diff options
author | Felix Fietkau <nbd@openwrt.org> | 2012-10-10 12:32:29 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2012-10-10 12:32:29 +0000 |
commit | 405e21d16731b2764ab82aaaadcf36a813b105f7 (patch) | |
tree | c6f9a8402389a5081519b91ce62c4a8cafcb8917 /package/iptables | |
parent | d0ec348ded6f715b43b396b06ccb10599b37969d (diff) | |
download | mtk-20170518-405e21d16731b2764ab82aaaadcf36a813b105f7.zip mtk-20170518-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.gz mtk-20170518-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.bz2 |
packages: sort network related packages into package/network/
SVN-Revision: 33688
Diffstat (limited to 'package/iptables')
26 files changed, 0 insertions, 1886 deletions
diff --git a/package/iptables/Makefile b/package/iptables/Makefile deleted file mode 100644 index ff7d428..0000000 --- a/package/iptables/Makefile +++ /dev/null @@ -1,475 +0,0 @@ -# -# Copyright (C) 2006-2012 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk -include $(INCLUDE_DIR)/kernel.mk - -PKG_NAME:=iptables -PKG_VERSION:=1.4.10 -PKG_RELEASE:=4 - -PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ - ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ - ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \ - ftp://ftp.no.netfilter.org/pub/netfilter/iptables/ - -PKG_FIXUP:=autoreconf -PKG_INSTALL:=1 -PKG_BUILD_PARALLEL:=1 - -ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"") -PATCH_DIR:= -endif - -include $(INCLUDE_DIR)/package.mk -ifeq ($(DUMP),) - -include $(LINUX_DIR)/.config - include $(INCLUDE_DIR)/netfilter.mk - STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s) -endif - - -define Package/iptables/Default - SECTION:=net - CATEGORY:=Network - SUBMENU:=Firewall - URL:=http://netfilter.org/ -endef - -define Package/iptables/Module -$(call Package/iptables/Default) - DEPENDS:=iptables $(1) -endef - -define Package/iptables -$(call Package/iptables/Default) - TITLE:=IPv4 firewall administration tool - MENU:=1 - DEPENDS+= +kmod-ipt-core +libip4tc +libxtables -endef - -define Package/iptables/description -IPv4 firewall administration tool. - - Matches: - - icmp - - tcp - - udp - - comment - - limit - - mac - - multiport - - Targets: - - ACCEPT - - DROP - - REJECT - - LOG - - TCPMSS - - Tables: - - filter - - mangle - -endef - -define Package/iptables-mod-conntrack-extra -$(call Package/iptables/Module, +kmod-ipt-conntrack-extra) - TITLE:=Extra connection tracking extensions -endef - -define Package/iptables-mod-conntrack-extra/description -Extra iptables extensions for connection tracking. - - Matches: - - connbytes - - connmark - - recent - - helper - - Targets: - - CONNMARK - -endef - -define Package/iptables-mod-filter -$(call Package/iptables/Module, +kmod-ipt-filter) - TITLE:=Content inspection extensions -endef - -define Package/iptables-mod-filter/description -iptables extensions for packet content inspection. -Includes support for: - - Matches: - - layer7 - - string - -endef - -define Package/iptables-mod-ipopt -$(call Package/iptables/Module, +kmod-ipt-ipopt) - TITLE:=IP/Packet option extensions -endef - -define Package/iptables-mod-ipopt/description -iptables extensions for matching/changing IP packet options. - - Matches: - - dscp - - ecn - - length - - mark - - statistic - - tcpmss - - time - - unclean - - hl - - Targets: - - DSCP - - CLASSIFY - - ECN - - MARK - - HL - -endef - -define Package/iptables-mod-ipsec -$(call Package/iptables/Module, +kmod-ipt-ipsec) - TITLE:=IPsec extensions -endef - -define Package/iptables-mod-ipsec/description -iptables extensions for matching ipsec traffic. - - Matches: - - ah - - esp - - policy - -endef - -define Package/iptables-mod-ipset -$(call Package/iptables/Module,) - TITLE:=IPset iptables extensions -endef - -define Package/iptables-mod-ipset/description -IPset iptables extensions. - - Matches: - - set - - Targets: - - SET - -endef - -define Package/iptables-mod-nat-extra -$(call Package/iptables/Module, +kmod-ipt-nat-extra) - TITLE:=Extra NAT extensions -endef - -define Package/iptables-mod-nat-extra/description -iptables extensions for extra NAT targets. - - Targets: - - MIRROR - - NETMAP - - REDIRECT -endef - -define Package/iptables-mod-ulog -$(call Package/iptables/Module, +kmod-ipt-ulog) - TITLE:=user-space packet logging -endef - -define Package/iptables-mod-ulog/description -iptables extensions for user-space packet logging. - - Targets: - - ULOG - -endef - -define Package/iptables-mod-hashlimit -$(call Package/iptables/Module, +kmod-ipt-hashlimit) - TITLE:=hashlimit matching -endef - -define Package/iptables-mod-hashlimit/description -iptables extensions for hashlimit matching - - Matches: - - hashlimit - -endef - -define Package/iptables-mod-iprange -$(call Package/iptables/Module, +kmod-ipt-iprange) - TITLE:=IP range extension -endef - -define Package/iptables-mod-iprange/description -iptables extensions for matching ip ranges. - - Matches: - - iprange - -endef - -define Package/iptables-mod-extra -$(call Package/iptables/Module, +kmod-ipt-extra) - TITLE:=Other extra iptables extensions -endef - -define Package/iptables-mod-extra/description -Other extra iptables extensions. - - Matches: - - condition - - owner - - physdev (if ebtables is enabled) - - pkttype - - quota - -endef - -define Package/iptables-mod-led -$(call Package/iptables/Module, +kmod-ipt-led) - TITLE:=LED trigger iptables extension -endef - -define Package/iptables-mod-led/description -iptables extension for triggering a LED. - - Targets: - - LED - -endef - -define Package/iptables-mod-tproxy -$(call Package/iptables/Module, +kmod-ipt-tproxy) - TITLE:=Transparent proxy iptables extensions -endef - -define Package/iptables-mod-tproxy/description -Transparent proxy iptables extensions. - - Matches: - - socket - - Targets: - - TPROXY - -endef - -define Package/iptables-mod-tee -$(call Package/iptables/Module, +kmod-ipt-tee) - TITLE:=TEE iptables extensions -endef - -define Package/iptables-mod-tee/description -TEE iptables extensions. - - Targets: - - TEE - -endef - -define Package/iptables-mod-u32 -$(call Package/iptables/Module, +kmod-ipt-u32) - TITLE:=U32 iptables extensions -endef - -define Package/iptables-mod-u32/description -U32 iptables extensions. - - Matches: - - u32 - -endef - -define Package/ip6tables -$(call Package/iptables/Default) - DEPENDS:=+kmod-ip6tables +libip6tc +libxtables - CATEGORY:=IPv6 - TITLE:=IPv6 firewall administration tool - MENU:=1 -endef - -define Package/libiptc -$(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - DEPENDS:=+libip4tc +libip6tc - TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub) -endef - -define Package/libip4tc -$(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4 firewall - shared libiptc library -endef - -define Package/libip6tc -$(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv6 firewall - shared libiptc library -endef - -define Package/libxtables - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4/IPv6 firewall - shared xtables library -endef - -define Package/libipq - $(call Package/iptables/Default) - SECTION:=libs - CATEGORY:=Libraries - TITLE:=IPv4/IPv6 firewall - shared libipq library -endef - -TARGET_CPPFLAGS := \ - -I$(PKG_BUILD_DIR)/include \ - -I$(LINUX_DIR)/user_headers/include \ - $(TARGET_CPPFLAGS) - -TARGET_CFLAGS += \ - -I$(PKG_BUILD_DIR)/include \ - -I$(LINUX_DIR)/user_headers/include - -CONFIGURE_ARGS += \ - --enable-shared \ - --enable-devel \ - $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \ - --enable-libipq \ - --with-kernel="$(LINUX_DIR)/user_headers" \ - --with-xtlibdir=/usr/lib/iptables \ - --enable-static - -MAKE_FLAGS := \ - $(TARGET_CONFIGURE_OPTS) \ - COPT_FLAGS="$(TARGET_CFLAGS)" \ - KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \ - KBUILD_OUTPUT="$(LINUX_DIR)" \ - BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))" - -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include - $(INSTALL_DIR) $(1)/usr/include/iptables - $(INSTALL_DIR) $(1)/usr/include/net/netfilter - - # XXX: iptables header fixup, some headers are not installed by iptables anymore - $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/ - $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/ - $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/ - $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/ - - $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/ -endef - -define Package/iptables/install - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/ - $(LN) iptables $(1)/usr/sbin/iptables-save - $(LN) iptables $(1)/usr/sbin/iptables-restore - $(INSTALL_DIR) $(1)/usr/lib/iptables -endef - -define Package/ip6tables/install - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/ - $(LN) ip6tables $(1)/usr/sbin/ip6tables-save - $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore - $(INSTALL_DIR) $(1)/usr/lib/iptables - (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \ - $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \ - ) -endef - -define Package/libiptc/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/ -endef - -define Package/libip4tc/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/ -endef - -define Package/libip6tc/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/ -endef - -define Package/libxtables/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ -endef - -define Package/libipq/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/ -endef - -define BuildPlugin - define Package/$(1)/install - $(INSTALL_DIR) $$(1)/usr/lib/iptables - for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \ - if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ - fi; \ - done - $(3) - endef - - $$(eval $$(call BuildPackage,$(1))) -endef - -L7_INSTALL:=\ - $(INSTALL_DIR) $$(1)/etc/l7-protocols; \ - $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/ - - -$(eval $(call BuildPackage,iptables)) -$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL))) -$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) -$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) -$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET)) -$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) -$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) -$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) -$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) -$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m))) -$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) -$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) -$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) -$(eval $(call BuildPackage,ip6tables)) -$(eval $(call BuildPackage,libiptc)) -$(eval $(call BuildPackage,libip4tc)) -$(eval $(call BuildPackage,libip6tc)) -$(eval $(call BuildPackage,libxtables)) -$(eval $(call BuildPackage,libipq)) diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat deleted file mode 100644 index 5c43930..0000000 --- a/package/iptables/files/l7/aim.pat +++ /dev/null @@ -1,28 +0,0 @@ -# AIM - AOL instant messenger (OSCAR and TOC) -# Pattern attributes: good slow notsofast -# Protocol groups: chat proprietary -# Wiki: http://www.protocolinfo.org/wiki/AIM -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 5190 -# -# This may also match ICQ traffic. -# -# This pattern has been tested and is believed to work well. - -aim -# See http://gridley.res.carleton.edu/~straitm/final (and various other places) -# The first bit matches OSCAR signon and data commands, but not sure what -# \x03\x0b matches, but it works apparently. -# The next three bits match various parts of the TOC signon process. -# The third one is the magic number "*", then 0x01 for "signon", then up to four -# bytes ("up to" because l7-filter strips out nulls) which contain a sequence -# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), -# then 0x01 for the version number (not sure if there ever has been another -# version) -# The fourth one is a command string, followed by some stuff, then the -# beginning of the "roasted" password - -# This pattern is too slow! - -^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat deleted file mode 100644 index 4a3ba88..0000000 --- a/package/iptables/files/l7/bittorrent.pat +++ /dev/null @@ -1,25 +0,0 @@ -# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com -# Pattern attributes: good slow594 notsofast undermatch -# Protocol groups: p2p open_source -# Wiki: http://www.protocolinfo.org/wiki/Bittorrent -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# This pattern has been tested and is believed to work well. -# It will, however, not work on bittorrent streams that are encrypted, since -# it's impossible to match (well) encrypted data. - -bittorrent - -# Does not attempt to match the HTTP download of the tracker -# 0x13 is the length of "bittorrent protocol" -# Second two bits match UDP wierdness -# Next bit matches something Azureus does -# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next -# packet and perhaps this will match multiple clients. -# bitcomet-specific strings contributed by liangjun. - -# This is not a valid GNU basic regular expression (but that's ok). -^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP] - -# This pattern is "fast", but won't catch as much -#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat deleted file mode 100644 index 75807f8..0000000 --- a/package/iptables/files/l7/edonkey.pat +++ /dev/null @@ -1,37 +0,0 @@ -# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others -# Pattern attributes: good veryfast fast overmatch -# Protocol groups: p2p -# Wiki: http://www.protocolinfo.org/wiki/EDonkey -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4 -# and a long time ago with something else. -# -# In addition to matching what you might expect, this matches much of -# what eMule does when you tell it to only connect to the KAD network. -# I don't quite know what to make of this. - -# Thanks to Matt Skidmore <fox AT woozle.org> - -edonkey - -# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 -# -# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5. -# As of April 2006, I also see some \xe4. -# -# God this is a mess. What an irritating protocol. -# This will match about 2% of streams with random data in them! -# (But fortunately much fewer than 2% of streams that are other protocols. -# You can test this with the data in ../testing/) - -^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) - -# matches everything and too much -# ^(\xe3|\xc5|\xd4) - -# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. - -# bandwidtharbitrator uses -# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey -# no comments to explain what all the mush is, of course... diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat deleted file mode 100644 index 6ed8ff1..0000000 --- a/package/iptables/files/l7/fasttrack.pat +++ /dev/null @@ -1,23 +0,0 @@ -# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) -# Pattern attributes: good slow notsofast -# Protocol groups: p2p -# Wiki: http://www.protocolinfo.org/wiki/Fasttrack -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Tested with Kazaa Lite Resurrection 0.0.7.6F -# -# This appears to match the download connections well, but not the search -# connections (I think they are encrypted :-( ). - -fasttrack -# while this is a valid http request, this will be caught because -# the http pattern matches the response (and therefore the next packet) -# Even so, it's best to put this match earlier in the chain. -# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup - -# This pattern is kinda slow, but not too bad. -^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? - -# This isn't much faster: -#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? - diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat deleted file mode 100644 index 44d97c4..0000000 --- a/package/iptables/files/l7/ftp.pat +++ /dev/null @@ -1,46 +0,0 @@ -# FTP - File Transfer Protocol - RFC 959 -# Pattern attributes: great notsofast fast -# Protocol groups: document_retrieval ietf_internet_standard -# Wiki: http://protocolinfo.org/wiki/FTP -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 21. Note that the data stream is on a dynamically -# assigned port, which means that you will need the FTP connection -# tracking module in your kernel to usefully match FTP data transfers. -# -# This pattern is well tested. -# -# Handles the first two things a server should say: -# -# First, the server says it's ready by sending "220". Most servers say -# something after 220, even though they don't have to, and it usually -# includes the string "ftp" (l7-filter is case insensitive). This -# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP -# Server, and whatever ftp.microsoft.com uses. Almost all servers use only -# ASCII printable characters between the "220" and the "FTP", but non-English -# ones might use others. -# -# The next thing the server sends is a 331. All the above servers also -# send something including "password" after this code. By default, we -# do not match on this because it takes another packet and is more work -# for regexec. - -ftp -# by default, we allow only ASCII -^220[\x09-\x0d -~]*ftp - -# This covers UTF-8 as well -#^220[\x09-\x0d -~\x80-\xfd]*ftp - -# This allows any characters and is about 4x faster than either of the above -# (which are about the same as each other) -#^220.*ftp - -# This is much slower -#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password - -# This pattern is more precise, but takes longer to match. (3 packets vs. 1) -#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 - -# same as above, but slightly less precise and only takes 2 packets. -#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat deleted file mode 100644 index 770ed43..0000000 --- a/package/iptables/files/l7/gnutella.pat +++ /dev/null @@ -1,34 +0,0 @@ -# Gnutella - P2P filesharing -# Pattern attributes: good notsofast notsofast -# Protocol groups: p2p open_source -# Wiki: http://www.protocolinfo.org/wiki/Gnutella -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# This should match both Gnutella and "Gnutella2" ("Mike's protocol") -# -# Various clients use this protocol including Mactella, Shareaza, -# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare. -# -# This is tested with gtk-gnutella and Shareaza. - -# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver -# http://rfc-gnutella.sf.net/ -# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification -# http://en.wikipedia.org/wiki/Shareaza - -gnutella - -# The first part matches UDP messages - All start with "GND", then have -# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes -# that can be anything, then a fragment number, which must start at 1. -# The rest matches TCP first client message or first server message (in case -# we can't see client messages). Some parts of this are empirical rather than -# document based. Assumes version is between 0.0 and 2.9. (usually is -# 0.4 or 0.6). I'm guessing at many of the user-agents. -# The last bit is emprical and probably only matches Limewire. -^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime) - -# Needlessly precise, at the expense of time -#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) - - diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat deleted file mode 100644 index 5122310..0000000 --- a/package/iptables/files/l7/http.pat +++ /dev/null @@ -1,28 +0,0 @@ -# HTTP - HyperText Transfer Protocol - RFC 2616 -# Pattern attributes: great slow notsofast superset -# Protocol groups: document_retrieval ietf_draft_standard -# Wiki: http://protocolinfo.org/wiki/HTTP -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 80 -# -# This pattern has been tested and is believed to work well. -# -# this intentionally catches the response from the server rather than -# the request so that other protocols which use http (like kazaa) can be -# caught based on specific http requests regardless of the ordering of -# filters... also matches posts - -# Sites that serve really long cookies may break this by pushing the -# server response too far away from the beginning of the connection. To -# fix this, increase the kernel's data buffer length. - -http -# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) -# As specified in rfc 2616 a status code is preceeded and followed by a -# space. -http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] -# A slightly faster version that might be good enough: -#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] -# old pattern(s): -#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat deleted file mode 100644 index 3205e5e..0000000 --- a/package/iptables/files/l7/ident.pat +++ /dev/null @@ -1,15 +0,0 @@ -# Ident - Identification Protocol - RFC 1413 -# Pattern attributes: good fast fast -# Protocol groups: networking ietf_proposed_standard -# Wiki: http://www.protocolinfo.org/wiki/Ident -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 113 -# -# This pattern is believed to work. - -ident -# "number , numberCRLF" possibly without the CR and/or LF. -# ^$ is appropriate because the first packet should never have anything -# else in it. -^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat deleted file mode 100644 index e25360c..0000000 --- a/package/iptables/files/l7/irc.pat +++ /dev/null @@ -1,20 +0,0 @@ -# IRC - Internet Relay Chat - RFC 1459 -# Pattern attributes: great veryfast fast -# Protocol groups: chat ietf_proposed_standard -# Wiki: http://www.protocolinfo.org/wiki/IRC -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 6666 or 6667 -# Note that chat traffic runs on these ports, but IRC-DCC traffic (which -# can use much more bandwidth) uses a dynamically assigned port, so you -# must have the IRC connection tracking module in your kernel to classify -# this. -# -# This pattern has been tested and is believed to work well. - -irc -# First thing that happens is that the client sends NICK and USER, in -# either order. This allows MIRC color codes (\x02-\x0d instead of -# \x09-\x0d). -^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) - diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat deleted file mode 100644 index 7c32890..0000000 --- a/package/iptables/files/l7/jabber.pat +++ /dev/null @@ -1,24 +0,0 @@ -# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org -# Pattern attributes: good notsofast notsofast -# Protocol groups: chat ietf_proposed_standard -# Wiki: http://www.protocolinfo.org/wiki/Jabber -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# This pattern has been tested with Gaim and Gabber. It is only tested -# with non-SSL mode Jabber with no proxies. - -# Thanks to Jan Hudec for some improvements. - -# Jabber seems to take a long time to set up a connection. I'm -# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets -# is this: -# <stream:stream to='12jabber.com' xmlns='jabber:client' -# xmlns:stream='http://etherx.jabber.org/streams'><?xml -# version='1.0'?><stream:stream -# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951' -# xmlns='jabber:client' from='12jabber.com'> -# -# No mention of my username or password yet, you'll note. - -jabber -<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber diff --git a/package/iptables/files/l7/msnmessenger.pat b/package/iptables/files/l7/msnmessenger.pat deleted file mode 100644 index 11dfc10..0000000 --- a/package/iptables/files/l7/msnmessenger.pat +++ /dev/null @@ -1,28 +0,0 @@ -# MSN Messenger - Microsoft Network chat client -# Pattern attributes: good slow notsofast -# Protocol groups: chat proprietary -# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually uses TCP port 1863 -# http://www.hypothetic.org/docs/msn/index.php -# http://msnpiki.msnfanatic.com/ -# -# This pattern has been tested and is believed to work well. - -msnmessenger - -# First branch: login -# ver: allow versions up to 99. -# I've never seen a cvr other than cvr0. Maybe this will be trouble later? -# Can't anchor at the beginning because sometimes this is encapsulated in -# HTTP. But either way, the first packet ends like this. -# Second/Third branches: accepting/sending a message -# I will assume that these can also be encapsulated in HTTP, although I have -# not checked. Example of each direction: -# ANS 1 quadong@hotmail.com 1139803431.29427 17522047 -# USR 1 quadong@hotmail.com 530423708.968145.366138 - -# Branches are written entirely separately for better performance. -ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$ - diff --git a/package/iptables/files/l7/ntp.pat b/package/iptables/files/l7/ntp.pat deleted file mode 100644 index 760cfdb..0000000 --- a/package/iptables/files/l7/ntp.pat +++ /dev/null @@ -1,17 +0,0 @@ -# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 -# Pattern attributes: good fast fast overmatch -# Protocol groups: time_synchronization ietf_draft_standard -# Wiki: http://www.protocolinfo.org/wiki/NTP -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# This pattern is tested and is believed to work. - -# client|server -# Requires the server's timestamp to be in the present or future (of 2005). -# Tested with ntpdate on Linux. -# Assumes version 2, 3 or 4. - -# Note that ntp packets are always 48 bytes, so you should match on that too. - -ntp -^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff]) diff --git a/package/iptables/files/l7/pop3.pat b/package/iptables/files/l7/pop3.pat deleted file mode 100644 index 3ae4c14..0000000 --- a/package/iptables/files/l7/pop3.pat +++ /dev/null @@ -1,50 +0,0 @@ -# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 -# Pattern attributes: great veryfast fast -# Protocol groups: mail ietf_internet_standard -# Wiki: http://www.protocolinfo.org/wiki/POP -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# This pattern has been tested somewhat. - -# this is a difficult protocol to match because of the relative lack of -# distinguishing information. Read on. -pop3 - -# this the most conservative pattern. It should definitely work. -#^(\+ok|-err) - -# this pattern assumes that the server says _something_ after +ok or -err -# I think this is probably the way to go. -^(\+ok |-err ) - -# more that 90% of servers seem to say "pop" after "+ok", but not all. -#^(\+ok .*pop) - -# Here's another tack. I think this is my second favorite. -#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) - -# this matches the server saying "you have N messages that are M bytes", -# which the client probably asks for early in the session (not tested) -#\+ok [0-9]+ [0-9]+ - -# some sample servers: -# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> -# mail.dreamhost.com: +OK Hello there. -# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) -# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> -# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> -# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready -# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready -# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready -# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) -# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. -# mail.mac.com: +OK Netscape Messaging Multiplexor ready - -# various error strings: -#-ERR Invalid command. -#-ERR invalid command -#-ERR unimplemented -#-ERR Invalid command, try one of: USER name, PASS string, QUIT -#-ERR Unknown AUTHORIZATION state command -#-ERR Unrecognized command -#-ERR Unknown command: "sadf'". diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat deleted file mode 100644 index 2f5d195..0000000 --- a/package/iptables/files/l7/smtp.pat +++ /dev/null @@ -1,40 +0,0 @@ -# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) -# Pattern attributes: great notsofast fast -# Protocol groups: mail ietf_internet_standard -# Wiki: http://www.protocolinfo.org/wiki/SMTP -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# usually runs on port 25 -# -# This pattern has been tested and is believed to work well. - -# As usual, no text is required after "220", but all known servers have some -# there. It (almost?) always has string "smtp" in it. The RFC examples -# does not, so we match those too, just in case anyone has copied them -# literally. -# -# Some examples: -# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 -# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 -# 220 mail.ut.caldera.com ESMTP -# 220 persephone.pmail.gen.nz ESMTP server ready. -# 220 smtp1.superb.net ESMTP -# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready -# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 -# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 -# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) -# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 -# 220-mail.email-scan.com ESMTP -# 220 smaug.dreamhost.com ESMTP -# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) -# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) -# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 -# -# RFC examples: -# 220 xyz.com Simple Mail Transfer Service Ready (RFC example) -# 220 dbc.mtview.ca.us SMTP service ready - -smtp -^220[\x09-\x0d -~]* (e?smtp|simple mail) -userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail) -userspace flags=REG_NOSUB REG_EXTENDED diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat deleted file mode 100644 index ae30ee4..0000000 --- a/package/iptables/files/l7/ssl.pat +++ /dev/null @@ -1,16 +0,0 @@ -# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 -# Pattern attributes: good notsofast fast superset -# Protocol groups: secure ietf_proposed_standard -# Wiki: http://www.protocolinfo.org/wiki/SSL -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# Usually runs on port 443 -# -# This is a superset of validcertssl. For it to match, it must be first. -# -# This pattern has been tested and is believed to work well. - -ssl -# Server Hello with certificate | Client Hello -# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 -^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat deleted file mode 100644 index 79d0ae8..0000000 --- a/package/iptables/files/l7/vnc.pat +++ /dev/null @@ -1,23 +0,0 @@ -# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer -# Pattern attributes: great veryfast fast -# Protocol groups: remote_access -# Wiki: http://www.protocolinfo.org/wiki/VNC -# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE -# -# http://www.realvnc.com/documentation.html -# -# This pattern has been verified with vnc v3.3.7 on WinXP and Linux -# -# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern. - -vnc -# Assumes single digit major and minor version numbers -# This message should be all alone in the first packet, so ^$ is appropriate -^rfb 00[1-9]\.00[0-9]\x0a$ - -# This is a more restrictive version which assumes the version numbers -# are ones actually in existance at the time of this writing, i.e. 3.3, -# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be -# slightly faster, but probably not worth the extra maintenance. -# ^rfb 003\.00[3578]\x0a$ - diff --git a/package/iptables/patches/002-layer7_2.22.patch b/package/iptables/patches/002-layer7_2.22.patch deleted file mode 100644 index ba4531e..0000000 --- a/package/iptables/patches/002-layer7_2.22.patch +++ /dev/null @@ -1,371 +0,0 @@ ---- /dev/null -+++ b/extensions/libxt_layer7.c -@@ -0,0 +1,368 @@ -+/* -+ Shared library add-on to iptables for layer 7 matching support. -+ -+ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008. -+ -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#define _GNU_SOURCE -+#include <stdio.h> -+#include <netdb.h> -+#include <string.h> -+#include <stdlib.h> -+#include <getopt.h> -+#include <ctype.h> -+#include <dirent.h> -+ -+#include <xtables.h> -+#include <linux/netfilter/xt_layer7.h> -+ -+#define MAX_FN_LEN 256 -+ -+static char l7dir[MAX_FN_LEN] = "\0"; -+ -+/* Function which prints out usage message. */ -+static void help(void) -+{ -+ printf( -+ "layer7 match options:\n" -+ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" -+ " (--l7dir must be specified before --l7proto if used)\n" -+ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n"); -+} -+ -+static const struct option opts[] = { -+ { .name = "l7proto", .has_arg = 1, .val = 'p' }, -+ { .name = "l7dir", .has_arg = 1, .val = 'd' }, -+ { .name = NULL } -+}; -+ -+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ -+static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) -+{ -+ FILE * f; -+ char * line = NULL; -+ size_t len = 0; -+ -+ enum { protocol, pattern, done } datatype = protocol; -+ -+ f = fopen(filename, "r"); -+ -+ if(!f) -+ return 0; -+ -+ while(getline(&line, &len, f) != -1) -+ { -+ if(strlen(line) < 2 || line[0] == '#') -+ continue; -+ -+ /* strip the pesky newline... */ -+ if(line[strlen(line) - 1] == '\n') -+ line[strlen(line) - 1] = '\0'; -+ -+ if(datatype == protocol) -+ { -+ /* Ignore everything on the line beginning with the -+ first space or tab . For instance, this allows the -+ protocol line in http.pat to be "http " (or -+ "http I am so cool") instead of just "http". */ -+ if(strchr(line, ' ')){ -+ char * space = strchr(line, ' '); -+ space[0] = '\0'; -+ } -+ if(strchr(line, '\t')){ -+ char * space = strchr(line, '\t'); -+ space[0] = '\0'; -+ } -+ -+ /* sanity check. First non-comment non-blank -+ line must be the same as the file name. */ -+ if(strcmp(line, protoname)) -+ xtables_error(OTHER_PROBLEM, -+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", -+ line, filename); -+ -+ if(strlen(line) >= MAX_PROTOCOL_LEN) -+ xtables_error(PARAMETER_PROBLEM, -+ "Protocol name in %s too long!", filename); -+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); -+ -+ datatype = pattern; -+ } -+ else if(datatype == pattern) -+ { -+ if(strlen(line) >= MAX_PATTERN_LEN) -+ xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); -+ strncpy(info->pattern, line, MAX_PATTERN_LEN); -+ -+ datatype = done; -+ break; -+ } -+ else -+ xtables_error(OTHER_PROBLEM, "Internal error"); -+ } -+ -+ if(datatype != done) -+ xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); -+ -+ if(line) free(line); -+ fclose(f); -+ -+ return 1; -+} -+ -+static int hex2dec(char c) -+{ -+ switch (c) -+ { -+ case '0' ... '9': -+ return c - '0'; -+ case 'a' ... 'f': -+ return c - 'a' + 10; -+ case 'A' ... 'F': -+ return c - 'A' + 10; -+ default: -+ xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); -+ return 0; -+ } -+} -+ -+/* takes a string with \xHH escapes and returns one with the characters -+they stand for */ -+static char * pre_process(char * s) -+{ -+ char * result = malloc(strlen(s) + 1); -+ int sindex = 0, rrindex = 0; -+ while( sindex < strlen(s) ) -+ { -+ if( sindex + 3 < strlen(s) && -+ s[sindex] == '\\' && s[sindex+1] == 'x' && -+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) -+ { -+ /* carefully remember to call tolower here... */ -+ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 + -+ hex2dec(s[sindex + 3] ) ); -+ -+ switch ( result[rrindex] ) -+ { -+ case 0x24: -+ case 0x28: -+ case 0x29: -+ case 0x2a: -+ case 0x2b: -+ case 0x2e: -+ case 0x3f: -+ case 0x5b: -+ case 0x5c: -+ case 0x5d: -+ case 0x5e: -+ case 0x7c: -+ fprintf(stderr, -+ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" -+ "I recommend that you write this as %c or \\%c, depending on what you meant.\n", -+ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]); -+ break; -+ case 0x00: -+ fprintf(stderr, -+ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n"); -+ break; -+ default: -+ break; -+ } -+ -+ -+ sindex += 3; /* 4 total */ -+ } -+ else -+ result[rrindex] = tolower(s[sindex]); -+ -+ sindex++; -+ rrindex++; -+ } -+ result[rrindex] = '\0'; -+ -+ return result; -+} -+ -+#define MAX_SUBDIRS 128 -+static char ** readl7dir(char * dirname) -+{ -+ DIR * scratchdir; -+ struct dirent ** namelist; -+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); -+ -+ int n, d = 1; -+ subdirs[0] = ""; -+ -+ n = scandir(dirname, &namelist, 0, alphasort); -+ -+ if (n < 0) -+ { -+ perror("scandir"); -+ xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); -+ } -+ else -+ { -+ while(n--) -+ { -+ char fulldirname[MAX_FN_LEN]; -+ -+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); -+ -+ if((scratchdir = opendir(fulldirname)) != NULL) -+ { -+ closedir(scratchdir); -+ -+ if(!strcmp(namelist[n]->d_name, ".") || -+ !strcmp(namelist[n]->d_name, "..")) -+ /* do nothing */ ; -+ else -+ { -+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); -+ strcpy(subdirs[d], namelist[n]->d_name); -+ d++; -+ if(d >= MAX_SUBDIRS - 1) -+ { -+ fprintf(stderr, -+ "Too many subdirectories, skipping the rest!\n"); -+ break; -+ } -+ } -+ } -+ free(namelist[n]); -+ } -+ free(namelist); -+ } -+ -+ subdirs[d] = NULL; -+ -+ return subdirs; -+} -+ -+static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info) -+{ -+ char filename[MAX_FN_LEN]; -+ char * dir = NULL; -+ char ** subdirs; -+ int n = 0, done = 0; -+ -+ if(strlen(l7dir) > 0) dir = l7dir; -+ else dir = "/etc/l7-protocols"; -+ -+ subdirs = readl7dir(dir); -+ -+ while(subdirs[n] != NULL) -+ { -+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); -+ -+ if(c > MAX_FN_LEN) -+ xtables_error(OTHER_PROBLEM, -+ "Filename beginning with %s is too long!\n", filename); -+ -+ /* read in the pattern from the file */ -+ if(parse_protocol_file(filename, s, info)){ -+ done = 1; -+ break; -+ } -+ -+ n++; -+ } -+ -+ if(!done) -+ xtables_error(OTHER_PROBLEM, -+ "Couldn't find a pattern definition file for %s.\n", s); -+ -+ /* process \xHH escapes and tolower everything. (our regex lib has no -+ case insensitivity option.) */ -+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); -+} -+ -+/* Function which parses command options; returns true if it ate an option */ -+static int parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, struct xt_entry_match **match) -+{ -+ struct xt_layer7_info *layer7info = -+ (struct xt_layer7_info *)(*match)->data; -+ -+ switch (c) { -+ case 'p': -+ parse_layer7_protocol(argv[optind-1], layer7info); -+ if (invert) -+ layer7info->invert = true; -+ *flags = 1; -+ break; -+ -+ case 'd': -+ if(strlen(argv[optind-1]) >= MAX_FN_LEN) -+ xtables_error(PARAMETER_PROBLEM, "directory name too long\n"); -+ -+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); -+ -+ *flags = 1; -+ break; -+ -+ default: -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* Final check; must have specified --l7proto */ -+static void final_check(unsigned int flags) -+{ -+ if (!flags) -+ xtables_error(PARAMETER_PROBLEM, -+ "LAYER7 match: You must specify `--l7proto'"); -+} -+ -+static void print_protocol(char s[], int invert, int numeric) -+{ -+ fputs("l7proto ", stdout); -+ if (invert) fputc('!', stdout); -+ printf("%s ", s); -+} -+ -+/* Prints out the matchinfo. */ -+static void print(const void *ip, -+ const struct xt_entry_match *match, -+ int numeric) -+{ -+ printf("LAYER7 "); -+ print_protocol(((struct xt_layer7_info *)match->data)->protocol, -+ ((struct xt_layer7_info *)match->data)->invert, numeric); -+} -+/* Saves the union ipt_matchinfo in parsable form to stdout. */ -+static void save(const void *ip, const struct xt_entry_match *match) -+{ -+ const struct xt_layer7_info *info = -+ (const struct xt_layer7_info*) match->data; -+ -+ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol); -+} -+ -+static struct xtables_match layer7 = { -+ .family = AF_INET, -+ .name = "layer7", -+ .version = XTABLES_VERSION, -+ .size = XT_ALIGN(sizeof(struct xt_layer7_info)), -+ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)), -+ .help = &help, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ xtables_register_match(&layer7); -+} diff --git a/package/iptables/patches/009-table-alignment.patch b/package/iptables/patches/009-table-alignment.patch deleted file mode 100644 index 53012ab..0000000 --- a/package/iptables/patches/009-table-alignment.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/libiptc/libiptc.c -+++ b/libiptc/libiptc.c -@@ -69,7 +69,7 @@ static const char *hooknames[] = { - struct ipt_error_target - { - STRUCT_ENTRY_TARGET t; -- char error[TABLE_MAXNAMELEN]; -+ char error[FUNCTION_MAXNAMELEN]; - }; - - struct chain_head; diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch deleted file mode 100644 index 3b35f7e..0000000 --- a/package/iptables/patches/010-multiport-linux-2.4-compat.patch +++ /dev/null @@ -1,265 +0,0 @@ ---- a/extensions/libxt_multiport.c -+++ b/extensions/libxt_multiport.c -@@ -15,21 +15,6 @@ - #include <linux/netfilter/xt_multiport.h> - - /* Function which prints out usage message. */ --static void multiport_help(void) --{ -- printf( --"multiport match options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n"); --} -- - static void multiport_help_v1(void) - { - printf( -@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto) - } - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) -- { -- next=strchr(cp, ','); -- if (next) *next++='\0'; -- ports[i] = xtables_parse_port(cp, proto); -- } -- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified"); -- free(buffer); -- return i; --} -- - static void - parse_multi_ports_v1(const char *portstring, - struct xt_multiport_v1 *multiinfo, -@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv - /* Function which parses command options; returns true if it - ate an option */ - static int --__multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- struct xt_entry_match **match, u_int16_t pnum, -- u_int8_t invflags) --{ -- const char *proto; -- struct xt_multiport *multiinfo -- = (struct xt_multiport *)(*match)->data; -- -- switch (c) { -- case '1': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- xtables_check_inverse(optarg, &invert, &optind, 0, argv); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(optarg, -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- xtables_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- xtables_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- --static int --multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ipt_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ip.proto, entry->ip.invflags); --} -- --static int --multiport_parse6(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ip6t_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ipv6.proto, entry->ipv6.invflags); --} -- --static int - __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, - struct xt_entry_match **match, u_int16_t pnum, - u_int8_t invflags) -@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot - } - - /* Prints out the matchinfo. */ --static void --__multiport_print(const struct xt_entry_match *match, int numeric, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, numeric); -- } -- printf(" "); --} -- --static void multiport_print(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- --static void multiport_print6(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- - static void __multiport_print_v1(const struct xt_entry_match *match, - int numeric, u_int16_t proto) - { -@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo - } - - /* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void __multiport_save(const struct xt_entry_match *match, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, 1); -- } -- printf(" "); --} -- --static void multiport_save(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- --static void multiport_save6(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ip6t_ip6 *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- - static void __multiport_save_v1(const struct xt_entry_match *match, - u_int16_t proto) - { -@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt - { - .family = NFPROTO_IPV4, - .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse, -- .final_check = multiport_check, -- .print = multiport_print, -- .save = multiport_save, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV6, -- .name = "multiport", -- .revision = 0, -- .version = XTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse6, -- .final_check = multiport_check, -- .print = multiport_print6, -- .save = multiport_save6, -- .extra_opts = multiport_opts, -- }, -- { -- .family = NFPROTO_IPV4, -- .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch deleted file mode 100644 index 275265b..0000000 --- a/package/iptables/patches/011-recent-add-reap.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001 -From: Tim Gardner <tim.gardner@canonical.com> -Date: Mon, 1 Mar 2010 19:00:29 -0700 -Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation - -Signed-off-by: Tim Gardner <tim.gardner@canonical.com> ---- - extensions/libxt_recent.c | 20 ++++++++++++++++++++ - extensions/libxt_recent.man | 5 +++++ - include/linux/netfilter/xt_recent.h | 7 +++++++ - 3 files changed, 32 insertions(+), 0 deletions(-) - ---- a/extensions/libxt_recent.c -+++ b/extensions/libxt_recent.c -@@ -20,6 +20,7 @@ static const struct option recent_opts[] - {.name = "name", .has_arg = true, .val = 208}, - {.name = "rsource", .has_arg = false, .val = 209}, - {.name = "rdest", .has_arg = false, .val = 210}, -+ {.name = "reap", .has_arg = false, .val = 211}, - XT_GETOPT_TABLEEND, - }; - -@@ -37,6 +38,7 @@ static void recent_help(void) - " --hitcount hits For check and update commands above.\n" - " Specifies that the match will only occur if source address seen hits times.\n" - " May be used in conjunction with the seconds option.\n" -+" --reap Remove entries that have expired. Can only be used with --seconds\n" - " --rttl For check and update commands above.\n" - " Specifies that the match will only occur if the source address and the TTL\n" - " match between this packet and the one which was set.\n" -@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_ - (XT_RECENT_SET | XT_RECENT_CHECK | \ - XT_RECENT_UPDATE | XT_RECENT_REMOVE) - -+#define XT_RECENT_SECONDS 1 << 31 -+ - static int recent_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) - { -@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar - - case 204: - info->seconds = atoi(optarg); -+ *flags |= XT_RECENT_SECONDS; - break; - - case 205: -@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar - info->side = XT_RECENT_DEST; - break; - -+ case 211: -+ info->check_set |= XT_RECENT_REAP; -+ *flags |= XT_RECENT_REAP; -+ break; -+ - default: - return 0; - } -@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl - xtables_error(PARAMETER_PROBLEM, - "recent: --rttl may only be used with --rcheck or " - "--update"); -+ if ((flags & XT_RECENT_REAP) && -+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) || -+ (!(flags & XT_RECENT_SECONDS)))) -+ xtables_error(PARAMETER_PROBLEM, -+ "recent: --reap may only be used with --rcheck or " -+ "--update and --seconds"); - } - - static void recent_print(const void *ip, const struct xt_entry_match *match, -@@ -185,6 +201,8 @@ static void recent_print(const void *ip, - printf("side: source "); - if (info->side == XT_RECENT_DEST) - printf("side: dest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("reap "); - } - - static void recent_save(const void *ip, const struct xt_entry_match *match) -@@ -211,6 +229,8 @@ static void recent_save(const void *ip, - printf("--rsource "); - if (info->side == XT_RECENT_DEST) - printf("--rdest "); -+ if (info->check_set & XT_RECENT_REAP) -+ printf("--reap "); - } - - static struct xtables_match recent_mt_reg = { ---- a/extensions/libxt_recent.man -+++ b/extensions/libxt_recent.man -@@ -41,6 +41,11 @@ This option must be used in conjunction - \fB\-\-update\fP. When used, this will narrow the match to only happen when the - address is in the list and was seen within the last given number of seconds. - .TP -+\fB\-\-reap\fP \fIreap\fP -+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this -+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP -+since the last packet was received. -+.TP - \fB\-\-hitcount\fP \fIhits\fP - This option must be used in conjunction with one of \fB\-\-rcheck\fP or - \fB\-\-update\fP. When used, this will narrow the match to only happen when the ---- a/include/linux/netfilter/xt_recent.h -+++ b/include/linux/netfilter/xt_recent.h -@@ -23,6 +23,9 @@ enum { - #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ - XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) - -+/* Only allowed with --rcheck and --update */ -+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) -+ - struct xt_recent_mtinfo { - __u32 seconds; - __u32 hit_count; diff --git a/package/iptables/patches/020-iptables-disable-modprobe.patch b/package/iptables/patches/020-iptables-disable-modprobe.patch deleted file mode 100644 index 338962f..0000000 --- a/package/iptables/patches/020-iptables-disable-modprobe.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/xtables.c -+++ b/xtables.c -@@ -305,6 +305,7 @@ static char *get_modprobe(void) - - int xtables_insmod(const char *modname, const char *modprobe, bool quiet) - { -+#if 0 - char *buf = NULL; - char *argv[4]; - int status; -@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname, - free(buf); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0) - return 0; -+#endif - return -1; - } - diff --git a/package/iptables/patches/030-no-libnfnetlink.patch b/package/iptables/patches/030-no-libnfnetlink.patch deleted file mode 100644 index cda9a72..0000000 --- a/package/iptables/patches/030-no-libnfnetlink.patch +++ /dev/null @@ -1,92 +0,0 @@ ---- a/configure -+++ b/configure -@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; } - fi - fi - --pkg_failed=no --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5 --$as_echo_n "checking for libnfnetlink... " >&6; } -- --if test -n "$libnfnetlink_CFLAGS"; then -- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS" -- elif test -n "$PKG_CONFIG"; then -- if test -n "$PKG_CONFIG" && \ -- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 -- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 -- ac_status=$? -- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -- test $ac_status = 0; }; then -- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null` --else -- pkg_failed=yes --fi -- else -- pkg_failed=untried --fi --if test -n "$libnfnetlink_LIBS"; then -- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS" -- elif test -n "$PKG_CONFIG"; then -- if test -n "$PKG_CONFIG" && \ -- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 -- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 -- ac_status=$? -- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -- test $ac_status = 0; }; then -- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null` --else -- pkg_failed=yes --fi -- else -- pkg_failed=untried --fi -- -- -- --if test $pkg_failed = yes; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } -- --if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -- _pkg_short_errors_supported=yes --else -- _pkg_short_errors_supported=no --fi -- if test $_pkg_short_errors_supported = yes; then -- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1` -- else -- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1` -- fi -- # Put the nasty error message in config.log where it belongs -- echo "$libnfnetlink_PKG_ERRORS" >&5 -- -- nfnetlink=0 --elif test $pkg_failed = untried; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } -- nfnetlink=0 --else -- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS -- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 --$as_echo "yes" >&6; } -- nfnetlink=1 --fi -- if test "$nfnetlink" = 1; then -+if false; then - HAVE_LIBNFNETLINK_TRUE= - HAVE_LIBNFNETLINK_FALSE='#' - else ---- a/configure.ac -+++ b/configure.ac -@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test - AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) - AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) - --PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], -- [nfnetlink=1], [nfnetlink=0]) --AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) -+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false]) - - regular_CFLAGS="${largefile_cflags} \ - -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \ diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch deleted file mode 100644 index 818246e..0000000 --- a/package/iptables/patches/100-bash-location.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/autogen.sh -+++ b/autogen.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - autoreconf -fi; - rm -Rf autom4te*.cache; ---- a/iptables-apply -+++ b/iptables-apply -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - # - # iptables-apply -- a safer way to update iptables remotely - # diff --git a/package/iptables/patches/110-linux_3.2_compat.patch b/package/iptables/patches/110-linux_3.2_compat.patch deleted file mode 100644 index 2cdd673..0000000 --- a/package/iptables/patches/110-linux_3.2_compat.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- iptables-1.4.10/include/linux/types.h.orig 2011-11-07 00:08:33.000000000 +0100 -+++ iptables-1.4.10/include/linux/types.h 2011-11-07 00:09:25.000000000 +0100 -@@ -34,5 +34,9 @@ - typedef __u16 __bitwise __sum16; - typedef __u32 __bitwise __wsum; - -+#define __aligned_u64 __u64 __attribute__((aligned(8))) -+#define __aligned_be64 __be64 __attribute__((aligned(8))) -+#define __aligned_le64 __le64 __attribute__((aligned(8))) -+ - #endif /* __ASSEMBLY__ */ - #endif /* _LINUX_TYPES_H */ diff --git a/package/iptables/patches/200-configurable_builtin.patch b/package/iptables/patches/200-configurable_builtin.patch deleted file mode 100644 index 9f9cc38..0000000 --- a/package/iptables/patches/200-configurable_builtin.patch +++ /dev/null @@ -1,56 +0,0 @@ ---- a/extensions/GNUmakefile.in -+++ b/extensions/GNUmakefile.in -@@ -40,9 +40,24 @@ - pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) - pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod}) - pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod}) --pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) --pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) --pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) -+ -+ifdef BUILTIN_MODULES -+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod}) -+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod}) -+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod}) -+else -+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod) -+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod) -+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod) -+endif -+ -+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod)) -+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod)) -+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod)) -+ -+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static}) -+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) -+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static}) - pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) - pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) - pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) -@@ -54,10 +69,10 @@ - targets := libext4.a libext6.a matches4.man matches6.man \ - targets4.man targets6.man - targets_install := --@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs} --@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs} --@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} --@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} -+libext4_objs := ${pfx_objs} ${pf4_objs} -+libext6_objs := ${pfx_objs} ${pf6_objs} -+targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} -+targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}) - - .SECONDARY: - -@@ -107,8 +122,8 @@ - libext6.a: initext6.o ${libext6_objs} - ${AM_VERBOSE_AR} ${AR} crs $@ $^; - --initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod}) --initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod}) -+initext_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static}) -+initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static}) - - .initext4.dd: FORCE - @echo "${initext_func}" >$@.tmp; \ |