qi-hardware/openwrt-xburst
1
0
Fork 0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2025-04-21 12:27:27 +03:00
Code Activity

packages: sort network related packages into package/network/

Browse Source 
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@33688 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
nbd
2012-10-10 12:32:29 +00:00
parent eecf5b1752
commit 9c8997d54d
344 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

475
package/network/utils/iptables/Makefile Normal file
View File

@@ -0,0 +1,475 @@
#
# Copyright (C) 2006-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
PKG_VERSION:=1.4.10
PKG_RELEASE:=4
PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
PATCH_DIR:=
endif
include $(INCLUDE_DIR)/package.mk
ifeq ($(DUMP),)
-include $(LINUX_DIR)/.config
include $(INCLUDE_DIR)/netfilter.mk
STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
endif
define Package/iptables/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Firewall
URL:=http://netfilter.org/
endef
define Package/iptables/Module
$(call Package/iptables/Default)
DEPENDS:=iptables $(1)
endef
define Package/iptables
$(call Package/iptables/Default)
TITLE:=IPv4 firewall administration tool
MENU:=1
DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
endef
define Package/iptables/description
IPv4 firewall administration tool.
Matches:
- icmp
- tcp
- udp
- comment
- limit
- mac
- multiport
Targets:
- ACCEPT
- DROP
- REJECT
- LOG
- TCPMSS
Tables:
- filter
- mangle
endef
define Package/iptables-mod-conntrack-extra
$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
TITLE:=Extra connection tracking extensions
endef
define Package/iptables-mod-conntrack-extra/description
Extra iptables extensions for connection tracking.
Matches:
- connbytes
- connmark
- recent
- helper
Targets:
- CONNMARK
endef
define Package/iptables-mod-filter
$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=Content inspection extensions
endef
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
Includes support for:
Matches:
- layer7
- string
endef
define Package/iptables-mod-ipopt
$(call Package/iptables/Module, +kmod-ipt-ipopt)
TITLE:=IP/Packet option extensions
endef
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.
Matches:
- dscp
- ecn
- length
- mark
- statistic
- tcpmss
- time
- unclean
- hl
Targets:
- DSCP
- CLASSIFY
- ECN
- MARK
- HL
endef
define Package/iptables-mod-ipsec
$(call Package/iptables/Module, +kmod-ipt-ipsec)
TITLE:=IPsec extensions
endef
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.
Matches:
- ah
- esp
- policy
endef
define Package/iptables-mod-ipset
$(call Package/iptables/Module,)
TITLE:=IPset iptables extensions
endef
define Package/iptables-mod-ipset/description
IPset iptables extensions.
Matches:
- set
Targets:
- SET
endef
define Package/iptables-mod-nat-extra
$(call Package/iptables/Module, +kmod-ipt-nat-extra)
TITLE:=Extra NAT extensions
endef
define Package/iptables-mod-nat-extra/description
iptables extensions for extra NAT targets.
Targets:
- MIRROR
- NETMAP
- REDIRECT
endef
define Package/iptables-mod-ulog
$(call Package/iptables/Module, +kmod-ipt-ulog)
TITLE:=user-space packet logging
endef
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.
Targets:
- ULOG
endef
define Package/iptables-mod-hashlimit
$(call Package/iptables/Module, +kmod-ipt-hashlimit)
TITLE:=hashlimit matching
endef
define Package/iptables-mod-hashlimit/description
iptables extensions for hashlimit matching
Matches:
- hashlimit
endef
define Package/iptables-mod-iprange
$(call Package/iptables/Module, +kmod-ipt-iprange)
TITLE:=IP range extension
endef
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.
Matches:
- iprange
endef
define Package/iptables-mod-extra
$(call Package/iptables/Module, +kmod-ipt-extra)
TITLE:=Other extra iptables extensions
endef
define Package/iptables-mod-extra/description
Other extra iptables extensions.
Matches:
- condition
- owner
- physdev (if ebtables is enabled)
- pkttype
- quota
endef
define Package/iptables-mod-led
$(call Package/iptables/Module, +kmod-ipt-led)
TITLE:=LED trigger iptables extension
endef
define Package/iptables-mod-led/description
iptables extension for triggering a LED.
Targets:
- LED
endef
define Package/iptables-mod-tproxy
$(call Package/iptables/Module, +kmod-ipt-tproxy)
TITLE:=Transparent proxy iptables extensions
endef
define Package/iptables-mod-tproxy/description
Transparent proxy iptables extensions.
Matches:
- socket
Targets:
- TPROXY
endef
define Package/iptables-mod-tee
$(call Package/iptables/Module, +kmod-ipt-tee)
TITLE:=TEE iptables extensions
endef
define Package/iptables-mod-tee/description
TEE iptables extensions.
Targets:
- TEE
endef
define Package/iptables-mod-u32
$(call Package/iptables/Module, +kmod-ipt-u32)
TITLE:=U32 iptables extensions
endef
define Package/iptables-mod-u32/description
U32 iptables extensions.
Matches:
- u32
endef
define Package/ip6tables
$(call Package/iptables/Default)
DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
CATEGORY:=IPv6
TITLE:=IPv6 firewall administration tool
MENU:=1
endef
define Package/libiptc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libip4tc +libip6tc
TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
define Package/libip4tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library
endef
define Package/libip6tc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library
endef
define Package/libxtables
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared xtables library
endef
define Package/libipq
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4/IPv6 firewall - shared libipq library
endef
TARGET_CPPFLAGS := \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
$(TARGET_CPPFLAGS)
TARGET_CFLAGS += \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include
CONFIGURE_ARGS += \
--enable-shared \
--enable-devel \
$(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
--enable-libipq \
--with-kernel="$(LINUX_DIR)/user_headers" \
--with-xtlibdir=/usr/lib/iptables \
--enable-static
MAKE_FLAGS := \
$(TARGET_CONFIGURE_OPTS) \
COPT_FLAGS="$(TARGET_CFLAGS)" \
KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
KBUILD_OUTPUT="$(LINUX_DIR)" \
BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))"
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(INSTALL_DIR) $(1)/usr/include/iptables
$(INSTALL_DIR) $(1)/usr/include/net/netfilter
# XXX: iptables header fixup, some headers are not installed by iptables anymore
$(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
endef
define Package/iptables/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
$(LN) iptables $(1)/usr/sbin/iptables-save
$(LN) iptables $(1)/usr/sbin/iptables-restore
$(INSTALL_DIR) $(1)/usr/lib/iptables
endef
define Package/ip6tables/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
$(LN) ip6tables $(1)/usr/sbin/ip6tables-save
$(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
$(INSTALL_DIR) $(1)/usr/lib/iptables
(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
$(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
)
endef
define Package/libiptc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
endef
define Package/libip4tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
endef
define Package/libip6tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
endef
define Package/libxtables/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
endef
define Package/libipq/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
endef
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/iptables
for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
fi; \
done
$(3)
endef
$$(eval $$(call BuildPackage,$(1)))
endef
L7_INSTALL:=\
$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
$(eval $(call BuildPackage,iptables))
$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
$(eval $(call BuildPackage,ip6tables))
$(eval $(call BuildPackage,libiptc))
$(eval $(call BuildPackage,libip4tc))
$(eval $(call BuildPackage,libip6tc))
$(eval $(call BuildPackage,libxtables))
$(eval $(call BuildPackage,libipq))

28
package/network/utils/iptables/files/l7/aim.pat Normal file
View File

@@ -0,0 +1,28 @@
# AIM - AOL instant messenger (OSCAR and TOC)
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5190
#
# This may also match ICQ traffic.
#
# This pattern has been tested and is believed to work well.
aim
# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
# The first bit matches OSCAR signon and data commands, but not sure what
# \x03\x0b matches, but it works apparently.
# The next three bits match various parts of the TOC signon process.
# The third one is the magic number "*", then 0x01 for "signon", then up to four
# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
# then 0x01 for the version number (not sure if there ever has been another
# version)
# The fourth one is a command string, followed by some stuff, then the
# beginning of the "roasted" password
# This pattern is too slow!
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x

25
package/network/utils/iptables/files/l7/bittorrent.pat Normal file
View File

@@ -0,0 +1,25 @@
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
# Pattern attributes: good slow594 notsofast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# It will, however, not work on bittorrent streams that are encrypted, since
# it's impossible to match (well) encrypted data.
bittorrent
# Does not attempt to match the HTTP download of the tracker
# 0x13 is the length of "bittorrent protocol"
# Second two bits match UDP wierdness
# Next bit matches something Azureus does
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
# packet and perhaps this will match multiple clients.
# bitcomet-specific strings contributed by liangjun.
# This is not a valid GNU basic regular expression (but that's ok).
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
# This pattern is "fast", but won't catch as much
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)

37
package/network/utils/iptables/files/l7/edonkey.pat Normal file
View File

@@ -0,0 +1,37 @@
# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
# Pattern attributes: good veryfast fast overmatch
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/EDonkey
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
# and a long time ago with something else.
#
# In addition to matching what you might expect, this matches much of
# what eMule does when you tell it to only connect to the KAD network.
# I don't quite know what to make of this.
# Thanks to Matt Skidmore <fox AT woozle.org>
edonkey
# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
#
# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
# As of April 2006, I also see some \xe4.
#
# God this is a mess. What an irritating protocol.
# This will match about 2% of streams with random data in them!
# (But fortunately much fewer than 2% of streams that are other protocols.
# You can test this with the data in ../testing/)
^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
# matches everything and too much
# ^(\xe3|\xc5|\xd4)
# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
# bandwidtharbitrator uses
# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
# no comments to explain what all the mush is, of course...

23
package/network/utils/iptables/files/l7/fasttrack.pat Normal file
View File

@@ -0,0 +1,23 @@
# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested with Kazaa Lite Resurrection 0.0.7.6F
#
# This appears to match the download connections well, but not the search
# connections (I think they are encrypted :-( ).
fasttrack
# while this is a valid http request, this will be caught because
# the http pattern matches the response (and therefore the next packet)
# Even so, it's best to put this match earlier in the chain.
# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
# This pattern is kinda slow, but not too bad.
^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
# This isn't much faster:
#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?

46
package/network/utils/iptables/files/l7/ftp.pat Normal file
View File

@@ -0,0 +1,46 @@
# FTP - File Transfer Protocol - RFC 959
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 21. Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
# tracking module in your kernel to usefully match FTP data transfers.
#
# This pattern is well tested.
#
# Handles the first two things a server should say:
#
# First, the server says it's ready by sending "220". Most servers say
# something after 220, even though they don't have to, and it usually
# includes the string "ftp" (l7-filter is case insensitive). This
# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
# ASCII printable characters between the "220" and the "FTP", but non-English
# ones might use others.
#
# The next thing the server sends is a 331. All the above servers also
# send something including "password" after this code. By default, we
# do not match on this because it takes another packet and is more work
# for regexec.
ftp
# by default, we allow only ASCII
^220[\x09-\x0d -~]*ftp
# This covers UTF-8 as well
#^220[\x09-\x0d -~\x80-\xfd]*ftp
# This allows any characters and is about 4x faster than either of the above
# (which are about the same as each other)
#^220.*ftp
# This is much slower
#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
# same as above, but slightly less precise and only takes 2 packets.
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a

34
package/network/utils/iptables/files/l7/gnutella.pat Normal file
View File

@@ -0,0 +1,34 @@
# Gnutella - P2P filesharing
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Gnutella
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
#
# Various clients use this protocol including Mactella, Shareaza,
# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
#
# This is tested with gtk-gnutella and Shareaza.
# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
# http://rfc-gnutella.sf.net/
# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
# http://en.wikipedia.org/wiki/Shareaza
gnutella
# The first part matches UDP messages - All start with "GND", then have
# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
# that can be anything, then a fragment number, which must start at 1.
# The rest matches TCP first client message or first server message (in case
# we can't see client messages). Some parts of this are empirical rather than
# document based. Assumes version is between 0.0 and 2.9. (usually is
# 0.4 or 0.6). I'm guessing at many of the user-agents.
# The last bit is emprical and probably only matches Limewire.
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
# Needlessly precise, at the expense of time
#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)

28
package/network/utils/iptables/files/l7/http.pat Normal file
View File

@@ -0,0 +1,28 @@
# HTTP - HyperText Transfer Protocol - RFC 2616
# Pattern attributes: great slow notsofast superset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# This pattern has been tested and is believed to work well.
#
# this intentionally catches the response from the server rather than
# the request so that other protocols which use http (like kazaa) can be
# caught based on specific http requests regardless of the ordering of
# filters... also matches posts
# Sites that serve really long cookies may break this by pushing the
# server response too far away from the beginning of the connection. To
# fix this, increase the kernel's data buffer length.
http
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
# As specified in rfc 2616 a status code is preceeded and followed by a
# space.
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
# A slightly faster version that might be good enough:
#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
# old pattern(s):
#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)

15
package/network/utils/iptables/files/l7/ident.pat Normal file
View File

@@ -0,0 +1,15 @@
# Ident - Identification Protocol - RFC 1413
# Pattern attributes: good fast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Ident
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 113
#
# This pattern is believed to work.
ident
# "number , numberCRLF" possibly without the CR and/or LF.
# ^$ is appropriate because the first packet should never have anything
# else in it.
^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$

20
package/network/utils/iptables/files/l7/irc.pat Normal file
View File

@@ -0,0 +1,20 @@
# IRC - Internet Relay Chat - RFC 1459
# Pattern attributes: great veryfast fast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IRC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 6666 or 6667
# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
# can use much more bandwidth) uses a dynamically assigned port, so you
# must have the IRC connection tracking module in your kernel to classify
# this.
#
# This pattern has been tested and is believed to work well.
irc
# First thing that happens is that the client sends NICK and USER, in
# either order. This allows MIRC color codes (\x02-\x0d instead of
# \x09-\x0d).
^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)

24
package/network/utils/iptables/files/l7/jabber.pat Normal file
View File

@@ -0,0 +1,24 @@
# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Jabber
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with Gaim and Gabber. It is only tested
# with non-SSL mode Jabber with no proxies.
# Thanks to Jan Hudec for some improvements.
# Jabber seems to take a long time to set up a connection. I'm
# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
# is this:
# <stream:stream to='12jabber.com' xmlns='jabber:client'
# xmlns:stream='http://etherx.jabber.org/streams'><?xml
# version='1.0'?><stream:stream
# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
# xmlns='jabber:client' from='12jabber.com'>
#
# No mention of my username or password yet, you'll note.
jabber
<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber

28
package/network/utils/iptables/files/l7/msnmessenger.pat Normal file
View File

@@ -0,0 +1,28 @@
# MSN Messenger - Microsoft Network chat client
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually uses TCP port 1863
# http://www.hypothetic.org/docs/msn/index.php
# http://msnpiki.msnfanatic.com/
#
# This pattern has been tested and is believed to work well.
msnmessenger
# First branch: login
# ver: allow versions up to 99.
# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
# Can't anchor at the beginning because sometimes this is encapsulated in
# HTTP. But either way, the first packet ends like this.
# Second/Third branches: accepting/sending a message
# I will assume that these can also be encapsulated in HTTP, although I have
# not checked. Example of each direction:
# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
# USR 1 quadong@hotmail.com 530423708.968145.366138
# Branches are written entirely separately for better performance.
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$

17
package/network/utils/iptables/files/l7/ntp.pat Normal file
View File

@@ -0,0 +1,17 @@
# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
# Pattern attributes: good fast fast overmatch
# Protocol groups: time_synchronization ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/NTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is tested and is believed to work.
# client|server
# Requires the server's timestamp to be in the present or future (of 2005).
# Tested with ntpdate on Linux.
# Assumes version 2, 3 or 4.
# Note that ntp packets are always 48 bytes, so you should match on that too.
ntp
^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])

50
package/network/utils/iptables/files/l7/pop3.pat Normal file
View File

@@ -0,0 +1,50 @@
# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
# Pattern attributes: great veryfast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/POP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested somewhat.
# this is a difficult protocol to match because of the relative lack of
# distinguishing information. Read on.
pop3
# this the most conservative pattern. It should definitely work.
#^(\+ok|-err)
# this pattern assumes that the server says _something_ after +ok or -err
# I think this is probably the way to go.
^(\+ok |-err )
# more that 90% of servers seem to say "pop" after "+ok", but not all.
#^(\+ok .*pop)
# Here's another tack. I think this is my second favorite.
#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
# this matches the server saying "you have N messages that are M bytes",
# which the client probably asks for early in the session (not tested)
#\+ok [0-9]+ [0-9]+
# some sample servers:
# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
# mail.dreamhost.com: +OK Hello there.
# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
# mail.mac.com: +OK Netscape Messaging Multiplexor ready
# various error strings:
#-ERR Invalid command.
#-ERR invalid command
#-ERR unimplemented
#-ERR Invalid command, try one of: USER name, PASS string, QUIT
#-ERR Unknown AUTHORIZATION state command
#-ERR Unrecognized command
#-ERR Unknown command: "sadf'".

40
package/network/utils/iptables/files/l7/smtp.pat Normal file
View File

@@ -0,0 +1,40 @@
# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
# Pattern attributes: great notsofast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SMTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 25
#
# This pattern has been tested and is believed to work well.
# As usual, no text is required after "220", but all known servers have some
# there. It (almost?) always has string "smtp" in it. The RFC examples
# does not, so we match those too, just in case anyone has copied them
# literally.
#
# Some examples:
# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
# 220 mail.ut.caldera.com ESMTP
# 220 persephone.pmail.gen.nz ESMTP server ready.
# 220 smtp1.superb.net ESMTP
# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
# 220-mail.email-scan.com ESMTP
# 220 smaug.dreamhost.com ESMTP
# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
#
# RFC examples:
# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
# 220 dbc.mtview.ca.us SMTP service ready
smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
userspace flags=REG_NOSUB REG_EXTENDED

16
package/network/utils/iptables/files/l7/ssl.pat Normal file
View File

@@ -0,0 +1,16 @@
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
# Pattern attributes: good notsofast fast superset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 443
#
# This is a superset of validcertssl. For it to match, it must be first.
#
# This pattern has been tested and is believed to work well.
ssl
# Server Hello with certificate | Client Hello
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)

23
package/network/utils/iptables/files/l7/vnc.pat Normal file
View File

@@ -0,0 +1,23 @@
# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access
# Wiki: http://www.protocolinfo.org/wiki/VNC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.realvnc.com/documentation.html
#
# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
#
# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
vnc
# Assumes single digit major and minor version numbers
# This message should be all alone in the first packet, so ^$ is appropriate
^rfb 00[1-9]\.00[0-9]\x0a$
# This is a more restrictive version which assumes the version numbers
# are ones actually in existance at the time of this writing, i.e. 3.3,
# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
# slightly faster, but probably not worth the extra maintenance.
# ^rfb 003\.00[3578]\x0a$

371
package/network/utils/iptables/patches/002-layer7_2.22.patch Normal file
View File

@@ -0,0 +1,371 @@
--- /dev/null
+++ b/extensions/libxt_layer7.c
@@ -0,0 +1,368 @@
+/*
+ Shared library add-on to iptables for layer 7 matching support.
+
+ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
+
+ http://l7-filter.sf.net
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+*/
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <dirent.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_layer7.h>
+
+#define MAX_FN_LEN 256
+
+static char l7dir[MAX_FN_LEN] = "\0";
+
+/* Function which prints out usage message. */
+static void help(void)
+{
+ printf(
+ "layer7 match options:\n"
+ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used)\n"
+ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
+}
+
+static const struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .val = 'p' },
+ { .name = "l7dir", .has_arg = 1, .val = 'd' },
+ { .name = NULL }
+};
+
+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
+static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
+{
+ FILE * f;
+ char * line = NULL;
+ size_t len = 0;
+
+ enum { protocol, pattern, done } datatype = protocol;
+
+ f = fopen(filename, "r");
+
+ if(!f)
+ return 0;
+
+ while(getline(&line, &len, f) != -1)
+ {
+ if(strlen(line) < 2 || line[0] == '#')
+ continue;
+
+ /* strip the pesky newline... */
+ if(line[strlen(line) - 1] == '\n')
+ line[strlen(line) - 1] = '\0';
+
+ if(datatype == protocol)
+ {
+ /* Ignore everything on the line beginning with the
+ first space or tab . For instance, this allows the
+ protocol line in http.pat to be "http " (or
+ "http I am so cool") instead of just "http". */
+ if(strchr(line, ' ')){
+ char * space = strchr(line, ' ');
+ space[0] = '\0';
+ }
+ if(strchr(line, '\t')){
+ char * space = strchr(line, '\t');
+ space[0] = '\0';
+ }
+
+ /* sanity check. First non-comment non-blank
+ line must be the same as the file name. */
+ if(strcmp(line, protoname))
+ xtables_error(OTHER_PROBLEM,
+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
+ line, filename);
+
+ if(strlen(line) >= MAX_PROTOCOL_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Protocol name in %s too long!", filename);
+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
+
+ datatype = pattern;
+ }
+ else if(datatype == pattern)
+ {
+ if(strlen(line) >= MAX_PATTERN_LEN)
+ xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
+ strncpy(info->pattern, line, MAX_PATTERN_LEN);
+
+ datatype = done;
+ break;
+ }
+ else
+ xtables_error(OTHER_PROBLEM, "Internal error");
+ }
+
+ if(datatype != done)
+ xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
+
+ if(line) free(line);
+ fclose(f);
+
+ return 1;
+}
+
+static int hex2dec(char c)
+{
+ switch (c)
+ {
+ case '0' ... '9':
+ return c - '0';
+ case 'a' ... 'f':
+ return c - 'a' + 10;
+ case 'A' ... 'F':
+ return c - 'A' + 10;
+ default:
+ xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
+ return 0;
+ }
+}
+
+/* takes a string with \xHH escapes and returns one with the characters
+they stand for */
+static char * pre_process(char * s)
+{
+ char * result = malloc(strlen(s) + 1);
+ int sindex = 0, rrindex = 0;
+ while( sindex < strlen(s) )
+ {
+ if( sindex + 3 < strlen(s) &&
+ s[sindex] == '\\' && s[sindex+1] == 'x' &&
+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
+ {
+ /* carefully remember to call tolower here... */
+ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
+ hex2dec(s[sindex + 3] ) );
+
+ switch ( result[rrindex] )
+ {
+ case 0x24:
+ case 0x28:
+ case 0x29:
+ case 0x2a:
+ case 0x2b:
+ case 0x2e:
+ case 0x3f:
+ case 0x5b:
+ case 0x5c:
+ case 0x5d:
+ case 0x5e:
+ case 0x7c:
+ fprintf(stderr,
+ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
+ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
+ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
+ break;
+ case 0x00:
+ fprintf(stderr,
+ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
+ break;
+ default:
+ break;
+ }
+
+
+ sindex += 3; /* 4 total */
+ }
+ else
+ result[rrindex] = tolower(s[sindex]);
+
+ sindex++;
+ rrindex++;
+ }
+ result[rrindex] = '\0';
+
+ return result;
+}
+
+#define MAX_SUBDIRS 128
+static char ** readl7dir(char * dirname)
+{
+ DIR * scratchdir;
+ struct dirent ** namelist;
+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
+
+ int n, d = 1;
+ subdirs[0] = "";
+
+ n = scandir(dirname, &namelist, 0, alphasort);
+
+ if (n < 0)
+ {
+ perror("scandir");
+ xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
+ }
+ else
+ {
+ while(n--)
+ {
+ char fulldirname[MAX_FN_LEN];
+
+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
+
+ if((scratchdir = opendir(fulldirname)) != NULL)
+ {
+ closedir(scratchdir);
+
+ if(!strcmp(namelist[n]->d_name, ".") ||
+ !strcmp(namelist[n]->d_name, ".."))
+ /* do nothing */ ;
+ else
+ {
+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
+ strcpy(subdirs[d], namelist[n]->d_name);
+ d++;
+ if(d >= MAX_SUBDIRS - 1)
+ {
+ fprintf(stderr,
+ "Too many subdirectories, skipping the rest!\n");
+ break;
+ }
+ }
+ }
+ free(namelist[n]);
+ }
+ free(namelist);
+ }
+
+ subdirs[d] = NULL;
+
+ return subdirs;
+}
+
+static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
+{
+ char filename[MAX_FN_LEN];
+ char * dir = NULL;
+ char ** subdirs;
+ int n = 0, done = 0;
+
+ if(strlen(l7dir) > 0) dir = l7dir;
+ else dir = "/etc/l7-protocols";
+
+ subdirs = readl7dir(dir);
+
+ while(subdirs[n] != NULL)
+ {
+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
+
+ if(c > MAX_FN_LEN)
+ xtables_error(OTHER_PROBLEM,
+ "Filename beginning with %s is too long!\n", filename);
+
+ /* read in the pattern from the file */
+ if(parse_protocol_file(filename, s, info)){
+ done = 1;
+ break;
+ }
+
+ n++;
+ }
+
+ if(!done)
+ xtables_error(OTHER_PROBLEM,
+ "Couldn't find a pattern definition file for %s.\n", s);
+
+ /* process \xHH escapes and tolower everything. (our regex lib has no
+ case insensitivity option.) */
+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_layer7_info *layer7info =
+ (struct xt_layer7_info *)(*match)->data;
+
+ switch (c) {
+ case 'p':
+ parse_layer7_protocol(argv[optind-1], layer7info);
+ if (invert)
+ layer7info->invert = true;
+ *flags = 1;
+ break;
+
+ case 'd':
+ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
+ xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
+
+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
+
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; must have specified --l7proto */
+static void final_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "LAYER7 match: You must specify `--l7proto'");
+}
+
+static void print_protocol(char s[], int invert, int numeric)
+{
+ fputs("l7proto ", stdout);
+ if (invert) fputc('!', stdout);
+ printf("%s ", s);
+}
+
+/* Prints out the matchinfo. */
+static void print(const void *ip,
+ const struct xt_entry_match *match,
+ int numeric)
+{
+ printf("LAYER7 ");
+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
+ ((struct xt_layer7_info *)match->data)->invert, numeric);
+}
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_layer7_info *info =
+ (const struct xt_layer7_info*) match->data;
+
+ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
+}
+
+static struct xtables_match layer7 = {
+ .family = AF_INET,
+ .name = "layer7",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_layer7_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
+ .help = &help,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ xtables_register_match(&layer7);
+}

11
package/network/utils/iptables/patches/009-table-alignment.patch Normal file
View File

@@ -0,0 +1,11 @@
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -69,7 +69,7 @@ static const char *hooknames[] = {
struct ipt_error_target
{
STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
+ char error[FUNCTION_MAXNAMELEN];
};
struct chain_head;

265
package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch Normal file
View File

@@ -0,0 +1,265 @@
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -15,21 +15,6 @@
#include <linux/netfilter/xt_multiport.h>
/* Function which prints out usage message. */
-static void multiport_help(void)
-{
- printf(
-"multiport match options:\n"
-" --source-ports port[,port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port,port]\n"
-" match both source and destination port(s)\n"
-" NOTE: this kernel does not support port ranges in multiport.\n");
-}
-
static void multiport_help_v1(void)
{
printf(
@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
}
}
-static unsigned int
-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
-{
- char *buffer, *cp, *next;
- unsigned int i;
-
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- ports[i] = xtables_parse_port(cp, proto);
- }
- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
- return i;
-}
-
static void
parse_multi_ports_v1(const char *portstring,
struct xt_multiport_v1 *multiinfo,
@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
/* Function which parses command options; returns true if it
ate an option */
static int
-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
- struct xt_entry_match **match, u_int16_t pnum,
- u_int8_t invflags)
-{
- const char *proto;
- struct xt_multiport *multiinfo
- = (struct xt_multiport *)(*match)->data;
-
- switch (c) {
- case '1':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_SOURCE;
- break;
-
- case '2':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- xtables_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- xtables_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-static int
-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *e, struct xt_entry_match **match)
-{
- const struct ipt_entry *entry = e;
- return __multiport_parse(c, argv, invert, flags, match,
- entry->ip.proto, entry->ip.invflags);
-}
-
-static int
-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
- const void *e, struct xt_entry_match **match)
-{
- const struct ip6t_entry *entry = e;
- return __multiport_parse(c, argv, invert, flags, match,
- entry->ipv6.proto, entry->ipv6.invflags);
-}
-
-static int
__multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
struct xt_entry_match **match, u_int16_t pnum,
u_int8_t invflags)
@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
}
/* Prints out the matchinfo. */
-static void
-__multiport_print(const struct xt_entry_match *match, int numeric,
- u_int16_t proto)
-{
- const struct xt_multiport *multiinfo
- = (const struct xt_multiport *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case XT_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case XT_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case XT_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], proto, numeric);
- }
- printf(" ");
-}
-
-static void multiport_print(const void *ip_void,
- const struct xt_entry_match *match, int numeric)
-{
- const struct ipt_ip *ip = ip_void;
- __multiport_print(match, numeric, ip->proto);
-}
-
-static void multiport_print6(const void *ip_void,
- const struct xt_entry_match *match, int numeric)
-{
- const struct ip6t_ip6 *ip = ip_void;
- __multiport_print(match, numeric, ip->proto);
-}
-
static void __multiport_print_v1(const struct xt_entry_match *match,
int numeric, u_int16_t proto)
{
@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void __multiport_save(const struct xt_entry_match *match,
- u_int16_t proto)
-{
- const struct xt_multiport *multiinfo
- = (const struct xt_multiport *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case XT_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case XT_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case XT_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], proto, 1);
- }
- printf(" ");
-}
-
-static void multiport_save(const void *ip_void,
- const struct xt_entry_match *match)
-{
- const struct ipt_ip *ip = ip_void;
- __multiport_save(match, ip->proto);
-}
-
-static void multiport_save6(const void *ip_void,
- const struct xt_entry_match *match)
-{
- const struct ip6t_ip6 *ip = ip_void;
- __multiport_save(match, ip->proto);
-}
-
static void __multiport_save_v1(const struct xt_entry_match *match,
u_int16_t proto)
{
@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
{
.family = NFPROTO_IPV4,
.name = "multiport",
- .revision = 0,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_multiport)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
- .help = multiport_help,
- .parse = multiport_parse,
- .final_check = multiport_check,
- .print = multiport_print,
- .save = multiport_save,
- .extra_opts = multiport_opts,
- },
- {
- .family = NFPROTO_IPV6,
- .name = "multiport",
- .revision = 0,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_multiport)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
- .help = multiport_help,
- .parse = multiport_parse6,
- .final_check = multiport_check,
- .print = multiport_print6,
- .save = multiport_save6,
- .extra_opts = multiport_opts,
- },
- {
- .family = NFPROTO_IPV4,
- .name = "multiport",
.version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),

116
package/network/utils/iptables/patches/011-recent-add-reap.patch Normal file
View File

@@ -0,0 +1,116 @@
From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Mon, 1 Mar 2010 19:00:29 -0700
Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
extensions/libxt_recent.c | 20 ++++++++++++++++++++
extensions/libxt_recent.man | 5 +++++
include/linux/netfilter/xt_recent.h | 7 +++++++
3 files changed, 32 insertions(+), 0 deletions(-)
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -20,6 +20,7 @@ static const struct option recent_opts[]
{.name = "name", .has_arg = true, .val = 208},
{.name = "rsource", .has_arg = false, .val = 209},
{.name = "rdest", .has_arg = false, .val = 210},
+ {.name = "reap", .has_arg = false, .val = 211},
XT_GETOPT_TABLEEND,
};
@@ -37,6 +38,7 @@ static void recent_help(void)
" --hitcount hits For check and update commands above.\n"
" Specifies that the match will only occur if source address seen hits times.\n"
" May be used in conjunction with the seconds option.\n"
+" --reap Remove entries that have expired. Can only be used with --seconds\n"
" --rttl For check and update commands above.\n"
" Specifies that the match will only occur if the source address and the TTL\n"
" match between this packet and the one which was set.\n"
@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
(XT_RECENT_SET | XT_RECENT_CHECK | \
XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+#define XT_RECENT_SECONDS 1 << 31
+
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
case 204:
info->seconds = atoi(optarg);
+ *flags |= XT_RECENT_SECONDS;
break;
case 205:
@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
info->side = XT_RECENT_DEST;
break;
+ case 211:
+ info->check_set |= XT_RECENT_REAP;
+ *flags |= XT_RECENT_REAP;
+ break;
+
default:
return 0;
}
@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
xtables_error(PARAMETER_PROBLEM,
"recent: --rttl may only be used with --rcheck or "
"--update");
+ if ((flags & XT_RECENT_REAP) &&
+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
+ (!(flags & XT_RECENT_SECONDS))))
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --reap may only be used with --rcheck or "
+ "--update and --seconds");
}
static void recent_print(const void *ip, const struct xt_entry_match *match,
@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
printf("side: source ");
if (info->side == XT_RECENT_DEST)
printf("side: dest ");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("reap ");
}
static void recent_save(const void *ip, const struct xt_entry_match *match)
@@ -211,6 +229,8 @@ static void recent_save(const void *ip,
printf("--rsource ");
if (info->side == XT_RECENT_DEST)
printf("--rdest ");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("--reap ");
}
static struct xtables_match recent_mt_reg = {
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
+\fB\-\-reap\fP \fIreap\fP
+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
+since the last packet was received.
+.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -23,6 +23,9 @@ enum {
#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
struct xt_recent_mtinfo {
__u32 seconds;
__u32 hit_count;

18
package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch Normal file
View File

@@ -0,0 +1,18 @@
--- a/xtables.c
+++ b/xtables.c
@@ -305,6 +305,7 @@ static char *get_modprobe(void)
int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
{
+#if 0
char *buf = NULL;
char *argv[4];
int status;
@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname,
free(buf);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
return 0;
+#endif
return -1;
}

92
package/network/utils/iptables/patches/030-no-libnfnetlink.patch Normal file
View File

@@ -0,0 +1,92 @@
--- a/configure
+++ b/configure
@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
fi
fi
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
-$as_echo_n "checking for libnfnetlink... " >&6; }
-
-if test -n "$libnfnetlink_CFLAGS"; then
- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-if test -n "$libnfnetlink_LIBS"; then
- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
- _pkg_short_errors_supported=yes
-else
- _pkg_short_errors_supported=no
-fi
- if test $_pkg_short_errors_supported = yes; then
- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
- else
- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
- fi
- # Put the nasty error message in config.log where it belongs
- echo "$libnfnetlink_PKG_ERRORS" >&5
-
- nfnetlink=0
-elif test $pkg_failed = untried; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- nfnetlink=0
-else
- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- nfnetlink=1
-fi
- if test "$nfnetlink" = 1; then
+if false; then
HAVE_LIBNFNETLINK_TRUE=
HAVE_LIBNFNETLINK_FALSE='#'
else
--- a/configure.ac
+++ b/configure.ac
@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
- [nfnetlink=1], [nfnetlink=0])
-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
regular_CFLAGS="${largefile_cflags} \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \

16
package/network/utils/iptables/patches/100-bash-location.patch Normal file
View File

@@ -0,0 +1,16 @@
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
autoreconf -fi;
rm -Rf autom4te*.cache;
--- a/iptables-apply
+++ b/iptables-apply
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
#
# iptables-apply -- a safer way to update iptables remotely
#

12
package/network/utils/iptables/patches/110-linux_3.2_compat.patch Normal file
View File

@@ -0,0 +1,12 @@
--- iptables-1.4.10/include/linux/types.h.orig 2011-11-07 00:08:33.000000000 +0100
+++ iptables-1.4.10/include/linux/types.h 2011-11-07 00:09:25.000000000 +0100
@@ -34,5 +34,9 @@
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
+#define __aligned_u64 __u64 __attribute__((aligned(8)))
+#define __aligned_be64 __be64 __attribute__((aligned(8)))
+#define __aligned_le64 __le64 __attribute__((aligned(8)))
+
#endif /* __ASSEMBLY__ */
#endif /* _LINUX_TYPES_H */

56
package/network/utils/iptables/patches/200-configurable_builtin.patch Normal file
View File

@@ -0,0 +1,56 @@
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -40,9 +40,24 @@
pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+
+ifdef BUILTIN_MODULES
+pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
+pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
+pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
+else
+@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
+@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
+@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
+endif
+
+pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
+pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
+pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
+
+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
@@ -54,10 +69,10 @@
targets := libext4.a libext6.a matches4.man matches6.man \
targets4.man targets6.man
targets_install :=
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+libext4_objs := ${pfx_objs} ${pf4_objs}
+libext6_objs := ${pfx_objs} ${pf6_objs}
+targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
.SECONDARY:
@@ -107,8 +122,8 @@
libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
-initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
+initext_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
+initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
.initext4.dd: FORCE
@echo "${initext_func}" >$@.tmp; \