iptables: add {arp,eb}tables-nft

Add a patch to add some missing init_extensions{a,b}() calls Package lib{arp,eb}t_*.so Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 23:14:48 -05:00
parent c913be1da1
commit 66bb6dde36
2 changed files with 145 additions and 0 deletions
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -107,6 +107,28 @@ $(call Package/iptables/Default)
  DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
 endef

+define Package/arptables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-arp +xtables-nft +kmod-arptables
+  TITLE:=ARP firewall administration tool nft
+  PROVIDES:=arptables
+  ALTERNATIVES:=\
+    300:/usr/sbin/arptables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/arptables-save:/usr/sbin/xtables-nft-multi
+endef
+
+define Package/ebtables-nft
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-nft-bridge +xtables-nft +kmod-ebtables
+  TITLE:=Bridge firewall administration tool nft
+  PROVIDES:=ebtables
+  ALTERNATIVES:=\
+    300:/usr/sbin/ebtables:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-restore:/usr/sbin/xtables-nft-multi \
+    300:/usr/sbin/ebtables-save:/usr/sbin/xtables-nft-multi
+endef
+
 define Package/iptables-nft
 $(call Package/iptables/Default)
  TITLE:=IP firewall administration tool nft
@@ -666,6 +688,20 @@ define Package/xtables-nft/install
 	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-nft-multi $(1)/usr/sbin/
 endef

+define Package/arptables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/arptables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libarpt_*.so $(1)/usr/lib/iptables/
+endef
+
+define Package/ebtables-nft/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ebtables-nft{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libebt_*.so $(1)/usr/lib/iptables/
+endef
+
 define Package/iptables-nft/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-nft{,-restore,-save} $(1)/usr/sbin/
@@ -737,6 +773,8 @@ $(eval $(call BuildPackage,libiptext-nft))
 $(eval $(call BuildPackage,xtables-legacy))
 $(eval $(call BuildPackage,iptables-legacy))
 $(eval $(call BuildPackage,xtables-nft))
+$(eval $(call BuildPackage,arptables-nft))
+$(eval $(call BuildPackage,ebtables-nft))
 $(eval $(call BuildPackage,iptables-nft))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
 $(eval $(call BuildPlugin,iptables-mod-conntrack-label,$(IPT_CONNTRACK_LABEL-m)))
--- a/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
+++ b/package/network/utils/iptables/patches/002-xtables-Call-init_extensions_a_b.patch
@@ -0,0 +1,107 @@
+A modified version of this patch was commited upstream
+as part of a fixup series
+https://bugzilla.netfilter.org/show_bug.cgi?id=1593
+https://git.netfilter.org/iptables/commit/?id=0836524f093c0fd9c39604a46a949e43d9b47ef2
+
+--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
+@@ -629,6 +629,8 @@ int xtables_monitor_main(int argc, char
+ 	init_extensions();
+ 	init_extensions4();
+ 	init_extensions6();
+	init_extensionsa();
+	init_extensionsb();
+ #endif
+ 
+ 	if (nft_init(&h, AF_INET, xtables_ipv4)) {
+--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
+@@ -368,9 +368,17 @@ xtables_restore_main(int family, const c
+ #endif
+ 		break;
+ 	case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsa();
+#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsb();
+#endif
+ 		tables = xtables_bridge;
+ 		break;
+ 	default:
+--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
+@@ -208,9 +208,17 @@ xtables_save_main(int family, int argc,
+ 		d.commit = true;
+ 		break;
+ 	case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsa();
+#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE: {
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsb();
+#endif
+ 		const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
+ 
+ 		if (!(d.format & FMT_NOCOUNTS)) {
+--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
+@@ -58,6 +58,8 @@ xtables_main(int family, const char *pro
+ 	init_extensions();
+ 	init_extensions4();
+ 	init_extensions6();
+	init_extensionsa();
+	init_extensionsb();
+ #endif
+ 
+ 	if (nft_init(&h, family, xtables_ipv4) < 0) {
+--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
+@@ -474,9 +474,17 @@ static int xtables_xlate_main_common(str
+ 		tables = xtables_ipv4;
+ 		break;
+ 	case NFPROTO_ARP:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsa();
+#endif
+ 		tables = xtables_arp;
+ 		break;
+ 	case NFPROTO_BRIDGE:
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensionsb();
+#endif
+ 		tables = xtables_bridge;
+ 		break;
+ 	default:
+--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
+@@ -438,6 +438,7 @@ int nft_init_arp(struct nft_handle *h, c
+ 	}
+ 
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+	init_extensions();
+ 	init_extensionsa();
+ #endif
+ 
+--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
+@@ -685,6 +685,7 @@ int nft_init_eb(struct nft_handle *h, co
+ 	}
+ 
+ #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+	init_extensions();
+ 	init_extensionsb();
+ #endif
+