Initial commit

package/network/utils/iptables/Makefile

@@ -0,0 +1,781 @@
+#
+# Copyright (C) 2006-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.8.8
+PKG_RELEASE:=2
+
+PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_HASH:=71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f
+
+PKG_FIXUP:=autoreconf
+PKG_FLAGS:=nonshared
+
+PKG_INSTALL:=1
+PKG_BUILD_FLAGS:=gc-sections no-lto
+PKG_BUILD_PARALLEL:=1
+PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:netfilter:iptables
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+  -include $(LINUX_DIR)/.config
+  include $(INCLUDE_DIR)/netfilter.mk
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell grep 'NETFILTER' $(LINUX_DIR)/.config | $(MKHASH) md5)
+endif
+
+
+define Package/iptables/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  URL:=https://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+  DEPENDS:=+libxtables $(1)
+endef
+
+define Package/xtables-legacy
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool
+  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables
+endef
+
+define Package/iptables-zz-legacy
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool
+  DEPENDS+= +xtables-legacy
+  PROVIDES:=iptables iptables-legacy
+  ALTERNATIVES:=\
+    200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \
+    200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \
+    200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi
+endef
+
+define Package/iptables-zz-legacy/description
+IP firewall administration tool.
+
+ Matches:
+  - icmp
+  - tcp
+  - udp
+  - comment
+  - conntrack
+  - limit
+  - mac
+  - mark
+  - multiport
+  - set
+  - state
+  - time
+
+ Targets:
+  - ACCEPT
+  - CT
+  - DNAT
+  - DROP
+  - REJECT
+  - FLOWOFFLOAD
+  - LOG
+  - MARK
+  - MASQUERADE
+  - REDIRECT
+  - SET
+  - SNAT
+  - TCPMSS
+
+ Tables:
+  - filter
+  - mangle
+  - nat
+  - raw
+
+endef
+
+define Package/xtables-nft
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool nft
+  DEPENDS:=+libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
+endef
+
+define Package/arptables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
+  TITLE:=ARP firewall administration tool nft
+  PROVIDES:=arptables
+  ALTERNATIVES:=\
+    300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ebtables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
+  TITLE:=Bridge firewall administration tool nft
+  PROVIDES:=ebtables
+  ALTERNATIVES:=\
+    300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/iptables-nft
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool nft
+  DEPENDS:=+kmod-ipt-core +xtables-nft
+  PROVIDES:=iptables
+  ALTERNATIVES:=\
+    300:/usr/sbin/iptables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/iptables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/iptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/iptables-nft/description
+Extra iptables nftables nft binaries.
+  iptables-nft
+  iptables-nft-restore
+  iptables-nft-save
+  iptables-translate
+  iptables-restore-translate
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+  TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+  - connbytes
+  - connlimit
+  - connmark
+  - recent
+  - helper
+
+ Targets:
+  - CONNMARK
+
+endef
+
+define Package/iptables-mod-conntrack-label
+$(call Package/iptables/Module, +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL)
+  TITLE:=Connection tracking labeling extension
+  DEFAULT:=y if IPTABLES_CONNLABEL
+endef
+
+define Package/iptables-mod-conntrack-label/description
+Match and set label(s) on connection tracking entries
+
+ Matches:
+  - connlabel
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+  TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+  - string
+  - bpf
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+  TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+  - dscp
+  - ecn
+  - length
+  - statistic
+  - tcpmss
+  - unclean
+  - hl
+
+ Targets:
+  - DSCP
+  - CLASSIFY
+  - ECN
+  - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+  TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+  - ah
+  - esp
+  - policy
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+  TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+  - MIRROR
+  - NETMAP
+endef
+
+define Package/iptables-mod-nflog
+$(call Package/iptables/Module, +kmod-nfnetlink-log +kmod-ipt-nflog)
+  TITLE:=Netfilter NFLOG target
+endef
+
+define Package/iptables-mod-nflog/description
+ iptables extension for user-space logging via NFNETLINK.
+
+ Includes:
+  - libxt_NFLOG
+
+endef
+
+define Package/iptables-mod-trace
+$(call Package/iptables/Module, +kmod-ipt-debug)
+  TITLE:=Netfilter TRACE target
+endef
+
+define Package/iptables-mod-trace/description
+ iptables extension for TRACE target
+
+ Includes:
+  - libxt_TRACE
+
+endef
+
+
+define Package/iptables-mod-nfqueue
+$(call Package/iptables/Module, +kmod-nfnetlink-queue +kmod-ipt-nfqueue)
+  TITLE:=Netfilter NFQUEUE target
+endef
+
+define Package/iptables-mod-nfqueue/description
+ iptables extension for user-space queuing via NFNETLINK.
+
+ Includes:
+  - libxt_NFQUEUE
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+  TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+  - hashlimit
+
+endef
+
+define Package/iptables-mod-rpfilter
+$(call Package/iptables/Module, +kmod-ipt-rpfilter)
+  TITLE:=rpfilter iptables extension
+endef
+
+define Package/iptables-mod-rpfilter/description
+iptables extensions for reverse path filter test on a packet
+
+ Matches:
+  - rpfilter
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+  TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+  - iprange
+
+endef
+
+define Package/iptables-mod-cluster
+$(call Package/iptables/Module, +kmod-ipt-cluster)
+  TITLE:=Match cluster extension
+endef
+
+define Package/iptables-mod-cluster/description
+iptables extensions for matching cluster.
+
+ Netfilter (IPv4/IPv6) module for matching cluster
+ This option allows you to build work-load-sharing clusters of
+ network servers/stateful firewalls without having a dedicated
+ load-balancing router/server/switch. Basically, this match returns
+ true when the packet must be handled by this cluster node. Thus,
+ all nodes see all packets and this match decides which node handles
+ what packets. The work-load sharing algorithm is based on source
+ address hashing.
+
+ This module is usable for ipv4 and ipv6.
+
+ If you select it, it enables kmod-ipt-cluster.
+
+ see `iptables -m cluster --help` for more information.
+endef
+
+define Package/iptables-mod-clusterip
+$(call Package/iptables/Module, +kmod-ipt-clusterip)
+  TITLE:=Clusterip extension
+endef
+
+define Package/iptables-mod-clusterip/description
+iptables extensions for CLUSTERIP.
+ The CLUSTERIP target allows you to build load-balancing clusters of
+ network servers without having a dedicated load-balancing
+ router/server/switch.
+
+ If you select it, it enables kmod-ipt-clusterip.
+
+ see `iptables -j CLUSTERIP --help` for more information.
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+  TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+  - addrtype
+  - condition
+  - owner
+  - pkttype
+  - quota
+
+endef
+
+define Package/iptables-mod-physdev
+$(call Package/iptables/Module, +kmod-ipt-physdev)
+  TITLE:=physdev iptables extension
+endef
+
+define Package/iptables-mod-physdev/description
+The iptables physdev match.
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+  TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+  - LED
+
+endef
+
+define Package/iptables-mod-socket
+$(call Package/iptables/Module, +kmod-ipt-socket)
+  TITLE:=Socket match iptables extensions
+endef
+
+define Package/iptables-mod-socket/description
+Socket match iptables extensions.
+
+ Matches:
+  - socket
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+  TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Targets:
+  - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+  TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+  - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+  TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+  - u32
+
+endef
+
+define Package/iptables-mod-checksum
+$(call Package/iptables/Module, +kmod-ipt-checksum)
+  TITLE:=IP CHECKSUM target extension
+endef
+
+define Package/iptables-mod-checksum/description
+iptables extension for the CHECKSUM calculation target
+endef
+
+define Package/ip6tables-zz-legacy
+$(call Package/iptables/Default)
+  DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy
+  CATEGORY:=Network
+  TITLE:=IPv6 firewall administration tool
+  PROVIDES:=ip6tables ip6tables-legacy
+  ALTERNATIVES:=\
+    200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \
+    200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \
+    200:/usr/sbin/ip6tables-save:/usr/sbin/xtables-legacy-multi
+endef
+
+define Package/ip6tables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=@IPV6 +kmod-ip6tables +xtables-nft
+  TITLE:=IP firewall administration tool nft
+  PROVIDES:=ip6tables
+  ALTERNATIVES:=\
+    300:/usr/sbin/ip6tables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ip6tables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ip6tables-nft/description
+Extra ip6tables nftables nft binaries.
+  ip6tables-nft
+  ip6tables-nft-restore
+  ip6tables-nft-save
+  ip6tables-translate
+  ip6tables-restore-translate
+endef
+
+define Package/ip6tables-extra
+$(call Package/iptables/Default)
+  DEPENDS:=+libxtables +kmod-ip6tables-extra
+  TITLE:=IPv6 header matching modules
+endef
+
+define Package/ip6tables-extra/description
+iptables header matching modules for IPv6
+endef
+
+define Package/ip6tables-mod-nat
+$(call Package/iptables/Default)
+  DEPENDS:=+libxtables +kmod-ipt-nat6
+  TITLE:=IPv6 NAT extensions
+endef
+
+define Package/ip6tables-mod-nat/description
+iptables extensions for IPv6-NAT targets.
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv4 firewall - shared libiptc library
+  ABI_VERSION:=2
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv6 firewall - shared libiptc library
+  ABI_VERSION:=2
+endef
+
+define Package/libiptext
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4 firewall - shared libiptext library
+ ABI_VERSION:=0
+ DEPENDS:=+libxtables
+endef
+
+define Package/libiptext6
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv6 firewall - shared libiptext library
+ ABI_VERSION:=0
+ DEPENDS:=+libxtables
+endef
+
+define Package/libiptext-nft
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared libiptext nft library
+ ABI_VERSION:=0
+ DEPENDS:=+libxtables
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+ MENU:=1
+ ABI_VERSION:=12
+ DEPENDS:=+IPTABLES_CONNLABEL:libnetfilter-conntrack
+endef
+
+define Package/libxtables/config
+  config IPTABLES_CONNLABEL
+	bool "Enable Connlabel support"
+	default n
+	help
+		This enable connlabel support in iptables.
+endef
+
+TARGET_CPPFLAGS := \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include \
+	$(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include \
+	-DNO_LEGACY
+
+CONFIGURE_ARGS += \
+	--enable-shared \
+	--enable-static \
+	--enable-devel \
+	--with-kernel="$(LINUX_DIR)/user_headers" \
+	--with-xtlibdir=/usr/lib/iptables \
+	--with-xt-lock-name=/var/run/xtables.lock \
+	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
+	$(if $(CONFIG_IPV6),,--disable-ipv6)
+
+MAKE_FLAGS := \
+	$(TARGET_CONFIGURE_OPTS) \
+	COPT_FLAGS="$(TARGET_CFLAGS)" \
+	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+	KBUILD_OUTPUT="$(LINUX_DIR)" \
+	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
+
+ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
+  define Build/Configure/rebuild
+	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.\?o -or -name \*.a | $(XARGS) rm -f
+	rm -f $(PKG_BUILD_DIR)/.config_*
+	rm -f $(PKG_BUILD_DIR)/.configured_*
+	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
+  endef
+endif
+
+define Build/Configure
+$(Build/Configure/rebuild)
+$(Build/Configure/Default)
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(INSTALL_DIR) $(1)/usr/include/iptables
+	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+	# XXX: iptables header fixup, some headers are not installed by iptables anymore
+	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
+
+	# XXX: needed by firewall3
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
+endef
+
+define Package/xtables-legacy/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
+endef
+
+define Package/iptables-zz-legacy/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/xtables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
+endef
+
+define Package/arptables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/ebtables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/iptables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
+endef
+
+define Package/ip6tables-zz-legacy/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/
+endef
+
+define Package/ip6tables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/
+endef
+
+define Package/libip4tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so.* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so.* $(1)/usr/lib/
+endef
+
+define Package/libiptext/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
+endef
+
+define Package/libiptext6/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
+endef
+
+define Package/libiptext-nft/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext_*.so $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so.* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+  define Package/$(1)/install
+	$(INSTALL_DIR) $$(1)/usr/lib/iptables
+	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
+		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+		fi; \
+	done
+	$(3)
+  endef
+
+  $$(eval $$(call BuildPackage,$(1)))
+endef
+
+$(eval $(call BuildPackage,libxtables))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libiptext))
+$(eval $(call BuildPackage,libiptext6))
+$(eval $(call BuildPackage,libiptext-nft))
+$(eval $(call BuildPackage,xtables-legacy))
+$(eval $(call BuildPackage,xtables-nft))
+$(eval $(call BuildPackage,arptables-nft))
+$(eval $(call BuildPackage,ebtables-nft))
+$(eval $(call BuildPackage,iptables-nft))
+$(eval $(call BuildPackage,iptables-zz-legacy))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-cluster,$(IPT_CLUSTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-clusterip,$(IPT_CLUSTERIP-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-rpfilter,$(IPT_RPFILTER-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-socket,$(IPT_SOCKET-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
+$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
+$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
+$(eval $(call BuildPackage,ip6tables-nft))
+$(eval $(call BuildPackage,ip6tables-zz-legacy))
+$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
+$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
+

package/network/utils/iptables/patches/010-add-set-dscpmark-support.patch

@@ -0,0 +1,452 @@
+From 74267bacce0c43e5038b0377cb7c08f1ad9d50a3 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Date: Sat, 23 Mar 2019 10:21:03 +0000
+Subject: [PATCH] iptables: connmark - add set-dscpmark option for openwrt
+
+Naive user space front end to xt_connmark 'setdscp' option.
+
+iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x01000000
+
+This version has a hack to support a backport to 4.14
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ extensions/libxt_CONNMARK.c           | 315 +++++++++++++++++++++++++-
+ include/linux/netfilter/xt_connmark.h |  10 +
+ 2 files changed, 324 insertions(+), 1 deletion(-)
+
+--- a/extensions/libxt_CONNMARK.c
++++ b/extensions/libxt_CONNMARK.c
+@@ -22,6 +22,7 @@
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <stdio.h>
++#include <strings.h>
+ #include <xtables.h>
+ #include <linux/netfilter/xt_CONNMARK.h>
+ 
+@@ -49,6 +50,7 @@ enum {
+ 	O_CTMASK,
+ 	O_NFMASK,
+ 	O_MASK,
++	O_DSCP_MARK,
+ 	F_SET_MARK         = 1 << O_SET_MARK,
+ 	F_SAVE_MARK        = 1 << O_SAVE_MARK,
+ 	F_RESTORE_MARK     = 1 << O_RESTORE_MARK,
+@@ -61,8 +63,10 @@ enum {
+ 	F_CTMASK           = 1 << O_CTMASK,
+ 	F_NFMASK           = 1 << O_NFMASK,
+ 	F_MASK             = 1 << O_MASK,
++	F_DSCP_MARK	   = 1 << O_DSCP_MARK,
+ 	F_OP_ANY           = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
+-	                     F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
++	                     F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK |
++			     F_DSCP_MARK,
+ };
+ 
+ static const char *const xt_connmark_shift_ops[] = {
+@@ -114,6 +118,8 @@ static const struct xt_option_entry conn
+ 	 .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
+ 	{.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
+ 	 .excl = F_CTMASK | F_NFMASK},
++	{.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
++	 .excl = F_OP_ANY},
+ 	XTOPT_TABLEEND,
+ };
+ #undef s
+@@ -148,6 +154,38 @@ static const struct xt_option_entry conn
+ };
+ #undef s
+ 
++#define s struct xt_connmark_tginfo3
++static const struct xt_option_entry connmark_tg_opts_v3[] = {
++	{.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
++	 .excl = F_OP_ANY},
++	{.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
++	 .excl = F_OP_ANY},
++	{.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
++	 .excl = F_OP_ANY},
++	{.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
++	 .excl = F_OP_ANY},
++	{.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
++	 .excl = F_OP_ANY},
++	{.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
++	 .excl = F_OP_ANY},
++	{.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
++	 .excl = F_OP_ANY},
++	{.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8,
++	 .min = 0, .max = 32},
++	{.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8,
++	 .min = 0, .max = 32},
++	{.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
++	 .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
++	{.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
++	 .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
++	{.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
++	 .excl = F_CTMASK | F_NFMASK},
++	{.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
++	 .excl = F_OP_ANY},
++	XTOPT_TABLEEND,
++};
++#undef s
++
+ static void connmark_tg_help(void)
+ {
+ 	printf(
+@@ -175,6 +213,15 @@ static void connmark_tg_help_v2(void)
+ );
+ }
+ 
++static void connmark_tg_help_v3(void)
++{
++	connmark_tg_help_v2();
++	printf(
++"  --set-dscpmark value/mask        Save DSCP to conntrack mark value\n"
++);
++}
++
++
+ static void connmark_tg_init(struct xt_entry_target *target)
+ {
+ 	struct xt_connmark_tginfo1 *info = (void *)target->data;
+@@ -199,6 +246,16 @@ static void connmark_tg_init_v2(struct x
+ 	info->shift_bits = 0;
+ }
+ 
++static void connmark_tg_init_v3(struct xt_entry_target *target)
++{
++	struct xt_connmark_tginfo3 *info;
++
++	connmark_tg_init_v2(target);
++	info = (void *)target->data;
++
++	info->func = 0;
++}
++
+ static void CONNMARK_parse(struct xt_option_call *cb)
+ {
+ 	struct xt_connmark_target_info *markinfo = cb->data;
+@@ -253,6 +310,23 @@ static void connmark_tg_parse(struct xt_
+ 		info->ctmark = cb->val.u32;
+ 		info->ctmask = 0;
+ 		break;
++	case O_DSCP_MARK:
++/* we sneaky sneaky this.  nfmask isn't used by the set mark functionality
++ * and by default is set to uint32max.  We can use the top bit as a flag
++ * that we're in DSCP_MARK submode of SET_MARK, if set then it's normal
++ * if unset then we're in DSCP_MARK
++ */
++		info->mode   = XT_CONNMARK_SET;
++		info->ctmark = cb->val.mark;
++		info->ctmask = cb->val.mask;
++		info->nfmask = info->ctmark ? ffs(info->ctmark) - 1 : 0;
++		/* need 6 contiguous bits */
++		if ((~0 & (info->ctmark >> info->nfmask)) != 0x3f)
++			xtables_error(PARAMETER_PROBLEM,
++				"CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
++		if (info->ctmark & info->ctmask)
++			xtables_error(PARAMETER_PROBLEM,
++				"CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
+ 	case O_SAVE_MARK:
+ 		info->mode = XT_CONNMARK_SAVE;
+ 		break;
+@@ -320,6 +394,78 @@ static void connmark_tg_parse_v2(struct
+ 	}
+ }
+ 
++static void connmark_tg_parse_v3(struct xt_option_call *cb)
++{
++	struct xt_connmark_tginfo3 *info = cb->data;
++
++	xtables_option_parse(cb);
++	switch (cb->entry->id) {
++	case O_SET_XMARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_VALUE;
++		info->ctmark = cb->val.mark;
++		info->ctmask = cb->val.mask;
++		break;
++	case O_SET_MARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_VALUE;
++		info->ctmark = cb->val.mark;
++		info->ctmask = cb->val.mark | cb->val.mask;
++		break;
++	case O_AND_MARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_VALUE;
++		info->ctmark = 0;
++		info->ctmask = ~cb->val.u32;
++		break;
++	case O_OR_MARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_VALUE;
++		info->ctmark = cb->val.u32;
++		info->ctmask = cb->val.u32;
++		break;
++	case O_XOR_MARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_VALUE;
++		info->ctmark = cb->val.u32;
++		info->ctmask = 0;
++		break;
++	case O_DSCP_MARK:
++		info->mode   = XT_CONNMARK_SET;
++		info->func   = XT_CONNMARK_DSCP;
++		info->ctmark = cb->val.mark;
++		info->ctmask = cb->val.mask;
++		info->shift_bits = info->ctmark ? ffs(info->ctmark) - 1 : 0;
++		/* need 6 contiguous bits */
++		if ((~0 & (info->ctmark >> info->shift_bits)) != 0x3f)
++			xtables_error(PARAMETER_PROBLEM,
++				"CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
++		if (info->ctmark & info->ctmask)
++			xtables_error(PARAMETER_PROBLEM,
++				"CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
++		break;
++	case O_SAVE_MARK:
++		info->mode = XT_CONNMARK_SAVE;
++		break;
++	case O_RESTORE_MARK:
++		info->mode = XT_CONNMARK_RESTORE;
++		break;
++	case O_MASK:
++		info->nfmask = info->ctmask = cb->val.u32;
++		break;
++	case O_LEFT_SHIFT_MARK:
++		info->shift_dir = D_SHIFT_LEFT;
++		info->shift_bits = cb->val.u8;
++		break;
++	case O_RIGHT_SHIFT_MARK:
++		info->shift_dir = D_SHIFT_RIGHT;
++		info->shift_bits = cb->val.u8;
++		break;
++	default:
++		break;
++	}
++}
++
+ static void connmark_tg_check(struct xt_fcheck_call *cb)
+ {
+ 	if (!(cb->xflags & F_OP_ANY))
+@@ -463,6 +609,65 @@ connmark_tg_print_v2(const void *ip, con
+ 	}
+ }
+ 
++static void
++connmark_tg_print_v3(const void *ip, const struct xt_entry_target *target,
++                  int numeric)
++{
++	const struct xt_connmark_tginfo3 *info = (const void *)target->data;
++	const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
++
++	switch (info->mode) {
++	case XT_CONNMARK_SET:
++		if (info->func & XT_CONNMARK_DSCP) {
++			printf(" CONNMARK DSCP 0x%x/0x%x",
++			       info->ctmark, info->ctmask);
++		}
++		if (info->func & XT_CONNMARK_VALUE) {
++			if (info->ctmark == 0)
++				printf(" CONNMARK and 0x%x",
++				       (unsigned int)(uint32_t)~info->ctmask);
++			else if (info->ctmark == info->ctmask)
++				printf(" CONNMARK or 0x%x", info->ctmark);
++			else if (info->ctmask == 0)
++				printf(" CONNMARK xor 0x%x", info->ctmark);
++			else if (info->ctmask == 0xFFFFFFFFU)
++				printf(" CONNMARK set 0x%x", info->ctmark);
++			else
++				printf(" CONNMARK xset 0x%x/0x%x",
++				       info->ctmark, info->ctmask);
++		}
++		break;
++	case XT_CONNMARK_SAVE:
++		if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)
++			printf(" CONNMARK save");
++		else if (info->nfmask == info->ctmask)
++			printf(" CONNMARK save mask 0x%x", info->nfmask);
++		else
++			printf(" CONNMARK save nfmask 0x%x ctmask ~0x%x",
++			       info->nfmask, info->ctmask);
++		break;
++	case XT_CONNMARK_RESTORE:
++		if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX)
++			printf(" CONNMARK restore");
++		else if (info->ctmask == info->nfmask)
++			printf(" CONNMARK restore mask 0x%x", info->ctmask);
++		else
++			printf(" CONNMARK restore ctmask 0x%x nfmask ~0x%x",
++			       info->ctmask, info->nfmask);
++		break;
++
++	default:
++		printf(" ERROR: UNKNOWN CONNMARK MODE");
++		break;
++	}
++
++	if (info->mode <= XT_CONNMARK_RESTORE &&
++	    !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
++	    info->shift_bits != 0) {
++		printf(" %s %u", shift_op, info->shift_bits);
++	}
++}
++
+ static void CONNMARK_save(const void *ip, const struct xt_entry_target *target)
+ {
+ 	const struct xt_connmark_target_info *markinfo =
+@@ -548,6 +753,38 @@ connmark_tg_save_v2(const void *ip, cons
+ 	}
+ }
+ 
++static void
++connmark_tg_save_v3(const void *ip, const struct xt_entry_target *target)
++{
++	const struct xt_connmark_tginfo3 *info = (const void *)target->data;
++	const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
++
++	switch (info->mode) {
++	case XT_CONNMARK_SET:
++		if (info->func & XT_CONNMARK_VALUE)
++			printf(" --set-xmark 0x%x/0x%x", info->ctmark, info->ctmask);
++		if (info->func & XT_CONNMARK_DSCP)
++			printf(" --set-dscpmark 0x%x/0x%x", info->ctmark, info->ctmask);
++		break;
++	case XT_CONNMARK_SAVE:
++		printf(" --save-mark --nfmask 0x%x --ctmask 0x%x",
++		       info->nfmask, info->ctmask);
++		break;
++	case XT_CONNMARK_RESTORE:
++		printf(" --restore-mark --nfmask 0x%x --ctmask 0x%x",
++		       info->nfmask, info->ctmask);
++		break;
++	default:
++		printf(" ERROR: UNKNOWN CONNMARK MODE");
++		break;
++	}
++	if (info->mode <= XT_CONNMARK_RESTORE &&
++	    !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
++	    info->shift_bits != 0) {
++		printf(" --%s %u", shift_op, info->shift_bits);
++	}
++}
++
+ static int connmark_tg_xlate(struct xt_xlate *xl,
+ 			     const struct xt_xlate_tg_params *params)
+ {
+@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct x
+ 
+ 	return 1;
+ }
++
++static int connmark_tg_xlate_v3(struct xt_xlate *xl,
++			     const struct xt_xlate_tg_params *params)
++{
++	const struct xt_connmark_tginfo3 *info =
++		(const void *)params->target->data;
++	const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
++
++	switch (info->mode) {
++	case XT_CONNMARK_SET:
++		xt_xlate_add(xl, "ct mark set ");
++		if (info->func & XT_CONNMARK_VALUE) {
++			if (info->ctmask == 0xFFFFFFFFU)
++				xt_xlate_add(xl, "0x%x ", info->ctmark);
++			else if (info->ctmark == 0)
++				xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
++			else if (info->ctmark == info->ctmask)
++				xt_xlate_add(xl, "ct mark or 0x%x",
++					     info->ctmark);
++			else if (info->ctmask == 0)
++				xt_xlate_add(xl, "ct mark xor 0x%x",
++					     info->ctmark);
++			else
++				xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
++					     info->ctmark, ~info->ctmask);
++		}
++		if (info->func & XT_CONNMARK_DSCP) {
++/* FIXME the nftables syntax would go here if only we knew what it was */
++			xt_xlate_add(xl, "ct mark set typeof(ct mark) ip dscp "
++					 "<< %u or 0x%x", info->shift_bits,
++					     info->ctmask);
++		}
++		break;
++	case XT_CONNMARK_SAVE:
++		xt_xlate_add(xl, "ct mark set mark");
++		if (!(info->nfmask == UINT32_MAX &&
++		    info->ctmask == UINT32_MAX)) {
++			if (info->nfmask == info->ctmask)
++				xt_xlate_add(xl, " and 0x%x", info->nfmask);
++		}
++		break;
++	case XT_CONNMARK_RESTORE:
++		xt_xlate_add(xl, "meta mark set ct mark");
++		if (!(info->nfmask == UINT32_MAX &&
++		    info->ctmask == UINT32_MAX)) {
++			if (info->nfmask == info->ctmask)
++				xt_xlate_add(xl, " and 0x%x", info->nfmask);
++		}
++		break;
++	}
++
++	if (info->mode <= XT_CONNMARK_RESTORE &&
++	    !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
++	    info->shift_bits != 0) {
++		xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits);
++	}
++
++	return 1;
++}
++
+ static struct xtables_target connmark_tg_reg[] = {
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg
+ 		.x6_options    = connmark_tg_opts_v2,
+ 		.xlate         = connmark_tg_xlate_v2,
+ 	},
++	{
++		.version       = XTABLES_VERSION,
++		.name          = "CONNMARK",
++		.revision      = 3,
++		.family        = NFPROTO_UNSPEC,
++		.size          = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
++		.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
++		.help          = connmark_tg_help_v3,
++		.init          = connmark_tg_init_v3,
++		.print         = connmark_tg_print_v3,
++		.save          = connmark_tg_save_v3,
++		.x6_parse      = connmark_tg_parse_v3,
++		.x6_fcheck     = connmark_tg_check,
++		.x6_options    = connmark_tg_opts_v3,
++		.xlate         = connmark_tg_xlate_v3,
++	},
+ };
+ 
+ void _init(void)
+--- a/include/linux/netfilter/xt_connmark.h
++++ b/include/linux/netfilter/xt_connmark.h
+@@ -18,6 +18,11 @@ enum {
+ 	XT_CONNMARK_RESTORE
+ };
+ 
++enum {
++	XT_CONNMARK_VALUE	= (1 << 0),
++	XT_CONNMARK_DSCP	= (1 << 1)
++};
++
+ struct xt_connmark_tginfo1 {
+ 	__u32 ctmark, ctmask, nfmask;
+ 	__u8 mode;
+@@ -28,6 +33,11 @@ struct xt_connmark_tginfo2 {
+ 	__u8 shift_dir, shift_bits, mode;
+ };
+ 
++struct xt_connmark_tginfo3 {
++	__u32 ctmark, ctmask, nfmask;
++	__u8 shift_dir, shift_bits, mode, func;
++};
++
+ struct xt_connmark_mtinfo1 {
+ 	__u32 mark, mask;
+ 	__u8 invert;

package/network/utils/iptables/patches/020-treewide-use-uint-instead-of-u_int.patch

@@ -0,0 +1,144 @@
+From f319389525b066b7dc6d389c88f16a0df3b8f189 Mon Sep 17 00:00:00 2001
+From: Nick Hainke <vincent@systemli.org>
+Date: Mon, 16 May 2022 18:16:41 +0200
+Subject: treewide: use uint* instead of u_int*
+
+Gcc complains about missing types. Some commits introduced u_int* instead
+of uint*. Use uint treewide.
+
+Fixes errors in the form of:
+In file included from xtables-legacy-multi.c:5:
+xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
+    83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+        |                                                        ^~~~~~~~~
+        |                                                        uint16_t
+make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
+
+Avoid libipq API breakage by adjusting libipq.h include accordingly. For
+arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
+e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
+
+Signed-off-by: Nick Hainke <vincent@systemli.org>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libxt_conntrack.c              | 2 +-
+ include/libipq/libipq.h                   | 8 ++++----
+ include/libiptc/libxtc.h                  | 2 +-
+ include/linux/netfilter_arp/arpt_mangle.h | 2 +-
+ iptables/xshared.c                        | 2 +-
+ iptables/xshared.h                        | 2 +-
+ libipq/ipq_create_handle.3                | 2 +-
+ libipq/ipq_set_mode.3                     | 2 +-
+ 8 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const st
+ 
+ static void
+ conntrack_dump_ports(const char *prefix, const char *opt,
+-		     u_int16_t port_low, u_int16_t port_high)
++		     uint16_t port_low, uint16_t port_high)
+ {
+ 	if (port_high == 0 || port_low == port_high)
+ 		printf(" %s%s %u", prefix, opt, port_low);
+--- a/include/libipq/libipq.h
++++ b/include/libipq/libipq.h
+@@ -24,7 +24,7 @@
+ #include <errno.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+-#include <sys/types.h>
++#include <stdint.h>
+ #include <sys/socket.h>
+ #include <sys/uio.h>
+ #include <asm/types.h>
+@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
+ struct ipq_handle
+ {
+ 	int fd;
+-	u_int8_t blocking;
++	uint8_t blocking;
+ 	struct sockaddr_nl local;
+ 	struct sockaddr_nl peer;
+ };
+ 
+-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
+ 
+ int ipq_destroy_handle(struct ipq_handle *h);
+ 
+ ssize_t ipq_read(const struct ipq_handle *h,
+                 unsigned char *buf, size_t len, int timeout);
+ 
+-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
+ 
+ ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
+ 
+--- a/include/libiptc/libxtc.h
++++ b/include/libiptc/libxtc.h
+@@ -10,7 +10,7 @@ extern "C" {
+ #endif
+ 
+ #ifndef XT_MIN_ALIGN
+-/* xt_entry has pointers and u_int64_t's in it, so if you align to
++/* xt_entry has pointers and uint64_t's in it, so if you align to
+    it, you'll also align to any crazy matches and targets someone
+    might write */
+ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
+--- a/include/linux/netfilter_arp/arpt_mangle.h
++++ b/include/linux/netfilter_arp/arpt_mangle.h
+@@ -13,7 +13,7 @@ struct arpt_mangle
+ 	union {
+ 		struct in_addr tgt_ip;
+ 	} u_t;
+-	u_int8_t flags;
++	__u8 flags;
+ 	int target;
+ };
+ 
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUM
+ };
+ 
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ 	   bool invert)
+ {
+ 	if (*options & option)
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -80,7 +80,7 @@ struct xtables_target;
+ #define IPT_INV_ARPHRD		0x0800
+ 
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ 	   bool invert);
+ 
+ /**
+--- a/libipq/ipq_create_handle.3
++++ b/libipq/ipq_create_handle.3
+@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
+ .br
+ .BI "int ipq_destroy_handle(struct ipq_handle *" h );
+ .SH DESCRIPTION
+--- a/libipq/ipq_set_mode.3
++++ b/libipq/ipq_set_mode.3
+@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queui
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
++.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
+ .SH DESCRIPTION
+ The
+ .B ipq_set_mode

package/network/utils/iptables/patches/030-revert-fix-build-for-missing-ETH_ALEN-definition.patch

@@ -0,0 +1,60 @@
+From 0e7cf0ad306cdf95dc3c28d15a254532206a888e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 18 May 2022 16:04:09 +0200
+Subject: Revert "fix build for missing ETH_ALEN definition"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
+compiling against musl libc. Might be a bug in the latter, but for the
+time being try to please both by avoiding the include and instead
+defining ETH_ALEN if unset.
+
+While being at it, move netinet/ether.h include up.
+
+Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+---
+ libxtables/xtables.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <netinet/ether.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/statfs.h>
+@@ -45,7 +46,6 @@
+ 
+ #include <xtables.h>
+ #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
+-#include <linux/if_ether.h> /* ETH_ALEN */
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <libiptc/libxtc.h>
+@@ -72,6 +72,10 @@
+ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+ #endif
+ 
++#ifndef ETH_ALEN
++#define ETH_ALEN 6
++#endif
++
+ /* we need this for ip6?tables-restore.  ip6?tables-restore.c sets line to the
+  * current line of the input file, in order  to give a more precise error
+  * message.  ip6?tables itself doesn't need this, so it is initialized to the
+@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number,
+ 	printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
+ }
+ 
+-#include <netinet/ether.h>
+-
+ static const unsigned char mac_type_unicast[ETH_ALEN] =   {};
+ static const unsigned char msk_type_unicast[ETH_ALEN] =   {1};
+ static const unsigned char mac_type_multicast[ETH_ALEN] = {1};

package/network/utils/iptables/patches/040-xshared-Fix-build-for-Werror-format-security.patch

@@ -0,0 +1,23 @@
+From b72eb12ea5a61df0655ad99d5048994e916be83a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: [PATCH] xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/xshared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct
+ 		return;
+ 
+ 	if (args->family != NFPROTO_ARP)
+-		xtables_error(PARAMETER_PROBLEM, msg);
++		xtables_error(PARAMETER_PROBLEM, "%s", msg);
+ 
+ 	fprintf(stderr, "%s", msg);
+ }

package/network/utils/iptables/patches/050-build-fix-error-during-out-of-tree-build.patch

@@ -0,0 +1,28 @@
+From 0ebf52fc951b2a4d98a166afb34af4f364bbeece Mon Sep 17 00:00:00 2001
+From: Ben Brown <ben@demerara.io>
+Date: Wed, 25 May 2022 16:26:13 +0100
+Subject: build: Fix error during out of tree build
+
+Fixes the following error:
+
+    ../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
+       52 | #include <libiptc/linux_list.h>
+
+Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
+Signed-off-by: Ben Brown <ben@demerara.io>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ libxtables/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libxtables/Makefile.am
++++ b/libxtables/Makefile.am
+@@ -1,7 +1,7 @@
+ # -*- Makefile -*-
+ 
+ AM_CFLAGS   = ${regular_CFLAGS}
+-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
++AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
+ 
+ lib_LTLIBRARIES       = libxtables.la
+ libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c

package/network/utils/iptables/patches/060-libxtables-unexport-init_extensions-declarations.patch

@@ -0,0 +1,82 @@
+From ef108943f69a6e20533d58823740d3f0534ea8ec Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 1 Jun 2022 19:15:06 +0200
+Subject: libxtables: Unexport init_extensions*() declarations
+
+The functions are used for static builds to initialize extensions after
+libxtables init. Regular library users should not need them, but the
+empty declarations introduced in #else case (and therefore present in
+user's env) may clash with existing symbol names.
+
+Avoid problems and guard the whole block declaring the function
+prototypes and mangling extensions' _init functions by XTABLES_INTERNAL.
+
+Reported-by: Nick Hainke <vincent@systemli.org>
+Fixes: 6c689b639cf8e ("Simplify static build extension loading")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ include/xtables.h | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -585,27 +585,6 @@ static inline void xtables_print_mark_ma
+ 	xtables_print_val_mask(mark, mask, NULL);
+ }
+ 
+-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+-#	ifdef _INIT
+-#		undef _init
+-#		define _init _INIT
+-#	endif
+-	extern void init_extensions(void);
+-	extern void init_extensions4(void);
+-	extern void init_extensions6(void);
+-	extern void init_extensionsa(void);
+-	extern void init_extensionsb(void);
+-#else
+-#	define _init __attribute__((constructor)) _INIT
+-#	define EMPTY_FUNC_DEF(x) static inline void x(void) {}
+-	EMPTY_FUNC_DEF(init_extensions)
+-	EMPTY_FUNC_DEF(init_extensions4)
+-	EMPTY_FUNC_DEF(init_extensions6)
+-	EMPTY_FUNC_DEF(init_extensionsa)
+-	EMPTY_FUNC_DEF(init_extensionsb)
+-#	undef EMPTY_FUNC_DEF
+-#endif
+-
+ extern const struct xtables_pprot xtables_chain_protos[];
+ extern uint16_t xtables_parse_protocol(const char *s);
+ 
+@@ -663,9 +642,30 @@ void xtables_announce_chain(const char *
+ #		define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
+ #	endif
+ 
++#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
++#	ifdef _INIT
++#		undef _init
++#		define _init _INIT
++#	endif
++	extern void init_extensions(void);
++	extern void init_extensions4(void);
++	extern void init_extensions6(void);
++	extern void init_extensionsa(void);
++	extern void init_extensionsb(void);
++#else
++#	define _init __attribute__((constructor)) _INIT
++#	define EMPTY_FUNC_DEF(x) static inline void x(void) {}
++	EMPTY_FUNC_DEF(init_extensions)
++	EMPTY_FUNC_DEF(init_extensions4)
++	EMPTY_FUNC_DEF(init_extensions6)
++	EMPTY_FUNC_DEF(init_extensionsa)
++	EMPTY_FUNC_DEF(init_extensionsb)
++#	undef EMPTY_FUNC_DEF
++#endif
++
+ extern void _init(void);
+ 
+-#endif
++#endif /* XTABLES_INTERNAL */
+ 
+ #ifdef __cplusplus
+ } /* extern "C" */

package/network/utils/iptables/patches/070-extensions-string-Review-parse_string-function.patch

@@ -0,0 +1,40 @@
+From da5b32fb4656ab69fe1156eb7e36c7c961839e8a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 8 Jun 2022 13:45:13 +0200
+Subject: [PATCH] extensions: string: Review parse_string() function
+
+* Compare against sizeof(info->pattern) which is more clear than having
+  to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE
+
+* Invert the check and error early to reduce indenting
+
+* Pass info->patlen to memcpy() to avoid reading past end of 's'
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libxt_string.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/extensions/libxt_string.c
++++ b/extensions/libxt_string.c
+@@ -78,14 +78,13 @@ static void string_init(struct xt_entry_
+ 
+ static void
+ parse_string(const char *s, struct xt_string_info *info)
+-{	
++{
+ 	/* xt_string does not need \0 at the end of the pattern */
+-	if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
+-		memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+-		info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
+-		return;
+-	}
+-	xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
++	if (strlen(s) > sizeof(info->pattern))
++		xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
++
++	info->patlen = strnlen(s, sizeof(info->pattern));
++	memcpy(info->pattern, s, info->patlen);
+ }
+ 
+ static void

package/network/utils/iptables/patches/101-remove-check-already.patch

@@ -0,0 +1,28 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1093,12 +1093,6 @@ void xtables_register_match(struct xtabl
+ 	struct xtables_match **pos;
+ 	bool seen_myself = false;
+ 
+-	if (me->next) {
+-		fprintf(stderr, "%s: match \"%s\" already registered\n",
+-			xt_params->program_name, me->name);
+-		exit(1);
+-	}
+-
+ 	if (me->version == NULL) {
+ 		fprintf(stderr, "%s: match %s<%u> is missing a version\n",
+ 		        xt_params->program_name, me->name, me->revision);
+@@ -1277,12 +1271,6 @@ void xtables_register_target(struct xtab
+ 	struct xtables_target **pos;
+ 	bool seen_myself = false;
+ 
+-	if (me->next) {
+-		fprintf(stderr, "%s: target \"%s\" already registered\n",
+-			xt_params->program_name, me->name);
+-		exit(1);
+-	}
+-
+ 	if (me->version == NULL) {
+ 		fprintf(stderr, "%s: target %s<%u> is missing a version\n",
+ 		        xt_params->program_name, me->name, me->revision);

package/network/utils/iptables/patches/102-iptables-disable-modprobe.patch

@@ -0,0 +1,27 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -476,7 +476,7 @@ char *xtables_strdup(const char *s)
+ 	return dup;
+ }
+ 
+-static char *get_modprobe(void)
++__attribute__((unused)) static char *get_modprobe(void)
+ {
+ 	int procfile;
+ 	char *ret;
+@@ -511,6 +511,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -545,6 +546,7 @@ int xtables_insmod(const char *modname,
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
++#endif
+ 	return -1;
+ }
+ 

package/network/utils/iptables/patches/103-optional-xml.patch

@@ -0,0 +1,13 @@
+--- a/iptables/xtables-legacy-multi.c
++++ b/iptables/xtables-legacy-multi.c
+@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
+ 
+ 
+ #endif
++#ifdef ENABLE_XML
+ 	{"iptables-xml",        iptables_xml_main},
+ 	{"xml",                 iptables_xml_main},
++#endif
+ #ifdef ENABLE_IPV6
+ 	{"ip6tables",           ip6tables_main},
+ 	{"main6",               ip6tables_main},

package/network/utils/iptables/patches/200-configurable_builtin.patch

@@ -0,0 +1,79 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist
+ pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
+-pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod})
++pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod)
++@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod))
++pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_static})
++pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_static})
++pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
+ pfa_solibs    := $(patsubst %,libarpt_%.so,${pfa_build_mod})
+@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
+ #
+ targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs}
+-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
++libext_objs := ${pfx_objs}
++libext_ebt_objs := ${pfb_objs}
++libext_arpt_objs := ${pfa_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
++targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
++symlinks_install := ${pfx_symlink_files}
+ 
+ .SECONDARY:
+ 
+@@ -163,11 +183,11 @@ libext4.a: initext4.o ${libext4_objs}
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initextb_func := $(addprefix ebt_,${pfb_build_mod})
+-initexta_func := $(addprefix arpt_,${pfa_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static})
++initextb_func := $(addprefix ebt_,${pfb_build_static})
++initexta_func := $(addprefix arpt_,${pfa_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext.dd: FORCE
+ 	@echo "${initext_func}" >$@.tmp; \

package/network/utils/iptables/patches/600-shared-libext.patch

@@ -0,0 +1,102 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext_ebt_objs := ${pfb_objs}
+@@ -132,7 +132,7 @@ clean:
+ distclean: clean
+ 
+ init%.o: init%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init  -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+ -include .*.d
+ 
+@@ -166,22 +166,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
+ #	handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+-libext.a: initext.o ${libext_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext_ebt.a: initextb.o ${libext_ebt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext_ebt.so: initextb.o ${libext_ebt_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext_arpt.a: initexta.o ${libext_arpt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext_arpt.so: initexta.o ${libext_arpt_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext4.a: initext4.o ${libext4_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+-libext6.a: initext6.o ${libext6_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables $(foreach obj,$^,${$(patsubst lib%.o,%,$(obj))_LIBADD});
+ 
+ initext_func  := $(addprefix xt_,${pfx_build_static})
+ initextb_func := $(addprefix ebt_,${pfb_build_static})
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -7,19 +7,22 @@ BUILT_SOURCES =
+ 
+ xtables_legacy_multi_SOURCES  = xtables-legacy-multi.c iptables-xml.c
+ xtables_legacy_multi_CFLAGS   = ${AM_CFLAGS}
+-xtables_legacy_multi_LDADD    = ../extensions/libext.a
++xtables_legacy_multi_LDADD    =
++xtables_legacy_multi_LDFLAGS  = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_legacy_multi_CFLAGS  += -DALL_INCLUSIVE
+ endif
+ if ENABLE_IPV4
+ xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
+ xtables_legacy_multi_CFLAGS  += -DENABLE_IPV4
+-xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la
++xtables_legacy_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
+ xtables_legacy_multi_CFLAGS  += -DENABLE_IPV6
+-xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la
++xtables_legacy_multi_LDFLAGS += -liptext6
+ endif
+ xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
+ xtables_legacy_multi_LDADD   += ../libxtables/libxtables.la -lm
+@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD   += ../libxt
+ if ENABLE_NFTABLES
+ xtables_nft_multi_SOURCES  = xtables-nft-multi.c iptables-xml.c
+ xtables_nft_multi_CFLAGS   = ${AM_CFLAGS}
+-xtables_nft_multi_LDADD    = ../extensions/libext.a ../extensions/libext_ebt.a
++xtables_nft_multi_LDADD    =
++xtables_nft_multi_LDFLAGS  = -L../extensions/ -liptext -liptext_ebt
+ if ENABLE_STATIC
+ xtables_nft_multi_CFLAGS  += -DALL_INCLUSIVE
+ endif
+@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav
+ 				xtables-eb-standalone.c xtables-eb.c \
+ 				xtables-eb-translate.c \
+ 				xtables-translate.c
+-xtables_nft_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
++xtables_nft_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
++xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
+ xtables_nft_multi_SOURCES += xshared.c
+ xtables_nft_multi_LDADD   += ../libxtables/libxtables.la -lm
+ endif

package/network/utils/iptables/patches/700-disable-legacy-revisions.patch

@@ -0,0 +1,95 @@
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -1399,6 +1399,7 @@ static int conntrack3_mt6_xlate(struct x
+ }
+ 
+ static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1474,6 +1475,7 @@ static struct xtables_match conntrack_mt
+ 		.alias	       = conntrack_print_name_alias,
+ 		.x6_options    = conntrack2_mt_opts,
+ 	},
++#endif
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1506,6 +1508,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_options    = conntrack3_mt_opts,
+ 		.xlate	       = conntrack3_mt6_xlate,
+ 	},
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1536,6 +1539,8 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_ct23_parse,
+ 		.x6_options    = state_opts,
+ 	},
++#endif
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1565,6 +1570,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_parse,
+ 		.x6_options    = state_opts,
+ 	},
++#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_CT.c
++++ b/extensions/libxt_CT.c
+@@ -363,6 +363,7 @@ static int xlate_ct1_tg(struct xt_xlate
+ }
+ 
+ static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -388,6 +389,7 @@ static struct xtables_target ct_target_r
+ 		.x6_parse	= ct_parse_v1,
+ 		.x6_options	= ct_opts_v1,
+ 	},
++#endif
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -403,6 +405,7 @@ static struct xtables_target ct_target_r
+ 		.x6_options	= ct_opts_v1,
+ 		.xlate		= xlate_ct1_tg,
+ 	},
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "NOTRACK",
+@@ -441,6 +444,7 @@ static struct xtables_target ct_target_r
+ 		.revision      = 0,
+ 		.version       = XTABLES_VERSION,
+ 	},
++#endif
+ };
+ 
+ void _init(void)
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -591,6 +591,7 @@ static int multiport_xlate6_v1(struct xt
+ }
+ 
+ static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
+@@ -621,6 +622,7 @@ static struct xtables_match multiport_mt
+ 		.x6_options    = multiport_opts,
+ 		.xlate         = multiport_xlate6,
+ 	},
++#endif
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",

package/network/utils/iptables/patches/800-flowoffload_target.patch

@@ -0,0 +1,95 @@
+--- /dev/null
++++ b/extensions/libxt_FLOWOFFLOAD.c
+@@ -0,0 +1,72 @@
++#include <stdio.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_FLOWOFFLOAD.h>
++
++enum {
++    O_HW,
++};
++
++static void offload_help(void)
++{
++	printf(
++"FLOWOFFLOAD target options:\n"
++" --hw				Enable hardware offload\n"
++	);
++}
++
++static const struct xt_option_entry offload_opts[] = {
++	{.name = "hw", .id = O_HW, .type = XTTYPE_NONE},
++	XTOPT_TABLEEND,
++};
++
++static void offload_parse(struct xt_option_call *cb)
++{
++	struct xt_flowoffload_target_info *info = cb->data;
++
++	xtables_option_parse(cb);
++	switch (cb->entry->id) {
++	case O_HW:
++		info->flags |= XT_FLOWOFFLOAD_HW;
++		break;
++	}
++}
++
++static void offload_print(const void *ip, const struct xt_entry_target *target, int numeric)
++{
++	const struct xt_flowoffload_target_info *info =
++		(const struct xt_flowoffload_target_info *)target->data;
++
++	printf(" FLOWOFFLOAD");
++	if (info->flags & XT_FLOWOFFLOAD_HW)
++		printf(" hw");
++}
++
++static void offload_save(const void *ip, const struct xt_entry_target *target)
++{
++	const struct xt_flowoffload_target_info *info =
++		(const struct xt_flowoffload_target_info *)target->data;
++
++	if (info->flags & XT_FLOWOFFLOAD_HW)
++		printf(" --hw");
++}
++
++static struct xtables_target offload_tg_reg[] = {
++	{
++		.family		= NFPROTO_UNSPEC,
++		.name		= "FLOWOFFLOAD",
++		.revision	= 0,
++		.version	= XTABLES_VERSION,
++		.size		= XT_ALIGN(sizeof(struct xt_flowoffload_target_info)),
++		.userspacesize	= sizeof(struct xt_flowoffload_target_info),
++		.help		= offload_help,
++		.print		= offload_print,
++		.save		= offload_save,
++		.x6_parse	= offload_parse,
++		.x6_options	= offload_opts,
++	},
++};
++
++void _init(void)
++{
++	xtables_register_targets(offload_tg_reg, ARRAY_SIZE(offload_tg_reg));
++}
+--- /dev/null
++++ b/include/linux/netfilter/xt_FLOWOFFLOAD.h
+@@ -0,0 +1,17 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef _XT_FLOWOFFLOAD_H
++#define _XT_FLOWOFFLOAD_H
++
++#include <linux/types.h>
++
++enum {
++	XT_FLOWOFFLOAD_HW	= 1 << 0,
++
++	XT_FLOWOFFLOAD_MASK	= XT_FLOWOFFLOAD_HW
++};
++
++struct xt_flowoffload_target_info {
++	__u32 flags;
++};
++
++#endif /* _XT_FLOWOFFLOAD_H */