The attached patch bumps iptables to 1.4.13 and adds support for -m 
rpfilter (reverse path filtering for both IPv4 and IPv6), implemented since 
kernel 3.3.

This update breaks compatibility with the 2.4 series, if anyone wishes to 
fix it, feel free.

Tested and working on my WNDR3800 - if you use any xtables-addons 
extensions, ensure you clean out the build dir for it.

Signed-off-by: Oliver Smith <[email protected]>
Index: package/iptables/200-configurable_builtin.patch
===================================================================
--- package/iptables/200-configurable_builtin.patch	(revision 0)
+++ package/iptables/200-configurable_builtin.patch	(revision 0)
@@ -0,0 +1,60 @@
+--- iptables-1.4.13/extensions/GNUmakefile.in.orig	2012-03-27 12:33:02.000000000 +0100
++++ iptables-1.4.13/extensions/GNUmakefile.in	2012-05-11 16:52:55.284079163 +0100
+@@ -44,9 +44,24 @@
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -59,11 +74,11 @@
+            matches4.man matches6.man \
+            targets4.man targets6.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pfx_objs} ${pf4_objs}
++libext6_objs := ${pfx_objs} ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+ 
+ .SECONDARY:
+ 
+@@ -120,9 +135,9 @@
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
++initext4_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext.dd: FORCE
+ 	@echo "${initext_func}" >[email protected]; \
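Review bot: This new file is added at `package/iptables/200-configurable_builtin.patch`, outside `patches/`, while the same commit also updates `package/iptables/patches/200-configurable_builtin.patch`, so it looks like a stray working copy that should be dropped; the same applies to `package/iptables/020-iptables-disable-modprobe.patch`, added next. The two copies also disagree: here `libext4_objs` and `libext6_objs` include `${pfx_objs}`, and `initext_func` is assigned the same `xt_` plus `ipt_` list as `initext4_func`, whereas the `patches/` version keeps the three lists separate. If both files are intended, the description should say which one the build applies; otherwise a later refresh could pick up the stale draft.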
Index: package/iptables/020-iptables-disable-modprobe.patch
===================================================================
--- package/iptables/020-iptables-disable-modprobe.patch	(revision 0)
+++ package/iptables/020-iptables-disable-modprobe.patch	(revision 0)
@@ -0,0 +1,18 @@
+--- iptables-1.4.13/libxtables/xtables.c.orig	2012-05-11 16:09:10.199822721 +0100
++++ iptables-1.4.13/libxtables/xtables.c	2012-05-11 16:09:28.373816141 +0100
+@@ -336,6 +336,7 @@
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -380,6 +381,7 @@
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
++#endif
+ 	return -1;
+ }
+ 
Index: package/iptables/patches/100-bash-location.patch
===================================================================
--- package/iptables/patches/100-bash-location.patch	(revision 31674)
+++ package/iptables/patches/100-bash-location.patch	(working copy)
@@ -1,16 +0,0 @@
---- a/autogen.sh
-+++ b/autogen.sh
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- 
- autoreconf -fi;
- rm -Rf autom4te*.cache;
---- a/iptables-apply
-+++ b/iptables-apply
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- #
- # iptables-apply -- a safer way to update iptables remotely
- #
Index: package/iptables/patches/110-linux_3.2_compat.patch
===================================================================
--- package/iptables/patches/110-linux_3.2_compat.patch	(revision 31674)
+++ package/iptables/patches/110-linux_3.2_compat.patch	(working copy)
@@ -1,12 +0,0 @@
---- iptables-1.4.10/include/linux/types.h.orig	2011-11-07 00:08:33.000000000 +0100
-+++ iptables-1.4.10/include/linux/types.h	2011-11-07 00:09:25.000000000 +0100
-@@ -34,5 +34,9 @@
- typedef __u16 __bitwise __sum16;
- typedef __u32 __bitwise __wsum;
- 
-+#define __aligned_u64 __u64 __attribute__((aligned(8)))
-+#define __aligned_be64 __be64 __attribute__((aligned(8)))
-+#define __aligned_le64 __le64 __attribute__((aligned(8)))
-+
- #endif /*  __ASSEMBLY__ */
- #endif /* _LINUX_TYPES_H */
Index: package/iptables/patches/200-configurable_builtin.patch
===================================================================
--- package/iptables/patches/200-configurable_builtin.patch	(revision 31674)
+++ package/iptables/patches/200-configurable_builtin.patch	(working copy)
@@ -1,6 +1,6 @@
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -40,9 +40,24 @@
+--- iptables-1.4.13/extensions/GNUmakefile.in.orig	2012-03-27 12:33:02.000000000 +0100
++++ iptables-1.4.13/extensions/GNUmakefile.in	2012-05-11 16:52:55.284079163 +0100
+@@ -44,9 +44,24 @@
  pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
  pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
  pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
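Review bot: The refreshed header replaces the `a/`/`b/` form with `iptables-1.4.13/extensions/GNUmakefile.in.orig` plus timestamps, which ties the patch to one version directory and adds noise to every later refresh. Keeping `--- a/extensions/GNUmakefile.in` and `+++ b/extensions/GNUmakefile.in` would match the form the file had before. `patches/020-iptables-disable-modprobe.patch` gets the same header change further down.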
@@ -28,29 +28,33 @@
  pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
  pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
  pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -54,10 +69,10 @@
- targets := libext4.a libext6.a matches4.man matches6.man \
+@@ -59,11 +74,11 @@
+            matches4.man matches6.man \
             targets4.man targets6.man
  targets_install :=
--@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
--@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
 -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+libext4_objs := ${pfx_objs} ${pf4_objs}
-+libext6_objs := ${pfx_objs} ${pf6_objs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
 +targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 +targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
  
  .SECONDARY:
  
-@@ -107,8 +122,8 @@
+@@ -120,9 +135,9 @@
  libext6.a: initext6.o ${libext6_objs}
  	${AM_VERBOSE_AR} ${AR} crs $@ $^;
  
--initext_func  := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
--initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
-+initext_func  := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
-+initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
  
- .initext4.dd: FORCE
+ .initext.dd: FORCE
  	@echo "${initext_func}" >[email protected]; \
Index: package/iptables/patches/020-iptables-disable-modprobe.patch
===================================================================
--- package/iptables/patches/020-iptables-disable-modprobe.patch	(revision 31674)
+++ package/iptables/patches/020-iptables-disable-modprobe.patch	(working copy)
@@ -1,6 +1,6 @@
---- a/xtables.c
-+++ b/xtables.c
-@@ -305,6 +305,7 @@ static char *get_modprobe(void)
+--- iptables-1.4.13/libxtables/xtables.c.orig	2012-05-11 16:09:10.199822721 +0100
++++ iptables-1.4.13/libxtables/xtables.c	2012-05-11 16:09:28.373816141 +0100
+@@ -336,6 +336,7 @@
  
  int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
  {
@@ -8,7 +8,7 @@
  	char *buf = NULL;
  	char *argv[4];
  	int status;
-@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname, 
+@@ -380,6 +381,7 @@
  	free(buf);
  	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
  		return 0;
Index: package/iptables/patches/009-table-alignment.patch
===================================================================
--- package/iptables/patches/009-table-alignment.patch	(revision 31674)
+++ package/iptables/patches/009-table-alignment.patch	(working copy)
@@ -1,11 +0,0 @@
---- a/libiptc/libiptc.c
-+++ b/libiptc/libiptc.c
-@@ -69,7 +69,7 @@ static const char *hooknames[] = {
- struct ipt_error_target
- {
- 	STRUCT_ENTRY_TARGET t;
--	char error[TABLE_MAXNAMELEN];
-+	char error[FUNCTION_MAXNAMELEN];
- };
- 
- struct chain_head;
Index: package/iptables/patches/030-no-libnfnetlink.patch
===================================================================
--- package/iptables/patches/030-no-libnfnetlink.patch	(revision 31674)
+++ package/iptables/patches/030-no-libnfnetlink.patch	(working copy)
@@ -1,92 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
- 	fi
- fi
- 
--pkg_failed=no
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
--$as_echo_n "checking for libnfnetlink... " >&6; }
--
--if test -n "$libnfnetlink_CFLAGS"; then
--    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
-- elif test -n "$PKG_CONFIG"; then
--    if test -n "$PKG_CONFIG" && \
--    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
--  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
--  ac_status=$?
--  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
--  test $ac_status = 0; }; then
--  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
--else
--  pkg_failed=yes
--fi
-- else
--    pkg_failed=untried
--fi
--if test -n "$libnfnetlink_LIBS"; then
--    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
-- elif test -n "$PKG_CONFIG"; then
--    if test -n "$PKG_CONFIG" && \
--    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
--  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
--  ac_status=$?
--  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
--  test $ac_status = 0; }; then
--  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
--else
--  pkg_failed=yes
--fi
-- else
--    pkg_failed=untried
--fi
--
--
--
--if test $pkg_failed = yes; then
--   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--
--if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
--        _pkg_short_errors_supported=yes
--else
--        _pkg_short_errors_supported=no
--fi
--        if test $_pkg_short_errors_supported = yes; then
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
--        else
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
--        fi
--	# Put the nasty error message in config.log where it belongs
--	echo "$libnfnetlink_PKG_ERRORS" >&5
--
--	nfnetlink=0
--elif test $pkg_failed = untried; then
--     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--	nfnetlink=0
--else
--	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
--	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
--        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--	nfnetlink=1
--fi
-- if test "$nfnetlink" = 1; then
-+if false; then
-   HAVE_LIBNFNETLINK_TRUE=
-   HAVE_LIBNFNETLINK_FALSE='#'
- else
---- a/configure.ac
-+++ b/configure.ac
-@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
- AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
- AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
- 
--PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
--	[nfnetlink=1], [nfnetlink=0])
--AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
-+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
- 
- regular_CFLAGS="${largefile_cflags} \
- 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
Index: package/iptables/patches/011-recent-add-reap.patch
===================================================================
--- package/iptables/patches/011-recent-add-reap.patch	(revision 31674)
+++ package/iptables/patches/011-recent-add-reap.patch	(working copy)
@@ -1,116 +0,0 @@
-From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
-From: Tim Gardner <[email protected]>
-Date: Mon, 1 Mar 2010 19:00:29 -0700
-Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
-
-Signed-off-by: Tim Gardner <[email protected]>
----
- extensions/libxt_recent.c           |   20 ++++++++++++++++++++
- extensions/libxt_recent.man         |    5 +++++
- include/linux/netfilter/xt_recent.h |    7 +++++++
- 3 files changed, 32 insertions(+), 0 deletions(-)
-
---- a/extensions/libxt_recent.c
-+++ b/extensions/libxt_recent.c
-@@ -20,6 +20,7 @@ static const struct option recent_opts[]
- 	{.name = "name",     .has_arg = true,  .val = 208},
- 	{.name = "rsource",  .has_arg = false, .val = 209},
- 	{.name = "rdest",    .has_arg = false, .val = 210},
-+	{.name = "reap",     .has_arg = false, .val = 211},
- 	XT_GETOPT_TABLEEND,
- };
- 
-@@ -37,6 +38,7 @@ static void recent_help(void)
- "    --hitcount hits             For check and update commands above.\n"
- "                                Specifies that the match will only occur if source address seen hits times.\n"
- "                                May be used in conjunction with the seconds option.\n"
-+"    --reap                      Remove entries that have expired. Can only be used with --seconds\n"
- "    --rttl                      For check and update commands above.\n"
- "                                Specifies that the match will only occur if the source address and the TTL\n"
- "                                match between this packet and the one which was set.\n"
-@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
- 	(XT_RECENT_SET | XT_RECENT_CHECK | \
- 	XT_RECENT_UPDATE | XT_RECENT_REMOVE)
- 
-+#define XT_RECENT_SECONDS 1 << 31
-+
- static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
-                         const void *entry, struct xt_entry_match **match)
- {
-@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
- 
- 		case 204:
- 			info->seconds = atoi(optarg);
-+			*flags |= XT_RECENT_SECONDS;
- 			break;
- 
- 		case 205:
-@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
- 			info->side = XT_RECENT_DEST;
- 			break;
- 
-+		case 211:
-+			info->check_set |= XT_RECENT_REAP;
-+			*flags |= XT_RECENT_REAP;
-+			break;
-+
- 		default:
- 			return 0;
- 	}
-@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
- 		xtables_error(PARAMETER_PROBLEM,
- 		           "recent: --rttl may only be used with --rcheck or "
- 		           "--update");
-+	if ((flags & XT_RECENT_REAP) &&
-+	    ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
-+	    (!(flags & XT_RECENT_SECONDS))))
-+		xtables_error(PARAMETER_PROBLEM,
-+		           "recent: --reap may only be used with --rcheck or "
-+		           "--update and --seconds");
- }
- 
- static void recent_print(const void *ip, const struct xt_entry_match *match,
-@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
- 		printf("side: source ");
- 	if (info->side == XT_RECENT_DEST)
- 		printf("side: dest ");
-+	if (info->check_set & XT_RECENT_REAP)
-+		printf("reap ");
- }
- 
- static void recent_save(const void *ip, const struct xt_entry_match *match)
-@@ -211,6 +229,8 @@ static void recent_save(const void *ip, 
- 		printf("--rsource ");
- 	if (info->side == XT_RECENT_DEST)
- 		printf("--rdest ");
-+	if (info->check_set & XT_RECENT_REAP)
-+		printf("--reap ");
- }
- 
- static struct xtables_match recent_mt_reg = {
---- a/extensions/libxt_recent.man
-+++ b/extensions/libxt_recent.man
-@@ -41,6 +41,11 @@ This option must be used in conjunction 
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and was seen within the last given number of seconds.
- .TP
-+\fB\-\-reap\fP \fIreap\fP
-+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
-+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
-+since the last packet was received.
-+.TP
- \fB\-\-hitcount\fP \fIhits\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
---- a/include/linux/netfilter/xt_recent.h
-+++ b/include/linux/netfilter/xt_recent.h
-@@ -23,6 +23,9 @@ enum {
- #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
- 			       XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
- 
-+/* Only allowed with --rcheck and --update */
-+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
-+
- struct xt_recent_mtinfo {
- 	__u32 seconds;
- 	__u32 hit_count;
Index: package/iptables/patches/010-multiport-linux-2.4-compat.patch
===================================================================
--- package/iptables/patches/010-multiport-linux-2.4-compat.patch	(revision 31674)
+++ package/iptables/patches/010-multiport-linux-2.4-compat.patch	(working copy)
@@ -1,265 +0,0 @@
---- a/extensions/libxt_multiport.c
-+++ b/extensions/libxt_multiport.c
-@@ -15,21 +15,6 @@
- #include <linux/netfilter/xt_multiport.h>
- 
- /* Function which prints out usage message. */
--static void multiport_help(void)
--{
--	printf(
--"multiport match options:\n"
--" --source-ports port[,port,port...]\n"
--" --sports ...\n"
--"				match source port(s)\n"
--" --destination-ports port[,port,port...]\n"
--" --dports ...\n"
--"				match destination port(s)\n"
--" --ports port[,port,port]\n"
--"				match both source and destination port(s)\n"
--" NOTE: this kernel does not support port ranges in multiport.\n");
--}
--
- static void multiport_help_v1(void)
- {
- 	printf(
-@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
- 	}
- }
- 
--static unsigned int
--parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
--{
--	char *buffer, *cp, *next;
--	unsigned int i;
--
--	buffer = strdup(portstring);
--	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
--
--	for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
--	{
--		next=strchr(cp, ',');
--		if (next) *next++='\0';
--		ports[i] = xtables_parse_port(cp, proto);
--	}
--	if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
--	free(buffer);
--	return i;
--}
--
- static void
- parse_multi_ports_v1(const char *portstring, 
- 		     struct xt_multiport_v1 *multiinfo,
-@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
- /* Function which parses command options; returns true if it
-    ate an option */
- static int
--__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                  struct xt_entry_match **match, u_int16_t pnum,
--                  u_int8_t invflags)
--{
--	const char *proto;
--	struct xt_multiport *multiinfo
--		= (struct xt_multiport *)(*match)->data;
--
--	switch (c) {
--	case '1':
--		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(optarg,
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_SOURCE;
--		break;
--
--	case '2':
--		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(optarg,
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_DESTINATION;
--		break;
--
--	case '3':
--		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(optarg,
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_EITHER;
--		break;
--
--	default:
--		return 0;
--	}
--
--	if (invert)
--		xtables_error(PARAMETER_PROBLEM,
--			   "multiport does not support invert");
--
--	if (*flags)
--		xtables_error(PARAMETER_PROBLEM,
--			   "multiport can only have one option");
--	*flags = 1;
--	return 1;
--}
--
--static int
--multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                const void *e, struct xt_entry_match **match)
--{
--	const struct ipt_entry *entry = e;
--	return __multiport_parse(c, argv, invert, flags, match,
--	       entry->ip.proto, entry->ip.invflags);
--}
--
--static int
--multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
--                 const void *e, struct xt_entry_match **match)
--{
--	const struct ip6t_entry *entry = e;
--	return __multiport_parse(c, argv, invert, flags, match,
--	       entry->ipv6.proto, entry->ipv6.invflags);
--}
--
--static int
- __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
-                      struct xt_entry_match **match, u_int16_t pnum,
-                      u_int8_t invflags)
-@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
- }
- 
- /* Prints out the matchinfo. */
--static void
--__multiport_print(const struct xt_entry_match *match, int numeric,
--                  u_int16_t proto)
--{
--	const struct xt_multiport *multiinfo
--		= (const struct xt_multiport *)match->data;
--	unsigned int i;
--
--	printf("multiport ");
--
--	switch (multiinfo->flags) {
--	case XT_MULTIPORT_SOURCE:
--		printf("sports ");
--		break;
--
--	case XT_MULTIPORT_DESTINATION:
--		printf("dports ");
--		break;
--
--	case XT_MULTIPORT_EITHER:
--		printf("ports ");
--		break;
--
--	default:
--		printf("ERROR ");
--		break;
--	}
--
--	for (i=0; i < multiinfo->count; i++) {
--		printf("%s", i ? "," : "");
--		print_port(multiinfo->ports[i], proto, numeric);
--	}
--	printf(" ");
--}
--
--static void multiport_print(const void *ip_void,
--                            const struct xt_entry_match *match, int numeric)
--{
--	const struct ipt_ip *ip = ip_void;
--	__multiport_print(match, numeric, ip->proto);
--}
--
--static void multiport_print6(const void *ip_void,
--                             const struct xt_entry_match *match, int numeric)
--{
--	const struct ip6t_ip6 *ip = ip_void;
--	__multiport_print(match, numeric, ip->proto);
--}
--
- static void __multiport_print_v1(const struct xt_entry_match *match,
-                                  int numeric, u_int16_t proto)
- {
-@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
- }
- 
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
--static void __multiport_save(const struct xt_entry_match *match,
--                             u_int16_t proto)
--{
--	const struct xt_multiport *multiinfo
--		= (const struct xt_multiport *)match->data;
--	unsigned int i;
--
--	switch (multiinfo->flags) {
--	case XT_MULTIPORT_SOURCE:
--		printf("--sports ");
--		break;
--
--	case XT_MULTIPORT_DESTINATION:
--		printf("--dports ");
--		break;
--
--	case XT_MULTIPORT_EITHER:
--		printf("--ports ");
--		break;
--	}
--
--	for (i=0; i < multiinfo->count; i++) {
--		printf("%s", i ? "," : "");
--		print_port(multiinfo->ports[i], proto, 1);
--	}
--	printf(" ");
--}
--
--static void multiport_save(const void *ip_void,
--                           const struct xt_entry_match *match)
--{
--	const struct ipt_ip *ip = ip_void;
--	__multiport_save(match, ip->proto);
--}
--
--static void multiport_save6(const void *ip_void,
--                            const struct xt_entry_match *match)
--{
--	const struct ip6t_ip6 *ip = ip_void;
--	__multiport_save(match, ip->proto);
--}
--
- static void __multiport_save_v1(const struct xt_entry_match *match,
-                                 u_int16_t proto)
- {
-@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
- 	{
- 		.family        = NFPROTO_IPV4,
- 		.name          = "multiport",
--		.revision      = 0,
--		.version       = XTABLES_VERSION,
--		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
--		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
--		.help          = multiport_help,
--		.parse         = multiport_parse,
--		.final_check   = multiport_check,
--		.print         = multiport_print,
--		.save          = multiport_save,
--		.extra_opts    = multiport_opts,
--	},
--	{
--		.family        = NFPROTO_IPV6,
--		.name          = "multiport",
--		.revision      = 0,
--		.version       = XTABLES_VERSION,
--		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
--		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
--		.help          = multiport_help,
--		.parse         = multiport_parse6,
--		.final_check   = multiport_check,
--		.print         = multiport_print6,
--		.save          = multiport_save6,
--		.extra_opts    = multiport_opts,
--	},
--	{
--		.family        = NFPROTO_IPV4,
--		.name          = "multiport",
- 		.version       = XTABLES_VERSION,
- 		.revision      = 1,
- 		.size          = XT_ALIGN(sizeof(struct xt_multiport_v1)),
Index: package/iptables/Makefile
===================================================================
--- package/iptables/Makefile	(revision 31674)
+++ package/iptables/Makefile	(working copy)
@@ -9,10 +9,10 @@
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=iptables
-PKG_VERSION:=1.4.10
+PKG_VERSION:=1.4.13
 PKG_RELEASE:=4
 
-PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
+PKG_MD5SUM:=40a15608ec57b50e9377cace546dd115
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
 	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
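Review bot: `PKG_RELEASE:=4` is carried over unchanged across the version bump; the usual convention is to reset it to `PKG_RELEASE:=1` when `PKG_VERSION` changes. Separately, the tarball is fetched from the `http://` and `ftp://` mirrors listed here and checked only against `PKG_MD5SUM`, so the digest committed in this hunk is the sole integrity anchor for the new source. It is worth confirming that the value was computed from a tarball verified against the upstream release signature. The `PKG_SOURCE_URL` list continues past the end of the hunk.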
@@ -110,6 +110,7 @@
  Matches:
   - layer7
   - string
+  - rpfilter
 
 endef
 
@@ -391,17 +392,19 @@
 
 define Package/iptables/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
-	$(LN) iptables $(1)/usr/sbin/iptables-save
-	$(LN) iptables $(1)/usr/sbin/iptables-restore
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+	$(LN) xtables-multi $(1)/usr/sbin/iptables
+	$(LN) xtables-multi $(1)/usr/sbin/iptables-save
+	$(LN) xtables-multi $(1)/usr/sbin/iptables-restore
 	$(INSTALL_DIR) $(1)/usr/lib/iptables
 endef
 
 define Package/ip6tables/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
-	$(LN) ip6tables $(1)/usr/sbin/ip6tables-save
-	$(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+	$(LN) xtables-multi $(1)/usr/sbin/ip6tables
+	$(LN) xtables-multi $(1)/usr/sbin/ip6tables-save
+	$(LN) xtables-multi $(1)/usr/sbin/ip6tables-restore
 	$(INSTALL_DIR) $(1)/usr/lib/iptables
 	(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
 		$(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
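Review bot: Both `Package/iptables/install` and `Package/ip6tables/install` now install the same file, `$(1)/usr/sbin/xtables-multi`, so two packages own one path and installing both may be refused as a file clash or leave the binary's ownership ambiguous on removal. Ship the binary from one package only and let the other create just its links, for example by dropping the `$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/` line from `Package/ip6tables/install`. That is only safe if ip6tables depends on iptables, and the dependency is not visible in this hunk. The `Package/ip6tables/install` body continues past the end of the hunk.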
Index: include/netfilter.mk
===================================================================
--- include/netfilter.mk	(revision 31674)
+++ include/netfilter.mk	(working copy)
@@ -30,7 +30,8 @@
 $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),))
 
 # userland only
-$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment)))
+$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, ipt_icmp)))
+$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_NETFILTER_XTABLES, xt_standard xt_tcp xt_udp xt_comment)))
 
 $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_MATCH_LIMIT, $(P_V4)ipt_limit))
 $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit))
@@ -66,7 +67,6 @@
 $(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_CONNTRACK, $(P_XT)xt_conntrack))
 $(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_TARGET_CT, $(P_XT)xt_CT))
 
-
 # conntrack-extra
 
 $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_IP_NF_MATCH_CONNBYTES, $(P_V4)ipt_connbytes))
@@ -107,6 +107,8 @@
 $(eval $(call nf_add,IPT_FILTER,CONFIG_IP_NF_MATCH_LAYER7, $(P_V4)ipt_layer7))
 $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_LAYER7, $(P_XT)xt_layer7))
 $(eval $(call nf_add,IPT_FILTER,CONFIG_IP_NF_MATCH_STRING, $(P_V4)ipt_string))
+$(eval $(call nf_add,IPT_FILTER,CONFIG_IP_NF_MATCH_RPFILTER, $(P_V4)ipt_rpfilter))
+$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_RPFILTER, $(P_XT)xt_rpfilter))
 $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
 
 
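Review bot: `CONFIG_NETFILTER_XT_MATCH_RPFILTER` on the second added line should be checked against the kernel's Kconfig before merging. As far as I know, the 3.3 rpfilter match ships only as per-family modules, under the symbol used on the `ipt_rpfilter` line here and the one on the `ip6t_rpfilter` line in the next hunk. If so, this symbol is never set and `xt_rpfilter` would not be selected through it. A minor style point: the two new lines are inserted between the `CONFIG_IP_NF_MATCH_STRING` and `CONFIG_NETFILTER_XT_MATCH_STRING` entries and split that pair; placing them after the `xt_string` line keeps the pairs together.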
@@ -192,6 +194,7 @@
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_OWNER, $(P_V6)ip6t_owner))
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_OPTS, $(P_V6)ip6t_hbh))
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
+$(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_MATCH_RPFILTER, $(P_V6)ip6t_rpfilter))
 
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_LOG, $(P_V6)ip6t_LOG))
 $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_REJECT, $(P_V6)ip6t_REJECT))
