4 files changed, 80 insertions, 40 deletions

diff --git a/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch b/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
index 03c36ccbc2..8824bf2af7 100644
--- a/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
+++ b/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
@@ -1,4 +1,4 @@
-From c46db7c2e1f63ec525835553587e70c635565310 Mon Sep 17 00:00:00 2001
+From 0096c854d5015918ed154dccb3ad472fd06c1010 Mon Sep 17 00:00:00 2001
 From: "Maxin B. John" <maxin.john@intel.com>
 Date: Tue, 21 Feb 2017 11:16:31 +0200
 Subject: [PATCH] configure: Add option to enable/disable libnfnetlink
@@ -10,12 +10,13 @@ Upstream-Status: Pending
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
 ---
  configure.ac | 10 +++++++---
  1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index eda7871..03ddc50 100644
+index d99fa3b..d607772 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
@@ -28,9 +29,9 @@ index eda7871..03ddc50 100644
  AC_ARG_ENABLE([connlabel],
         AS_HELP_STRING([--disable-connlabel],
         [Do not build libnetfilter_conntrack]),
-@@ -115,9 +118,10 @@ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
-        AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
- fi
+@@ -113,9 +116,10 @@ AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
+ AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+ AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
  
 -PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
 -       [nfnetlink=1], [nfnetlink=0])
@@ -40,8 +41,5 @@ index eda7871..03ddc50 100644
 +    ])
 +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "x$enable_libnfnetlink" = "xyes"])
  
- if test "x$enable_nftables" = "xyes"; then
-        PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0])
--- 
-2.4.0
-
+ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
+        PKG_CHECK_MODULES([libpcap], [libpcap], [], [
diff --git a/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch b/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
new file mode 100644
index 0000000000..a190c7e8ae
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
@@ -0,0 +1,31 @@
+From 465e3ef77f1763d225adc76220e43ee9bd73b178 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 17 May 2022 10:56:59 +0200
+Subject: [PATCH] iptables/xshared.h: add missing sys.types.h include
+
+This resolves the build error under musl:
+
+| ../../../../../../../workspace/sources/iptables/iptables/xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
+|    83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+|       |                                                        ^~~~~~~~~
+|       |                                                        uint16_t
+
+Upstream-Status: Submitted [via email to phil@nwl.cc]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+---
+ iptables/xshared.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index a200e0d..f543dbf 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -6,6 +6,7 @@
+ #include <stdint.h>
+ #include <netinet/in.h>
+ #include <net/if.h>
++#include <sys/types.h>
+ #include <linux/netfilter_arp/arp_tables.h>
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
diff --git a/meta/recipes-extended/iptables/iptables/0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch b/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
index 7842c6408a..5a022ebc8c 100644
--- a/meta/recipes-extended/iptables/iptables/0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
+++ b/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
@@ -1,4 +1,4 @@
-From 26090b3dbcdf6a11e60535da949b726a6e86426d Mon Sep 17 00:00:00 2001
+From 6832501bbb90a3dab977a4625d0391804c0e795c Mon Sep 17 00:00:00 2001
 From: "Maxin B. John" <maxin.john@intel.com>
 Date: Tue, 21 Feb 2017 11:49:07 +0200
 Subject: [PATCH] configure.ac:
@@ -23,15 +23,16 @@ Upstream-Status: Pending
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
 Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
 ---
  configure.ac | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 03ddc50..523caea 100644
+index d607772..25a8e75 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -172,10 +172,12 @@ if test "$nftables" != 1; then
+@@ -159,10 +159,12 @@ if test "$nftables" != 1; then
  fi
  
  if test "x$enable_connlabel" = "xyes"; then
@@ -46,6 +47,3 @@ index 03ddc50..523caea 100644
         if test "$nfconntrack" -ne 1; then
                 blacklist_modules="$blacklist_modules connlabel";
                 echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
--- 
-2.4.0
-
diff --git a/meta/recipes-extended/iptables/iptables_1.8.7.bb b/meta/recipes-extended/iptables/iptables_1.8.10.bb
index 621f87ff87..5a87897742 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.7.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -3,22 +3,23 @@ DESCRIPTION = "iptables is the userspace command line program used to configure
 filtering code in Linux."
 HOMEPAGE = "http://www.netfilter.org/"
 BUGTRACKER = "http://bugzilla.netfilter.org/"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc \
 "
 
-SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
-           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
-           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.xz \
            file://iptables.service \
            file://iptables.rules \
            file://ip6tables.service \
            file://ip6tables.rules \
+           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
+           file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
+           file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
            "
-SRC_URI[sha256sum] = "c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0"
+SRC_URI[sha256sum] = "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c"
 
-SYSTEMD_SERVICE_${PN} = "\
+SYSTEMD_SERVICE:${PN} = "\
     iptables.service \
     ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'ip6tables.service', '', d)} \
 "
@@ -27,6 +28,8 @@ inherit autotools pkgconfig systemd
 
 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
 
+CFLAGS:append:libc-musl = " -D__UAPI_DEF_ETHHDR=0"
+
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 
@@ -36,20 +39,23 @@ PACKAGECONFIG[libnfnetlink] = "--enable-libnfnetlink,--disable-libnfnetlink,libn
 # libnftnl recipe is in meta-networking layer(previously known as libnftables)
 PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
 
-do_configure_prepend() {
+do_configure:prepend() {
     # Remove some libtool m4 files
     # Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
     rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+
+    # Copy a header to fix out of tree builds
+    cp -f ${S}/libiptc/linux_list.h ${S}/include/libiptc/
 }
 
 IPTABLES_RULES_DIR ?= "${sysconfdir}/${BPN}"
 
-do_install_append() {
+do_install:append() {
     install -d ${D}${IPTABLES_RULES_DIR}
-    install -m 0644 ${WORKDIR}/iptables.rules ${D}${IPTABLES_RULES_DIR}
+    install -m 0644 ${UNPACKDIR}/iptables.rules ${D}${IPTABLES_RULES_DIR}
 
     install -d ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+    install -m 0644 ${UNPACKDIR}/iptables.service ${D}${systemd_system_unitdir}
 
     sed -i \
         -e 's,@SBINDIR@,${sbindir},g' \
@@ -57,28 +63,33 @@ do_install_append() {
         ${D}${systemd_system_unitdir}/iptables.service
 
     if ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'true', 'false', d)} ; then
-        install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
-        install -m 0644 ${WORKDIR}/ip6tables.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
+        install -m 0644 ${UNPACKDIR}/ip6tables.service ${D}${systemd_system_unitdir}
 
         sed -i \
             -e 's,@SBINDIR@,${sbindir},g' \
             -e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
             ${D}${systemd_system_unitdir}/ip6tables.service
     fi
+
+    # if libnftnl is included, make the iptables symlink point to the nft-based binary by default
+    if ${@bb.utils.contains('PACKAGECONFIG', 'libnftnl', 'true', 'false', d)} ; then
+        ln -sf ${sbindir}/xtables-nft-multi ${D}${sbindir}/iptables 
+    fi
 }
 
 PACKAGES =+ "${PN}-modules ${PN}-apply"
 PACKAGES_DYNAMIC += "^${PN}-module-.*"
 
-python populate_packages_prepend() {
+python populate_packages:prepend() {
     modules = do_split_packages(d, '${libdir}/xtables', r'lib(.*)\.so$', '${PN}-module-%s', '${PN} module %s', extra_depends='')
     if modules:
         metapkg = d.getVar('PN') + '-modules'
-        d.appendVar('RDEPENDS_' + metapkg, ' ' + ' '.join(modules))
+        d.appendVar('RDEPENDS:' + metapkg, ' ' + ' '.join(modules))
 }
 
-RDEPENDS_${PN} = "${PN}-module-xt-standard"
-RRECOMMENDS_${PN} = " \
+RDEPENDS:${PN} = "${PN}-module-xt-standard"
+RRECOMMENDS:${PN} = " \
     ${PN}-modules \
     kernel-module-x-tables \
     kernel-module-ip-tables \
@@ -95,16 +106,18 @@ RRECOMMENDS_${PN} = " \
     ', '', d)} \
 "
 
-FILES_${PN} += "${datadir}/xtables"
+FILES:${PN} += "${datadir}/xtables"
 
-FILES_${PN}-apply = "${sbindir}/ip*-apply"
-RDEPENDS_${PN}-apply = "${PN} bash"
+FILES:${PN}-apply = "${sbindir}/ip*-apply"
+RDEPENDS:${PN}-apply = "${PN} bash"
 
 # Include the symlinks as well in respective packages
-FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
-FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+FILES:${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES:${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so ${libdir}/xtables/libxt_REDIRECT.so"
+FILES:${PN}-module-xt-nat += "${libdir}/xtables/libxt_SNAT.so ${libdir}/xtables/libxt_DNAT.so ${libdir}/xtables/libxt_MASQUERADE.so"
 
-ALLOW_EMPTY_${PN}-modules = "1"
+ALLOW_EMPTY:${PN}-modules = "1"
 
-INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
-INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
+INSANE_SKIP:${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP:${PN}-module-xt-ct = "dev-so"
+INSANE_SKIP:${PN}-module-xt-nat = "dev-so"