include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
-PKG_VERSION:=1.8.2
-PKG_RELEASE:=3
+PKG_VERSION:=1.8.3
+PKG_RELEASE:=1
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://git.netfilter.org/iptables
-PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83
-PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
+PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_HASH:=a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
SECTION:=net
CATEGORY:=Network
SUBMENU:=Firewall
- URL:=http://netfilter.org/
+ URL:=https://netfilter.org/
endef
define Package/iptables/Module
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library
- ABI_VERSION:=0
+ ABI_VERSION:=2
DEPENDS:=+libxtables
endef
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library
- ABI_VERSION:=0
+ ABI_VERSION:=2
DEPENDS:=+libxtables
endef
+++ /dev/null
-From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument. This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
---- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
- type_name = icmp6_type_xlate(icmptype);
-
- if (type_name) {
-- xt_xlate_add(xl, type_name);
-+ xt_xlate_add(xl, "%s", type_name);
- } else {
- for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
- if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
- break;
-
- if (i != ARRAY_SIZE(icmpv6_codes))
-- xt_xlate_add(xl, icmpv6_codes[i].name);
-+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
- else
- return 0;
- }
---- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
- if (icmp_codes[i].type == icmptype &&
- icmp_codes[i].code_min == code_min &&
- icmp_codes[i].code_max == code_max) {
-- xt_xlate_add(xl, icmp_codes[i].name);
-+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
- return 1;
- }
- }
+++ /dev/null
-From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Fri, 16 Nov 2018 09:30:33 +0200
-Subject: include: fix build with kernel headers before 4.2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 672accf1530 (include: update kernel netfilter header files)
-updated linux/netfilter.h and brought with it the update from kernel
-commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
-from netns headers). This triggers conflict of headers that is fixed in
-kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
-netinet/in.h) included in kernel version 4.2. For earlier kernel headers
-we need a workaround that prevents the headers conflict.
-
-Fixes the following build failure:
-
-In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
- from ../include/libiptc/ipt_kernel_headers.h:8,
- from ../include/libiptc/libiptc.h:6,
- from libip4tc.c:29:
-.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
- IPPROTO_IP = 0, /* Dummy protocol for TCP */
- ^
-.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
- IPPROTO_IP = 0, /* Dummy protocol for TCP. */
- ^~~~~~~~~~
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- include/linux/netfilter.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -3,8 +3,10 @@
-
- #include <linux/types.h>
-
-+#ifndef _NETINET_IN_H
- #include <linux/in.h>
- #include <linux/in6.h>
-+#endif
- #include <limits.h>
-
- /* Responses from hook functions. */
+++ /dev/null
-From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Tue, 13 Nov 2018 19:22:08 +0200
-Subject: ebtables: vlan: fix userspace/kernel headers collision
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Build with musl libc fails because of conflicting struct ethhdr
-definitions:
-
-In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
- from ../iptables/nft-bridge.h:8,
- from libebt_vlan.c:18:
-.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
- struct ethhdr {
- ^~~~~~
-In file included from libebt_vlan.c:16:0:
-.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
- struct ethhdr {
- ^~~~~~
-
-Include the userspace header first for the definition suppression logic
-to do the right thing.
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- extensions/libebt_vlan.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/extensions/libebt_vlan.c
-+++ b/extensions/libebt_vlan.c
-@@ -12,6 +12,7 @@
- #include <getopt.h>
- #include <ctype.h>
- #include <xtables.h>
-+#include <netinet/if_ether.h>
- #include <linux/netfilter_bridge/ebt_vlan.h>
- #include <linux/if_ether.h>
- #include "iptables/nft.h"
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
-@@ -887,12 +887,6 @@ static void xtables_check_options(const
+@@ -903,12 +903,6 @@ static void xtables_check_options(const
void xtables_register_match(struct xtables_match *me)
{
if (me->version == NULL) {
fprintf(stderr, "%s: match %s<%u> is missing a version\n",
xt_params->program_name, me->name, me->revision);
-@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta
+@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
void xtables_register_target(struct xtables_target *me)
{
--- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c
-@@ -31,8 +31,10 @@ static const struct subcommand multi_sub
+@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
#endif
+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
- pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod})
pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod})
-@@ -67,13 +87,13 @@ pf6_solibs := $(patsubst %,libip6t_%.
+@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
#
targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
targets_install :=
-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
+libext_objs := ${pfx_objs}
+libext_ebt_objs := ${pfb_objs}
+libext_arpt_objs := ${pfa_objs}
+libext4_objs := ${pf4_objs}
+libext6_objs := ${pf6_objs}
-+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
++symlinks_install := ${pfx_symlink_files}
.SECONDARY:
-@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
+@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
-@@ -85,7 +85,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
+@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
#
# Building blocks
#
targets_install :=
libext_objs := ${pfx_objs}
libext_ebt_objs := ${pfb_objs}
-@@ -112,7 +112,7 @@ clean:
+@@ -119,7 +119,7 @@ clean:
distclean: clean
init%.o: init%.c
-include .*.d
-@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
+@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
# handling code in the Makefiles.
#
lib%.o: ${srcdir}/lib%.c
initextb_func := $(addprefix ebt_,${pfb_build_static})
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
-@@ -8,7 +8,8 @@ BUILT_SOURCES =
+@@ -8,19 +8,22 @@ BUILT_SOURCES =
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
if ENABLE_STATIC
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
endif
-@@ -16,13 +17,15 @@ if ENABLE_IPV4
- xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
- iptables-standalone.c iptables.c
+ if ENABLE_IPV4
+ xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
+xtables_legacy_multi_LDFLAGS += -liptext4
endif
if ENABLE_IPV6
- xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
- ip6tables-standalone.c ip6tables.c
+ xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
+xtables_legacy_multi_LDFLAGS += -liptext6
endif
- xtables_legacy_multi_SOURCES += xshared.c
+ xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
-@@ -32,7 +35,8 @@ if ENABLE_NFTABLES
+@@ -30,7 +33,8 @@ if ENABLE_NFTABLES
BUILT_SOURCES += xtables-config-parser.h
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
if ENABLE_STATIC
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif
-@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav
+@@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
xtables-translate.c