iptables: bump to 1.6.1

Switch to git repo Removed musl patch Refreshed existing patch Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
2017-03-22 16:02:09 +01:00 · 2017-03-22 16:02:09 +01:00 · 98e43b13a7
parent efb22b6f06
commit 98e43b13a7
9 changed files with 103 additions and 304 deletions
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@ -9,17 +9,16 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=iptables
-PKG_VERSION:=1.4.21
-PKG_RELEASE:=2
+PKG_VERSION:=1.6.1
+PKG_RELEASE:=1

-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
-	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
-	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
-	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-PKG_HASH:=52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://git.netfilter.org/iptables
+PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
+PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14

 PKG_FIXUP:=autoreconf
+
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0
@ -51,6 +50,20 @@ $(call Package/iptables/Default)
  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
 endef

+define Package/iptables/config
+  config IPTABLES_CONNLABEL
+	bool "Enable Connlabel support"
+	default n
+	help
+		This enable connlabel support in iptables.
+
+  config IPTABLES_NFTABLES
+	bool "Enable Nftables support"
+	default n
+	help
+		This enable nftables support in iptables.
+endef
+
 define Package/iptables/description
 IP firewall administration tool.

@ -413,6 +426,9 @@ define Package/libxtables
 SECTION:=libs
 CATEGORY:=Libraries
 TITLE:=IPv4/IPv6 firewall - shared xtables library
+ DEPENDS:= \
+	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
+	+IPTABLES_NFTABLES:libnfnetlink
 endef

 TARGET_CPPFLAGS := \
@ -431,10 +447,12 @@ TARGET_LDFLAGS += \

 CONFIGURE_ARGS += \
 	--enable-shared \
+	--enable-static \
 	--enable-devel \
 	--with-kernel="$(LINUX_DIR)/user_headers" \
 	--with-xtlibdir=/usr/lib/iptables \
-	--enable-static \
+	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
+	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
 	$(if $(CONFIG_IPV6),,--disable-ipv6)

 MAKE_FLAGS := \
--- a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@ -1,6 +1,6 @@
 --- a/libxtables/xtables.c
 +++ b/libxtables/xtables.c
-@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+@@ -355,6 +355,7 @@ static char *get_modprobe(void)
 
 int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
 {
@ -8,7 +8,7 @@
 	char *buf = NULL;
 	char *argv[4];
 	int status;
-@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname, 
+@@ -395,6 +396,7 @@ int xtables_insmod(const char *modname,
 	free(buf);
 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
 		return 0;
--- a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@ -1,94 +0,0 @@
--- a/configure
-+++ b/configure
-@@ -12367,77 +12367,7 @@ fi
- fi
- 
- 
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
-$as_echo_n "checking for libnfnetlink... " >&6; }
-
-if test -n "$libnfnetlink_CFLAGS"; then
-    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-if test -n "$libnfnetlink_LIBS"; then
-    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
-        else
-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$libnfnetlink_PKG_ERRORS" >&5
-
-	nfnetlink=0
-elif test $pkg_failed = untried; then
-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-	nfnetlink=0
-else
-	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
-	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-	nfnetlink=1
-fi
- if test "$nfnetlink" = 1; then
-+if false; then
-   HAVE_LIBNFNETLINK_TRUE=
-   HAVE_LIBNFNETLINK_FALSE='#'
- else
--- a/configure.ac
-+++ b/configure.ac
-@@ -111,9 +111,7 @@ if test "x$enable_bpfc" = "xyes" || test
- 	AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
- fi
- 
-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
-	[nfnetlink=1], [nfnetlink=0])
-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
-+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
- 
- regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
- 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
--- a/package/network/utils/iptables/patches/050-optional-xml.patch
+++ b/package/network/utils/iptables/patches/050-optional-xml.patch
@ -1,6 +1,6 @@
 --- a/iptables/xtables-multi.c
 +++ b/iptables/xtables-multi.c
-@@ -22,8 +22,10 @@ static const struct subcommand multi_sub
+@@ -26,8 +26,10 @@ static const struct subcommand multi_sub
 	{"iptables-restore",    iptables_restore_main},
 	{"restore4",            iptables_restore_main},
 #endif
--- a/package/network/utils/iptables/patches/100-bash-location.patch
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@ -1,8 +0,0 @@
--- a/iptables/iptables-apply
-+++ b/iptables/iptables-apply
-@@ -1,4 +1,4 @@
-#!/bin/bash
-+#!/usr/bin/env bash
- #
- # iptables-apply -- a safer way to update iptables remotely
- #
--- a/package/network/utils/iptables/patches/200-configurable_builtin.patch
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@ -1,58 +1,75 @@
 --- a/extensions/GNUmakefile.in
 +++ b/extensions/GNUmakefile.in
-@@ -45,9 +45,24 @@ pfx_symlinks  := NOTRACK state
- pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
- pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
- pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist
+ pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
 -pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
+-pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})
 -pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
 -pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
-+
 +ifdef BUILTIN_MODULES
 +pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
+pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod})
+pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod})
 +pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
 +pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
 +else
 +@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
+@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod)
+@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod)
 +@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
 +@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
 +endif
 +
 +pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
+pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod))
+pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod))
 +pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
 +pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
 +
 +pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
+pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_static})
+pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_static})
 +pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
 +pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
 pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
- pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
- pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -58,11 +73,11 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+ pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
+ pfa_solibs    := $(patsubst %,libarpt_%.so,${pfa_build_mod})
+@@ -67,13 +87,13 @@ pf6_solibs    := $(patsubst %,libip6t_%.
 #
- targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
 targets_install :=
 -@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs}
+-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
 -@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
 -@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
 +libext_objs := ${pfx_objs}
+libext_ebt_objs := ${pfb_objs}
+libext_arpt_objs := ${pfa_objs}
 +libext4_objs := ${pf4_objs}
 +libext6_objs := ${pf6_objs}
-+targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
 
 .SECONDARY:
 
-@@ -126,9 +141,9 @@ libext4.a: initext4.o ${libext4_objs}
+@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
 libext6.a: initext6.o ${libext6_objs}
 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 
 -initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initextb_func := $(addprefix ebt_,${pfb_build_mod})
+-initexta_func := $(addprefix arpt_,${pfa_build_mod})
 -initext4_func := $(addprefix ipt_,${pf4_build_mod})
 -initext6_func := $(addprefix ip6t_,${pf6_build_mod})
 +initext_func  := $(addprefix xt_,${pfx_build_static})
+initextb_func := $(addprefix ebt_,${pfb_build_static})
+initexta_func := $(addprefix arpt_,${pfa_build_static})
 +initext4_func := $(addprefix ipt_,${pf4_build_static})
 +initext6_func := $(addprefix ip6t_,${pf6_build_static})
 
--- a/package/network/utils/iptables/patches/300-musl_fixes.patch
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
@ -1,127 +0,0 @@
--- a/extensions/libip6t_ipv6header.c
-+++ b/extensions/libip6t_ipv6header.c
-@@ -10,6 +10,9 @@ on whether they contain certain headers 
- #include <netdb.h>
- #include <xtables.h>
- #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
-+#ifndef IPPROTO_HOPOPTS
-+#	define IPPROTO_HOPOPTS 0
-+#endif
- 
- enum {
- 	O_HEADER = 0,
--- a/extensions/libxt_TCPOPTSTRIP.c
-+++ b/extensions/libxt_TCPOPTSTRIP.c
-@@ -12,6 +12,21 @@
- #ifndef TCPOPT_MD5SIG
- #	define TCPOPT_MD5SIG 19
- #endif
-+#ifndef TCPOPT_MAXSEG
-+#	define TCPOPT_MAXSEG 2
-+#endif
-+#ifndef TCPOPT_WINDOW
-+#	define TCPOPT_WINDOW 3
-+#endif
-+#ifndef TCPOPT_SACK_PERMITTED
-+#	define TCPOPT_SACK_PERMITTED 4
-+#endif
-+#ifndef TCPOPT_SACK
-+#	define TCPOPT_SACK 5
-+#endif
-+#ifndef TCPOPT_TIMESTAMP
-+#	define TCPOPT_TIMESTAMP 8
-+#endif
- 
- enum {
- 	O_STRIP_OPTION = 0,
--- a/include/libiptc/ipt_kernel_headers.h
-+++ b/include/libiptc/ipt_kernel_headers.h
-@@ -5,7 +5,6 @@
- 
- #include <limits.h>
- 
-#if defined(__GLIBC__) && __GLIBC__ == 2
- #include <netinet/ip.h>
- #include <netinet/in.h>
- #include <netinet/ip_icmp.h>
-@@ -13,15 +12,4 @@
- #include <netinet/udp.h>
- #include <net/if.h>
- #include <sys/types.h>
-#else /* libc5 */
-#include <sys/socket.h>
-#include <linux/ip.h>
-#include <linux/in.h>
-#include <linux/if.h>
-#include <linux/icmp.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/types.h>
-#include <linux/in6.h>
-#endif
- #endif
--- a/include/linux/netfilter_ipv4/ip_tables.h
-+++ b/include/linux/netfilter_ipv4/ip_tables.h
-@@ -16,6 +16,7 @@
- #define _IPTABLES_H
- 
- #include <linux/types.h>
-+#include <sys/types.h>
- 
- #include <linux/netfilter_ipv4.h>
- 
--- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -9,7 +9,7 @@
-  */
- 
- #include <getopt.h>
-#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
--- a/iptables/ip6tables-save.c
-+++ b/iptables/ip6tables-save.c
-@@ -6,7 +6,7 @@
-  * This code is distributed under the terms of GNU GPL v2
-  */
- #include <getopt.h>
-#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
--- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -6,7 +6,7 @@
-  */
- 
- #include <getopt.h>
-#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
--- a/iptables/iptables-save.c
-+++ b/iptables/iptables-save.c
-@@ -6,7 +6,7 @@
-  *
-  */
- #include <getopt.h>
-#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
--- a/iptables/iptables-xml.c
-+++ b/iptables/iptables-xml.c
-@@ -7,7 +7,7 @@
-  */
- 
- #include <getopt.h>
-#include <sys/errno.h>
-+#include <errno.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
--- a/package/network/utils/iptables/patches/600-shared-libext.patch
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@ -1,17 +1,15 @@
-Index: iptables-1.4.21/extensions/GNUmakefile.in
-===================================================================
--- iptables-1.4.21.orig/extensions/GNUmakefile.in
-+++ iptables-1.4.21/extensions/GNUmakefile.in
-@@ -71,7 +71,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
+@@ -85,7 +85,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
 #
 # Building blocks
 #
-targets := libext.a libext4.a libext6.a matches.man targets.man
-+targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
+targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man
 targets_install :=
 libext_objs := ${pfx_objs}
- libext4_objs := ${pf4_objs}
-@@ -96,7 +96,7 @@ clean:
+ libext_ebt_objs := ${pfb_objs}
+@@ -112,7 +112,7 @@ clean:
 distclean: clean
 
 init%.o: init%.c
@ -20,7 +18,7 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
 
 -include .*.d
 
-@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
 #	handling code in the Makefiles.
 #
 lib%.o: ${srcdir}/lib%.c
@ -32,6 +30,16 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
 +libiptext.so: initext.o ${libext_objs}
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
 
+-libext_ebt.a: initextb.o ${libext_ebt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_ebt.so: initextb.o ${libext_ebt__objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+-libext_arpt.a: initexta.o ${libext_arpt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+libiptext_arpt.so: initexta.o ${libext_arpt__objs}
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
 -libext4.a: initext4.o ${libext4_objs}
 -	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 +libiptext4.so: initext4.o ${libext4_objs}
@ -43,12 +51,10 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
 
 initext_func  := $(addprefix xt_,${pfx_build_static})
- initext4_func := $(addprefix ipt_,${pf4_build_static})
-Index: iptables-1.4.21/iptables/Makefile.am
-===================================================================
--- iptables-1.4.21.orig/iptables/Makefile.am
-+++ iptables-1.4.21/iptables/Makefile.am
-@@ -5,7 +5,8 @@ AM_CPPFLAGS      = ${regular_CPPFLAGS} -
+ initextb_func := $(addprefix ebt_,${pfb_build_static})
+--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
+@@ -8,7 +8,8 @@ BUILT_SOURCES =
 
 xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
 xtables_multi_CFLAGS   = ${AM_CFLAGS}
@ -58,7 +64,7 @@ Index: iptables-1.4.21/iptables/Makefile.am
 if ENABLE_STATIC
 xtables_multi_CFLAGS  += -DALL_INCLUSIVE
 endif
-@@ -13,13 +14,15 @@ if ENABLE_IPV4
+@@ -16,13 +17,15 @@ if ENABLE_IPV4
 xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
                          iptables-standalone.c iptables.c
 xtables_multi_CFLAGS  += -DENABLE_IPV4
--- a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@ -1,8 +1,6 @@
-Index: iptables-1.4.21/extensions/libxt_conntrack.c
-===================================================================
--- iptables-1.4.21.orig/extensions/libxt_conntrack.c
-+++ iptables-1.4.21/extensions/libxt_conntrack.c
-@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
+@@ -1397,6 +1397,7 @@ static int conntrack3_mt6_xlate(struct x
 }
 
 static struct xtables_match conntrack_mt_reg[] = {
@ -10,7 +8,7 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
 	{
 		.version       = XTABLES_VERSION,
 		.name          = "conntrack",
-@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+@@ -1472,6 +1473,7 @@ static struct xtables_match conntrack_mt
 		.alias	       = conntrack_print_name_alias,
 		.x6_options    = conntrack2_mt_opts,
 	},
@ -18,31 +16,24 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
 	{
 		.version       = XTABLES_VERSION,
 		.name          = "conntrack",
-@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
- 		.alias	       = conntrack_print_name_alias,
+@@ -1504,6 +1506,7 @@ static struct xtables_match conntrack_mt
 		.x6_options    = conntrack3_mt_opts,
+ 		.xlate	       = conntrack3_mt6_xlate,
 	},
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "state",
-@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+@@ -1534,6 +1537,8 @@ static struct xtables_match conntrack_mt
 		.x6_parse      = state_ct23_parse,
 		.x6_options    = state_opts,
 	},
 +#endif
- 	{
- 		.family        = NFPROTO_UNSPEC,
- 		.name          = "state",
-@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
- 		.x6_parse      = state_ct23_parse,
- 		.x6_options    = state_opts,
- 	},
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "state",
-@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+@@ -1563,6 +1568,7 @@ static struct xtables_match conntrack_mt
 		.x6_parse      = state_parse,
 		.x6_options    = state_opts,
 	},
@ -50,11 +41,9 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
 };
 
 void _init(void)
-Index: iptables-1.4.21/extensions/libxt_CT.c
-===================================================================
--- iptables-1.4.21.orig/extensions/libxt_CT.c
-+++ iptables-1.4.21/extensions/libxt_CT.c
-@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
+@@ -349,6 +349,7 @@ static void notrack_ct2_tg_init(struct x
 }
 
 static struct xtables_target ct_target_reg[] = {
@ -62,7 +51,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
 	{
 		.family		= NFPROTO_UNSPEC,
 		.name		= "CT",
-@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+@@ -374,6 +375,7 @@ static struct xtables_target ct_target_r
 		.x6_parse	= ct_parse_v1,
 		.x6_options	= ct_opts_v1,
 	},
@ -70,7 +59,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
 	{
 		.family		= NFPROTO_UNSPEC,
 		.name		= "CT",
-@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+@@ -388,6 +390,7 @@ static struct xtables_target ct_target_r
 		.x6_parse	= ct_parse_v1,
 		.x6_options	= ct_opts_v1,
 	},
@ -78,7 +67,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "NOTRACK",
-@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+@@ -425,6 +428,7 @@ static struct xtables_target ct_target_r
 		.revision      = 0,
 		.version       = XTABLES_VERSION,
 	},
@ -86,11 +75,9 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
 };
 
 void _init(void)
-Index: iptables-1.4.21/extensions/libxt_multiport.c
-===================================================================
--- iptables-1.4.21.orig/extensions/libxt_multiport.c
-+++ iptables-1.4.21/extensions/libxt_multiport.c
-@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
+@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
 }
 
 static struct xtables_match multiport_mt_reg[] = {
@ -98,9 +85,9 @@ Index: iptables-1.4.21/extensions/libxt_multiport.c
 	{
 		.family        = NFPROTO_IPV4,
 		.name          = "multiport",
-@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
- 		.save          = multiport_save6,
+@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
 		.x6_options    = multiport_opts,
+ 		.xlate         = multiport_xlate6,
 	},
 +#endif
 	{