Make IPv6 support optional

author Jo-Philipp Wich <jow@openwrt.org>

Mon, 27 May 2013 14:50:50 +0000 (16:50 +0200)

committer Jo-Philipp Wich <jow@openwrt.org>

Mon, 27 May 2013 15:06:24 +0000 (17:06 +0200)
author Jo-Philipp Wich <jow@openwrt.org>
Mon, 27 May 2013 14:50:50 +0000 (16:50 +0200)
committer Jo-Philipp Wich <jow@openwrt.org>
Mon, 27 May 2013 15:06:24 +0000 (17:06 +0200)
diff --git a/CMakeLists.txt b/CMakeLists.txt

index a6f1271..cf7ee96 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,6 +3,8 @@ cmake_minimum_required(VERSION 2.6)
  PROJECT(firewall3 C)
  ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
  
  PROJECT(firewall3 C)
  ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
  
+SET(iptc_libs   ip4tc)
+
  SET(sed_match   "^[[:space:]]*__ipt_module(\\(.*\\)).*")
  SET(sed_replace "-Wl,--undefined=libxt_\\1_init -Wl,--undefined=libipt_\\1_init -Wl,--undefined=libip6t_\\1_init")
  
  SET(sed_match   "^[[:space:]]*__ipt_module(\\(.*\\)).*")
  SET(sed_replace "-Wl,--undefined=libxt_\\1_init -Wl,--undefined=libipt_\\1_init -Wl,--undefined=libip6t_\\1_init")
  
@@ -24,14 +26,19 @@ IF (EXISTS "${CMAKE_SOURCE_DIR}/libext4.a")
    LIST(APPEND ext_libs ext4)
  ENDIF()
  
    LIST(APPEND ext_libs ext4)
  ENDIF()
  
-IF (EXISTS "${CMAKE_SOURCE_DIR}/libext6.a")
-  ADD_LIBRARY(ext6 STATIC IMPORTED)
-  SET_PROPERTY(TARGET ext6 PROPERTY IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/libext6.a")
-  LIST(APPEND ext_libs ext6)
+IF (NOT DISABLE_IPV6)
+  IF (EXISTS "${CMAKE_SOURCE_DIR}/libext6.a")
+       ADD_LIBRARY(ext6 STATIC IMPORTED)
+       SET_PROPERTY(TARGET ext6 PROPERTY IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/libext6.a")
+       LIST(APPEND ext_libs ext6)
+  ENDIF()
+  LIST(APPEND iptc_libs ip6tc)
+ELSE()
+  ADD_DEFINITIONS(-DDISABLE_IPV6)
  ENDIF()
  
  ADD_EXECUTABLE(firewall3 main.c options.c defaults.c zones.c forwards.c rules.c redirects.c utils.c ubus.c ipsets.c includes.c iptables.c)
  ENDIF()
  
  ADD_EXECUTABLE(firewall3 main.c options.c defaults.c zones.c forwards.c rules.c redirects.c utils.c ubus.c ipsets.c includes.c iptables.c)
-TARGET_LINK_LIBRARIES(firewall3 uci ubox ubus ip4tc ip6tc xtables m ${ext_libs})
+TARGET_LINK_LIBRARIES(firewall3 uci ubox ubus xtables m ${iptc_libs} ${ext_libs})
  
  SET(CMAKE_INSTALL_PREFIX /usr)
  
  
  SET(CMAKE_INSTALL_PREFIX /usr)
  
diff --git a/iptables.c b/iptables.c

index 9565f8d..21c96b4 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -54,8 +54,13 @@ get_kernel_version(void)
         kernel_version = 0x10000 * x + 0x100 * y + z;
  }
  
         kernel_version = 0x10000 * x + 0x100 * y + z;
  }
  
+#ifdef DISABLE_IPV6
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init,
+#else
  #undef __ipt_module
  #define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
  #undef __ipt_module
  #define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
+#endif
  
  static void fw3_init_extensions(void)
  {
  
  static void fw3_init_extensions(void)
  {
@@ -78,12 +83,14 @@ fw3_ipt_open(enum fw3_family family, enum fw3_table table)
  
         if (family == FW3_FAMILY_V6)
         {
  
         if (family == FW3_FAMILY_V6)
         {
+#ifndef DISABLE_IPV6
                 h->family = FW3_FAMILY_V6;
                 h->table  = table;
                 h->handle = ip6tc_init(fw3_flag_names[table]);
  
                 xtables_set_params(&xtg6);
                 xtables_set_nfproto(NFPROTO_IPV6);
                 h->family = FW3_FAMILY_V6;
                 h->table  = table;
                 h->handle = ip6tc_init(fw3_flag_names[table]);
  
                 xtables_set_params(&xtg6);
                 xtables_set_nfproto(NFPROTO_IPV6);
+#endif
         }
         else
         {
         }
         else
         {
@@ -127,9 +134,11 @@ fw3_ipt_set_policy(struct fw3_ipt_handle *h, const char *chain,
         if (fw3_pr_debug)
                 debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
  
         if (fw3_pr_debug)
                 debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
  
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
                 ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
         else
         if (h->family == FW3_FAMILY_V6)
                 ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
         else
+#endif
                 iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
  }
  
                 iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
  }
  
@@ -142,12 +151,14 @@ fw3_ipt_delete_chain(struct fw3_ipt_handle *h, const char *chain)
                 debug(h, "-X %s\n", chain);
         }
  
                 debug(h, "-X %s\n", chain);
         }
  
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
         {
                 if (ip6tc_flush_entries(chain, h->handle))
                         ip6tc_delete_chain(chain, h->handle);
         }
         else
         if (h->family == FW3_FAMILY_V6)
         {
                 if (ip6tc_flush_entries(chain, h->handle))
                         ip6tc_delete_chain(chain, h->handle);
         }
         else
+#endif
         {
                 if (iptc_flush_entries(chain, h->handle))
                         iptc_delete_chain(chain, h->handle);
         {
                 if (iptc_flush_entries(chain, h->handle))
                         iptc_delete_chain(chain, h->handle);
@@ -159,11 +170,11 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
  {
         unsigned int num;
         const struct ipt_entry *e;
  {
         unsigned int num;
         const struct ipt_entry *e;
-       const struct ip6t_entry *e6;
         const char *chain;
         const char *t;
         bool found;
  
         const char *chain;
         const char *t;
         bool found;
  
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
         {
                 for (chain = ip6tc_first_chain(h->handle);
         if (h->family == FW3_FAMILY_V6)
         {
                 for (chain = ip6tc_first_chain(h->handle);
@@ -173,6 +184,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                         do {
                                 found = false;
  
                         do {
                                 found = false;
  
+                               const struct ip6t_entry *e6;
                                 for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
                                          e6 != NULL;
                                          num++, e6 = ip6tc_next_rule(e6, h->handle))
                                 for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
                                          e6 != NULL;
                                          num++, e6 = ip6tc_next_rule(e6, h->handle))
@@ -193,6 +205,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                 }
         }
         else
                 }
         }
         else
+#endif
         {
                 for (chain = iptc_first_chain(h->handle);
                      chain != NULL;
         {
                 for (chain = iptc_first_chain(h->handle);
                      chain != NULL;
@@ -243,6 +256,7 @@ fw3_ipt_flush(struct fw3_ipt_handle *h)
  {
         const char *chain;
  
  {
         const char *chain;
  
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
         {
                 for (chain = ip6tc_first_chain(h->handle);
         if (h->family == FW3_FAMILY_V6)
         {
                 for (chain = ip6tc_first_chain(h->handle);
@@ -260,6 +274,7 @@ fw3_ipt_flush(struct fw3_ipt_handle *h)
                 }
         }
         else
                 }
         }
         else
+#endif
         {
                 for (chain = iptc_first_chain(h->handle);
                      chain != NULL;
         {
                 for (chain = iptc_first_chain(h->handle);
                      chain != NULL;
@@ -282,6 +297,7 @@ fw3_ipt_commit(struct fw3_ipt_handle *h)
  {
         int rv;
  
  {
         int rv;
  
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
         {
                 rv = ip6tc_commit(h->handle);
         if (h->family == FW3_FAMILY_V6)
         {
                 rv = ip6tc_commit(h->handle);
@@ -289,6 +305,7 @@ fw3_ipt_commit(struct fw3_ipt_handle *h)
                         fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
         }
         else
                         fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
         }
         else
+#endif
         {
                 rv = iptc_commit(h->handle);
                 if (!rv)
         {
                 rv = iptc_commit(h->handle);
                 if (!rv)
@@ -316,9 +333,11 @@ fw3_ipt_rule_new(struct fw3_ipt_handle *h)
  static bool
  is_chain(struct fw3_ipt_handle *h, const char *name)
  {
  static bool
  is_chain(struct fw3_ipt_handle *h, const char *name)
  {
+#ifndef DISABLE_IPV6
         if (h->family == FW3_FAMILY_V6)
                 return ip6tc_is_chain(name, h->handle);
         else
         if (h->family == FW3_FAMILY_V6)
                 return ip6tc_is_chain(name, h->handle);
         else
+#endif
                 return iptc_is_chain(name, h->handle);
  }
  
                 return iptc_is_chain(name, h->handle);
  }
  
@@ -447,6 +466,7 @@ fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
  
         pr = proto->protocol;
  
  
         pr = proto->protocol;
  
+#ifndef DISABLE_IPV6
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (pr == 1)
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (pr == 1)
@@ -459,6 +479,7 @@ fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
                         r->e6.ipv6.invflags |= XT_INV_PROTO;
         }
         else
                         r->e6.ipv6.invflags |= XT_INV_PROTO;
         }
         else
+#endif
         {
                 r->e.ip.proto = pr;
  
         {
                 r->e.ip.proto = pr;
  
@@ -473,6 +494,7 @@ void
  fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
                      struct fw3_device *in, struct fw3_device *out)
  {
  fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
                      struct fw3_device *in, struct fw3_device *out)
  {
+#ifndef DISABLE_IPV6
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (in && !in->any)
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (in && !in->any)
@@ -494,6 +516,7 @@ fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
                 }
         }
         else
                 }
         }
         else
+#endif
         {
                 if (in && !in->any)
                 {
         {
                 if (in && !in->any)
                 {
@@ -522,6 +545,7 @@ ip4prefix2mask(int prefix, struct in_addr *mask)
         mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
  }
  
         mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
  }
  
+#ifndef DISABLE_IPV6
  static void
  ip6prefix2mask(int prefix, struct in6_addr *mask)
  {
  static void
  ip6prefix2mask(int prefix, struct in6_addr *mask)
  {
@@ -538,13 +562,12 @@ ip6prefix2mask(int prefix, struct in6_addr *mask)
                 memset(mask, 0, sizeof(*mask));
         }
  }
                 memset(mask, 0, sizeof(*mask));
         }
  }
+#endif
  
  void
  fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                        struct fw3_address *src, struct fw3_address *dest)
  {
  
  void
  fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                        struct fw3_address *src, struct fw3_address *dest)
  {
-       int i;
-
         if ((src && src->range) || (dest && dest->range))
         {
                 fw3_ipt_rule_addarg(r, false, "-m", "iprange");
         if ((src && src->range) || (dest && dest->range))
         {
                 fw3_ipt_rule_addarg(r, false, "-m", "iprange");
@@ -557,17 +580,20 @@ fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                         fw3_ipt_rule_addarg(r, src->invert, "--src-range",
                                             fw3_address_to_string(src, false));
                 }
                         fw3_ipt_rule_addarg(r, src->invert, "--src-range",
                                             fw3_address_to_string(src, false));
                 }
+#ifndef DISABLE_IPV6
                 else if (r->h->family == FW3_FAMILY_V6)
                 {
                         r->e6.ipv6.src = src->address.v6;
                         ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
  
                 else if (r->h->family == FW3_FAMILY_V6)
                 {
                         r->e6.ipv6.src = src->address.v6;
                         ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
  
+                       int i;
                         for (i = 0; i < 4; i++)
                                 r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
  
                         if (src->invert)
                                 r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
                 }
                         for (i = 0; i < 4; i++)
                                 r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
  
                         if (src->invert)
                                 r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
                 }
+#endif
                 else
                 {
                         r->e.ip.src = src->address.v4;
                 else
                 {
                         r->e.ip.src = src->address.v4;
@@ -587,17 +613,20 @@ fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                         fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
                                             fw3_address_to_string(dest, false));
                 }
                         fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
                                             fw3_address_to_string(dest, false));
                 }
+#ifndef DISABLE_IPV6
                 else if (r->h->family == FW3_FAMILY_V6)
                 {
                         r->e6.ipv6.dst = dest->address.v6;
                         ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
  
                 else if (r->h->family == FW3_FAMILY_V6)
                 {
                         r->e6.ipv6.dst = dest->address.v6;
                         ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
  
+                       int i;
                         for (i = 0; i < 4; i++)
                                 r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
  
                         if (dest->invert)
                                 r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
                 }
                         for (i = 0; i < 4; i++)
                                 r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
  
                         if (dest->invert)
                                 r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
                 }
+#endif
                 else
                 {
                         r->e.ip.dst = dest->address.v4;
                 else
                 {
                         r->e.ip.dst = dest->address.v4;
@@ -662,6 +691,7 @@ fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
         if (!icmp)
                 return;
  
         if (!icmp)
                 return;
  
+#ifndef DISABLE_IPV6
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
         if (r->h->family == FW3_FAMILY_V6)
         {
                 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
@@ -672,6 +702,7 @@ fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
                 fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
         }
         else
                 fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
         }
         else
+#endif
         {
                 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
                         sprintf(buf, "%u", icmp->type);
         {
                 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
                         sprintf(buf, "%u", icmp->type);
@@ -876,6 +907,7 @@ fw3_ipt_rule_extra(struct fw3_ipt_rule *r, const char *extra)
         free(s);
  }
  
         free(s);
  }
  
+#ifndef DISABLE_IPV6
  static void
  rule_print6(struct ip6t_entry *e)
  {
  static void
  rule_print6(struct ip6t_entry *e)
  {
@@ -929,6 +961,7 @@ rule_print6(struct ip6t_entry *e)
                                     xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
         }
  }
                                     xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
         }
  }
+#endif
  
  static void
  rule_print4(struct ipt_entry *e)
  
  static void
  rule_print4(struct ipt_entry *e)
@@ -994,9 +1027,11 @@ rule_print(struct fw3_ipt_rule *r, const char *chain)
  
         debug(r->h, "-A %s", chain);
  
  
         debug(r->h, "-A %s", chain);
  
+#ifndef DISABLE_IPV6
         if (r->h->family == FW3_FAMILY_V6)
                 rule_print6(&r->e6);
         else
         if (r->h->family == FW3_FAMILY_V6)
                 rule_print6(&r->e6);
         else
+#endif
                 rule_print4(&r->e);
  
         for (rm = r->matches; rm; rm = rm->next)
                 rule_print4(&r->e);
  
         for (rm = r->matches; rm; rm = rm->next)
@@ -1109,7 +1144,6 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
         struct xtables_target *et;
         struct xtables_globals *g;
         struct ipt_entry *e;
         struct xtables_target *et;
         struct xtables_globals *g;
         struct ipt_entry *e;
-       struct ip6t_entry *e6;
  
         int i, optc;
         bool inv = false;
  
         int i, optc;
         bool inv = false;
@@ -1181,8 +1215,11 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
         if (fw3_pr_debug)
                 rule_print(r, buf);
  
         if (fw3_pr_debug)
                 rule_print(r, buf);
  
+#ifndef DISABLE_IPV6
         if (r->h->family == FW3_FAMILY_V6)
         {
         if (r->h->family == FW3_FAMILY_V6)
         {
+               struct ip6t_entry *e6;
+
                 s = XT_ALIGN(sizeof(struct ip6t_entry));
  
                 for (m = r->matches; m; m = m->next)
                 s = XT_ALIGN(sizeof(struct ip6t_entry));
  
                 for (m = r->matches; m; m = m->next)
@@ -1208,6 +1245,7 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
                 free(e6);
         }
         else
                 free(e6);
         }
         else
+#endif
         {
                 s = XT_ALIGN(sizeof(struct ipt_entry));
  
         {
                 s = XT_ALIGN(sizeof(struct ipt_entry));
  
diff --git a/iptables.h b/iptables.h

index 51c63d0..3237a4a 100644 (file)
--- a/iptables.h
+++ b/iptables.h
@@ -63,11 +63,18 @@
         __ipt_module(SNAT)                      \
         __ipt_module(TCPMSS)
  
         __ipt_module(SNAT)                      \
         __ipt_module(TCPMSS)
  
+#ifdef DISABLE_IPV6
+#undef __ipt_module
+#define __ipt_module(x) \
+       extern void libxt_##x##_init(void) __attribute__((weak)); \
+       extern void libipt_##x##_init(void) __attribute__((weak));
+#else
  #undef __ipt_module
  #define __ipt_module(x) \
         extern void libxt_##x##_init(void) __attribute__((weak)); \
         extern void libipt_##x##_init(void) __attribute__((weak)); \
         extern void libip6t_##x##_init(void) __attribute__((weak));
  #undef __ipt_module
  #define __ipt_module(x) \
         extern void libxt_##x##_init(void) __attribute__((weak)); \
         extern void libipt_##x##_init(void) __attribute__((weak)); \
         extern void libip6t_##x##_init(void) __attribute__((weak));
+#endif
  
  FW3_IPT_MODULES
  
  
  FW3_IPT_MODULES
  
diff --git a/main.c b/main.c

index 5897588..8b10d08 100644 (file)
--- a/main.c
+++ b/main.c
@@ -489,9 +489,18 @@ int main(int argc, char **argv)
         if (!strcmp(argv[optind], "print"))
         {
                 if (family == FW3_FAMILY_ANY)
         if (!strcmp(argv[optind], "print"))
         {
                 if (family == FW3_FAMILY_ANY)
+               {
                         family = FW3_FAMILY_V4;
                         family = FW3_FAMILY_V4;
-               else if (family == FW3_FAMILY_V6 && defs->disable_ipv6)
-                       warn("IPv6 rules globally disabled in configuration");
+               }
+               else if (family == FW3_FAMILY_V6)
+               {
+                       if (defs->disable_ipv6)
+                               warn("IPv6 rules globally disabled in configuration");
+#ifdef DISABLE_IPV6
+                       else
+                               warn("IPv6 support is not compiled in");
+#endif
+               }
  
                 freopen("/dev/null", "w", stderr);
  
  
                 freopen("/dev/null", "w", stderr);
author	Jo-Philipp Wich <jow@openwrt.org>
	Mon, 27 May 2013 14:50:50 +0000 (16:50 +0200)
committer	Jo-Philipp Wich <jow@openwrt.org>
	Mon, 27 May 2013 15:06:24 +0000 (17:06 +0200)
CMakeLists.txt		patch \| blob \| history
iptables.c		patch \| blob \| history
iptables.h		patch \| blob \| history
main.c		patch \| blob \| history