--- package/iptables/Makefile | 6 +- .../patches/010-multiport-linux-2.4-compat.patch | 265 -------------------- package/iptables/patches/011-recent-add-reap.patch | 116 --------- .../patches/020-iptables-disable-modprobe.patch | 8 +- package/iptables/patches/100-bash-location.patch | 12 +- 5 files changed, 9 insertions(+), 398 deletions(-) delete mode 100644 package/iptables/patches/010-multiport-linux-2.4-compat.patch delete mode 100644 package/iptables/patches/011-recent-add-reap.patch
diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 67dedca..7c7d466 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.4.10 -PKG_RELEASE:=4 +PKG_VERSION:=1.4.12.1 +PKG_RELEASE:=1 -PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198 +PKG_MD5SUM:=b08a1195ec2c1ebeaf072db3c55fdf43 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch deleted file mode 100644 index 3b35f7e..0000000 --- a/package/iptables/patches/010-multiport-linux-2.4-compat.patch +++ /dev/null @@ -1,265 +0,0 @@ ---- a/extensions/libxt_multiport.c -+++ b/extensions/libxt_multiport.c -@@ -15,21 +15,6 @@ - #include <linux/netfilter/xt_multiport.h> - - /* Function which prints out usage message. */ --static void multiport_help(void) --{ -- printf( --"multiport match options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n"); --} -- - static void multiport_help_v1(void) - { - printf( -@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto) - } - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) -- { -- next=strchr(cp, ','); -- if (next) *next++='\0'; -- ports[i] = xtables_parse_port(cp, proto); -- } -- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified"); -- free(buffer); -- return i; --} -- - static void - parse_multi_ports_v1(const char *portstring, - struct xt_multiport_v1 *multiinfo, -@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv - /* Function which parses command options; returns true if it - ate an option */ - static int --__multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- struct xt_entry_match **match, u_int16_t pnum, -- u_int8_t invflags) --{ -- const char *proto; -- struct xt_multiport *multiinfo -- = (struct xt_multiport *)(*match)->data; -- -- switch (c) { -- case '1': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- xtables_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- xtables_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- --static int --multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ipt_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ip.proto, entry->ip.invflags); --} -- --static int --multiport_parse6(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ip6t_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ipv6.proto, entry->ipv6.invflags); --} -- --static int - __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, - struct xt_entry_match **match, u_int16_t pnum, - u_int8_t invflags) -@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot - } - - /* Prints out the matchinfo. */ --static void --__multiport_print(const struct xt_entry_match *match, int numeric, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, numeric); -- } -- printf(" "); --} -- --static void multiport_print(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- --static void multiport_print6(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- - static void __multiport_print_v1(const struct xt_entry_match *match, - int numeric, u_int16_t proto) - { -@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo - } - - /* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void __multiport_save(const struct xt_entry_match *match, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, 1); -- } -- printf(" "); --} -- --static void multiport_save(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- --static void multiport_save6(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- - static void __multiport_save_v1(const struct xt_entry_match *match, - u_int16_t proto) - { -@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt - { - .family = NFPROTO_IPV4, - .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse, -- .final_check = multiport_check, -- .print = multiport_print, -- .save = multiport_save, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV6, -- .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse6, -- .final_check = multiport_check, -- .print = multiport_print6, -- .save = multiport_save6, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV4, -- .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch deleted file mode 100644 index 275265b..0000000 --- a/package/iptables/patches/011-recent-add-reap.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001 -From: Tim Gardner <tim.gard...@canonical.com> -Date: Mon, 1 Mar 2010 19:00:29 -0700 -Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation - -Signed-off-by: Tim Gardner <tim.gard...@canonical.com> ---- - extensions/libxt_recent.c | 20 ++++++++++++++++++++ - extensions/libxt_recent.man | 5 +++++ - include/linux/netfilter/xt_recent.h | 7 +++++++ - 3 files changed, 32 insertions(+), 0 deletions(-) - ---- a/extensions/libxt_recent.c -+++ b/extensions/libxt_recent.c -@@ -20,6 +20,7 @@ static const struct option recent_opts[] - {.name = "name", .has_arg = true, .val = 208}, - {.name = "rsource", .has_arg = false, .val = 209}, - {.name = "rdest", .has_arg = false, .val = 210}, -+ {.name = "reap", .has_arg = false, .val = 211}, - XT_GETOPT_TABLEEND, - }; - -@@ -37,6 +38,7 @@ static void recent_help(void) - " --hitcount hits For check and update commands above.\n" - " Specifies that the match will only occur if source address seen hits times.\n" - " May be used in conjunction with the seconds option.\n" -+" --reap Remove entries that have expired. Can only be used with --seconds\n" - " --rttl For check and update commands above.\n" - " Specifies that the match will only occur if the source address and the TTL\n" - " match between this packet and the one which was set.\n" -@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_ - (XT_RECENT_SET | XT_RECENT_CHECK | \ - XT_RECENT_UPDATE | XT_RECENT_REMOVE) - -+#define XT_RECENT_SECONDS 1 << 31 -+ - static int recent_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) - { -@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar - - case 204: - info->seconds = atoi(optarg); -+ *flags |= XT_RECENT_SECONDS; - break; - - case 205: -@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar - info->side = XT_RECENT_DEST; - break; - -+ case 211: -+ info->check_set |= XT_RECENT_REAP; -+ *flags |= XT_RECENT_REAP; -+ break; -+ - default: - return 0; - } -@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl - xtables_error(PARAMETER_PROBLEM, - "recent: --rttl may only be used with --rcheck or " - "--update"); -+ if ((flags & XT_RECENT_REAP) && -+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) || -+ (!(flags & XT_RECENT_SECONDS)))) -+ xtables_error(PARAMETER_PROBLEM, -+ "recent: --reap may only be used with --rcheck or " -+ "--update and --seconds"); - } - - static void recent_print(const void *ip, const struct xt_entry_match *match, -@@ -185,6 +201,8 @@ static void recent_print(const void *ip, - printf("side: source "); - if (info->side == XT_RECENT_DEST) - printf("side: dest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("reap "); - } - - static void recent_save(const void *ip, const struct xt_entry_match *match) -@@ -211,6 +229,8 @@ static void recent_save(const void *ip, - printf("--rsource "); - if (info->side == XT_RECENT_DEST) - printf("--rdest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("--reap "); - } - - static struct xtables_match recent_mt_reg = { ---- a/extensions/libxt_recent.man -+++ b/extensions/libxt_recent.man -@@ -41,6 +41,11 @@ This option must be used in conjunction - \fB\-\-update\fP. When used, this will narrow the match to only happen when the - address is in the list and was seen within the last given number of seconds. - .TP -+\fB\-\-reap\fP \fIreap\fP -+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this -+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP -+since the last packet was received. -+.TP - \fB\-\-hitcount\fP \fIhits\fP - This option must be used in conjunction with one of \fB\-\-rcheck\fP or - \fB\-\-update\fP. When used, this will narrow the match to only happen when the ---- a/include/linux/netfilter/xt_recent.h -+++ b/include/linux/netfilter/xt_recent.h -@@ -23,6 +23,9 @@ enum { - #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ - XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) - -+/* Only allowed with --rcheck and --update */ -+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) -+ - struct xt_recent_mtinfo { - __u32 seconds; - __u32 hit_count; diff --git a/package/iptables/patches/020-iptables-disable-modprobe.patch b/package/iptables/patches/020-iptables-disable-modprobe.patch index 338962f..9533474 100644 --- a/package/iptables/patches/020-iptables-disable-modprobe.patch +++ b/package/iptables/patches/020-iptables-disable-modprobe.patch @@ -1,6 +1,6 @@ ---- a/xtables.c -+++ b/xtables.c -@@ -305,6 +305,7 @@ static char *get_modprobe(void) +--- a/iptables/xtables.c 2011-10-11 00:12:01.000000000 +0200 ++++ b/iptables/xtables.c 2011-10-11 00:10:53.000000000 +0200 +@@ -335,6 +335,7 @@ static char *get_modprobe(void) int xtables_insmod(const char *modname, const char *modprobe, bool quiet) { @@ -8,7 +8,7 @@ char *buf = NULL; char *argv[4]; int status; -@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname, +@@ -379,6 +380,7 @@ int xtables_insmod(const char *modname, free(buf); if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0; diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch index 818246e..02ee45b 100644 --- a/package/iptables/patches/100-bash-location.patch +++ b/package/iptables/patches/100-bash-location.patch @@ -1,13 +1,5 @@ ---- a/autogen.sh -+++ b/autogen.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - autoreconf -fi; - rm -Rf autom4te*.cache; ---- a/iptables-apply -+++ b/iptables-apply +--- a/iptables/iptables-apply ++++ b/iptables/iptables-apply @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash -- 1.7.2.5 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel