Skip to content

Commit

Permalink
iptables: default to ip(6)tables-nft
Browse files Browse the repository at this point in the history 
OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.

When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.

We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
  • Loading branch information
@champtar @hauke
champtar authored and hauke committed Jun 28, 2022
1 parent a5796a4 commit 35fec48
Showing 1 changed file with 12 additions and 19 deletions.
31 changes: 12 additions & 19 deletions package/network/utils/iptables/Makefile
View file
Expand Up @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=iptables
PKG_VERSION:=1.8.7
PKG_RELEASE:=6
PKG_RELEASE:=7

PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
Expand Down Expand Up @@ -50,18 +50,18 @@ $(call Package/iptables/Default)
DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables
endef

define Package/iptables-legacy
define Package/iptables-zz-legacy
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool
DEPENDS+= +xtables-legacy
PROVIDES:=iptables
PROVIDES:=iptables iptables-legacy
ALTERNATIVES:=\
200:/usr/sbin/iptables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-restore:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/iptables-save:/usr/sbin/xtables-legacy-multi
endef

define Package/iptables-legacy/description
define Package/iptables-zz-legacy/description
IP firewall administration tool.

Matches:
Expand Down Expand Up @@ -104,7 +104,7 @@ endef
define Package/xtables-nft
$(call Package/iptables/Default)
TITLE:=IP firewall administration tool nft
DEPENDS:=@IPTABLES_NFTABLES +libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
DEPENDS:=+libnftnl +libiptext +IPV6:libiptext6 +libiptext-nft +kmod-nft-compat
endef

define Package/arptables-nft
Expand Down Expand Up @@ -483,12 +483,12 @@ define Package/iptables-mod-checksum/description
iptables extension for the CHECKSUM calculation target
endef

define Package/ip6tables-legacy
define Package/ip6tables-zz-legacy
$(call Package/iptables/Default)
DEPENDS:=@IPV6 +kmod-ip6tables +xtables-legacy
CATEGORY:=Network
TITLE:=IPv6 firewall administration tool
PROVIDES:=ip6tables
PROVIDES:=ip6tables ip6tables-legacy
ALTERNATIVES:=\
200:/usr/sbin/ip6tables:/usr/sbin/xtables-legacy-multi \
200:/usr/sbin/ip6tables-restore:/usr/sbin/xtables-legacy-multi \
Expand Down Expand Up @@ -575,7 +575,7 @@ define Package/libiptext-nft
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared libiptext nft library
ABI_VERSION:=0
DEPENDS:=@IPTABLES_NFTABLES +libxtables
DEPENDS:=+libxtables
endef

define Package/libxtables
Expand All @@ -594,12 +594,6 @@ define Package/libxtables/config
default n
help
This enable connlabel support in iptables.

config IPTABLES_NFTABLES
bool "Enable Nftables support"
default y
help
This enable nftables support in iptables.
endef

TARGET_CPPFLAGS := \
Expand All @@ -624,7 +618,6 @@ CONFIGURE_ARGS += \
--with-xtlibdir=/usr/lib/iptables \
--with-xt-lock-name=/var/run/xtables.lock \
$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
$(if $(CONFIG_IPV6),,--disable-ipv6)

MAKE_FLAGS := \
Expand Down Expand Up @@ -677,7 +670,7 @@ define Package/xtables-legacy/install
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-legacy-multi $(1)/usr/sbin/
endef

define Package/iptables-legacy/install
define Package/iptables-zz-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables-legacy{,-restore,-save} $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
Expand Down Expand Up @@ -708,7 +701,7 @@ define Package/iptables-nft/install
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore}-translate $(1)/usr/sbin/
endef

define Package/ip6tables-legacy/install
define Package/ip6tables-zz-legacy/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables-legacy{,-restore,-save} $(1)/usr/sbin/
endef
Expand Down Expand Up @@ -771,7 +764,7 @@ $(eval $(call BuildPackage,libiptext))
$(eval $(call BuildPackage,libiptext6))
$(eval $(call BuildPackage,libiptext-nft))
$(eval $(call BuildPackage,xtables-legacy))
$(eval $(call BuildPackage,iptables-legacy))
$(eval $(call BuildPackage,iptables-zz-legacy))
$(eval $(call BuildPackage,xtables-nft))
$(eval $(call BuildPackage,arptables-nft))
$(eval $(call BuildPackage,ebtables-nft))
Expand Down Expand Up @@ -799,7 +792,7 @@ $(eval $(call BuildPlugin,iptables-mod-nflog,$(IPT_NFLOG-m)))
$(eval $(call BuildPlugin,iptables-mod-trace,$(IPT_DEBUG-m)))
$(eval $(call BuildPlugin,iptables-mod-nfqueue,$(IPT_NFQUEUE-m)))
$(eval $(call BuildPlugin,iptables-mod-checksum,$(IPT_CHECKSUM-m)))
$(eval $(call BuildPackage,ip6tables-legacy))
$(eval $(call BuildPackage,ip6tables-zz-legacy))
$(eval $(call BuildPackage,ip6tables-nft))
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
Expand Down

0 comments on commit 35fec48

Please sign in to comment.