Changeset 36e3a1c in freewrt for package/iptables

Timestamp:

Aug 30, 2025, 5:37:23 AM (3 months ago)

Author:

Waldemar Brodkorb <wbx@…>

Branches:

freewrt_2_0

Children:

df9a3e9

Parents:

2400aa1

git-author:

Waldemar Brodkorb <wbx@…> (08/29/25 23:42:41)

git-committer:

Waldemar Brodkorb <wbx@…> (08/30/25 05:37:23)

Message:

iptables: rework and simplify

Location:

package/iptables

Files:

• Config.in (modified) (2 diffs)
• Makefile (modified) (4 diffs)
• ipkg/iptables-mod-conntrack.control (modified) (1 diff)
• ipkg/iptables-mod-extra.control (deleted)
• ipkg/iptables-mod-filter.control (deleted)
• ipkg/iptables-mod-imq.control (deleted)
• ipkg/iptables-mod-ipopt.control (deleted)
• ipkg/iptables-mod-ipsec.control (deleted)
• ipkg/iptables-mod-masquerade.control (added)
• ipkg/iptables-mod-nat.control (modified) (1 diff)
• ipkg/iptables-mod-reject.control (modified) (1 diff)
• ipkg/iptables-mod-tcpmss.control (added)
• ipkg/iptables-mod-ulog.control (deleted)

package/iptables/Config.in

@@ -41 +41 @@
         depends FWRT_PACKAGE_IPTABLES
         help
-          Iptables (IPv4) extensions for connection tracking
+          Iptables extensions for connection tracking
+
+config FWRT_PACKAGE_IPTABLES_MOD_NAT
+        prompt   "iptables-mod-nat................ Iptables extensions for network address translation"
+        tristate
+        default n
+        depends FWRT_PACKAGE_IPTABLES
+        help
+          Iptables extensions for network address translation
+
+config FWRT_PACKAGE_IPTABLES_MOD_MASQUERADE
+        prompt   "iptables-mod-masquerade......... Iptables extensions for masquerading"
+        tristate
+        default n
+        depends FWRT_PACKAGE_IPTABLES
+        select FWRT_PACKAGE_IPTABLES_MOD_NAT
+        help
+          Iptables extensions for masquerading
 
 config FWRT_PACKAGE_IPTABLES_MOD_REJECT
@@ -49 +66 @@
         depends FWRT_PACKAGE_IPTABLES
         help
-          Iptables (IPv4) extensions for REJECT target
+          Iptables extensions for REJECT target
 
-config FWRT_PACKAGE_IPTABLES_MOD_FILTER
-        prompt   "iptables-mod-filter............. Iptables extension for packet content inspection"
+config FWRT_PACKAGE_IPTABLES_MOD_TCPMSS
+        prompt   "iptables-mod-tcpmss............. Iptables extensions for TCP MSS"
         tristate
         default n
         depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_FILTER
         help
-          Iptables (IPv4) extension for packet content inspection
+          Iptables extensions for TCP MSS target
 
-          Includes:
-            * libipt_ipp2p
-            * libipt_layer7
-
-config FWRT_PACKAGE_IPTABLES_MOD_IMQ
-        prompt "iptables-mod-imq................ Iptables extensions for Intermediate Queuing Device QoS-support"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IMQ
-        help
-          Iptables (IPv4) extensions for Intermediate Queuing Device QoS-support
-
-          Includes:
-            * libipt_IMQ
-
-config FWRT_PACKAGE_IPTABLES_MOD_IPOPT
-        prompt   "iptables-mod-ipopt.............. Iptables extensions for matching/changing IP packet options"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_IPOPT
-        help
-          Extra Iptables (IPv4) extensions for matching/changing IP packet options
-
-          Includes:
-            * libipt_CLASSIFY
-            * libipt_dscp/DSCP
-            * libipt_ecn/ECN
-            * libipt_length
-            * libipt_mac
-            * libipt_NETMAP
-            * libipt_tcpmms
-            * libipt_time
-            * libipt_tos/TOS
-            * libipt_ttl/TTL
-            * libipt_unclean
-
-config FWRT_PACKAGE_IPTABLES_MOD_IPSEC
-        prompt   "iptables-mod-ipsec.............. Iptables extensions for matching special IPsec packets"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_IPSEC
-        help
-          Iptables (IPv4) extensions for matching special IPsec packets
-
-          Includes:
-            * libipt_ah
-            * libipt_esp
-
-config FWRT_PACKAGE_IPTABLES_MOD_NAT
-        prompt   "iptables-mod-nat................ Iptables extensions for different NAT targets"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_NAT
-        help
-          Iptables (IPv4) extensions for different NAT targets
-
-          Includes:
-            * libipt_REDIRECT
-
-config FWRT_PACKAGE_IPTABLES_MOD_ULOG
-        prompt   "iptables-mod-ulog............... Iptables extensions for user-space packet logging"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_ULOG
-        help
-          Iptables (IPv4) extensions for user-space packet logging
-
-          Includes:
-            * libipt_ULOG
-
-config FWRT_PACKAGE_IPTABLES_MOD_EXTRA
-        prompt   "iptables-mod-extra.............. Other extra Iptables extensions"
-        tristate
-        default n
-        depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_EXTRA
-        help
-          Other extra Iptables (IPv4) extensions
-
-          Includes:
-            * libipt_limit
-            * libipt_owner
-            * libipt_physdev
-            * libipt_pkttype
-            * libipt_recent
-            * libipt_LOG
 
 config FWRT_PACKAGE_IPTABLES_UTILS

package/iptables/Makefile

@@ -13 +13 @@
 PKG_SOURCE:=            $(PKG_NAME)-$(PKG_VERSION).tar.xz
 
-define IPKG_plugin_template
-
-$$(IPKG_$(1)):
-        install -m0755 -d $$(IDIR_$(1))/usr/lib/xtables
-        for m in $(2); do \
-                $(INSTALL_DATA) $(WRKINST)/usr/lib/xtables/lib$$$${m}.so $$(IDIR_$(1))/usr/lib/xtables/ ; \
-        done
-        @[ -z "$(3)" ] || $(MAKE) $(3)
-        $(RSTRIP) $$(IDIR_$(1))
-        $(IPKG_BUILD) $$(IDIR_$(1)) $(PACKAGE_DIR)
-
-endef
-
 include $(TOPDIR)/mk/package.mk
 include $(LINUX_DIR)/.config
-include $(TOPDIR)/mk/netfilter.mk
 
 $(eval $(call PKG_template,IPTABLES,iptables,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
@@ -37 +23 @@
 $(eval $(call PKG_template,IPTABLES_MOD_CONNTRACK,iptables-mod-conntrack,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
 $(eval $(call PKG_template,IPTABLES_MOD_REJECT,iptables-mod-reject,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
+$(eval $(call PKG_template,IPTABLES_MOD_NAT,iptables-mod-nat,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
+$(eval $(call PKG_template,IPTABLES_MOD_MASQUERADE,iptables-mod-masquerade,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
 $(eval $(call PKG_template,IPTABLES_MOD_TCPMSS,iptables-mod-tcpmss,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_EXTRA,iptables-mod-extra,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_FILTER,iptables-mod-filter,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_IMQ,iptables-mod-imq,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_IPOPT,iptables-mod-ipopt,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_IPSEC,iptables-mod-ipsec,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_NAT,iptables-mod-nat,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-$(eval $(call PKG_template,IPTABLES_MOD_ULOG,iptables-mod-ulog,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
-
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_CONNTRACK,$(IPT_CONNTRACK-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_REJECT,$(IPT_REJECT-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_TCPMSS,$(IPT_TCPMSS-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_EXTRA,$(IPT_EXTRA-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_FILTER,$(IPT_FILTER-m),layer7-install))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_IMQ,$(IPT_IMQ-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_IPOPT,$(IPT_IPOPT-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_IPSEC,$(IPT_IPSEC-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_NAT,$(IPT_NAT-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_ULOG,$(IPT_ULOG-m)))
 
 $(WRKBUILD)/.configured:
@@ -89 +59 @@
         $(IPKG_BUILD) $(IDIR_IPTABLES) $(PACKAGE_DIR)
 
+$(IPKG_IPTABLES_MOD_CONNTRACK):
+        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_CONNTRACK)/usr/lib/xtables
+        (cd $(WRKINST)/usr/lib/xtables ; \
+                $(INSTALL_DATA) libxt_conntrack.so $(IDIR_IPTABLES_MOD_CONNTRACK)/usr/lib/xtables/ \
+        )
+        $(RSTRIP) $(IDIR_IPTABLES_MOD_CONNTRACK)
+        $(IPKG_BUILD) $(IDIR_IPTABLES_MOD_CONNTRACK) $(PACKAGE_DIR)
+
+$(IPKG_IPTABLES_MOD_NAT):
+        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_NAT)/usr/lib/xtables
+        (cd $(WRKINST)/usr/lib/xtables ; \
+                $(INSTALL_DATA) libxt_NAT.so $(IDIR_IPTABLES_MOD_NAT)/usr/lib/xtables/ \
+        )
+        $(RSTRIP) $(IDIR_IPTABLES_MOD_NAT)
+        $(IPKG_BUILD) $(IDIR_IPTABLES_MOD_NAT) $(PACKAGE_DIR)
+
+$(IPKG_IPTABLES_MOD_MASQUERADE):
+        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_MASQUERADE)/usr/lib/xtables
+        (cd $(WRKINST)/usr/lib/xtables ; \
+                $(CP) libxt_MASQUERADE.so $(IDIR_IPTABLES_MOD_MASQUERADE)/usr/lib/xtables/ \
+        )
+        $(RSTRIP) $(IDIR_IPTABLES_MOD_MASQUERADE)
+        $(IPKG_BUILD) $(IDIR_IPTABLES_MOD_MASQUERADE) $(PACKAGE_DIR)
+
+$(IPKG_IPTABLES_MOD_REJECT):
+        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_REJECT)/usr/lib/xtables
+        (cd $(WRKINST)/usr/lib/xtables ; \
+                $(CP) libipt_REJECT.so $(IDIR_IPTABLES_MOD_REJECT)/usr/lib/xtables/ \
+        )
+        $(RSTRIP) $(IDIR_IPTABLES_MOD_REJECT)
+        $(IPKG_BUILD) $(IDIR_IPTABLES_MOD_REJECT) $(PACKAGE_DIR)
+
+$(IPKG_IPTABLES_MOD_TCPMSS):
+        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_TCPMSS)/usr/lib/xtables
+        (cd $(WRKINST)/usr/lib/xtables ; \
+                $(CP) libxt_tcpmss.so libxt_TCPMSS.so $(IDIR_IPTABLES_MOD_TCPMSS)/usr/lib/xtables/ \
+        )
+        $(RSTRIP) $(IDIR_IPTABLES_MOD_TCPMSS)
+        $(IPKG_BUILD) $(IDIR_IPTABLES_MOD_TCPMSS) $(PACKAGE_DIR)
+
+
 $(IPKG_IPTABLES_FIREWALL_SCRIPT):
         $(INSTALL_DIR) $(IDIR_IPTABLES_FIREWALL_SCRIPT)/etc/init.d
@@ -111 +122 @@
         $(RSTRIP) $(IDIR_IP6TABLES)
         $(IPKG_BUILD) $(IDIR_IP6TABLES) $(PACKAGE_DIR)
-
-layer7-install:
-        $(INSTALL_DIR) $(IDIR_IPTABLES_MOD_FILTER)/etc/l7-protocols
-        $(INSTALL_DATA) files/l7/*.pat $(IDIR_IPTABLES_MOD_FILTER)/etc/l7-protocols/

package/iptables/ipkg/iptables-mod-conntrack.control

@@ -2 +2 @@
 Priority: optional
 Section: net
-Depends: iptables, kmod-ipt-conntrack
+Depends: iptables, kmod-iptables-conntrack
 Description: Iptables (IPv4) extensions for connection tracking

package/iptables/ipkg/iptables-mod-nat.control

@@ -2 +2 @@
 Priority: optional
 Section: net
-Depends: iptables, kmod-ipt-nat
+Depends: iptables, kmod-iptables-nat
 Description: Iptables (IPv4) extensions for different NAT targets

package/iptables/ipkg/iptables-mod-reject.control

@@ -2 +2 @@
 Priority: optional
 Section: net
-Depends: iptables
-Description: Iptables (IPv4) extensions for REJECT target
+Depends: iptables, kmod-iptables-reject
+Description: Iptables (IPv4) extensions for REJECT targets