xtables-addons: bump 3.30 and fix LUA build on 6.18

graysky2 · graysky2 · commit 72241343d72b · 2026-01-03T12:31:54.000-05:00
This upstream release allows clean builds against linux 6.18. Fix LUA
PacketScript build on 6.18 by switching to ccflags-y and restoring the
required -isystem include path. Remove compat_xtables since the module
no longer exists in 3.30 and drop all dependent kmod references.

Fix CI build failure with backport:
600-xt_pknock-fox-do_div-signness-mismatch.patch

Note that upstream tarball changed from xz to zst.

Signed-off-by: John Audia &lt;therealgraysky@proton.me&gt;
diff --git a/net/xtables-addons/Makefile b/net/xtables-addons/Makefile
@@ -7,11 +7,11 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=xtables-addons
-PKG_VERSION:=3.27
-PKG_RELEASE:=3
-PKG_HASH:=e47ea8febe73c12ecab09d2c93578c5dc72d76f17fdf673397758f519cce6828
+PKG_VERSION:=3.30
+PKG_RELEASE:=1
+PKG_HASH:=d43400322980390180bef05eb6f798af49285987c217b7f1c6332da74920d9a4
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.zst
 PKG_SOURCE_URL:=https://inai.de/files/xtables-addons/
 PKG_BUILD_DEPENDS:=iptables
 
@@ -205,32 +205,29 @@ define KernelPackage/nf-nathelper-rtsp
 endef
 
 
-#$(eval $(call BuildTemplate,SUFFIX,DESCRIPTION,EXTENSION,MODULE,DEPENDS))
-
-$(eval $(call BuildTemplate,compat-xtables,API compatibility layer,,compat_xtables,+IPV6:kmod-ip6tables))
-
-$(eval $(call BuildTemplate,account,ACCOUNT,xt_ACCOUNT,ACCOUNT/xt_ACCOUNT,+kmod-ipt-compat-xtables))
+# compat_xtables removed (module no longer exists in 3.30)
+$(eval $(call BuildTemplate,account,ACCOUNT,xt_ACCOUNT,ACCOUNT/xt_ACCOUNT,))
 $(eval $(call BuildTemplate,asn,asn,xt_asn,xt_asn,))
-$(eval $(call BuildTemplate,chaos,CHAOS,xt_CHAOS,xt_CHAOS,+kmod-ipt-compat-xtables +kmod-ipt-delude +kmod-ipt-tarpit))
+$(eval $(call BuildTemplate,chaos,CHAOS,xt_CHAOS,xt_CHAOS,+kmod-ipt-delude +kmod-ipt-tarpit))
 $(eval $(call BuildTemplate,condition,Condition,xt_condition,xt_condition,))
-$(eval $(call BuildTemplate,delude,DELUDE,xt_DELUDE,xt_DELUDE,+kmod-ipt-compat-xtables))
-$(eval $(call BuildTemplate,dhcpmac,DHCPMAC,xt_DHCPMAC,xt_DHCPMAC,+kmod-ipt-compat-xtables))
-$(eval $(call BuildTemplate,dnetmap,DNETMAP,xt_DNETMAP,xt_DNETMAP,+kmod-ipt-compat-xtables +kmod-ipt-nat))
+$(eval $(call BuildTemplate,delude,DELUDE,xt_DELUDE,xt_DELUDE,))
+$(eval $(call BuildTemplate,dhcpmac,DHCPMAC,xt_DHCPMAC,xt_DHCPMAC,))
+$(eval $(call BuildTemplate,dnetmap,DNETMAP,xt_DNETMAP,xt_DNETMAP,+kmod-ipt-nat))
 $(eval $(call BuildTemplate,fuzzy,fuzzy,xt_fuzzy,xt_fuzzy,))
 $(eval $(call BuildTemplate,geoip,geoip,xt_geoip,xt_geoip,))
 $(eval $(call BuildTemplate,iface,iface,xt_iface,xt_iface,))
-$(eval $(call BuildTemplate,ipmark,IPMARK,xt_IPMARK,xt_IPMARK,+kmod-ipt-compat-xtables))
-$(eval $(call BuildTemplate,ipp2p,IPP2P,xt_ipp2p,xt_ipp2p,+kmod-ipt-compat-xtables +kmod-lib-textsearch))
+$(eval $(call BuildTemplate,ipmark,IPMARK,xt_IPMARK,xt_IPMARK,))
+$(eval $(call BuildTemplate,ipp2p,IPP2P,xt_ipp2p,xt_ipp2p,+kmod-lib-textsearch))
 $(eval $(call BuildTemplate,ipv4options,ipv4options,xt_ipv4options,xt_ipv4options,))
-$(eval $(call BuildTemplate,length2,length2,xt_length2,xt_length2,+kmod-ipt-compat-xtables))
-$(eval $(call BuildTemplate,logmark,LOGMARK,xt_LOGMARK,xt_LOGMARK,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,length2,length2,xt_length2,xt_length2,))
+$(eval $(call BuildTemplate,logmark,LOGMARK,xt_LOGMARK,xt_LOGMARK,))
 $(eval $(call BuildTemplate,lscan,lscan,xt_lscan,xt_lscan,))
 $(eval $(call BuildTemplate,lua,Lua PacketScript,xt_LUA,LUA/xt_LUA,+kmod-ipt-conntrack-extra))
 $(eval $(call BuildTemplate,proto,PROTO,xt_PROTO,xt_PROTO,))
 $(eval $(call BuildTemplate,psd,psd,xt_psd,xt_psd,))
 $(eval $(call BuildTemplate,quota2,quota2,xt_quota2,xt_quota2,))
-$(eval $(call BuildTemplate,sysrq,SYSRQ,xt_SYSRQ,xt_SYSRQ,+kmod-ipt-compat-xtables +kmod-crypto-hash))
-$(eval $(call BuildTemplate,tarpit,TARPIT,xt_TARPIT,xt_TARPIT,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,sysrq,SYSRQ,xt_SYSRQ,xt_SYSRQ,+kmod-crypto-hash))
+$(eval $(call BuildTemplate,tarpit,TARPIT,xt_TARPIT,xt_TARPIT,))
 
 $(eval $(call BuildPackage,iptaccount))
 $(eval $(call BuildPackage,iptasn))
diff --git a/net/xtables-addons/patches/100-add-rtsp-conntrack.patch b/net/xtables-addons/patches/100-add-rtsp-conntrack.patch
@@ -1737,7 +1737,7 @@
  -include ${M}/Kbuild.*
 --- a/mconfig
 +++ b/mconfig
-@@ -24,3 +24,4 @@ build_lscan=m
+@@ -26,3 +26,4 @@ build_lscan=m
  build_pknock=m
  build_psd=m
  build_quota2=m
diff --git a/net/xtables-addons/patches/200-add-lua-packetscript.patch b/net/xtables-addons/patches/200-add-lua-packetscript.patch
@@ -1038,58 +1038,61 @@
 +#endif /* CONTROLLER_H_ */
 --- /dev/null
 +++ b/extensions/LUA/Kbuild
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,54 @@
 +# -*- Makefile -*-
 +
 +# Adding debug options
-+EXTRA_CFLAGS += -DDEBUG
++ccflags-y += -DDEBUG
 +
 +obj-m += xt_LUA.o
 +
-+EXTRA_CFLAGS += -I$(src)/prot_buf_new
++ccflags-y += -I$(src)/prot_buf_new
++
 +xt_LUA-y += xt_LUA_target.o \
 +
 +xt_LUA-y += nf_lua.o \
-+			prot_buf_helpers.o \
-+			byte_array.o \
-+			controller.o \
-+			prot_buf_ethernet.o \
-+			prot_buf_icmp.o \
-+			prot_buf_ip.o \
-+			prot_buf_raw.o \
-+			prot_buf_tcp.o \
-+			prot_buf_udp.o \
-+			prot_buf_tftp.o \
-+			prot_buf_dynamic.o \
++                       prot_buf_helpers.o \
++                       byte_array.o \
++                       controller.o \
++                       prot_buf_ethernet.o \
++                       prot_buf_icmp.o \
++                       prot_buf_ip.o \
++                       prot_buf_raw.o \
++                       prot_buf_tcp.o \
++                       prot_buf_udp.o \
++                       prot_buf_tftp.o \
++                       prot_buf_dynamic.o \
 +
 +
 +# Enable <stddef.h> <stdarg.h>
-+EXTRA_CFLAGS += -isystem $(shell $(CC) -print-file-name=include)
-+# Adding Lua Support
-+EXTRA_CFLAGS += -I$(src)/lua -I$(src)/lua/include 
++ccflags-y += -I$(src)/prot_buf_new
++# Adding Lua Support (embedded Lua and libc shims)
++ccflags-y += -I$(src)/lua -I$(src)/lua/include
++ccflags-y += -isystem $(shell $(CC) -print-file-name=include)
++
 +xt_LUA-y += lua/lapi.o \
-+			lua/lbaselib.o \
-+			lua/lcode.o \
-+			lua/ldebug.o \
-+			lua/ldo.o \
-+			lua/ldump.o \
-+			lua/lfunc.o \
-+			lua/lgc.o \
-+			lua/llex.o \
-+			lua/lmem.o \
-+			lua/lobject.o \
-+			lua/lopcodes.o \
-+			lua/lparser.o \
-+			lua/lstate.o \
-+			lua/lstring.o \
-+			lua/lstrlib.o \
-+			lua/ltable.o \
-+			lua/ltablib.o \
-+			lua/ltm.o \
-+			lua/lundump.o \
-+			lua/lvm.o \
-+			lua/lzio.o \
-+			lua/lauxlib.o \
++                       lua/lbaselib.o \
++                       lua/lcode.o \
++                       lua/ldebug.o \
++                       lua/ldo.o \
++                       lua/ldump.o \
++                       lua/lfunc.o \
++                       lua/lgc.o \
++                       lua/llex.o \
++                       lua/lmem.o \
++                       lua/lobject.o \
++                       lua/lopcodes.o \
++                       lua/lparser.o \
++                       lua/lstate.o \
++                       lua/lstring.o \
++                       lua/lstrlib.o \
++                       lua/ltable.o \
++                       lua/ltablib.o \
++                       lua/ltm.o \
++                       lua/lundump.o \
++                       lua/lvm.o \
++                       lua/lzio.o \
++                       lua/lauxlib.o \
 --- /dev/null
 +++ b/extensions/LUA/libxt_LUA.c
 @@ -0,0 +1,191 @@
@@ -18169,7 +18172,7 @@
 +obj-${build_LUA}         += LUA/
 --- a/mconfig
 +++ b/mconfig
-@@ -25,3 +25,4 @@ build_pknock=m
+@@ -27,3 +27,4 @@ build_pknock=m
  build_psd=m
  build_quota2=m
  build_rtsp=m
diff --git a/net/xtables-addons/patches/300-fix-path-Makefile.extra.patch b/net/xtables-addons/patches/300-fix-path-Makefile.extra.patch
diff --git a/net/xtables-addons/patches/600-xt_pknock-fox-do_div-signness-mismatch.patch b/net/xtables-addons/patches/600-xt_pknock-fox-do_div-signness-mismatch.patch
@@ -0,0 +1,42 @@
+From 3c5c336fc0e47fea9baa912fc8d314ae9d1fa521 Mon Sep 17 00:00:00 2001
+From: Qingfang Deng <dqfext@gmail.com>
+Date: Mon, 29 Dec 2025 07:26:07 +0100
+Subject: [PATCH] xt_pknock: fix do_div() signness mismatch
+
+do_div() expects an unsigned 64-bit dividend, but time64_t is signed. On
+32-bit arch, this triggers a warnning:
+
+In file included from ./arch/arm/include/asm/div64.h:107,
+                 from ./include/linux/math.h:6,
+                 from ./include/linux/math64.h:6,
+                 from ./include/linux/time.h:6,
+                 from ./include/linux/stat.h:19,
+                 from ./include/linux/module.h:13,
+                 from ./xtables-addons-3.30/extensions/pknock/xt_pknock.c:10:
+./xtables-addons-3.30/extensions/pknock/xt_pknock.c: In function 'has_secret':
+./include/asm-generic/div64.h:222:35: warning: comparison of distinct pointer types lacks a cast [-Wcompare-distinct-pointer-types]
+  222 |         (void)(((typeof((n)) *)0) == ((uint64_t *)0));  \
+      |                                   ^~
+./xtables-addons-3.30/extensions/pknock/xt_pknock.c:747:17: note: in expansion of macro 'do_div'
+  747 |                 do_div(t, 60);
+      |
+
+Change the type of variable `t` to uint64_t to fix this.
+
+Fixes: 397b282dba9a ("xt_pknock: use walltime for building hash")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+---
+ extensions/pknock/xt_pknock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/extensions/pknock/xt_pknock.c
++++ b/extensions/pknock/xt_pknock.c
+@@ -743,7 +743,7 @@ has_secret(const unsigned char *secret,
+ 
+ 	/* Time needs to be in minutes relative to epoch. */
+ 	{
+-		time64_t t = ktime_get_real_seconds();
++		uint64_t t = ktime_get_real_seconds();
+ 		do_div(t, 60);
+ 		epoch_min = t;
+ 	}
