[openwrt/openwrt] iptables: rework ip(6)tables-nft dependencies

LEDE Commits lede-commits at lists.infradead.org
Wed Feb 2 15:14:17 PST 2022


hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/b0bd6599e840c443d8ccb8759315e4dd006fd6aa

commit b0bd6599e840c443d8ccb8759315e4dd006fd6aa
Author: Etienne Champetier <champetier.etienne at gmail.com>
AuthorDate: Wed Jan 26 14:33:52 2022 -0500

    iptables: rework ip(6)tables-nft dependencies
    
    According to the iptables-nft man page,
    "These tools use the libxtables framework extensions and hook to the nf_tables
    kernel subsystem using the nft_compat module."
    
    This means that, to work, iptables-nft needs the same modules as
    iptables legacy except the ip(6)table-{filter,mangle,nat,raw},
    ip_tables, ip6tables.
    When those modules are loaded iptables-nft-save output contains
    "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
    But as long as it's empty it should not be a problem.
    
    To have nft properly display the rules created by ip(6)tables-nft we need
    all iptables targets and matches to be built as extensions and not built-in
    (/usr/lib/iptables/libip(6)t_*.so).
    
    When switching a package to iptables-nft, you need to keep the
    iptables-mod-* dependencies.
    
    This patch makes minimal changes:
    - remove the direct iptables-nft -> iptables dependency
    - and, more importantly, add the nft-compat dependency
    
    The rule
    iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
    becomes
    table ip filter {
            chain OUTPUT {
                    type filter hook output priority filter; policy accept;
                    ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
            }
    }
    
    Signed-off-by: Etienne Champetier <champetier.etienne at gmail.com>
---
 package/network/utils/iptables/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
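The commit message shows that rules created through ip(6)tables-nft appear in `nft list ruleset` with `# xt_<extension>` markers, and that an iptables-nft-save dump may carry the "iptables-legacy tables present" warning. The following helper, added here as an example and not part of the commit or of OpenWrt, audits such dumps for those two signals so an administrator can see which rules still depend on kmod-nft-compat and the iptables-mod-* extensions. The sample ruleset is constructed from the rule in the commit message plus one native nft rule.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (modelled on the commit message;
# the second rule is a native nft rule that needs no xtables extension).
SAMPLE_RULESET='table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
		ip daddr 10.0.0.1 counter packets 0 bytes 0 drop
	}
}'

# Constructed sample of an iptables-nft-save dump that also has legacy tables loaded.
SAMPLE_SAVE='# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
*filter
:OUTPUT ACCEPT [0:0]
COMMIT'

# Number of rules that go through nft_compat: each such rule carries at least
# one "# xt_<name>" marker, so kmod-nft-compat and the matching iptables-mod-*
# package must stay installed for them to keep working.
count_xt_rules() {
	printf '%s\n' "$1" | grep -c '# xt_'
}

# Distinct xtables extensions referenced by the ruleset, space separated
# (C locale so the order does not depend on the caller's collation).
list_xt_extensions() {
	printf '%s\n' "$1" | grep -o '# xt_[A-Za-z0-9_]*' | sed 's/^# //' \
		| LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True when the save output reports that legacy ip_tables/ip6_tables tables
# are loaded alongside the nft-backed ones (harmless while they stay empty).
has_legacy_warning() {
	printf '%s\n' "$1" | grep -q '^# Warning: iptables-legacy tables present'
}

main() {
	echo "compat rules: $(count_xt_rules "$SAMPLE_RULESET")"
	echo "extensions:   $(list_xt_extensions "$SAMPLE_RULESET")"
	if has_legacy_warning "$SAMPLE_SAVE"; then
		echo "legacy tables are loaded as well"
	fi
}
main
```

On a live system replace the constructed samples with `nft list ruleset` and `iptables-nft-save` output.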

diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 2ba30eeca8..853bff39c6 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -41,7 +41,7 @@ endef
 
 define Package/iptables/Module
 $(call Package/iptables/Default)
-  DEPENDS:=iptables $(1)
+  DEPENDS:=+iptables $(1)
 endef
 
 define Package/iptables
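Review bot: the change from `DEPENDS:=iptables $(1)` to `DEPENDS:=+iptables $(1)` in Package/iptables/Module turns a plain dependency into an auto-selected one, which is a behaviour change for every iptables-mod-* package but is not mentioned in the commit message; please add a sentence there (or split it into its own commit) so the reason for the `+` prefix is recorded.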
@@ -108,7 +108,7 @@ endef
 define Package/iptables-nft
 $(call Package/iptables/Default)
   TITLE:=IP firewall administration tool nft
-  DEPENDS:=iptables @IPTABLES_NFTABLES +libxtables-nft
+  DEPENDS:=@IPTABLES_NFTABLES +libxtables-nft +libip4tc +IPV6:libip6tc +kmod-ipt-core +kmod-nft-compat
 endef
 
 define Package/iptables-nft/description
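Review bot: the new DEPENDS line for Package/iptables-nft adds +kmod-ipt-core and +kmod-nft-compat but, as the commit message says, the individual iptables-mod-* packages are still required for each match and target to be available as an extension; a short comment above `DEPENDS:=@IPTABLES_NFTABLES +libxtables-nft +libip4tc +IPV6:libip6tc +kmod-ipt-core +kmod-nft-compat` stating that would stop a later cleanup from assuming the module dependencies are complete, and the line is long enough to be worth wrapping with a backslash.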
@@ -454,7 +454,7 @@ endef
 
 define Package/ip6tables-nft
 $(call Package/iptables/Default)
-  DEPENDS:=ip6tables @IPTABLES_NFTABLES +libxtables-nft
+  DEPENDS:=@IPV6 +kmod-ip6tables +iptables-nft
   TITLE:=IP firewall administration tool nft
 endef
 
@@ -522,7 +522,7 @@ define Package/libxtables-nft
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables nft library
  ABI_VERSION:=12
- DEPENDS:=libxtables
+ DEPENDS:=+libxtables
 endef
 
 TARGET_CPPFLAGS := \
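Review bot: as with the Package/iptables/Module hunk, the `DEPENDS:=+libxtables` change for Package/libxtables-nft makes libxtables auto-selected instead of a hard requirement and is not covered by the commit message; either mention it there or keep the `+` prefix fixes in a separate commit so the nft-compat change stays minimal as the message claims.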
