Revert "iptables: update to 1.4.18" due to toolchain-issue: binaries cause segfaults when stripped on ar71xx

SVN-Revision: 35894

package/network/utils/iptables/Makefile

@@ -9,15 +9,15 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=iptables
-PKG_VERSION:=1.4.18
-PKG_RELEASE:=1
+PKG_VERSION:=1.4.10
+PKG_RELEASE:=5
 
+PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
 	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
 	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
 	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-PKG_MD5SUM:=a819199d5ec013b82da13a8ffbba857e
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
@@ -49,13 +49,13 @@ endef
 
 define Package/iptables
 $(call Package/iptables/Default)
-  TITLE:=IP firewall administration tool
+  TITLE:=IPv4 firewall administration tool
   MENU:=1
-  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
+  DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
 endef
 
 define Package/iptables/description
-IP firewall administration tool.
+IPv4 firewall administration tool.
 
  Matches:
   - icmp
@@ -300,7 +300,7 @@ endef
 
 define Package/ip6tables
 $(call Package/iptables/Default)
-  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
+  DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
   CATEGORY:=IPv6
   TITLE:=IPv6 firewall administration tool
   MENU:=1
@@ -365,9 +365,9 @@ define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
 
 	# XXX: iptables header fixup, some headers are not installed by iptables anymore
+	$(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
 	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
 	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
 	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
 	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
 
@@ -382,14 +382,21 @@ endef
 
 define Package/iptables/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
-	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
+	$(LN) iptables $(1)/usr/sbin/iptables-save
+	$(LN) iptables $(1)/usr/sbin/iptables-restore
 	$(INSTALL_DIR) $(1)/usr/lib/iptables
 endef
 
 define Package/ip6tables/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
+	$(LN) ip6tables $(1)/usr/sbin/ip6tables-save
+	$(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
+		$(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
+	)
 endef
 
 define Package/libiptc/install

package/network/utils/iptables/patches/009-table-alignment.patch

@@ -0,0 +1,11 @@
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -69,7 +69,7 @@ static const char *hooknames[] = {
+ struct ipt_error_target
+ {
+ 	STRUCT_ENTRY_TARGET t;
+-	char error[TABLE_MAXNAMELEN];
++	char error[FUNCTION_MAXNAMELEN];
+ };
+ 
+ struct chain_head;

package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch

@@ -0,0 +1,265 @@
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -15,21 +15,6 @@
+ #include <linux/netfilter/xt_multiport.h>
+ 
+ /* Function which prints out usage message. */
+-static void multiport_help(void)
+-{
+-	printf(
+-"multiport match options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-"				match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-"				match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-"				match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n");
+-}
+-
+ static void multiport_help_v1(void)
+ {
+ 	printf(
+@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
+ 	}
+ }
+ 
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+-	char *buffer, *cp, *next;
+-	unsigned int i;
+-
+-	buffer = strdup(portstring);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-
+-	for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+-	{
+-		next=strchr(cp, ',');
+-		if (next) *next++='\0';
+-		ports[i] = xtables_parse_port(cp, proto);
+-	}
+-	if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+-	free(buffer);
+-	return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring, 
+ 		     struct xt_multiport_v1 *multiinfo,
+@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
+ /* Function which parses command options; returns true if it
+    ate an option */
+ static int
+-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+-                  struct xt_entry_match **match, u_int16_t pnum,
+-                  u_int8_t invflags)
+-{
+-	const char *proto;
+-	struct xt_multiport *multiinfo
+-		= (struct xt_multiport *)(*match)->data;
+-
+-	switch (c) {
+-	case '1':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_SOURCE;
+-		break;
+-
+-	case '2':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_DESTINATION;
+-		break;
+-
+-	case '3':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_EITHER;
+-		break;
+-
+-	default:
+-		return 0;
+-	}
+-
+-	if (invert)
+-		xtables_error(PARAMETER_PROBLEM,
+-			   "multiport does not support invert");
+-
+-	if (*flags)
+-		xtables_error(PARAMETER_PROBLEM,
+-			   "multiport can only have one option");
+-	*flags = 1;
+-	return 1;
+-}
+-
+-static int
+-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+-                const void *e, struct xt_entry_match **match)
+-{
+-	const struct ipt_entry *entry = e;
+-	return __multiport_parse(c, argv, invert, flags, match,
+-	       entry->ip.proto, entry->ip.invflags);
+-}
+-
+-static int
+-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+-                 const void *e, struct xt_entry_match **match)
+-{
+-	const struct ip6t_entry *entry = e;
+-	return __multiport_parse(c, argv, invert, flags, match,
+-	       entry->ipv6.proto, entry->ipv6.invflags);
+-}
+-
+-static int
+ __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+                      struct xt_entry_match **match, u_int16_t pnum,
+                      u_int8_t invflags)
+@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
+ }
+ 
+ /* Prints out the matchinfo. */
+-static void
+-__multiport_print(const struct xt_entry_match *match, int numeric,
+-                  u_int16_t proto)
+-{
+-	const struct xt_multiport *multiinfo
+-		= (const struct xt_multiport *)match->data;
+-	unsigned int i;
+-
+-	printf("multiport ");
+-
+-	switch (multiinfo->flags) {
+-	case XT_MULTIPORT_SOURCE:
+-		printf("sports ");
+-		break;
+-
+-	case XT_MULTIPORT_DESTINATION:
+-		printf("dports ");
+-		break;
+-
+-	case XT_MULTIPORT_EITHER:
+-		printf("ports ");
+-		break;
+-
+-	default:
+-		printf("ERROR ");
+-		break;
+-	}
+-
+-	for (i=0; i < multiinfo->count; i++) {
+-		printf("%s", i ? "," : "");
+-		print_port(multiinfo->ports[i], proto, numeric);
+-	}
+-	printf(" ");
+-}
+-
+-static void multiport_print(const void *ip_void,
+-                            const struct xt_entry_match *match, int numeric)
+-{
+-	const struct ipt_ip *ip = ip_void;
+-	__multiport_print(match, numeric, ip->proto);
+-}
+-
+-static void multiport_print6(const void *ip_void,
+-                             const struct xt_entry_match *match, int numeric)
+-{
+-	const struct ip6t_ip6 *ip = ip_void;
+-	__multiport_print(match, numeric, ip->proto);
+-}
+-
+ static void __multiport_print_v1(const struct xt_entry_match *match,
+                                  int numeric, u_int16_t proto)
+ {
+@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
+ }
+ 
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void __multiport_save(const struct xt_entry_match *match,
+-                             u_int16_t proto)
+-{
+-	const struct xt_multiport *multiinfo
+-		= (const struct xt_multiport *)match->data;
+-	unsigned int i;
+-
+-	switch (multiinfo->flags) {
+-	case XT_MULTIPORT_SOURCE:
+-		printf("--sports ");
+-		break;
+-
+-	case XT_MULTIPORT_DESTINATION:
+-		printf("--dports ");
+-		break;
+-
+-	case XT_MULTIPORT_EITHER:
+-		printf("--ports ");
+-		break;
+-	}
+-
+-	for (i=0; i < multiinfo->count; i++) {
+-		printf("%s", i ? "," : "");
+-		print_port(multiinfo->ports[i], proto, 1);
+-	}
+-	printf(" ");
+-}
+-
+-static void multiport_save(const void *ip_void,
+-                           const struct xt_entry_match *match)
+-{
+-	const struct ipt_ip *ip = ip_void;
+-	__multiport_save(match, ip->proto);
+-}
+-
+-static void multiport_save6(const void *ip_void,
+-                            const struct xt_entry_match *match)
+-{
+-	const struct ip6t_ip6 *ip = ip_void;
+-	__multiport_save(match, ip->proto);
+-}
+-
+ static void __multiport_save_v1(const struct xt_entry_match *match,
+                                 u_int16_t proto)
+ {
+@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
+-		.revision      = 0,
+-		.version       = XTABLES_VERSION,
+-		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.help          = multiport_help,
+-		.parse         = multiport_parse,
+-		.final_check   = multiport_check,
+-		.print         = multiport_print,
+-		.save          = multiport_save,
+-		.extra_opts    = multiport_opts,
+-	},
+-	{
+-		.family        = NFPROTO_IPV6,
+-		.name          = "multiport",
+-		.revision      = 0,
+-		.version       = XTABLES_VERSION,
+-		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.help          = multiport_help,
+-		.parse         = multiport_parse6,
+-		.final_check   = multiport_check,
+-		.print         = multiport_print6,
+-		.save          = multiport_save6,
+-		.extra_opts    = multiport_opts,
+-	},
+-	{
+-		.family        = NFPROTO_IPV4,
+-		.name          = "multiport",
+ 		.version       = XTABLES_VERSION,
+ 		.revision      = 1,
+ 		.size          = XT_ALIGN(sizeof(struct xt_multiport_v1)),

package/network/utils/iptables/patches/011-recent-add-reap.patch

@@ -0,0 +1,116 @@
+From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <[email protected]>
+Date: Mon, 1 Mar 2010 19:00:29 -0700
+Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
+
+Signed-off-by: Tim Gardner <[email protected]>
+---
+ extensions/libxt_recent.c           |   20 ++++++++++++++++++++
+ extensions/libxt_recent.man         |    5 +++++
+ include/linux/netfilter/xt_recent.h |    7 +++++++
+ 3 files changed, 32 insertions(+), 0 deletions(-)
+
+--- a/extensions/libxt_recent.c
++++ b/extensions/libxt_recent.c
+@@ -20,6 +20,7 @@ static const struct option recent_opts[]
+ 	{.name = "name",     .has_arg = true,  .val = 208},
+ 	{.name = "rsource",  .has_arg = false, .val = 209},
+ 	{.name = "rdest",    .has_arg = false, .val = 210},
++	{.name = "reap",     .has_arg = false, .val = 211},
+ 	XT_GETOPT_TABLEEND,
+ };
+ 
+@@ -37,6 +38,7 @@ static void recent_help(void)
+ "    --hitcount hits             For check and update commands above.\n"
+ "                                Specifies that the match will only occur if source address seen hits times.\n"
+ "                                May be used in conjunction with the seconds option.\n"
++"    --reap                      Remove entries that have expired. Can only be used with --seconds\n"
+ "    --rttl                      For check and update commands above.\n"
+ "                                Specifies that the match will only occur if the source address and the TTL\n"
+ "                                match between this packet and the one which was set.\n"
+@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
+ 	(XT_RECENT_SET | XT_RECENT_CHECK | \
+ 	XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+ 
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_match **match)
+ {
+@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
+ 
+ 		case 204:
+ 			info->seconds = atoi(optarg);
++			*flags |= XT_RECENT_SECONDS;
+ 			break;
+ 
+ 		case 205:
+@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
+ 			info->side = XT_RECENT_DEST;
+ 			break;
+ 
++		case 211:
++			info->check_set |= XT_RECENT_REAP;
++			*flags |= XT_RECENT_REAP;
++			break;
++
+ 		default:
+ 			return 0;
+ 	}
+@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
+ 		xtables_error(PARAMETER_PROBLEM,
+ 		           "recent: --rttl may only be used with --rcheck or "
+ 		           "--update");
++	if ((flags & XT_RECENT_REAP) &&
++	    ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++	    (!(flags & XT_RECENT_SECONDS))))
++		xtables_error(PARAMETER_PROBLEM,
++		           "recent: --reap may only be used with --rcheck or "
++		           "--update and --seconds");
+ }
+ 
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
+ 		printf("side: source ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("side: dest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("reap ");
+ }
+ 
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -211,6 +229,8 @@ static void recent_save(const void *ip,
+ 		printf("--rsource ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("--rdest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("--reap ");
+ }
+ 
+ static struct xtables_match recent_mt_reg = {
+--- a/extensions/libxt_recent.man
++++ b/extensions/libxt_recent.man
+@@ -41,6 +41,11 @@ This option must be used in conjunction
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+--- a/include/linux/netfilter/xt_recent.h
++++ b/include/linux/netfilter/xt_recent.h
+@@ -23,6 +23,9 @@ enum {
+ #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ 			       XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+ 
++/* Only allowed with --rcheck and --update */
++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
++
+ struct xt_recent_mtinfo {
+ 	__u32 seconds;
+ 	__u32 hit_count;

package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch

@@ -1,6 +1,6 @@
---- a/libxtables/xtables.c
-+++ b/libxtables/xtables.c
-@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+--- a/xtables.c
++++ b/xtables.c
+@@ -305,6 +305,7 @@ static char *get_modprobe(void)
  
  int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
  {
@@ -8,7 +8,7 @@
  	char *buf = NULL;
  	char *argv[4];
  	int status;
-@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname,
  	free(buf);
  	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
  		return 0;

package/network/utils/iptables/patches/030-no-libnfnetlink.patch

@@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -12173,77 +12173,7 @@ $as_echo "no" >&6; }
+@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
  	fi
  fi
  
@@ -18,7 +18,6 @@
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }; then
 -  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
--		      test "x$?" != "x0" && pkg_failed=yes
 -else
 -  pkg_failed=yes
 -fi
@@ -35,7 +34,6 @@
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }; then
 -  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
--		      test "x$?" != "x0" && pkg_failed=yes
 -else
 -  pkg_failed=yes
 -fi
@@ -55,9 +53,9 @@
 -        _pkg_short_errors_supported=no
 -fi
 -        if test $_pkg_short_errors_supported = yes; then
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
 -        else
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
 -        fi
 -	# Put the nasty error message in config.log where it belongs
 -	echo "$libnfnetlink_PKG_ERRORS" >&5
@@ -81,7 +79,7 @@
  else
 --- a/configure.ac
 +++ b/configure.ac
-@@ -89,9 +89,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
  AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
  AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
  
@@ -90,5 +88,5 @@
 -AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
 +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
  
- regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
- 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
+ regular_CFLAGS="${largefile_cflags} \
+ 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \

package/network/utils/iptables/patches/100-bash-location.patch

@@ -1,5 +1,13 @@
---- a/iptables/iptables-apply
-+++ b/iptables/iptables-apply
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ autoreconf -fi;
+ rm -Rf autom4te*.cache;
+--- a/iptables-apply
++++ b/iptables-apply
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/usr/bin/env bash

package/network/utils/iptables/patches/110-linux_3.2_compat.patch

@@ -0,0 +1,12 @@
+--- a/include/linux/types.h
++++ b/include/linux/types.h
+@@ -34,5 +34,9 @@ typedef __u64 __bitwise __be64;
+ typedef __u16 __bitwise __sum16;
+ typedef __u32 __bitwise __wsum;
+ 
++#define __aligned_u64 __u64 __attribute__((aligned(8)))
++#define __aligned_be64 __be64 __attribute__((aligned(8)))
++#define __aligned_le64 __le64 __attribute__((aligned(8)))
++
+ #endif /*  __ASSEMBLY__ */
+ #endif /* _LINUX_TYPES_H */

package/network/utils/iptables/patches/200-configurable_builtin.patch

@@ -1,8 +1,6 @@
-Index: iptables-1.4.18/extensions/GNUmakefile.in
-===================================================================
---- iptables-1.4.18.orig/extensions/GNUmakefile.in	2013-03-03 22:40:11.000000000 +0100
-+++ iptables-1.4.18/extensions/GNUmakefile.in	2013-03-05 16:37:07.583256974 +0100
-@@ -46,9 +46,24 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -40,9 +40,24 @@ pfx_build_mod := $(patsubst ${srcdir}/li
  pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
  pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
  pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
@@ -27,36 +25,32 @@ Index: iptables-1.4.18/extensions/GNUmakefile.in
 +pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
 +pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
 +pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
- pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
  pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
  pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -59,11 +74,11 @@
- #
- targets := libext.a libext4.a libext6.a matches.man targets.man
+@@ -54,10 +69,10 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+ targets := libext4.a libext6.a matches4.man matches6.man \
+            targets4.man targets6.man
  targets_install :=
--@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
--@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
--@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
 -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+libext_objs := ${pfx_objs}
-+libext4_objs := ${pf4_objs}
-+libext6_objs := ${pf6_objs}
++libext4_objs := ${pfx_objs} ${pf4_objs}
++libext6_objs := ${pfx_objs} ${pf6_objs}
 +targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 +targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
  
  .SECONDARY:
  
-@@ -128,9 +143,9 @@
+@@ -107,8 +122,8 @@ libext4.a: initext4.o ${libext4_objs}
  libext6.a: initext6.o ${libext6_objs}
  	${AM_VERBOSE_AR} ${AR} crs $@ $^;
  
--initext_func  := $(addprefix xt_,${pfx_build_mod})
--initext4_func := $(addprefix ipt_,${pf4_build_mod})
--initext6_func := $(addprefix ip6t_,${pf6_build_mod})
-+initext_func  := $(addprefix xt_,${pfx_build_static})
-+initext4_func := $(addprefix ipt_,${pf4_build_static})
-+initext6_func := $(addprefix ip6t_,${pf6_build_static})
+-initext_func  := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
  
- .initext.dd: FORCE
+ .initext4.dd: FORCE
  	@echo "${initext_func}" >[email protected]; \

package/network/utils/iptables/patches/300-musl_fixes.patch

@@ -1,18 +1,18 @@
 --- a/extensions/libip6t_ipv6header.c
 +++ b/extensions/libip6t_ipv6header.c
-@@ -10,6 +10,9 @@ on whether they contain certain headers
- #include <netdb.h>
- #include <xtables.h>
+@@ -15,6 +15,9 @@ on whether they contain certain headers
+ #include <sys/types.h>
+ 
  #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 +#ifndef IPPROTO_HOPOPTS
 +#	define IPPROTO_HOPOPTS 0
 +#endif
  
- enum {
- 	O_HEADER = 0,
+ /* This maybe required 
+ #include <linux/in.h>
 --- a/extensions/libxt_TCPOPTSTRIP.c
 +++ b/extensions/libxt_TCPOPTSTRIP.c
-@@ -12,6 +12,21 @@
+@@ -16,6 +16,21 @@
  #ifndef TCPOPT_MD5SIG
  #	define TCPOPT_MD5SIG 19
  #endif
@@ -33,7 +33,7 @@
 +#endif
  
  enum {
- 	O_STRIP_OPTION = 0,
+ 	FLAG_STRIP = 1 << 0,
 --- a/include/libiptc/ipt_kernel_headers.h
 +++ b/include/libiptc/ipt_kernel_headers.h
 @@ -5,7 +5,6 @@
@@ -82,9 +82,9 @@
  
  #include <linux/netfilter_ipv4.h>
  
---- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -9,7 +9,7 @@
+--- a/ip6tables-restore.c
++++ b/ip6tables-restore.c
+@@ -11,7 +11,7 @@
   */
  
  #include <getopt.h>
@@ -93,8 +93,8 @@
  #include <stdbool.h>
  #include <string.h>
  #include <stdio.h>
---- a/iptables/ip6tables-save.c
-+++ b/iptables/ip6tables-save.c
+--- a/ip6tables-save.c
++++ b/ip6tables-save.c
 @@ -6,7 +6,7 @@
   * This code is distributed under the terms of GNU GPL v2
   */
@@ -104,9 +104,9 @@
  #include <stdio.h>
  #include <fcntl.h>
  #include <stdlib.h>
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -6,7 +6,7 @@
+--- a/iptables-restore.c
++++ b/iptables-restore.c
+@@ -8,7 +8,7 @@
   */
  
  #include <getopt.h>
@@ -115,8 +115,8 @@
  #include <stdbool.h>
  #include <string.h>
  #include <stdio.h>
---- a/iptables/iptables-save.c
-+++ b/iptables/iptables-save.c
+--- a/iptables-save.c
++++ b/iptables-save.c
 @@ -6,7 +6,7 @@
   *
   */
@@ -126,9 +126,9 @@
  #include <stdio.h>
  #include <fcntl.h>
  #include <stdlib.h>
---- a/iptables/iptables-xml.c
-+++ b/iptables/iptables-xml.c
-@@ -7,7 +7,7 @@
+--- a/iptables-xml.c
++++ b/iptables-xml.c
+@@ -9,7 +9,7 @@
   */
  
  #include <getopt.h>

package/network/utils/iptables/patches/400-lenient-restore.patch

@@ -1,8 +1,6 @@
-Index: iptables-1.4.18/iptables/ip6tables-restore.c
-===================================================================
---- iptables-1.4.18.orig/iptables/ip6tables-restore.c	2013-03-05 16:37:31.000000000 +0100
-+++ iptables-1.4.18/iptables/ip6tables-restore.c	2013-03-05 16:42:57.475249794 +0100
-@@ -14,6 +14,8 @@
+--- a/ip6tables-restore.c
++++ b/ip6tables-restore.c
+@@ -16,6 +16,8 @@
  #include <string.h>
  #include <stdio.h>
  #include <stdlib.h>
@@ -11,7 +9,7 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
  #include "ip6tables.h"
  #include "xtables.h"
  #include "libiptc/libip6tc.h"
-@@ -25,6 +27,7 @@
+@@ -27,6 +29,7 @@
  #define DEBUGP(x, args...)
  #endif
  
@@ -19,15 +17,15 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
  static int binary = 0, counters = 0, verbose = 0, noflush = 0;
  
  /* Keeping track of external matches and targets.  */
-@@ -35,6 +38,7 @@
+@@ -37,6 +40,7 @@ static const struct option options[] = {
  	{.name = "test",     .has_arg = false, .val = 't'},
  	{.name = "help",     .has_arg = false, .val = 'h'},
  	{.name = "noflush",  .has_arg = false, .val = 'n'},
 +	{.name = "lenient",  .has_arg = false, .val = 'l'},
  	{.name = "modprobe", .has_arg = true,  .val = 'M'},
- 	{.name = "table",    .has_arg = true,  .val = 'T'},
  	{NULL},
-@@ -51,6 +55,7 @@
+ };
+@@ -52,6 +56,7 @@ static void print_usage(const char *name
  			"	   [ --test ]\n"
  			"	   [ --help ]\n"
  			"	   [ --noflush ]\n"
@@ -35,7 +33,7 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
  			"          [ --modprobe=<command>]\n", name);
  
  	exit(1);
-@@ -114,6 +119,17 @@
+@@ -114,6 +119,17 @@ static void free_argv(void) {
  		free(newargv[i]);
  }
  
@@ -50,19 +48,19 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
 +	longjmp(jmp, status);
 +}
 +
- static void add_param_to_argv(char *parsestart)
- {
- 	int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@
- 	init_extensions6();
+ #ifdef IPTABLES_MULTI
+ int ip6tables_restore_main(int argc, char *argv[])
+ #else
+@@ -141,7 +157,7 @@ int main(int argc, char *argv[])
+ 	init_extensions();
  #endif
  
--	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
-+	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
+-	while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvthnlM:", options, NULL)) != -1) {
  		switch (c) {
  			case 'b':
  				binary = 1;
-@@ -225,6 +241,9 @@
+@@ -162,6 +178,9 @@ int main(int argc, char *argv[])
  			case 'n':
  				noflush = 1;
  				break;
@@ -72,7 +70,7 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
  			case 'M':
  				xtables_modprobe_program = optarg;
  				break;
-@@ -437,8 +456,11 @@
+@@ -440,8 +459,11 @@ int main(int argc, char *argv[])
  			for (a = 0; a < newargc; a++)
  				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
  
@@ -86,11 +84,9 @@ Index: iptables-1.4.18/iptables/ip6tables-restore.c
  
  			free_argv();
  			fflush(stdout);
-Index: iptables-1.4.18/iptables/iptables-restore.c
-===================================================================
---- iptables-1.4.18.orig/iptables/iptables-restore.c	2013-03-05 16:37:31.000000000 +0100
-+++ iptables-1.4.18/iptables/iptables-restore.c	2013-03-05 16:44:56.303247355 +0100
-@@ -11,6 +11,8 @@
+--- a/iptables-restore.c
++++ b/iptables-restore.c
+@@ -13,6 +13,8 @@
  #include <string.h>
  #include <stdio.h>
  #include <stdlib.h>
@@ -99,7 +95,7 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  #include "iptables.h"
  #include "xtables.h"
  #include "libiptc/libiptc.h"
-@@ -22,6 +24,7 @@
+@@ -24,6 +26,7 @@
  #define DEBUGP(x, args...)
  #endif
  
@@ -107,7 +103,7 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  static int binary = 0, counters = 0, verbose = 0, noflush = 0;
  
  /* Keeping track of external matches and targets.  */
-@@ -32,6 +35,7 @@
+@@ -34,6 +37,7 @@ static const struct option options[] = {
  	{.name = "test",     .has_arg = false, .val = 't'},
  	{.name = "help",     .has_arg = false, .val = 'h'},
  	{.name = "noflush",  .has_arg = false, .val = 'n'},
@@ -115,7 +111,7 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  	{.name = "modprobe", .has_arg = true,  .val = 'M'},
  	{.name = "table",    .has_arg = true,  .val = 'T'},
  	{NULL},
-@@ -50,6 +54,7 @@
+@@ -52,6 +56,7 @@ static void print_usage(const char *name
  			"	   [ --test ]\n"
  			"	   [ --help ]\n"
  			"	   [ --noflush ]\n"
@@ -123,7 +119,7 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  			"	   [ --table=<TABLE> ]\n"
  			"          [ --modprobe=<command>]\n", name);
  
-@@ -113,6 +118,17 @@
+@@ -114,6 +119,17 @@ static void free_argv(void) {
  		free(newargv[i]);
  }
  
@@ -138,11 +134,11 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
 +	longjmp(jmp, status);
 +}
 +
- static void add_param_to_argv(char *parsestart)
- {
- 	int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@
- 	init_extensions4();
+ #ifdef IPTABLES_MULTI
+ int
+ iptables_restore_main(int argc, char *argv[])
+@@ -144,7 +160,7 @@ main(int argc, char *argv[])
+ 	init_extensions();
  #endif
  
 -	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
@@ -150,7 +146,7 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  		switch (c) {
  			case 'b':
  				binary = 1;
-@@ -225,6 +241,9 @@
+@@ -165,6 +181,9 @@ main(int argc, char *argv[])
  			case 'n':
  				noflush = 1;
  				break;
@@ -160,14 +156,14 @@ Index: iptables-1.4.18/iptables/iptables-restore.c
  			case 'M':
  				xtables_modprobe_program = optarg;
  				break;
-@@ -437,8 +456,11 @@
+@@ -445,8 +464,11 @@ main(int argc, char *argv[])
  			for (a = 0; a < newargc; a++)
  				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
  
--			ret = do_command4(newargc, newargv,
+-			ret = do_command(newargc, newargv,
 -					 &newargv[2], &handle);
 +			if (!setjmp(jmp))
-+				ret = do_command4(newargc, newargv,
++				ret = do_command(newargc, newargv,
 +						 &newargv[2], &handle);
 +			else
 +				ret = 1;