables-restore/ip6tables-restore: add --version/-V argument
1ec1fb7a extensions: libxt_hashlimit: fix 64-bit printf formats
27f69f4a iptables: extensions: Remove typedef in struct.
340105fa tests: add regression tests for xtables-translate
b669e184 extensions: libxt_TOS: Add translation to nft
b2a84476 iptables: Remove unnecessary braces.
2963a8df iptables: Remove explicit static variables initalization.
1cf4ba6f iptables: Constify option struct
999eaa24 iptables-restore: support acquiring the lock.
6e2e169e iptables: remove duplicated argument parsing code
836846f0 iptables: move XT_LOCK_NAME from CFLAGS to config.h.
b91af533 iptables: set the path of the lock file via a configure option.
0e94eb2e iptables-translate: print nft iff there are more expanded rules to print
48ad179b libxtables: abolish AI_CANONNAME
9f50bbdf libxtables: remove unnecessary nesting from host_to_ip(6)addr
c6df55d6 iptables-translate: print nft command for each expand rules via dns names
82dacbb8 xtables-translate: Avoid querying the kernel
9f972f45 extensions: libxt_addrtype: Add translation to nft
2c8e251e utils: nfsynproxy: fix build with musl libc
9b8cb756 libiptc: don't set_changed() when checking rules with module jumps
eb66632d extensions: libxt_hashlimit: Add translation to nft
72bb3dbf xshared: using the blocking file lock request when we wait indefinitely
24f81746 xshared: do not lock again and again if "-w" option is not specified
fc3c3b4e libxt_hashlimit: add new unit test to catch kernel bug
516d9191 iptables: update pf.os

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-02-23 19:15:54 +01:00
Kristian Evensen
2d27ebbb93 iptables: Support building connlabel module
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
2018-02-13 10:01:52 +01:00
Yousong Zhou
e6de92cdcc iptables: make kmod-ipt-debug part of default ALL build
The iptables TRACE target is only available in raw table that's why the
dependency was moved from iptables-mod-trace into kmod-ipt-debug

Fixes FS#1219

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-26 15:29:02 +08:00
Alexander Couzens
c61a239514
add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-17 02:24:35 +01:00
Denis Osvald
ee791fa4ab netfilter, iptables: add optional CHECKSUM module
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
2017-11-06 16:39:41 +01:00
Martin Wetterwald
378e1a4858 iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
                  and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
2017-10-27 02:31:33 +02:00
Alin Nastac
d8748e537f netfilter: add iptables-mod-rpfilter package
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2017-07-11 22:09:57 +02:00
Ansuel Smith
e80a041348 iptables: fix wrong depends for nftables support (FS#707)
The dep for the nftables support was wrong, if someone actually enable
that option gain a compilation error. This fix this problem.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-04-22 21:33:46 +02:00
Felix Fietkau
5e2d15b4a6 iptables: set ABI_VERSION to force rebuild of dependent packages
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-12 10:51:36 +02:00
Ansuel Smith
98e43b13a7 iptables: bump to 1.6.1
Switch to git repo
Removed musl patch
Refreshed existing patch

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
2017-04-12 10:51:29 +02:00
Felix Fietkau
84bd74057f build: use mkhash to replace various quirky md5sum/openssl calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-05 11:09:12 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Felix Fietkau
3f1c0c8ef7 iptables: using external kernel tree should not alter patch behaviour.
iptables is the only exception in the package tree, causing patch
behaviour to be inconsistent on this package.

Signed-off-by: Rick van der Zwet <rick.vanderzwet@anywi.com>

SVN-Revision: 48643
2016-02-07 13:29:27 +00:00
Jo-Philipp Wich
eda1ea9eaa iptables: improve iptables listing output of xt_id match
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48478
2016-01-24 18:01:40 +00:00
Felix Fietkau
3c8827fa7f iptables: fix rebuild errors on configuration changes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48314
2016-01-18 13:21:32 +00:00
Jo-Philipp Wich
1c00b6bc7f iptables: reduce binary size
* drop unused lenient restore patch
 * instead of statically linking core extensions, build shared libraries
   for reuse in fw3
 * strip outdated match revisions and aliases to trim down library size

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45758
2015-05-26 09:16:50 +00:00
Felix Fietkau
6057a09ae6 iptables: remove layer7 leftovers (#19506)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45481
2015-04-17 18:52:24 +00:00
Felix Fietkau
4e4060138a iptables: remove layer7 support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45424
2015-04-13 22:23:19 +00:00
John Crispin
7872f4e1dc iptables: revert r40916
it causes problems with newer iptables when ipv6 is disabled as iptc uncoditionally links ip6tc

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45350
2015-04-10 08:31:06 +00:00
Felix Fietkau
9a2cf10c33 netfilter: Enable compiling iptables match cluster
This patch adds the userspace and kernelspace for

- match NETFILTER_XT_MATCH_CLUSTER
  This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
  This module allows you to configure a simple cluster of nodes
  that share a certain IP and MAC address
  without an explicit load balancer in front of them.
  Connections are statically distributed between the nodes in this cluster.

This is used i.e. by strongswan-ha.

Signed-off-by: Christian Scheele <cs@embedd.com>

SVN-Revision: 43174
2014-11-03 22:01:45 +00:00
John Crispin
74a3a77bcd license info - revert r43155
turns out that r43155 adds duplicate info.

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 43167
2014-11-03 09:56:44 +00:00
John Crispin
c10d97484a Add more license tags with SPDX identifiers
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.

I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.

However, I can not garantee that I always picked the correct information
and/or did not miss license information.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

SVN-Revision: 43155
2014-11-03 08:01:08 +00:00
Steven Barth
bec9d38fa4 Add a few SPDX tags
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43151
2014-11-02 12:20:54 +00:00
Steven Barth
ddbd2cf781 iptables: add kmod-ipt-nf* to dependency list of iptables-mod-nf*.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 42034
2014-08-07 12:32:33 +00:00
Steven Barth
9f2a17103f iptables: NFLOG and NFQUEUE targets' full support
NFLOG and NFQUEUE targets' full support for iptables.

Includes all needed kernel modules (Xtables's and Netlink's)
 and userspace libraries.
All added kernel modules can be individually disabled,
 all other new libraries get their own individual packages.

Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>

SVN-Revision: 42022
2014-08-07 04:42:22 +00:00
Jo-Philipp Wich
1c891e0d45 iptables: pass --disable-ipv6 is CONFIG_IPV6 is unset
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 41458
2014-07-02 11:39:24 +00:00
Felix Fietkau
4b241e9827 netfilter: split off header matching modules not used by the default config (reduces rootfs size and memory usage)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40983
2014-06-02 18:13:38 +00:00
John Crispin
af4769e298 iptables: Makefile: only build ip6tc, if IPv6 is enabled
when disabling ipv6, the iptables build breaks without a manul clean or this patch

Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>

SVN-Revision: 40916
2014-06-02 12:43:25 +00:00
Steven Barth
97ea9e3c2a iptables/netfilter: add connlimit to conntrack-extra
SVN-Revision: 39878
2014-03-11 14:58:00 +00:00
Steven Barth
09fd40c28f iptables: bump to 1.4.21
SVN-Revision: 39877
2014-03-11 14:57:55 +00:00
Steven Barth
0a85c59040 netfilter: Add IPv6-NAT support for kernel and ipt Thanks to Berni, Adam Novak and Sedat Dilek for patches and inspiration
SVN-Revision: 37866
2013-09-01 17:59:48 +00:00
Steven Barth
3e647ac9b6 iptables: Update to 1.4.20
SVN-Revision: 37865
2013-09-01 13:46:10 +00:00
Steven Barth
0444e32acd Bump iptables version
SVN-Revision: 37329
2013-07-15 06:12:07 +00:00
Jo-Philipp Wich
e94cf1c72b iptables: install libext*.a into staging dir
SVN-Revision: 36867
2013-06-06 14:02:24 +00:00
Steven Barth
56a3396bf2 iptables: bump to 1.4.19.1
SVN-Revision: 36760
2013-05-29 14:58:04 +00:00
Jo-Philipp Wich
8df6cd005c netfilter: move time, mark, set matches and MARK, REDIRECT, SET targets into base iptables package - drop iptables-mod-ipset
SVN-Revision: 36683
2013-05-21 12:58:15 +00:00
Jo-Philipp Wich
a9a9644efd iptables: use -ffunction-sections, -fdata-sections and --gc-sections
SVN-Revision: 36680
2013-05-21 10:15:10 +00:00
Felix Fietkau
d481486aad package: fold the IPv6 menu into Network
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 36634
2013-05-14 15:02:31 +00:00
Jo-Philipp Wich
a0b655b8f2 Fix install of iptables pkg-config files.
libiptc.pc depends on libip[4|6]tc.pc, thus all of those need to be
installed.
Should fix collectd build and thus #13146; which should make collectd
appear in snapshots again.

Signed-off-by: Danny Baumann <dannybaumann@web.de>

SVN-Revision: 36509
2013-05-02 08:10:55 +00:00
Steven Barth
5a9c2c77b4 iptables: don't use --enable-ipv6 if IPv6 is disabled
SVN-Revision: 36125
2013-03-25 11:22:12 +00:00
Steven Barth
62ea398cd8 iptables: Add missing IPv6 builtin modules
SVN-Revision: 35898
2013-03-07 08:48:41 +00:00
Steven Barth
9779b0b88c iptables: redo update to 1.4.18 with old linking-behaviour
SVN-Revision: 35896
2013-03-06 17:05:34 +00:00
Steven Barth
bacd71648b Revert "iptables: update to 1.4.18" due to toolchain-issue: binaries cause segfaults when stripped on ar71xx
SVN-Revision: 35894
2013-03-06 12:55:48 +00:00
Steven Barth
d023a08753 iptables: update to 1.4.18
SVN-Revision: 35892
2013-03-05 20:51:57 +00:00
Jo-Philipp Wich
eeaf2c0b5a iptables: fix bad PKG_RELEASE in previous commit
SVN-Revision: 35569
2013-02-11 22:14:38 +00:00
Jo-Philipp Wich
916902b1d2 iptables: add --lenient switch to iptables-restore and ip6tables-restore that allows to skip erroneous lines
SVN-Revision: 35568
2013-02-11 21:58:42 +00:00
Jo-Philipp Wich
03a50b9087 netfilter.mk: add addrtype match to iptables-mod-extra (kmod-ipt-extra)
SVN-Revision: 35155
2013-01-14 16:12:56 +00:00