[openwrt/openwrt] iptables: add {arp,eb}tables-nft

Sat Mar 19 09:30:41 PDT 2022


hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/66bb6dde36c22d3fb305f2d75741efd715ffeccc

commit 66bb6dde36c22d3fb305f2d75741efd715ffeccc
Author: Etienne Champetier <champetier.etienne at gmail.com>
AuthorDate: Mon Feb 28 23:14:48 2022 -0500

    iptables: add {arp,eb}tables-nft
    
    Add a patch that adds some missing init_extensions{a,b}() calls
    Package lib{arp,eb}t_*.so
    
    Signed-off-by: Etienne Champetier <champetier.etienne at gmail.com>
---
 package/network/utils/iptables/Makefile            |  38 ++++++++
 .../002-xtables-Call-init_extensions_a_b.patch     | 107 +++++++++++++++++++++
 2 files changed, 145 insertions(+)

diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index 0220ddf1a5..095a485e39 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -107,6 +107,28 @@ $(call Package/iptables/Default)
   DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
 endef
 
+define Package/arptables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
+  TITLE:=ARP firewall administration tool nft
+  PROVIDES:=arptables
+  ALTERNATIVES:=\
+    300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ebtables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
+  TITLE:=Bridge firewall administration tool nft
+  PROVIDES:=ebtables
+  ALTERNATIVES:=\
+    300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
+endef
+
 define Package/iptables-nft
 $(call Package/iptables/Default)
   TITLE:=IP firewall administration tool nft
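Review bot: The new DEPENDS lines pull in both the nft kernel side (`+kmod-nft-arp` / `+kmod-nft-bridge`) and the legacy module packages (`+kmod-arptables` / `+kmod-ebtables`), and nothing in the define says why an nft-backed tool needs the legacy kmods; a later cleanup could drop them and break the package at runtime. Presumably the xt match/target modules loaded through nft_compat live in those packages, but that is not visible here, so a one-line comment above each DEPENDS such as `# kmod-arptables/kmod-ebtables supply the xt match/target modules used via nft_compat` (worded to whatever the real reason is) would pin it down. The ALTERNATIVES priority 300 is also unexplained relative to the other *-nft packages in this file, which sit outside the hunk.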
@@ -666,6 +688,20 @@ define Package/xtables-nft/install
 	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
 endef
 
+define Package/arptables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/ebtables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
+endef
+
 define Package/iptables-nft/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
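Review bot: The two new install recipes copy `libarpt_*.so` / `libebt_*.so` straight out of `$(PKG_BUILD_DIR)/extensions`, whereas the binaries in the same recipes and in the neighbouring xtables-nft/iptables-nft recipes come from `$(PKG_INSTALL_DIR)`; a reader will wonder whether that is deliberate. If the upstream install target does not install these extension objects, say so above the `$(CP)` line, e.g. `# upstream make install does not ship the arp/bridge extension objects, take them from the build tree`. Taking files from the build tree also means any stray matching `.so` ends up in the package, so the wildcard is doing silent selection that a comment should at least acknowledge.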
@@ -737,6 +773,8 @@ $(eval $(call BuildPackage,libiptext-nft))
 $(eval $(call BuildPackage,xtables-legacy))
 $(eval $(call BuildPackage,iptables-legacy))
 $(eval $(call BuildPackage,xtables-nft))
+$(eval $(call BuildPackage,arptables-nft))
+$(eval $(call BuildPackage,ebtables-nft))
 $(eval $(call BuildPackage,iptables-nft))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
diff --git a/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch b/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
new file mode 100644
index 0000000000..0d7226ccd5
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
@@ -0,0 +1,107 @@
+A modified version of this patch was commited upstream
+as part of a fixup series
+https://bugzilla.netfilter.org/show_bug.cgi?id=1593
+https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
+
+--- a/iptables/xtables-monitor.c
++++ b/iptables/xtables-monitor.c
+@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
+ 	init_extensions();
+ 	init_extensions4();
+ 	init_extensions6();
++	init_extensionsa();
++	init_extensionsb();
+ #endif
+ 
+ 	if (nft_init(&h, AF_INET, xtables_ipv4)) {
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
+ #endif
+ 		break;
+ 	case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsa();
++#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsb();
++#endif
+ 		tables = xtables_bridge;
+ 		break;
+ 	default:
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
+ 		d.commit = true;
+ 		break;
+ 	case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsa();
++#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE: {
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsb();
++#endif
+ 		const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
+ 
+ 		if (!(d.format & FMT_NOCOUNTS)) {
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
+ 	init_extensions();
+ 	init_extensions4();
+ 	init_extensions6();
++	init_extensionsa();
++	init_extensionsb();
+ #endif
+ 
+ 	if (nft_init(&h, family, xtables_ipv4) < 0) {
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
+ 		tables = xtables_ipv4;
+ 		break;
+ 	case NFPROTO_ARP:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsa();
++#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE:
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++		init_extensions();
++		init_extensionsb();
++#endif
+ 		tables = xtables_bridge;
+ 		break;
+ 	default:
+--- a/iptables/xtables-arp.c
++++ b/iptables/xtables-arp.c
+@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
+ 	}
+ 
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++	init_extensions();
+ 	init_extensionsa();
+ #endif
+ 
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
+ 	}
+ 
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++	init_extensions();
+ 	init_extensionsb();
+ #endif
+ 
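Review bot: With this patch `init_extensions()` plus `init_extensionsa()`/`init_extensionsb()` may run more than once in a single invocation: `xtables_main()` in xtables-standalone.c now calls all of them, `nft_init_arp()`/`nft_init_eb()` in xtables-arp.c/xtables-eb.c also call `init_extensions()` followed by the family-specific one, and the NFPROTO_ARP/NFPROTO_BRIDGE cases added in xtables-restore.c, xtables-save.c and xtables-translate.c do the same if those paths later reach `nft_init_arp()`/`nft_init_eb()`. Whether libxtables tolerates registering the same match/target twice is not visible in these hunks and should be confirmed against the upstream fixup referenced in the patch header, which the header itself says landed in modified form. Every function touched by the patch starts and ends outside its hunk, so the surrounding call order cannot be checked here. Separately, `commited` in the first header line should read `committed`, and keeping the upstream commit link there is useful so the patch can be dropped at the next version bump.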



