From 98e43b13a7f0f747d4625ba0209ba37ae22f3b48 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Wed, 22 Mar 2017 16:02:09 +0100
Subject: [PATCH] iptables: bump to 1.6.1

Switch to git repo
Removed musl patch
Refreshed existing patch

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
---
 package/network/utils/iptables/Makefile       |  36 +++--
 .../020-iptables-disable-modprobe.patch       |   4 +-
 .../patches/030-no-libnfnetlink.patch         |  94 -------------
 .../iptables/patches/050-optional-xml.patch   |   2 +-
 .../iptables/patches/100-bash-location.patch  |   8 --
 .../patches/200-configurable_builtin.patch    |  45 +++++--
 .../iptables/patches/300-musl_fixes.patch     | 127 ------------------
 .../iptables/patches/600-shared-libext.patch  |  40 +++---
 .../700-disable-legacy-revisions.patch        |  51 +++----
 9 files changed, 103 insertions(+), 304 deletions(-)
 delete mode 100644 package/network/utils/iptables/patches/030-no-libnfnetlink.patch
 delete mode 100644 package/network/utils/iptables/patches/100-bash-location.patch
 delete mode 100644 package/network/utils/iptables/patches/300-musl_fixes.patch

diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index ac869f0385..2fef0aba19 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -9,17 +9,16 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=iptables
-PKG_VERSION:=1.4.21
-PKG_RELEASE:=2
+PKG_VERSION:=1.6.1
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
-	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
-	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
-	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-PKG_HASH:=52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://git.netfilter.org/iptables
+PKG_SOURCE_VERSION:=7df66f1c13563cfbab75246b009ce36f69ee4487
+PKG_MIRROR_HASH:=22f15ef41fd8e3724bedcee666b7b6a3491d2d038d580ef1fb032718dcb73f14
 
 PKG_FIXUP:=autoreconf
+
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0
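Review bot: `PKG_SOURCE_VERSION` is a bare commit id while `PKG_VERSION` claims 1.6.1, and nothing in this hunk or the commit message records whether that commit is the upstream release tag or a later snapshot of the tree. Now that the source is a git checkout instead of a released tarball, this is the only provenance a later auditor has. A one-line comment above it would settle that, for example `# upstream commit of <TAG_OR_SNAPSHOT>; regenerate PKG_MIRROR_HASH whenever this changes`. The blank line added after `PKG_FIXUP:=autoreconf` looks unintentional and could be dropped.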
@@ -51,6 +50,20 @@ $(call Package/iptables/Default)
   DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
 endef
 
+define Package/iptables/config
+  config IPTABLES_CONNLABEL
+	bool "Enable Connlabel support"
+	default n
+	help
+		This enable connlabel support in iptables.
+
+  config IPTABLES_NFTABLES
+	bool "Enable Nftables support"
+	default n
+	help
+		This enable nftables support in iptables.
+endef
+
 define Package/iptables/description
 IP firewall administration tool.
 
@@ -413,6 +426,9 @@ define Package/libxtables
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4/IPv6 firewall - shared xtables library
+ DEPENDS:= \
+	+IPTABLES_CONNLABEL:libnetfilter-conntrack \
+	+IPTABLES_NFTABLES:libnfnetlink
 endef
 
 TARGET_CPPFLAGS := \
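Review bot: `+IPTABLES_NFTABLES:libnfnetlink` looks like the wrong dependency for the nftables switch. As far as I know, upstream's nftables backend is checked against libmnl and libnftnl at configure time, so enabling `IPTABLES_NFTABLES` with only libnfnetlink staged would probably stop in configure; please confirm against upstream `configure.ac`. If that holds, the line should read `+IPTABLES_NFTABLES:libnftnl`, with libmnl added if it is not pulled in transitively. The symbols are declared under `Package/iptables/config` but consumed here in `Package/libxtables`, so it is worth checking that they are visible when libxtables is selected without iptables.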
@@ -431,10 +447,12 @@ TARGET_LDFLAGS += \
 
 CONFIGURE_ARGS += \
 	--enable-shared \
+	--enable-static \
 	--enable-devel \
 	--with-kernel="$(LINUX_DIR)/user_headers" \
 	--with-xtlibdir=/usr/lib/iptables \
-	--enable-static \
+	$(if $(CONFIG_IPTABLES_CONNLABEL),,--disable-connlabel) \
+	$(if $(CONFIG_IPTABLES_NFTABLES),,--disable-nftables) \
 	$(if $(CONFIG_IPV6),,--disable-ipv6)
 
 MAKE_FLAGS := \
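Review bot: The two new `$(if $(CONFIG_IPTABLES_...),,--disable-...)` arguments make the configure line depend on config symbols, but no visible hunk adds them to `PKG_CONFIG_DEPENDS`. If that variable does not already list them elsewhere in the Makefile, toggling either option leaves a stale build with the previous feature set. I would add `PKG_CONFIG_DEPENDS += CONFIG_IPTABLES_CONNLABEL CONFIG_IPTABLES_NFTABLES`. Separately, this commit deletes 030-no-libnfnetlink.patch, so libnfnetlink detection goes back to whatever pkg-config finds in the staging directory. For a firewall package the result should not vary with build order, so that detection probably wants pinning as well.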
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
index 2b6c57ec9e..4add4ea5f3 100644
--- a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -1,6 +1,6 @@
 --- a/libxtables/xtables.c
 +++ b/libxtables/xtables.c
-@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+@@ -355,6 +355,7 @@ static char *get_modprobe(void)
  
  int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
  {
@@ -8,7 +8,7 @@
  	char *buf = NULL;
  	char *argv[4];
  	int status;
-@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname, 
+@@ -395,6 +396,7 @@ int xtables_insmod(const char *modname,
  	free(buf);
  	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
  		return 0;
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
deleted file mode 100644
index 50542ac0b5..0000000000
--- a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
+++ /dev/null
@@ -1,94 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -12367,77 +12367,7 @@ fi
- fi
- 
- 
--pkg_failed=no
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
--$as_echo_n "checking for libnfnetlink... " >&6; }
--
--if test -n "$libnfnetlink_CFLAGS"; then
--    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
-- elif test -n "$PKG_CONFIG"; then
--    if test -n "$PKG_CONFIG" && \
--    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
--  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
--  ac_status=$?
--  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
--  test $ac_status = 0; }; then
--  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
--		      test "x$?" != "x0" && pkg_failed=yes
--else
--  pkg_failed=yes
--fi
-- else
--    pkg_failed=untried
--fi
--if test -n "$libnfnetlink_LIBS"; then
--    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
-- elif test -n "$PKG_CONFIG"; then
--    if test -n "$PKG_CONFIG" && \
--    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
--  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
--  ac_status=$?
--  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
--  test $ac_status = 0; }; then
--  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
--		      test "x$?" != "x0" && pkg_failed=yes
--else
--  pkg_failed=yes
--fi
-- else
--    pkg_failed=untried
--fi
--
--
--
--if test $pkg_failed = yes; then
--   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--
--if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
--        _pkg_short_errors_supported=yes
--else
--        _pkg_short_errors_supported=no
--fi
--        if test $_pkg_short_errors_supported = yes; then
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
--        else
--	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
--        fi
--	# Put the nasty error message in config.log where it belongs
--	echo "$libnfnetlink_PKG_ERRORS" >&5
--
--	nfnetlink=0
--elif test $pkg_failed = untried; then
--     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--	nfnetlink=0
--else
--	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
--	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
--        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--	nfnetlink=1
--fi
-- if test "$nfnetlink" = 1; then
-+if false; then
-   HAVE_LIBNFNETLINK_TRUE=
-   HAVE_LIBNFNETLINK_FALSE='#'
- else
---- a/configure.ac
-+++ b/configure.ac
-@@ -111,9 +111,7 @@ if test "x$enable_bpfc" = "xyes" || test
- 	AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
- fi
- 
--PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
--	[nfnetlink=1], [nfnetlink=0])
--AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
-+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
- 
- regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
- 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git a/package/network/utils/iptables/patches/050-optional-xml.patch b/package/network/utils/iptables/patches/050-optional-xml.patch
index 11311ddb47..b782bbf13a 100644
--- a/package/network/utils/iptables/patches/050-optional-xml.patch
+++ b/package/network/utils/iptables/patches/050-optional-xml.patch
@@ -1,6 +1,6 @@
 --- a/iptables/xtables-multi.c
 +++ b/iptables/xtables-multi.c
-@@ -22,8 +22,10 @@ static const struct subcommand multi_sub
+@@ -26,8 +26,10 @@ static const struct subcommand multi_sub
  	{"iptables-restore",    iptables_restore_main},
  	{"restore4",            iptables_restore_main},
  #endif
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
deleted file mode 100644
index 02ee45ba1e..0000000000
--- a/package/network/utils/iptables/patches/100-bash-location.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/iptables/iptables-apply
-+++ b/iptables/iptables-apply
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- #
- # iptables-apply -- a safer way to update iptables remotely
- #
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
index d35bc5a85d..9c53c2bfed 100644
--- a/package/network/utils/iptables/patches/200-configurable_builtin.patch
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -1,58 +1,75 @@
 --- a/extensions/GNUmakefile.in
 +++ b/extensions/GNUmakefile.in
-@@ -45,9 +45,24 @@ pfx_symlinks  := NOTRACK state
- pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
- pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
- pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+@@ -50,11 +50,31 @@ pfb_build_mod := $(filter-out @blacklist
+ pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
 -pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
+-pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})
 -pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
 -pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
-+
 +ifdef BUILTIN_MODULES
 +pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pfb_build_static := $(filter $(BUILTIN_MODULES),${pfb_build_mod})
++pfa_build_static := $(filter $(BUILTIN_MODULES),${pfa_build_mod})
 +pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
 +pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
 +else
 +@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pfb_build_static := $(pfb_build_mod)
++@ENABLE_STATIC_TRUE@ pfa_build_static := $(pfa_build_mod)
 +@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
 +@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
 +endif
 +
 +pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pfb_build_mod := $(filter-out $(pfb_build_static),$(pfb_build_mod))
++pfa_build_mod := $(filter-out $(pfa_build_static),$(pfa_build_mod))
 +pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
 +pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
 +
 +pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_static})
++pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_static})
 +pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
 +pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
  pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
- pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
- pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -58,11 +73,11 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+ pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
+ pfa_solibs    := $(patsubst %,libarpt_%.so,${pfa_build_mod})
+@@ -67,13 +87,13 @@ pf6_solibs    := $(patsubst %,libip6t_%.
  #
- targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
  targets_install :=
 -@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs}
+-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
 -@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
 -@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
--@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
 +libext_objs := ${pfx_objs}
++libext_ebt_objs := ${pfb_objs}
++libext_arpt_objs := ${pfa_objs}
 +libext4_objs := ${pf4_objs}
 +libext6_objs := ${pf6_objs}
-+targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
++targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
  
  .SECONDARY:
  
-@@ -126,9 +141,9 @@ libext4.a: initext4.o ${libext4_objs}
+@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
  libext6.a: initext6.o ${libext6_objs}
  	${AM_VERBOSE_AR} ${AR} crs $@ $^;
  
 -initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initextb_func := $(addprefix ebt_,${pfb_build_mod})
+-initexta_func := $(addprefix arpt_,${pfa_build_mod})
 -initext4_func := $(addprefix ipt_,${pf4_build_mod})
 -initext6_func := $(addprefix ip6t_,${pf6_build_mod})
 +initext_func  := $(addprefix xt_,${pfx_build_static})
++initextb_func := $(addprefix ebt_,${pfb_build_static})
++initexta_func := $(addprefix arpt_,${pfa_build_static})
 +initext4_func := $(addprefix ipt_,${pf4_build_static})
 +initext6_func := $(addprefix ip6t_,${pf6_build_static})
  
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch b/package/network/utils/iptables/patches/300-musl_fixes.patch
deleted file mode 100644
index a78eda775d..0000000000
--- a/package/network/utils/iptables/patches/300-musl_fixes.patch
+++ /dev/null
@@ -1,127 +0,0 @@
---- a/extensions/libip6t_ipv6header.c
-+++ b/extensions/libip6t_ipv6header.c
-@@ -10,6 +10,9 @@ on whether they contain certain headers 
- #include <netdb.h>
- #include <xtables.h>
- #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
-+#ifndef IPPROTO_HOPOPTS
-+#	define IPPROTO_HOPOPTS 0
-+#endif
- 
- enum {
- 	O_HEADER = 0,
---- a/extensions/libxt_TCPOPTSTRIP.c
-+++ b/extensions/libxt_TCPOPTSTRIP.c
-@@ -12,6 +12,21 @@
- #ifndef TCPOPT_MD5SIG
- #	define TCPOPT_MD5SIG 19
- #endif
-+#ifndef TCPOPT_MAXSEG
-+#	define TCPOPT_MAXSEG 2
-+#endif
-+#ifndef TCPOPT_WINDOW
-+#	define TCPOPT_WINDOW 3
-+#endif
-+#ifndef TCPOPT_SACK_PERMITTED
-+#	define TCPOPT_SACK_PERMITTED 4
-+#endif
-+#ifndef TCPOPT_SACK
-+#	define TCPOPT_SACK 5
-+#endif
-+#ifndef TCPOPT_TIMESTAMP
-+#	define TCPOPT_TIMESTAMP 8
-+#endif
- 
- enum {
- 	O_STRIP_OPTION = 0,
---- a/include/libiptc/ipt_kernel_headers.h
-+++ b/include/libiptc/ipt_kernel_headers.h
-@@ -5,7 +5,6 @@
- 
- #include <limits.h>
- 
--#if defined(__GLIBC__) && __GLIBC__ == 2
- #include <netinet/ip.h>
- #include <netinet/in.h>
- #include <netinet/ip_icmp.h>
-@@ -13,15 +12,4 @@
- #include <netinet/udp.h>
- #include <net/if.h>
- #include <sys/types.h>
--#else /* libc5 */
--#include <sys/socket.h>
--#include <linux/ip.h>
--#include <linux/in.h>
--#include <linux/if.h>
--#include <linux/icmp.h>
--#include <linux/tcp.h>
--#include <linux/udp.h>
--#include <linux/types.h>
--#include <linux/in6.h>
--#endif
- #endif
---- a/include/linux/netfilter_ipv4/ip_tables.h
-+++ b/include/linux/netfilter_ipv4/ip_tables.h
-@@ -16,6 +16,7 @@
- #define _IPTABLES_H
- 
- #include <linux/types.h>
-+#include <sys/types.h>
- 
- #include <linux/netfilter_ipv4.h>
- 
---- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -9,7 +9,7 @@
-  */
- 
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
---- a/iptables/ip6tables-save.c
-+++ b/iptables/ip6tables-save.c
-@@ -6,7 +6,7 @@
-  * This code is distributed under the terms of GNU GPL v2
-  */
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -6,7 +6,7 @@
-  */
- 
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdbool.h>
- #include <string.h>
- #include <stdio.h>
---- a/iptables/iptables-save.c
-+++ b/iptables/iptables-save.c
-@@ -6,7 +6,7 @@
-  *
-  */
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
---- a/iptables/iptables-xml.c
-+++ b/iptables/iptables-xml.c
-@@ -7,7 +7,7 @@
-  */
- 
- #include <getopt.h>
--#include <sys/errno.h>
-+#include <errno.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
index 92f5485399..2071ebd868 100644
--- a/package/network/utils/iptables/patches/600-shared-libext.patch
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -1,17 +1,15 @@
-Index: iptables-1.4.21/extensions/GNUmakefile.in
-===================================================================
---- iptables-1.4.21.orig/extensions/GNUmakefile.in
-+++ iptables-1.4.21/extensions/GNUmakefile.in
-@@ -71,7 +71,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -85,7 +85,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
  #
  # Building blocks
  #
--targets := libext.a libext4.a libext6.a matches.man targets.man
-+targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+-targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so libiptext_ebt.so libiptext_arpt.so matches.man targets.man
  targets_install :=
  libext_objs := ${pfx_objs}
- libext4_objs := ${pf4_objs}
-@@ -96,7 +96,7 @@ clean:
+ libext_ebt_objs := ${pfb_objs}
+@@ -112,7 +112,7 @@ clean:
  distclean: clean
  
  init%.o: init%.c
@@ -20,7 +18,7 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
  
  -include .*.d
  
-@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
  #	handling code in the Makefiles.
  #
  lib%.o: ${srcdir}/lib%.c
@@ -32,6 +30,16 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
 +libiptext.so: initext.o ${libext_objs}
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
  
+-libext_ebt.a: initextb.o ${libext_ebt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext_ebt.so: initextb.o ${libext_ebt__objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+-libext_arpt.a: initexta.o ${libext_arpt_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext_arpt.so: initexta.o ${libext_arpt__objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
 -libext4.a: initext4.o ${libext4_objs}
 -	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 +libiptext4.so: initext4.o ${libext4_objs}
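Review bot: The two new rules name their prerequisites `${libext_ebt__objs}` and `${libext_arpt__objs}`, with a doubled underscore. The removed upstream rules in this same hunk, and 200-configurable_builtin.patch, use `libext_ebt_objs` and `libext_arpt_objs`. Make expands an undefined variable to the empty string without a warning, so `libiptext_ebt.so` and `libiptext_arpt.so` would be linked from `initextb.o` / `initexta.o` alone and the builtin ebt/arpt extension objects would be silently left out. The lines should read `+libiptext_ebt.so: initextb.o ${libext_ebt_objs}` and `+libiptext_arpt.so: initexta.o ${libext_arpt_objs}`.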
@@ -43,12 +51,10 @@ Index: iptables-1.4.21/extensions/GNUmakefile.in
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
  
  initext_func  := $(addprefix xt_,${pfx_build_static})
- initext4_func := $(addprefix ipt_,${pf4_build_static})
-Index: iptables-1.4.21/iptables/Makefile.am
-===================================================================
---- iptables-1.4.21.orig/iptables/Makefile.am
-+++ iptables-1.4.21/iptables/Makefile.am
-@@ -5,7 +5,8 @@ AM_CPPFLAGS      = ${regular_CPPFLAGS} -
+ initextb_func := $(addprefix ebt_,${pfb_build_static})
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -8,7 +8,8 @@ BUILT_SOURCES =
  
  xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
  xtables_multi_CFLAGS   = ${AM_CFLAGS}
@@ -58,7 +64,7 @@ Index: iptables-1.4.21/iptables/Makefile.am
  if ENABLE_STATIC
  xtables_multi_CFLAGS  += -DALL_INCLUSIVE
  endif
-@@ -13,13 +14,15 @@ if ENABLE_IPV4
+@@ -16,13 +17,15 @@ if ENABLE_IPV4
  xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
                           iptables-standalone.c iptables.c
  xtables_multi_CFLAGS  += -DENABLE_IPV4
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
index 342c3b013a..6800ca5ece 100644
--- a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -1,8 +1,6 @@
-Index: iptables-1.4.21/extensions/libxt_conntrack.c
-===================================================================
---- iptables-1.4.21.orig/extensions/libxt_conntrack.c
-+++ iptables-1.4.21/extensions/libxt_conntrack.c
-@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -1397,6 +1397,7 @@ static int conntrack3_mt6_xlate(struct x
  }
  
  static struct xtables_match conntrack_mt_reg[] = {
@@ -10,7 +8,7 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
  	{
  		.version       = XTABLES_VERSION,
  		.name          = "conntrack",
-@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+@@ -1472,6 +1473,7 @@ static struct xtables_match conntrack_mt
  		.alias	       = conntrack_print_name_alias,
  		.x6_options    = conntrack2_mt_opts,
  	},
@@ -18,31 +16,24 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
  	{
  		.version       = XTABLES_VERSION,
  		.name          = "conntrack",
-@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
- 		.alias	       = conntrack_print_name_alias,
+@@ -1504,6 +1506,7 @@ static struct xtables_match conntrack_mt
  		.x6_options    = conntrack3_mt_opts,
+ 		.xlate	       = conntrack3_mt6_xlate,
  	},
 +#ifndef NO_LEGACY
  	{
  		.family        = NFPROTO_UNSPEC,
  		.name          = "state",
-@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+@@ -1534,6 +1537,8 @@ static struct xtables_match conntrack_mt
  		.x6_parse      = state_ct23_parse,
  		.x6_options    = state_opts,
  	},
 +#endif
- 	{
- 		.family        = NFPROTO_UNSPEC,
- 		.name          = "state",
-@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
- 		.x6_parse      = state_ct23_parse,
- 		.x6_options    = state_opts,
- 	},
 +#ifndef NO_LEGACY
  	{
  		.family        = NFPROTO_UNSPEC,
  		.name          = "state",
-@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+@@ -1563,6 +1568,7 @@ static struct xtables_match conntrack_mt
  		.x6_parse      = state_parse,
  		.x6_options    = state_opts,
  	},
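Review bot: The refreshed patch now places `#endif` directly followed by `#ifndef NO_LEGACY` after the entry ending in `.x6_parse = state_ct23_parse`. That pair is a no-op, so the guard effectively runs unbroken from the first `state` entry to the last one. The previous version of this patch left one `state` entry between the `#endif` and the next `#ifndef`, so judging from the hunk offsets a `NO_LEGACY` build would now drop every `state` match revision instead of only the old ones. If the package is built with `NO_LEGACY` (not visible in this diff), rulesets using `-m state` would fail to load, which on a firewall is worth ruling out before merging. I would move the second `#ifndef NO_LEGACY` back to after the newest `state` alias entry and add a short comment in the patch naming which revisions are intentionally kept.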
@@ -50,11 +41,9 @@ Index: iptables-1.4.21/extensions/libxt_conntrack.c
  };
  
  void _init(void)
-Index: iptables-1.4.21/extensions/libxt_CT.c
-===================================================================
---- iptables-1.4.21.orig/extensions/libxt_CT.c
-+++ iptables-1.4.21/extensions/libxt_CT.c
-@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+--- a/extensions/libxt_CT.c
++++ b/extensions/libxt_CT.c
+@@ -349,6 +349,7 @@ static void notrack_ct2_tg_init(struct x
  }
  
  static struct xtables_target ct_target_reg[] = {
@@ -62,7 +51,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
  	{
  		.family		= NFPROTO_UNSPEC,
  		.name		= "CT",
-@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+@@ -374,6 +375,7 @@ static struct xtables_target ct_target_r
  		.x6_parse	= ct_parse_v1,
  		.x6_options	= ct_opts_v1,
  	},
@@ -70,7 +59,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
  	{
  		.family		= NFPROTO_UNSPEC,
  		.name		= "CT",
-@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+@@ -388,6 +390,7 @@ static struct xtables_target ct_target_r
  		.x6_parse	= ct_parse_v1,
  		.x6_options	= ct_opts_v1,
  	},
@@ -78,7 +67,7 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
  	{
  		.family        = NFPROTO_UNSPEC,
  		.name          = "NOTRACK",
-@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+@@ -425,6 +428,7 @@ static struct xtables_target ct_target_r
  		.revision      = 0,
  		.version       = XTABLES_VERSION,
  	},
@@ -86,11 +75,9 @@ Index: iptables-1.4.21/extensions/libxt_CT.c
  };
  
  void _init(void)
-Index: iptables-1.4.21/extensions/libxt_multiport.c
-===================================================================
---- iptables-1.4.21.orig/extensions/libxt_multiport.c
-+++ iptables-1.4.21/extensions/libxt_multiport.c
-@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -571,6 +571,7 @@ static int multiport_xlate6_v1(struct xt
  }
  
  static struct xtables_match multiport_mt_reg[] = {
@@ -98,9 +85,9 @@ Index: iptables-1.4.21/extensions/libxt_multiport.c
  	{
  		.family        = NFPROTO_IPV4,
  		.name          = "multiport",
-@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
- 		.save          = multiport_save6,
+@@ -601,6 +602,7 @@ static struct xtables_match multiport_mt
  		.x6_options    = multiport_opts,
+ 		.xlate         = multiport_xlate6,
  	},
 +#endif
  	{
-- 
2.30.2