Initial commit

2025-06-24 16:03:39 +02:00
commit f3256cdaf2
6949 changed files with 1441681 additions and 0 deletions
--- a/package/network/utils/iptables/patches/101-remove-check-already.patch
+++ b/package/network/utils/iptables/patches/101-remove-check-already.patch
@@ -0,0 +1,28 @@
+--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
+@@ -903,12 +903,6 @@ static void xtables_check_options(const
+ 
+ void xtables_register_match(struct xtables_match *me)
+ {
+-	if (me->next) {
+-		fprintf(stderr, "%s: match \"%s\" already registered\n",
+-			xt_params->program_name, me->name);
+-		exit(1);
+-	}
+-
+ 	if (me->version == NULL) {
+ 		fprintf(stderr, "%s: match %s<%u> is missing a version\n",
+ 		        xt_params->program_name, me->name, me->revision);
+@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
+ 
+ void xtables_register_target(struct xtables_target *me)
+ {
+-	if (me->next) {
+-		fprintf(stderr, "%s: target \"%s\" already registered\n",
+-			xt_params->program_name, me->name);
+-		exit(1);
+-	}
+-
+ 	if (me->version == NULL) {
+ 		fprintf(stderr, "%s: target %s<%u> is missing a version\n",
+ 		        xt_params->program_name, me->name, me->revision);
--- a/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
+++ b/package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
+@@ -360,6 +360,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
+#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -394,6 +395,7 @@ int xtables_insmod(const char *modname,
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
+#endif
+ 	return -1;
+ }
+ 
--- a/package/network/utils/iptables/patches/103-optional-xml.patch
+++ b/package/network/utils/iptables/patches/103-optional-xml.patch
@@ -0,0 +1,13 @@
+--- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c
+@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
+ 
+ 
+ #endif
+#ifdef ENABLE_XML
+ 	{"iptables-xml",        iptables_xml_main},
+ 	{"xml",                 iptables_xml_main},
+#endif
+ #ifdef ENABLE_IPV6
+ 	{"ip6tables",           ip6tables_main},
+ 	{"main6",               ip6tables_main},
--- a/package/network/utils/iptables/patches/200-configurable_builtin.patch
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -0,0 +1,79 @@
+--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
+@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist
+ pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
+-pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+ifdef BUILTIN_MODULES
+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
+pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod})
+pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod})
+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
+else
+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
+@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod)
+@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod)
+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
+endif
+
+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
+pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod))
+pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod))
+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
+
+pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
+pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_static})
+pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_static})
+pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
+pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
+ pfa_solibs    := $(patsubst %,libarpt_%.so,${pfa_build_mod})
+@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
+ #
+ targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs}
+-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
+libext_objs := ${pfx_objs}
+libext_ebt_objs := ${pfb_objs}
+libext_arpt_objs := ${pfa_objs}
+libext4_objs := ${pf4_objs}
+libext6_objs := ${pf6_objs}
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
+symlinks_install := ${pfx_symlink_files}
+ 
+ .SECONDARY:
+ 
+@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initextb_func := $(addprefix ebt_,${pfb_build_mod})
+-initexta_func := $(addprefix arpt_,${pfa_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
+initext_func  := $(addprefix xt_,${pfx_build_static})
+initextb_func := $(addprefix ebt_,${pfb_build_static})
+initexta_func := $(addprefix arpt_,${pfa_build_static})
+initext4_func := $(addprefix ipt_,${pf4_build_static})
+initext6_func := $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext.dd: FORCE
+ 	@echo "${initext_func}" >$@.tmp; \
--- a/package/network/utils/iptables/patches/600-shared-libext.patch
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -0,0 +1,102 @@
+--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
+@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
+targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext_ebt_objs := ${pfb_objs}
+@@ -119,7 +119,7 @@ clean:
+ distclean: clean
+ 
+ init%.o: init%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init  -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+ -include .*.d
+ 
+@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
+ #	handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
+	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+-libext.a: initext.o ${libext_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext.so: initext.o ${libext_objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext_ebt.a: initextb.o ${libext_ebt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_ebt.so: initextb.o ${libext_ebt_objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext_arpt.a: initexta.o ${libext_arpt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_arpt.so: initexta.o ${libext_arpt_objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext4.a: initext4.o ${libext4_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext4.so: initext4.o ${libext4_objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext6.a: initext6.o ${libext6_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext6.so: initext6.o ${libext6_objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+ initext_func  := $(addprefix xt_,${pfx_build_static})
+ initextb_func := $(addprefix ebt_,${pfb_build_static})
+--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
+@@ -8,19 +8,22 @@ BUILT_SOURCES =
+ 
+ xtables_legacy_multi_SOURCES  = xtables-legacy-multi.c iptables-xml.c
+ xtables_legacy_multi_CFLAGS   = ${AM_CFLAGS}
+-xtables_legacy_multi_LDADD    = ../extensions/libext.a
+xtables_legacy_multi_LDADD    =
+xtables_legacy_multi_LDFLAGS  = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_legacy_multi_CFLAGS  += -DALL_INCLUSIVE
+ endif
+ if ENABLE_IPV4
+ xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
+ xtables_legacy_multi_CFLAGS  += -DENABLE_IPV4
+-xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la
+xtables_legacy_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
+ xtables_legacy_multi_CFLAGS  += -DENABLE_IPV6
+-xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la
+xtables_legacy_multi_LDFLAGS += -liptext6
+ endif
+ xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
+ xtables_legacy_multi_LDADD   += ../libxtables/libxtables.la -lm
+@@ -30,7 +33,8 @@ if ENABLE_NFTABLES
+ BUILT_SOURCES += xtables-config-parser.h
+ xtables_nft_multi_SOURCES  = xtables-nft-multi.c iptables-xml.c
+ xtables_nft_multi_CFLAGS   = ${AM_CFLAGS}
+-xtables_nft_multi_LDADD    = ../extensions/libext.a ../extensions/libext_ebt.a
+xtables_nft_multi_LDADD    =
+xtables_nft_multi_LDFLAGS  = -L../extensions/ -liptext -liptext_ebt
+ if ENABLE_STATIC
+ xtables_nft_multi_CFLAGS  += -DALL_INCLUSIVE
+ endif
+@@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav
+ 				xtables-eb-standalone.c xtables-eb.c \
+ 				xtables-eb-translate.c \
+ 				xtables-translate.c
+-xtables_nft_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
+xtables_nft_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
+xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
+ # yacc and lex generate dirty code
+ xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
+ xtables_nft_multi_SOURCES += xshared.c
--- a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -0,0 +1,95 @@
+--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
+@@ -1389,6 +1389,7 @@ static int conntrack3_mt6_xlate(struct x
+ }
+ 
+ static struct xtables_match conntrack_mt_reg[] = {
+#ifndef NO_LEGACY
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1464,6 +1465,7 @@ static struct xtables_match conntrack_mt
+ 		.alias	       = conntrack_print_name_alias,
+ 		.x6_options    = conntrack2_mt_opts,
+ 	},
+#endif
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1496,6 +1498,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_options    = conntrack3_mt_opts,
+ 		.xlate	       = conntrack3_mt6_xlate,
+ 	},
+#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1526,6 +1529,8 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_ct23_parse,
+ 		.x6_options    = state_opts,
+ 	},
+#endif
+#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1555,6 +1560,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_parse,
+ 		.x6_options    = state_opts,
+ 	},
+#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
+@@ -349,6 +349,7 @@ static void notrack_ct2_tg_init(struct x
+ }
+ 
+ static struct xtables_target ct_target_reg[] = {
+#ifndef NO_LEGACY
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -374,6 +375,7 @@ static struct xtables_target ct_target_r
+ 		.x6_parse	= ct_parse_v1,
+ 		.x6_options	= ct_opts_v1,
+ 	},
+#endif
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -388,6 +390,7 @@ static struct xtables_target ct_target_r
+ 		.x6_parse	= ct_parse_v1,
+ 		.x6_options	= ct_opts_v1,
+ 	},
+#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "NOTRACK",
+@@ -425,6 +428,7 @@ static struct xtables_target ct_target_r
+ 		.revision      = 0,
+ 		.version       = XTABLES_VERSION,
+ 	},
+#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
+@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
+ }
+ 
+ static struct xtables_match multiport_mt_reg[] = {
+#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
+@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
+ 		.x6_options    = multiport_opts,
+ 		.xlate         = multiport_xlate6,
+ 	},
+#endif
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
--- a/package/network/utils/iptables/patches/800-flowoffload_target.patch
+++ b/package/network/utils/iptables/patches/800-flowoffload_target.patch
@@ -0,0 +1,95 @@
+--- /dev/null
+++ b/extensions/libxt_FLOWOFFLOAD.c
+@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_FLOWOFFLOAD.h>
+
+enum {
+    O_HW,
+};
+
+static void offload_help(void)
+{
+	printf(
+"FLOWOFFLOAD target options:\n"
+" --hw				Enable hardware offload\n"
+	);
+}
+
+static const struct xt_option_entry offload_opts[] = {
+	{.name = "hw", .id = O_HW, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
+};
+
+static void offload_parse(struct xt_option_call *cb)
+{
+	struct xt_flowoffload_target_info *info = cb->data;
+
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_HW:
+		info->flags |= XT_FLOWOFFLOAD_HW;
+		break;
+	}
+}
+
+static void offload_print(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+	const struct xt_flowoffload_target_info *info =
+		(const struct xt_flowoffload_target_info *)target->data;
+
+	printf(" FLOWOFFLOAD");
+	if (info->flags & XT_FLOWOFFLOAD_HW)
+		printf(" hw");
+}
+
+static void offload_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_flowoffload_target_info *info =
+		(const struct xt_flowoffload_target_info *)target->data;
+
+	if (info->flags & XT_FLOWOFFLOAD_HW)
+		printf(" --hw");
+}
+
+static struct xtables_target offload_tg_reg[] = {
+	{
+		.family		= NFPROTO_UNSPEC,
+		.name		= "FLOWOFFLOAD",
+		.revision	= 0,
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_flowoffload_target_info)),
+		.userspacesize	= sizeof(struct xt_flowoffload_target_info),
+		.help		= offload_help,
+		.print		= offload_print,
+		.save		= offload_save,
+		.x6_parse	= offload_parse,
+		.x6_options	= offload_opts,
+	},
+};
+
+void _init(void)
+{
+	xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
+}
+--- /dev/null
+++ b/include/linux/netfilter/xt_FLOWOFFLOAD.h
+@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _XT_FLOWOFFLOAD_H
+#define _XT_FLOWOFFLOAD_H
+
+#include <linux/types.h>
+
+enum {
+	XT_FLOWOFFLOAD_HW	= 1 << 0,
+
+	XT_FLOWOFFLOAD_MASK	= XT_FLOWOFFLOAD_HW
+};
+
+struct xt_flowoffload_target_info {
+	__u32 flags;
+};
+
+#endif /* _XT_FLOWOFFLOAD_H */