From: Etienne Champetier Date: Tue, 1 Mar 2022 04:14:48 +0000 (-0500) Subject: iptables: add {arp,eb}tables-nft X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=66bb6dde36c22d3fb305f2d75741efd715ffeccc;p=openwrt%2Fstaging%2Fnbd.git iptables: add {arp,eb}tables-nft Add a patch to add some missing init_extensions{a,b}() calls Package lib{arp,eb}t_*.so Signed-off-by: Etienne Champetier
---
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 0220ddf1a5..095a485e39 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -107,6 +107,28 @@ $(call Package/iptables/Default)
 DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
 endef

+define Package/arptables-nft
+$(call Package/iptables/Default)
+ DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
+ TITLE:=ARP firewall administration tool nft
+ PROVIDES:=arptables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ebtables-nft
+$(call Package/iptables/Default)
+ DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
+ TITLE:=Bridge firewall administration tool nft
+ PROVIDES:=ebtables
+ ALTERNATIVES:=\
+ 300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
+ 300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
+endef
+
 define Package/iptables-nft
 $(call Package/iptables/Default)
 TITLE:=IP firewall administration tool nft
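Review bot: The new Package/arptables-nft and Package/ebtables-nft definitions depend on +kmod-arptables and +kmod-ebtables next to the nft-side +kmod-nft-arp / +kmod-nft-bridge, and nothing in the hunk says why the nft front-ends need the legacy table modules as well. If they are there only because the arpt_*/ebt_* match and target modules live in those kmod packages and are reached through nft_compat, a comment on each DEPENDS line would stop a later maintainer from dropping them or from assuming both backends must be loaded, e.g. `# kmod-arptables provides the arpt_* extension modules used through nft_compat (confirm)`. Otherwise the two definitions mirror Package/iptables-nft below and read fine as written.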
@@ -666,6 +688,20 @@ define Package/xtables-nft/install
 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
 endef

+define Package/arptables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+ $(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/ebtables-nft/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+ $(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
+endef
+
 define Package/iptables-nft/install
 $(INSTALL_DIR) $(1)/usr/sbin
 $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
@@ -737,6 +773,8 @@ $(eval $(call BuildPackage,libiptext-nft))
 $(eval $(call BuildPackage,xtables-legacy))
 $(eval $(call BuildPackage,iptables-legacy))
 $(eval $(call BuildPackage,xtables-nft))
+$(eval $(call BuildPackage,arptables-nft))
+$(eval $(call BuildPackage,ebtables-nft))
 $(eval $(call BuildPackage,iptables-nft))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
diff --git a/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch b/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
new file mode 100644
index 0000000000..0d7226ccd5
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
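Review bot: In Package/arptables-nft/install and Package/ebtables-nft/install the extension libraries are globbed straight out of $(PKG_BUILD_DIR)/extensions/, while the binaries two lines earlier in each recipe are taken from $(PKG_INSTALL_DIR); if upstream's install step stages lib{arpt,ebt}_*.so into $(PKG_INSTALL_DIR)/usr/lib/iptables the way it stages the sbin binaries, copying from there would keep the recipe consistent and would ship only what upstream installs, e.g. `$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/libarpt_*.so $(1)/usr/lib/iptables/` (and the libebt_ counterpart). Whether the install tree contains them is not visible in this hunk, so treat that as a question rather than a defect. A one-line comment above each glob stating that these are the xtables-nft extension modules for the arp and bridge families would also help, since the iptables-mod-* plugins registered further down install their xt_* modules through a different path.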
@@ -0,0 +1,107 @@
+A modified version of this patch was commited upstream
+as part of a fixup series
+https://bugzilla.netfilter.org/show_bug.cgi?id=1593
+https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
+
+--- a/iptables/xtables-monitor.c
++++ b/iptables/xtables-monitor.c
+@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
+ init_extensions();
+ init_extensions4();
+ init_extensions6();
++ init_extensionsa();
++ init_extensionsb();
+ #endif
+
+ if (nft_init(&h, AF_INET, xtables_ipv4)) {
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
+ #endif
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ tables = xtables_bridge;
+ break;
+ default:
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
+ d.commit = true;
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE: {
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
+
+ if (!(d.format & FMT_NOCOUNTS)) {
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
+ init_extensions();
+ init_extensions4();
+ init_extensions6();
++ init_extensionsa();
++ init_extensionsb();
+ #endif
+
+ if (nft_init(&h, family, xtables_ipv4) < 0) {
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
+ tables = xtables_ipv4;
+ break;
+ case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsa();
++#endif
+ tables = xtables_arp;
+ break;
+ case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
++ init_extensionsb();
++#endif
+ tables = xtables_bridge;
+ break;
+ default:
+--- a/iptables/xtables-arp.c
++++ b/iptables/xtables-arp.c
+@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
+ }
+
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
+ init_extensionsa();
+ #endif
+
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
+ }
+
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++ init_extensions();
+ init_extensionsb();
+ #endif
+
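Review bot: The header of the new patch file says a modified version was committed upstream but not how this copy differs from that commit or why the local variant is carried instead of the upstream one, so whoever rebases the package next has no way to tell whether to drop it or replace it; a line after the upstream link such as `Local differences from upstream: <describe, or "none beyond context">` would make that call mechanical (the first header line also misspells "committed"). Separately, the hunks for xtables-arp.c and xtables-eb.c make nft_init_arp() and nft_init_eb() call init_extensions() themselves under ALL_INCLUSIVE/NO_SHARED_LIBS, while the xtables-standalone.c context shows xtables_main() already calling init_extensions() before it reaches nft_init(); if any static-build path runs both, the generic extensions are registered twice, and whether libxtables tolerates a duplicate registration is not visible here, so a short comment next to the added call (or a once-only guard) would be worth adding. Every function touched by these hunks starts and ends outside the hunk.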