[ptxdist] [PATCH 1/5] iptables: bump version to 1.6.0 and update compile switches

[ptxdist] [PATCH 1/5] iptables: bump version to 1.6.0 and update compile switches

[Andreas Geisenhainer]

    - since iptables 1.6.0 depends on libnftnl, this patchset adds support
      for nftables, too.
      nftables should be used on sufficient new kernel, somewhere around 4.2
      should be ok.
    - new libraries to resolv dependencies are
      - libnftnl
      - libmnl

Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
---
 rules/iptables.in   | 18 ++++++++++++++++++
 rules/iptables.make | 47 +++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..6e4bc91 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -7,6 +7,7 @@ menuconfig IPTABLES
 	select LIBC_M
 	select LIBC_DL
 	select GCCLIBS_GCC_S
+	select LIBNFTNL
 	select LIBNFNETLINK if IPTABLES_LIBNFNETLINK
 	help
 	  Iptables  is used to set up, maintain, and inspect the
@@ -32,6 +33,16 @@ config IPTABLES_LIBIPQ
 	  Builds and installs libipq (the iptables userspace packet
 	  queuing library).
 
+config IPTABLES_BPF_COMPILE
+	bool
+    prompt "install BPF_compile"
+	help
+	  Enable for the Berkeley Packet Filter(BPF) compile helper program.
+
+config IPTABLES_NFSYNPROXY
+	bool
+    prompt "install nfsynproxy"
+
 config IPTABLES_INSTALL_TOOLS
 	bool "install executables"
 	help
@@ -61,4 +72,11 @@ config IPTABLES_LIBNFNETLINK
 	help
 	  Select if iptables should be build against libnfnetlink
 
+config IPTABLES_NFTABLES_COMPAT
+	bool
+	select NFTABLES
+	prompt "nftables compat"
+	help
+	  build with nftables compability support
+
 endif
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..90df197 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -4,6 +4,8 @@
 #               2007 by Carsten Schlote, konzeptpark
 #               2008 by Juergen Beisert
 #               2009 by Marc Kleine-Budde <mkl@pengutronix.de>
+#               2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
+#
 #
 # See CREDITS for details about who has contributed to this project.
 #
@@ -19,8 +21,8 @@ PACKAGES-$(PTXCONF_IPTABLES) += iptables
 #
 # Paths and names
 #
-IPTABLES_VERSION	:= 1.4.21
-IPTABLES_MD5		:= 536d048c8e8eeebcd9757d0863ebb0c0
+IPTABLES_VERSION	:= 1.6.0
+IPTABLES_MD5		:= 27ba3451cb622467fc9267a176f19a31
 IPTABLES		:= iptables-$(IPTABLES_VERSION)
 IPTABLES_SUFFIX		:= tar.bz2
 IPTABLES_URL		:= http://ftp.netfilter.org/pub/iptables/$(IPTABLES).$(IPTABLES_SUFFIX)
@@ -43,12 +45,15 @@ IPTABLES_CONF_OPT	:= \
 	$(GLOBAL_LARGE_FILE_OPTION) \
 	--enable-devel \
 	--$(call ptx/endis, PTXCONF_IPTABLES_LIBIPQ)-libipq \
+	--$(call ptx/endis, PTXCONF_IPTABLES_BPF_COMPILE)-bpf-compiler \
+	--$(call ptx/endis, PTXCONF_IPTABLES_NFTABLES_COMPAT)-nftables \
+	--$(call ptx/endis, PTXCONF_IPTABLES_NFSYNPROXY)-nfsynproxy \
 	--with-kernel=$(KERNEL_HEADERS_DIR) \
 	--with-xtlibdir=/usr/lib
 
-## broken configure.ac, so setting these would _enable_ the options:
-#	--disable-bpf-compiler
-#	--disable-nfsynproxy
+# static build is possible, but probably not useful. expand with:
+#	--enable-static --disable-shared
+
 
 # ----------------------------------------------------------------------------
 # Install
@@ -110,8 +115,8 @@ endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_TOOLS
 	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/xtables-multi)
-
 	@$(call install_link, iptables, ../sbin/xtables-multi, /usr/bin/iptables-xml)
+	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfnl_osf)
 
 ifdef PTXCONF_IPTABLES_IPV6
 # 	# IPv6 part
@@ -132,6 +137,36 @@ ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
 	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/iptables-apply)
 endif
 
+#	#  nftables compability layer
+ifdef PTXCONF_IPTABLES_NFTABLES_COMPAT
+	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/xtables-compat-multi)
+
+ifdef PTXCONF_IPTABLES_IPV4
+# 	# IPv4 part
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat)
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat-save)
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat-restore)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV6
+# 	# IPv6 part
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat)
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat-save)
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat-restore)
+endif
+
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/arptables-compat)
+	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ebtables-compat)
+endif
+
+ifdef PTXCONF_IPTABLES_NFSYNPROXY
+	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfsynproxy)
+endif
+
+ifdef PTXCONF_IPTABLES_BPF_COMPILE
+	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfbpf_compile)
+endif
+
 	@$(call install_finish, iptables)
 
 	@$(call touch)
-- 
2.8.0.rc3

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6071 dated 06.04.2016
Virus news: www.antiviruslab.com.

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 2/5] libnfnetlink: bump version to 1.01

[Andreas Geisenhainer]

Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
---
 rules/libnfnetlink.in   | 1 -
 rules/libnfnetlink.make | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/libnfnetlink.in b/rules/libnfnetlink.in
index 8684131..91e68a5 100644
--- a/rules/libnfnetlink.in
+++ b/rules/libnfnetlink.in
@@ -12,4 +12,3 @@ config LIBNFNETLINK
           This library is not meant as a public API for application
           developers. It is only used by other netfilter.org projects,
           such as libnetfilter_log,
-
diff --git a/rules/libnfnetlink.make b/rules/libnfnetlink.make
index bde7316..a9fc6e1 100644
--- a/rules/libnfnetlink.make
+++ b/rules/libnfnetlink.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBNFNETLINK) += libnfnetlink
 #
 # Paths and names
 #
-LIBNFNETLINK_VERSION	:= 1.0.0
-LIBNFNETLINK_MD5	:= 016fdec8389242615024c529acc1adb8
+LIBNFNETLINK_VERSION	:= 1.0.1
+LIBNFNETLINK_MD5	:= 98927583d2016a9fb1936fed992e2c5e
 LIBNFNETLINK		:= libnfnetlink-$(LIBNFNETLINK_VERSION)
 LIBNFNETLINK_SUFFIX	:= tar.bz2
 LIBNFNETLINK_URL		:= http://ftp.netfilter.org/pub/libnfnetlink/$(LIBNFNETLINK).$(LIBNFNETLINK_SUFFIX)
-- 
2.8.0.rc3

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6071 dated 06.04.2016
Virus news: www.antiviruslab.com.

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 3/5] libnftnl: resolves new dependency on libnftnl by iptables

[Andreas Geisenhainer]

Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
---
 rules/libnftnl.in   | 26 +++++++++++++++++++++++++
 rules/libnftnl.make | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 rules/libnftnl.in
 create mode 100644 rules/libnftnl.make

diff --git a/rules/libnftnl.in b/rules/libnftnl.in
new file mode 100644
index 0000000..190e645
--- /dev/null
+++ b/rules/libnftnl.in
@@ -0,0 +1,26 @@
+## SECTION=networking
+
+menuconfig LIBNFTNL
+	tristate
+	select LIBMXML if LIBNFTNL_XML
+	select JANSSON if LIBNFTNL_JSON
+	prompt "libnftnl      "
+	help
+		libnftnl is a userspace library providing a low-level netlink
+		programming interface (API) to the in-kernel nf_tables subsystem.
+		The library libnftnl has been previously known as libnftables.
+		This library is currently used by nftables.
+
+if LIBNFTNL
+
+config LIBNFTNL_XML
+	bool
+    depends on LIBNFTNL
+	prompt "XML parsing support     "
+
+config LIBNFTNL_JSON
+	bool
+    depends on LIBNFTNL
+	prompt "JSON parsing support     "
+
+endif
diff --git a/rules/libnftnl.make b/rules/libnftnl.make
new file mode 100644
index 0000000..614c1ef
--- /dev/null
+++ b/rules/libnftnl.make
@@ -0,0 +1,56 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBNFTNL) += libnftnl
+
+#
+# Paths and names
+#
+LIBNFTNL_VERSION	:= 1.0.5
+LIBNFTNL_MD5	:= af0c62ce6bbd7a7d39def0996c1c17c9
+LIBNFTNL		:= libnftnl-$(LIBNFTNL_VERSION)
+LIBNFTNL_SUFFIX	:= tar.bz2
+LIBNFTNL_URL		:= http://ftp.netfilter.org/pub/libnftnl/$(LIBNFTNL).$(LIBNFTNL_SUFFIX)
+LIBNFTNL_SOURCE	:= $(SRCDIR)/$(LIBNFTNL).$(LIBNFTNL_SUFFIX)
+LIBNFTNL_DIR		:= $(BUILDDIR)/$(LIBNFTNL)
+LIBNFTNL_LICENSE	:= GPL2
+
+#
+# autoconf
+#
+LIBNFTNL_CONF_TOOL	:= autoconf
+LIBNFTNL_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--$(call ptx/wwo, PTXCONF_LIBNFTNL_XML)-xml-parsing \
+	--$(call ptx/wwo, PTXCONF_LIBNFTNL_JSON)-json-parsing
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libnftnl.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libnftnl)
+	@$(call install_fixup, libnftnl,PRIORITY,optional)
+	@$(call install_fixup, libnftnl,SECTION,base)
+	@$(call install_fixup, libnftnl,AUTHOR,"Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>")
+	@$(call install_fixup, libnftnl,DESCRIPTION,missing)
+
+	@$(call install_lib, libnftnl, 0, 0, 0644, libnftnl)
+
+	@$(call install_finish, libnftnl)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.8.0.rc3

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6071 dated 06.04.2016
Virus news: www.antiviruslab.com.

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 4/5] nftables: adds new package nftables in version 0.5

[Andreas Geisenhainer]

Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
---
 rules/nftables.in   | 35 ++++++++++++++++++++++++++++++
 rules/nftables.make | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 rules/nftables.in
 create mode 100644 rules/nftables.make

diff --git a/rules/nftables.in b/rules/nftables.in
new file mode 100644
index 0000000..630530f
--- /dev/null
+++ b/rules/nftables.in
@@ -0,0 +1,35 @@
+## SECTION=networking
+
+menuconfig NFTABLES
+	tristate
+	prompt "nftables                    "
+	select LIBGMP if !NFTABLES_MGMP
+    select READLINE
+	select LIBMNL
+	select LIBNFTNL
+	help
+	  nftables is the project that aims to replace the existing
+	  {ip,ip6,arp,eb}tables framework. Basically, this project provides
+	  a new packet filtering framework, a new userspace utility and also
+	  a compatibility layer for {ip,ip6}tables. nftables is built upon
+	  the building blocks of the Netfilter infrastructure such as the
+	  existing hooks, the connection tracking system, the userspace
+	  queueing component and the logging subsystem.
+	  Don't forget to enable nf_tables in kernel.
+
+if NFTABLES
+
+config NFTABLES_DEBUG
+    bool
+    default y
+    prompt "enable debug"
+
+# broken in v0.5 (seems to be fixed some time after)
+# config NFTABLES_MGMP
+# 	bool
+# 	prompt "use mini-GMP"
+# 	help
+# 	  use the nftables build-in mini-GMP instead of linking to the shared
+# 	  libgmp. (may reduce debugging verbosity on some files)
+
+endif
diff --git a/rules/nftables.make b/rules/nftables.make
new file mode 100644
index 0000000..f5c94f1
--- /dev/null
+++ b/rules/nftables.make
@@ -0,0 +1,62 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_NFTABLES) += nftables
+
+#
+# Paths and names
+#
+NFTABLES_VERSION	:= 0.5
+NFTABLES_MD5		:= 94bfe1c54bcb9f6ed974835f2fca8069
+NFTABLES		:= nftables-$(NFTABLES_VERSION)
+NFTABLES_SUFFIX		:= tar.bz2
+NFTABLES_URL		:= http://ftp.netfilter.org/pub/nftables/$(NFTABLES).$(NFTABLES_SUFFIX)
+NFTABLES_SOURCE		:= $(SRCDIR)/$(NFTABLES).$(NFTABLES_SUFFIX)
+NFTABLES_DIR		:= $(BUILDDIR)/$(NFTABLES)
+NFTABLES_LICENSE	:= GPL-2.0
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# autoconf
+#
+NFTABLES_CONF_TOOL	:= autoconf
+NFTABLES_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--$(call ptx/endis, PTXCONF_NFTABLES_DEBUG)-debug
+
+# broken in v0.5 (mini-gmp.h missing), seems to be fixed in newer releases
+#	--$(call ptx/wwo, PTXCONF_NFTABLES_MGMP)-mini-gmp
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/nftables.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, nftables)
+	@$(call install_fixup, nftables,PRIORITY,optional)
+	@$(call install_fixup, nftables,SECTION,base)
+	@$(call install_fixup, nftables,AUTHOR,"Andreas Geisenhainer <andreas.geisenhainer@atsonline.de")
+	@$(call install_fixup, nftables,DESCRIPTION,missing)
+
+	@$(call install_copy, nftables, 0, 0, 0755, $(NFTABLES_DIR)/src/nft, /usr/sbin/nft)
+
+	@$(call install_finish, nftables)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.8.0.rc3

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6071 dated 06.04.2016
Virus news: www.antiviruslab.com.

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 5/5] libmnl: resolvs dependency to libmnl by nftables by adding libmnl-package

[Andreas Geisenhainer]

Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
---
 rules/libmnl.in   | 11 +++++++++++
 rules/libmnl.make | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 rules/libmnl.in
 create mode 100644 rules/libmnl.make

diff --git a/rules/libmnl.in b/rules/libmnl.in
new file mode 100644
index 0000000..aa71e5d
--- /dev/null
+++ b/rules/libmnl.in
@@ -0,0 +1,11 @@
+## SECTION=networking
+
+config LIBMNL
+	bool
+	prompt "libmnl"
+	help
+		libmnl is a minimalistic user-space library oriented to Netlink
+		developers. There are a lot of common tasks in parsing, validating,
+		constructing of both the Netlink header and TLVs that are repetitive
+		and easy to get wrong. This library aims to provide simple helpers
+		that allows you to re-use code and to avoid re-inventing the wheel.
diff --git a/rules/libmnl.make b/rules/libmnl.make
new file mode 100644
index 0000000..95f68d1
--- /dev/null
+++ b/rules/libmnl.make
@@ -0,0 +1,52 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBMNL) += libmnl
+
+#
+# Paths and names
+#
+LIBMNL_VERSION	:= 1.0.3
+LIBMNL_MD5	:= 7d95fc3bea3365bc03c48e484224f65f
+LIBMNL		:= libmnl-$(LIBMNL_VERSION)
+LIBMNL_SUFFIX	:= tar.bz2
+LIBMNL_URL		:= http://ftp.netfilter.org/pub/libmnl/$(LIBMNL).$(LIBMNL_SUFFIX)
+LIBMNL_SOURCE	:= $(SRCDIR)/$(LIBMNL).$(LIBMNL_SUFFIX)
+LIBMNL_DIR		:= $(BUILDDIR)/$(LIBMNL)
+LIBMNL_LICENSE	:= GPL2
+
+#
+# autoconf
+#
+LIBMNL_CONF_TOOL	:= autoconf
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libmnl.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libmnl)
+	@$(call install_fixup, libmnl,PRIORITY,optional)
+	@$(call install_fixup, libmnl,SECTION,base)
+	@$(call install_fixup, libmnl,AUTHOR,"Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>")
+	@$(call install_fixup, libmnl,DESCRIPTION,missing)
+
+	@$(call install_lib, libmnl, 0, 0, 0644, libmnl)
+
+	@$(call install_finish, libmnl)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.8.0.rc3

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6071 dated 06.04.2016
Virus news: www.antiviruslab.com.

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 1/5] iptables: bump version to 1.6.0 and update compile switches

[Michael Olbrich]

On Wed, Apr 06, 2016 at 05:20:23PM +0200, Andreas Geisenhainer wrote:
>     - since iptables 1.6.0 depends on libnftnl, this patchset adds support
>       for nftables, too.
>       nftables should be used on sufficient new kernel, somewhere around 4.2
>       should be ok.
>     - new libraries to resolv dependencies are
>       - libnftnl
>       - libmnl
> 
> Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
> ---
>  rules/iptables.in   | 18 ++++++++++++++++++
>  rules/iptables.make | 47 +++++++++++++++++++++++++++++++++++++++++------
>  2 files changed, 59 insertions(+), 6 deletions(-)
> 
> diff --git a/rules/iptables.in b/rules/iptables.in
> index e6f3699..6e4bc91 100644
> --- a/rules/iptables.in
> +++ b/rules/iptables.in
> @@ -7,6 +7,7 @@ menuconfig IPTABLES
>  	select LIBC_M
>  	select LIBC_DL
>  	select GCCLIBS_GCC_S
> +	select LIBNFTNL

Please reorder your patches so libnftnl is actually available.

>  	select LIBNFNETLINK if IPTABLES_LIBNFNETLINK
>  	help
>  	  Iptables  is used to set up, maintain, and inspect the
> @@ -32,6 +33,16 @@ config IPTABLES_LIBIPQ
>  	  Builds and installs libipq (the iptables userspace packet
>  	  queuing library).
>  
> +config IPTABLES_BPF_COMPILE
> +	bool
> +    prompt "install BPF_compile"

Maybe we could enable this unconditionally? I guessing the binary will be
rather small and this doesn't introduce any new external dependencies.

> +	help
> +	  Enable for the Berkeley Packet Filter(BPF) compile helper program.
> +
> +config IPTABLES_NFSYNPROXY
> +	bool
> +    prompt "install nfsynproxy"

Same here. What's this for anyways?

> +
>  config IPTABLES_INSTALL_TOOLS
>  	bool "install executables"
>  	help
> @@ -61,4 +72,11 @@ config IPTABLES_LIBNFNETLINK
>  	help
>  	  Select if iptables should be build against libnfnetlink
>  
> +config IPTABLES_NFTABLES_COMPAT
> +	bool
> +	select NFTABLES
> +	prompt "nftables compat"
> +	help
> +	  build with nftables compability support
> +
>  endif
> diff --git a/rules/iptables.make b/rules/iptables.make
> index 8a1ea66..90df197 100644
> --- a/rules/iptables.make
> +++ b/rules/iptables.make
> @@ -4,6 +4,8 @@
>  #               2007 by Carsten Schlote, konzeptpark
>  #               2008 by Juergen Beisert
>  #               2009 by Marc Kleine-Budde <mkl@pengutronix.de>
> +#               2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
> +#
>  #
>  # See CREDITS for details about who has contributed to this project.
>  #
> @@ -19,8 +21,8 @@ PACKAGES-$(PTXCONF_IPTABLES) += iptables
>  #
>  # Paths and names
>  #
> -IPTABLES_VERSION	:= 1.4.21
> -IPTABLES_MD5		:= 536d048c8e8eeebcd9757d0863ebb0c0
> +IPTABLES_VERSION	:= 1.6.0
> +IPTABLES_MD5		:= 27ba3451cb622467fc9267a176f19a31
>  IPTABLES		:= iptables-$(IPTABLES_VERSION)
>  IPTABLES_SUFFIX		:= tar.bz2
>  IPTABLES_URL		:= http://ftp.netfilter.org/pub/iptables/$(IPTABLES).$(IPTABLES_SUFFIX)
> @@ -43,12 +45,15 @@ IPTABLES_CONF_OPT	:= \
>  	$(GLOBAL_LARGE_FILE_OPTION) \
>  	--enable-devel \
>  	--$(call ptx/endis, PTXCONF_IPTABLES_LIBIPQ)-libipq \
> +	--$(call ptx/endis, PTXCONF_IPTABLES_BPF_COMPILE)-bpf-compiler \
> +	--$(call ptx/endis, PTXCONF_IPTABLES_NFTABLES_COMPAT)-nftables \
> +	--$(call ptx/endis, PTXCONF_IPTABLES_NFSYNPROXY)-nfsynproxy \

Make sure --disable-* works correctly now. Otherwise you need to use:
	$(call ptx/ifdef, PTXCONF_IPTABLES_...,--enable-...)

>  	--with-kernel=$(KERNEL_HEADERS_DIR) \
>  	--with-xtlibdir=/usr/lib
>  
> -## broken configure.ac, so setting these would _enable_ the options:
> -#	--disable-bpf-compiler
> -#	--disable-nfsynproxy
> +# static build is possible, but probably not useful. expand with:
> +#	--enable-static --disable-shared

No need to comment on shared/static options. It's the same for everything.

Michael

> +
>  
>  # ----------------------------------------------------------------------------
>  # Install
> @@ -110,8 +115,8 @@ endif
>  
>  ifdef PTXCONF_IPTABLES_INSTALL_TOOLS
>  	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/xtables-multi)
> -
>  	@$(call install_link, iptables, ../sbin/xtables-multi, /usr/bin/iptables-xml)
> +	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfnl_osf)
>  
>  ifdef PTXCONF_IPTABLES_IPV6
>  # 	# IPv6 part
> @@ -132,6 +137,36 @@ ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
>  	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/iptables-apply)
>  endif
>  
> +#	#  nftables compability layer
> +ifdef PTXCONF_IPTABLES_NFTABLES_COMPAT
> +	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/xtables-compat-multi)
> +
> +ifdef PTXCONF_IPTABLES_IPV4
> +# 	# IPv4 part
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat)
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat-save)
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/iptables-compat-restore)
> +endif
> +
> +ifdef PTXCONF_IPTABLES_IPV6
> +# 	# IPv6 part
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat)
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat-save)
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ip6tables-compat-restore)
> +endif
> +
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/arptables-compat)
> +	@$(call install_link, iptables, xtables-compat-multi, /usr/sbin/ebtables-compat)
> +endif
> +
> +ifdef PTXCONF_IPTABLES_NFSYNPROXY
> +	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfsynproxy)
> +endif
> +
> +ifdef PTXCONF_IPTABLES_BPF_COMPILE
> +	@$(call install_copy, iptables, 0, 0, 0755, -, /usr/sbin/nfbpf_compile)
> +endif
> +
>  	@$(call install_finish, iptables)
>  
>  	@$(call touch)
> -- 
> 2.8.0.rc3
> 
> ____________
> Virus checked by G Data MailSecurity
> Version: AVA 25.6071 dated 06.04.2016
> Virus news: www.antiviruslab.com.
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 3/5] libnftnl: resolves new dependency on libnftnl by iptables

[Michael Olbrich]

On Wed, Apr 06, 2016 at 05:20:25PM +0200, Andreas Geisenhainer wrote:
> Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
> ---
>  rules/libnftnl.in   | 26 +++++++++++++++++++++++++
>  rules/libnftnl.make | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 82 insertions(+)
>  create mode 100644 rules/libnftnl.in
>  create mode 100644 rules/libnftnl.make
> 
> diff --git a/rules/libnftnl.in b/rules/libnftnl.in
> new file mode 100644
> index 0000000..190e645
> --- /dev/null
> +++ b/rules/libnftnl.in
> @@ -0,0 +1,26 @@
> +## SECTION=networking
> +
> +menuconfig LIBNFTNL
> +	tristate
> +	select LIBMXML if LIBNFTNL_XML
> +	select JANSSON if LIBNFTNL_JSON
> +	prompt "libnftnl      "
> +	help
> +		libnftnl is a userspace library providing a low-level netlink
> +		programming interface (API) to the in-kernel nf_tables subsystem.
> +		The library libnftnl has been previously known as libnftables.
> +		This library is currently used by nftables.
> +
> +if LIBNFTNL
> +
> +config LIBNFTNL_XML
> +	bool
> +    depends on LIBNFTNL

Indent with <tab>.

> +	prompt "XML parsing support     "

No spaces at the end of the prompt. That is only used to align the '-->'
for 'menuconfig'.

> +
> +config LIBNFTNL_JSON
> +	bool
> +    depends on LIBNFTNL

Same here.

> +	prompt "JSON parsing support     "

Same here.

> +
> +endif
> diff --git a/rules/libnftnl.make b/rules/libnftnl.make
> new file mode 100644
> index 0000000..614c1ef
> --- /dev/null
> +++ b/rules/libnftnl.make
> @@ -0,0 +1,56 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBNFTNL) += libnftnl
> +
> +#
> +# Paths and names
> +#
> +LIBNFTNL_VERSION	:= 1.0.5
> +LIBNFTNL_MD5	:= af0c62ce6bbd7a7d39def0996c1c17c9
> +LIBNFTNL		:= libnftnl-$(LIBNFTNL_VERSION)
> +LIBNFTNL_SUFFIX	:= tar.bz2
> +LIBNFTNL_URL		:= http://ftp.netfilter.org/pub/libnftnl/$(LIBNFTNL).$(LIBNFTNL_SUFFIX)
> +LIBNFTNL_SOURCE	:= $(SRCDIR)/$(LIBNFTNL).$(LIBNFTNL_SUFFIX)
> +LIBNFTNL_DIR		:= $(BUILDDIR)/$(LIBNFTNL)
> +LIBNFTNL_LICENSE	:= GPL2

Use the SPDX identifier: GPL-2.0

Michael

> +
> +#
> +# autoconf
> +#
> +LIBNFTNL_CONF_TOOL	:= autoconf
> +LIBNFTNL_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--$(call ptx/wwo, PTXCONF_LIBNFTNL_XML)-xml-parsing \
> +	--$(call ptx/wwo, PTXCONF_LIBNFTNL_JSON)-json-parsing
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libnftnl.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libnftnl)
> +	@$(call install_fixup, libnftnl,PRIORITY,optional)
> +	@$(call install_fixup, libnftnl,SECTION,base)
> +	@$(call install_fixup, libnftnl,AUTHOR,"Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>")
> +	@$(call install_fixup, libnftnl,DESCRIPTION,missing)
> +
> +	@$(call install_lib, libnftnl, 0, 0, 0644, libnftnl)
> +
> +	@$(call install_finish, libnftnl)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> -- 
> 2.8.0.rc3
> 
> ____________
> Virus checked by G Data MailSecurity
> Version: AVA 25.6071 dated 06.04.2016
> Virus news: www.antiviruslab.com.
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 4/5] nftables: adds new package nftables in version 0.5

[Michael Olbrich]

On Wed, Apr 06, 2016 at 05:20:26PM +0200, Andreas Geisenhainer wrote:
> Signed-off-by: Andreas Geisenhainer <Andreas.Geisenhainer@atsonline.de>
> ---
>  rules/nftables.in   | 35 ++++++++++++++++++++++++++++++
>  rules/nftables.make | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 97 insertions(+)
>  create mode 100644 rules/nftables.in
>  create mode 100644 rules/nftables.make
> 
> diff --git a/rules/nftables.in b/rules/nftables.in
> new file mode 100644
> index 0000000..630530f
> --- /dev/null
> +++ b/rules/nftables.in
> @@ -0,0 +1,35 @@
> +## SECTION=networking
> +
> +menuconfig NFTABLES
> +	tristate
> +	prompt "nftables                    "
> +	select LIBGMP if !NFTABLES_MGMP
> +    select READLINE

Indent with <tab>

> +	select LIBMNL
> +	select LIBNFTNL
> +	help
> +	  nftables is the project that aims to replace the existing
> +	  {ip,ip6,arp,eb}tables framework. Basically, this project provides
> +	  a new packet filtering framework, a new userspace utility and also
> +	  a compatibility layer for {ip,ip6}tables. nftables is built upon
> +	  the building blocks of the Netfilter infrastructure such as the
> +	  existing hooks, the connection tracking system, the userspace
> +	  queueing component and the logging subsystem.
> +	  Don't forget to enable nf_tables in kernel.
> +
> +if NFTABLES
> +
> +config NFTABLES_DEBUG
> +    bool
> +    default y
> +    prompt "enable debug"
> +
> +# broken in v0.5 (seems to be fixed some time after)
> +# config NFTABLES_MGMP
> +# 	bool
> +# 	prompt "use mini-GMP"
> +# 	help
> +# 	  use the nftables build-in mini-GMP instead of linking to the shared
> +# 	  libgmp. (may reduce debugging verbosity on some files)


add the option normally and then add:

	# broken in v0.5 (seems to be fixed some time after)
	depends on BROKEN

> +
> +endif
> diff --git a/rules/nftables.make b/rules/nftables.make
> new file mode 100644
> index 0000000..f5c94f1
> --- /dev/null
> +++ b/rules/nftables.make
> @@ -0,0 +1,62 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2016 by Andreas Geisenhainer <andreas.geisenhainer@atsonline.de>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_NFTABLES) += nftables
> +
> +#
> +# Paths and names
> +#
> +NFTABLES_VERSION	:= 0.5
> +NFTABLES_MD5		:= 94bfe1c54bcb9f6ed974835f2fca8069
> +NFTABLES		:= nftables-$(NFTABLES_VERSION)
> +NFTABLES_SUFFIX		:= tar.bz2
> +NFTABLES_URL		:= http://ftp.netfilter.org/pub/nftables/$(NFTABLES).$(NFTABLES_SUFFIX)
> +NFTABLES_SOURCE		:= $(SRCDIR)/$(NFTABLES).$(NFTABLES_SUFFIX)
> +NFTABLES_DIR		:= $(BUILDDIR)/$(NFTABLES)
> +NFTABLES_LICENSE	:= GPL-2.0
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# autoconf
> +#
> +NFTABLES_CONF_TOOL	:= autoconf
> +NFTABLES_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--$(call ptx/endis, PTXCONF_NFTABLES_DEBUG)-debug
> +
> +# broken in v0.5 (mini-gmp.h missing), seems to be fixed in newer releases
> +#	--$(call ptx/wwo, PTXCONF_NFTABLES_MGMP)-mini-gmp

Just add it normally. It will always generate 'without' for now.

> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/nftables.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, nftables)
> +	@$(call install_fixup, nftables,PRIORITY,optional)
> +	@$(call install_fixup, nftables,SECTION,base)
> +	@$(call install_fixup, nftables,AUTHOR,"Andreas Geisenhainer <andreas.geisenhainer@atsonline.de")
> +	@$(call install_fixup, nftables,DESCRIPTION,missing)
> +
> +	@$(call install_copy, nftables, 0, 0, 0755, $(NFTABLES_DIR)/src/nft, /usr/sbin/nft)

Don't use NFTABLES_DIR here. "make install" should produce something useful
in the install stage.

Michael

> +
> +	@$(call install_finish, nftables)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> -- 
> 2.8.0.rc3
> 
> ____________
> Virus checked by G Data MailSecurity
> Version: AVA 25.6071 dated 06.04.2016
> Virus news: www.antiviruslab.com.
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 1/5] iptables: bump version to 1.6.0 and updatecompile switches

[Andreas Geisenhainer]

Hello Michael.

On 07/04/16 12:55 PM, Michael Olbrich wrote:
> On Wed, Apr 06, 2016 at 05:20:23PM +0200, Andreas Geisenhainer wrote:
>> @@ -7,6 +7,7 @@ menuconfig IPTABLES
>>   	select LIBC_M
>>   	select LIBC_DL
>>   	select GCCLIBS_GCC_S
>> +	select LIBNFTNL
> Please reorder your patches so libnftnl is actually available.

Oh, i see. I didn't think about treating each commit as
separate entity.

>> +config IPTABLES_BPF_COMPILE
>> +	bool
>> +    prompt "install BPF_compile"
> Maybe we could enable this unconditionally? I guessing the binary will be
> rather small and this doesn't introduce any new external dependencies.
>
>> +	help
>> +	  Enable for the Berkeley Packet Filter(BPF) compile helper program.
>> +
>> +config IPTABLES_NFSYNPROXY
>> +	bool
>> +    prompt "install nfsynproxy"
> Same here. What's this for anyways?

I have no clue, but i assumed there could be some use for it.
And going with the safe option, I created kconfig selections for
them. There are three tool (nfbpf_compile, nfnl_osf, nfsynproxy),
together these are less than 100kB of data. It should be safe
to just install them.
On the other hand: nobody seemed to miss them for the 1.4.21 release …


>> @@ -43,12 +45,15 @@ IPTABLES_CONF_OPT	:= \
>>   	$(GLOBAL_LARGE_FILE_OPTION) \
>>   	--enable-devel \
>>   	--$(call ptx/endis, PTXCONF_IPTABLES_LIBIPQ)-libipq \
>> +	--$(call ptx/endis, PTXCONF_IPTABLES_BPF_COMPILE)-bpf-compiler \
>> +	--$(call ptx/endis, PTXCONF_IPTABLES_NFTABLES_COMPAT)-nftables \
>> +	--$(call ptx/endis, PTXCONF_IPTABLES_NFSYNPROXY)-nfsynproxy \
> Make sure --disable-* works correctly now. Otherwise you need to use:
> 	$(call ptx/ifdef, PTXCONF_IPTABLES_...,--enable-...)

I tested the enable/disable versions for bpf-compile and nfsynproxy, they
seemed to work. Disabling them, stated the correct option after 
configuration
and it did not build the corresponding binary.

I just double checked. The nftables support does work as advertised.
Disabling it, does not build the "xtables-compat-multi" binary.
I paraphrased the help text.

>>   	--with-kernel=$(KERNEL_HEADERS_DIR) \
>>   	--with-xtlibdir=/usr/lib
>>   
>> -## broken configure.ac, so setting these would _enable_ the options:
>> -#	--disable-bpf-compiler
>> -#	--disable-nfsynproxy
>> +# static build is possible, but probably not useful. expand with:
>> +#	--enable-static --disable-shared
> No need to comment on shared/static options. It's the same for everything.
I was stumped, testing this. Using the "--enable-static" switch did not 
produce
static binaries. It seems, the build process did favor the "--enable-shared"
default option. So I figured it could be helpful to other. Will remove it.


I'll add your other recommendations and resubmit the patch set.

regards
Andreas

____________
Virus checked by G Data MailSecurity
Version: AVA 25.6081 dated 07.04.2016
Virus news: www.antiviruslab.com

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de