openwrtv3/package/network/utils/iptables/Makefile
Jo-Philipp Wich 1c00b6bc7f iptables: reduce binary size
* drop unused lenient restore patch
 * instead of statically linking core extensions, build shared libraries
   for reuse in fw3
 * strip outdated match revisions and aliases to trim down library size

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45758
2015-05-26 09:16:50 +00:00

548 lines
13 KiB
Makefile

#
# Copyright (C) 2006-2013 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
PKG_VERSION:=1.4.21
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
PKG_MD5SUM:=536d048c8e8eeebcd9757d0863ebb0c0
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
PATCH_DIR:=
endif
include $(INCLUDE_DIR)/package.mk
ifeq ($(DUMP),)
-include $(LINUX_DIR)/.config
include $(INCLUDE_DIR)/netfilter.mk
STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
endif
define Package/iptables/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Firewall
URL:=http://netfilter.org/
endef
define Package/iptables/Module
$(call Package/iptables/Default)
DEPENDS:=iptables $(1)
endef
define Package/iptables
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool
MENU:=1
DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
endef
define Package/iptables/description
IP firewall administration tool.
Matches:
- icmp
- tcp
- udp
- comment
- conntrack
- limit
- mac
- mark
- multiport
- set
- state
- time
Targets:
- ACCEPT
- CT
- DNAT
- DROP
- REJECT
- LOG
- MARK
- MASQUERADE
- REDIRECT
- SET
- SNAT
- TCPMSS
Tables:
- filter
- mangle
- nat
- raw
endef
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
TITLE:=Extra connection tracking extensions
endef
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.
Matches:
- connbytes
- connlimit
- connmark
- recent
- helper
Targets:
- CONNMARK
endef
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=Content inspection extensions
endef
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:
Matches:
- string
endef
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
TITLE:=IP/Packet option extensions
endef
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.
Matches:
- dscp
- ecn
- length
- statistic
- tcpmss
- unclean
- hl
Targets:
- DSCP
- CLASSIFY
- ECN
- HL
endef
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
TITLE:=IPsec extensions
endef
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.
Matches:
- ah
- esp
- policy
endef
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
TITLE:=Extra NAT extensions
endef
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.
Targets:
- MIRROR
- NETMAP
endef
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
TITLE:=user-space packet logging
endef
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.
Targets:
- ULOG
endef
define Package/iptables-mod-nflog
$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
TITLE:=Netfilter NFLOG target
endef
define Package/iptables-mod-nflog/description
iptables extension for user-space logging via NFNETLINK.
Includes:
- libxt_NFLOG
endef
define Package/iptables-mod-nfqueue
$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
TITLE:=Netfilter NFQUEUE target
endef
define Package/iptables-mod-nfqueue/description
iptables extension for user-space queuing via NFNETLINK.
Includes:
- libxt_NFQUEUE
endef
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
TITLE:=hashlimit matching
endef
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching
Matches:
- hashlimit
endef
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
TITLE:=IP range extension
endef
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.
Matches:
- iprange
endef
define Package/iptables-mod-cluster
$(call Package/iptables/Module, +kmod-ipt-cluster)
TITLE:=Match cluster extension
endef
define Package/iptables-mod-cluster/description
iptables extensions for matching cluster.
Netfilter (IPv4/IPv6) module for matching cluster
This option allows you to build work-load-sharing clusters of
network servers/stateful firewalls without having a dedicated
load-balancing router/server/switch. Basically, this match returns
true when the packet must be handled by this cluster node. Thus,
all nodes see all packets and this match decides which node handles
what packets. The work-load sharing algorithm is based on source
address hashing.
This module is usable for ipv4 and ipv6.
If you select it, it enables kmod-ipt-cluster.
see `iptables -m cluster --help` for more information.
endef
define Package/iptables-mod-clusterip
$(call Package/iptables/Module, +kmod-ipt-clusterip)
TITLE:=Clusterip extension
endef
define Package/iptables-mod-clusterip/description
iptables extensions for CLUSTERIP.
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.
If you select it, it enables kmod-ipt-clusterip.
see `iptables -j CLUSTERIP --help` for more information.
endef
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
TITLE:=Other extra iptables extensions
endef
define Package/iptables-mod-extra/description
Other extra iptables extensions.
Matches:
- addrtype
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota
endef
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
TITLE:=LED trigger iptables extension
endef
define Package/iptables-mod-led/description
iptables extension for triggering a LED.
Targets:
- LED
endef
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
TITLE:=Transparent proxy iptables extensions
endef
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.
Matches:
- socket
Targets:
- TPROXY
endef
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
TITLE:=TEE iptables extensions
endef
define Package/iptables-mod-tee/description
TEE iptables extensions.
Targets:
- TEE
endef
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
TITLE:=U32 iptables extensions
endef
define Package/iptables-mod-u32/description
U32 iptables extensions.
Matches:
- u32
endef
define Package/ip6tables
$(call Package/iptables/Default)
DEPENDS:=@IPV6 +kmod-ip6tables +iptables
CATEGORY:=Network
TITLE:=IPv6 firewall administration tool
MENU:=1
endef
define Package/ip6tables-extra
$(call Package/iptables/Default)
DEPENDS:=ip6tables +kmod-ip6tables-extra
TITLE:=IPv6 header matching modules
endef
define Package/ip6tables-mod-extra/description
iptables header matching modules for IPv6
endef
define Package/ip6tables-mod-nat
$(call Package/iptables/Default)
DEPENDS:=ip6tables +kmod-ipt-nat6
TITLE:=IPv6 NAT extensions
endef
define Package/ip6tables-mod-nat/description
iptables extensions for IPv6-NAT targets.
endef
define Package/libiptc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libip4tc +libip6tc +libxtables
TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
define Package/libip4tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library
DEPENDS:=+libxtables
endef
define Package/libip6tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library
DEPENDS:=+libxtables
endef
define Package/libxtables
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared xtables library
endef
TARGET_CPPFLAGS := \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
$(TARGET_CPPFLAGS)
TARGET_CFLAGS += \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
-ffunction-sections -fdata-sections \
-DNO_LEGACY
TARGET_LDFLAGS += \
-Wl,--gc-sections
CONFIGURE_ARGS += \
--enable-shared \
--enable-devel \
--with-kernel="$(LINUX_DIR)/user_headers" \
--with-xtlibdir=/usr/lib/iptables \
--enable-static \
$(if $(CONFIG_IPV6),,--disable-ipv6)
MAKE_FLAGS := \
$(TARGET_CONFIGURE_OPTS) \
COPT_FLAGS="$(TARGET_CFLAGS)" \
KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
KBUILD_OUTPUT="$(LINUX_DIR)" \
BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(INSTALL_DIR) $(1)/usr/include/iptables
$(INSTALL_DIR) $(1)/usr/include/net/netfilter
# XXX: iptables header fixup, some headers are not installed by iptables anymore
$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
# XXX: needed by firewall3
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
define Package/iptables/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
define Package/ip6tables/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
endef
define Package/libiptc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
define Package/libip4tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
define Package/libip6tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
define Package/libxtables/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/iptables
for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
fi; \
done
$(3)
endef
$$(eval $$(call BuildPackage,$(1)))
endef
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))