Squashed 'import-layers/meta-openembedded/' content from commit 247b126
Change-Id: I40827e9ce5fba63f1cca2a0be44976ae8383b4c0
git-subtree-dir: import-layers/meta-openembedded
git-subtree-split: 247b1267bbe95719cd4877d2d3cfbaf2a2f4865a
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.2.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.2.bb
new file mode 100644
index 0000000..7b11d20
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.2.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Connection tracking userspace tools for Linux"
+SECTION = "net"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libnfnetlink libnetfilter-conntrack libnetfilter-cttimeout \
+ libnetfilter-cthelper libnetfilter-queue bison-native"
+
+SRC_URI = " \
+ http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2;name=tar \
+ file://conntrack-failover \
+ file://init \
+ file://0001-conntrackd-build-fix-crash-when-optional-kernel-modu.patch \
+"
+SRC_URI[tar.md5sum] = "b1f9d006e7bf000a77395ff7cd3fac16"
+SRC_URI[tar.sha256sum] = "e5c423dc077f9ca8767eaa6cf40446943905711c6a8fe27f9cc1977d4d6aa11e"
+
+inherit autotools-brokensep update-rc.d pkgconfig
+
+INITSCRIPT_NAME = "conntrackd"
+
+do_install_append() {
+ install -d ${D}/${sysconfdir}/conntrackd
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0644 doc/sync/ftfw/conntrackd.conf ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
+ install -m 0755 ${WORKDIR}/conntrack-failover ${D}/${sysconfdir}/init.d/conntrack-failover
+ install -m 0755 ${WORKDIR}/init ${D}/${sysconfdir}/init.d/conntrackd
+
+ # Fix hardcoded paths in scripts
+ sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
+ sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
+ sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
+ sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd
+}
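Review bot: The upstream tarball in `SRC_URI` is fetched over plain `http://`, so the only protection against a tampered download is the `SRC_URI[tar.sha256sum]` pin; the md5sum beside it adds nothing on that front. If the upstream server offers TLS, prefer `https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2;name=tar` and keep the sha256 pin as the integrity check. The libmnl, libnetfilter-conntrack, libnetfilter-cthelper and libnetfilter-cttimeout recipes later in this commit use the same `http://www.netfilter.org/...` form.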
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/0001-conntrackd-build-fix-crash-when-optional-kernel-modu.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/0001-conntrackd-build-fix-crash-when-optional-kernel-modu.patch
new file mode 100644
index 0000000..a7ab6d6
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/0001-conntrackd-build-fix-crash-when-optional-kernel-modu.patch
@@ -0,0 +1,85 @@
+From c392c159605956c7bd4a264ab4490e2b2704c0cd Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 13 Jun 2014 12:53:17 +0200
+Subject: [PATCH] conntrackd: build: fix crash when optional kernel modules are
+ not loaded
+
+Upstream-Status: Backport
+
+Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic
+and the corresponding kernel modules that track this traffic are not
+available.
+
+Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/build.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/src/build.c b/src/build.c
+index 5799b51..9ba8b57 100644
+--- a/src/build.c
++++ b/src/build.c
+@@ -105,14 +105,14 @@ static enum nf_conntrack_attr nat_type[] =
+ ATTR_ORIG_NAT_SEQ_OFFSET_AFTER, ATTR_REPL_NAT_SEQ_CORRECTION_POS,
+ ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, ATTR_REPL_NAT_SEQ_OFFSET_AFTER };
+
++/* ICMP, UDP and TCP are always loaded with nf_conntrack_ipv4 */
+ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
+ {
+- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
+- sizeof(struct nfct_attr_grp_port));
+-
+ if (!nfct_attr_is_set(ct, ATTR_TCP_STATE))
+ return;
+
++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
++ sizeof(struct nfct_attr_grp_port));
+ ct_build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+ if (CONFIG(sync).tcp_window_tracking) {
+ ct_build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG);
+@@ -122,12 +122,12 @@ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
+
+ static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
+ {
+- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
+- sizeof(struct nfct_attr_grp_port));
+-
++ /* SCTP is optional, make sure nf_conntrack_sctp is loaded */
+ if (!nfct_attr_is_set(ct, ATTR_SCTP_STATE))
+ return;
+
++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
++ sizeof(struct nfct_attr_grp_port));
+ ct_build_u8(ct, ATTR_SCTP_STATE, n, NTA_SCTP_STATE);
+ ct_build_u32(ct, ATTR_SCTP_VTAG_ORIG, n, NTA_SCTP_VTAG_ORIG);
+ ct_build_u32(ct, ATTR_SCTP_VTAG_REPL, n, NTA_SCTP_VTAG_REPL);
+@@ -135,18 +135,22 @@ static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
+
+ static void build_l4proto_dccp(const struct nf_conntrack *ct, struct nethdr *n)
+ {
+- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
+- sizeof(struct nfct_attr_grp_port));
+-
++ /* DCCP is optional, make sure nf_conntrack_dccp is loaded */
+ if (!nfct_attr_is_set(ct, ATTR_DCCP_STATE))
+ return;
+
++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT,
++ sizeof(struct nfct_attr_grp_port));
+ ct_build_u8(ct, ATTR_DCCP_STATE, n, NTA_DCCP_STATE);
+ ct_build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE);
+ }
+
+ static void build_l4proto_icmp(const struct nf_conntrack *ct, struct nethdr *n)
+ {
++ /* This is also used by ICMPv6 and nf_conntrack_ipv6 is optional */
++ if (!nfct_attr_is_set(ct, ATTR_ICMP_TYPE))
++ return;
++
+ ct_build_u8(ct, ATTR_ICMP_TYPE, n, NTA_ICMP_TYPE);
+ ct_build_u8(ct, ATTR_ICMP_CODE, n, NTA_ICMP_CODE);
+ ct_build_u16(ct, ATTR_ICMP_ID, n, NTA_ICMP_ID);
+--
+1.9.1
+
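Review bot: Each new guard tests one attribute and then builds several others unconditionally: `build_l4proto_sctp` checks only `ATTR_SCTP_STATE` before emitting `ATTR_SCTP_VTAG_ORIG` and `ATTR_SCTP_VTAG_REPL`, and `build_l4proto_icmp` checks only `ATTR_ICMP_TYPE` before `ATTR_ICMP_CODE` and `ATTR_ICMP_ID`. The `ct_build_*` helper bodies are not in this patch, so whether an unset attribute there can still fault needs confirming against them. Since this is a backport, a comment is the right size of change, for example `/* VTAG_ORIG/REPL are set together with SCTP_STATE */` above the SCTP builds, if that holds. The early returns are also silent, so a flow whose tracker module is missing is synced with no layer-4 data and nothing is logged. `build_l4proto_icmp` continues past the end of its hunk.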
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover
new file mode 100644
index 0000000..6d92e63
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+# (C) 2009 Roman I Khimov <khimov@altell.ru>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Do not forget to include the required modifications to your keepalived.conf
+# file to invoke this script during keepalived's state transitions.
+#
+# Contributions to improve this script are welcome :).
+#
+## Modified to work as init.d script under pacemaker control
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+
+case "$1" in
+ start)
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to backups
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -B"
+ fi
+ ;;
+ stop)
+ $CONNTRACKD_BIN -t
+ $CONNTRACKD_BIN -n
+ ;;
+ status)
+ ;;
+ *)
+ logger "ERROR: unknown command"
+ echo "Usage: conntrack-failover {start|stop|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
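Review bot: The four `if [ $? -eq 1 ]` checks in the `start` branch log only when conntrackd exits with exactly 1, so any other non-zero status (binary missing, killed by a signal) goes unlogged. The script then reaches `exit 0`, which reports a successful failover to the cluster manager even if the state commit failed. Test `if [ $? -ne 0 ]` and carry a failure into the exit status. The `stop` branch also calls `$CONNTRACKD_BIN -t` and `-n` without `-C $CONNTRACKD_CONFIG`, unlike every call in `start`, and `CONNTRACKD_LOCK` is assigned but never used.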
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init
new file mode 100644
index 0000000..bce2075
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# /etc/init.d/conntrackd
+#
+# Maximilian Wilhelm <max@rfc2324.org>
+# -- Mon, 06 Nov 2006 18:39:07 +0100
+#
+# Roman I Khimov <khimov@altell.ru>
+# -- Tue, 27 Oct 2009 14:34:00 +0300
+
+### BEGIN INIT INFO
+# Provides: conntrackd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Description: Starts conntrackd
+# short-description: Starts conntrackd
+### END INIT INFO
+
+export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+NAME="conntrackd"
+DAEMON="/usr/sbin/conntrackd"
+CONFIG="/etc/conntrackd/conntrackd.conf"
+PIDFILE="/var/run/${NAME}.pid"
+
+
+# Gracefully exit if there is no daemon (debian way of life)
+if [ ! -x "${DAEMON}" ]; then
+ exit 0
+fi
+
+# Check for config file
+if [ ! -f /etc/conntrackd/conntrackd.conf ]; then
+ echo "Error: There is no config file for $NAME" >&2
+ exit 1;
+fi
+
+case "$1" in
+ start)
+ echo -n "Starting $NAME: "
+ for i in nf_conntrack_netlink nf_conntrack_netbios_ns nf_conntrack_proto_dccp nf_conntrack_tftp \
+ nf_conntrack_sane nf_conntrack_pptp nf_conntrack_irc nf_conntrack_amanda nf_conntrack_h323 \
+ nf_conntrack_proto_udplite nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_ftp \
+ nf_conntrack_sip; do
+ modprobe $i >/dev/null 2>/dev/null &
+ done
+ start-stop-daemon --start --quiet --make-pidfile --pidfile "/var/run/${NAME}.pid" --background --exec "${DAEMON}"
+ RET=$?
+ if [ "$?" = "0" ]; then
+ sleep 2
+ # Sync with other server
+ conntrackd -n
+ echo "done."
+ else
+ echo "FAILED!"
+ fi
+ exit $RET
+ ;;
+ stop)
+ echo -n "Stopping $NAME:"
+ start-stop-daemon --stop --quiet --oknodo --pidfile "/var/run/${NAME}.pid" && echo "done." || echo "FAILED!"
+ ;;
+ status)
+ echo -n "conntrackd "
+ start-stop-daemon -q -K -t -x $DAEMON
+ RET=$?
+ if [ "$RET" = "0" ]; then
+ PID=`cat $PIDFILE`
+ echo "($PID) is running"
+ else
+ echo "is not running"
+ exit $RET
+ fi
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/conntrackd {start|stop|restart}"
+ exit 1
+esac
+
+exit 0
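Review bot: In the `start` branch, `if [ "$?" = "0" ]` runs after `RET=$?`, so it tests the status of the assignment, which is always 0. A failed `start-stop-daemon` therefore still prints "done." and runs `conntrackd -n`. Use `if [ "$RET" = "0" ]; then` instead. The `modprobe $i ... &` loop is backgrounded with no `wait`, so the daemon can start before the conntrack modules it depends on are loaded.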
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch
new file mode 100644
index 0000000..c260403
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch
@@ -0,0 +1,50 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## debian_defaultconfig.dpatch by <hesso@pool.math.tu-berlin.de>
+##
+## DP: Debian enhancements to the ebtables "sysconfig" default settings.
+
+@DPATCH@
+
+--- ebtables-2.0.8.1.orig/ebtables-config
++++ ebtables-2.0.8.1/ebtables-config
+@@ -1,17 +1,3 @@
+-# Save (and possibly restore) in text format.
+-# Value: yes|no, default: yes
+-# Save the firewall rules in text format to __SYSCONFIG__/ebtables
+-# If EBTABLES_BINARY_FORMAT="no" then restoring the firewall rules
+-# is done using this text format.
+-EBTABLES_TEXT_FORMAT="yes"
+-
+-# Save (and restore) in binary format.
+-# Value: yes|no, default: yes
+-# Save (and restore) the firewall rules in binary format to (and from)
+-# __SYSCONFIG__/ebtables.<chain>. Enabling this option will make
+-# firewall initialisation a lot faster.
+-EBTABLES_BINARY_FORMAT="yes"
+-
+ # Unload modules on restart and stop
+ # Value: yes|no, default: yes
+ # This option has to be 'yes' to get to a sane state for a firewall
+@@ -19,6 +5,12 @@
+ # modules.
+ EBTABLES_MODULES_UNLOAD="yes"
+
++# Load firewall rules on system startup.
++# Value: yes|no, default: no
++# Restores the ebtables rulesets from the last saved state when the
++# system boots up.
++EBTABLES_LOAD_ON_START="no"
++
+ # Save current firewall rules on stop.
+ # Value: yes|no, default: no
+ # Saves all firewall rules if firewall gets stopped
+@@ -35,3 +27,9 @@
+ # Save rule counters when saving a kernel table to a file. If the
+ # rule counters were saved, they will be restored when restoring the table.
+ EBTABLES_SAVE_COUNTER="no"
++
++# Backup suffix for ruleset save files.
++# Value: <string>, default: "~"
++# Keep one backup level of saved rules.
++# Set this variable to the empty string to disable backups.
++EBTABLES_BACKUP_SUFFIX="~"
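Review bot: This patch file carries no `Upstream-Status:` line and no sign-off, and its paths still name `ebtables-2.0.8.1` while the recipe builds 2.0.10-4. A reader cannot tell where it came from or whether it was refreshed for this version. Add a header such as `Upstream-Status: Inappropriate [Debian-specific defaults]` (or whichever status is accurate) and a line naming the Debian package revision it was taken from. `installnonroot.patch` and `no-as-needed.patch` later in this commit are also missing `Upstream-Status:`.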
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common
new file mode 100644
index 0000000..640025d
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common
@@ -0,0 +1,163 @@
+#!/bin/sh
+
+[ -x /sbin/ebtables ] || exit 1
+
+EBTABLES_DUMPFILE_STEM=/etc/ebtables/dump
+
+RETVAL=0
+prog="ebtables"
+desc="Ethernet bridge filtering"
+umask 0077
+
+#default configuration
+EBTABLES_MODULES_UNLOAD="yes"
+EBTABLES_LOAD_ON_START="no"
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+EBTABLES_BACKUP_SUFFIX="~"
+
+config=/etc/default/$prog
+[ -f "$config" ] && . "$config"
+
+function get_supported_tables() {
+ EBTABLES_SUPPORTED_TABLES=
+ /sbin/ebtables -t filter -L 2>&1 1>/dev/null | grep -q permission
+ if [ $? -eq 0 ]; then
+ echo "Error: insufficient privileges to access the ebtables rulesets."
+ exit 1
+ fi
+ for table in filter nat broute; do
+ /sbin/ebtables -t $table -L &> /dev/null
+ if [ $? -eq 0 ]; then
+ EBTABLES_SUPPORTED_TABLES="${EBTABLES_SUPPORTED_TABLES} $table"
+ fi
+ done
+}
+
+function load() {
+ RETVAL=0
+ get_supported_tables
+ echo -n "Restoring ebtables rulesets: "
+ for table in $EBTABLES_SUPPORTED_TABLES; do
+ echo -n "$table "
+ if [ -s ${EBTABLES_DUMPFILE_STEM}.$table ]; then
+ /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-commit
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ echo -n "(failed) "
+ RETVAL=$RET
+ fi
+ else
+ echo -n "(no saved state) "
+ fi
+ done
+ if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
+ echo -n "no kernel support. "
+ else
+ echo -n "done. "
+ fi
+ if [ $RETVAL -eq 0 ]; then
+ echo "ok"
+ else
+ echo "fail"
+ fi
+}
+
+function clear() {
+ RETVAL=0
+ get_supported_tables
+ echo -n "Clearing ebtables rulesets: "
+ for table in $EBTABLES_SUPPORTED_TABLES; do
+ echo -n "$table "
+ /sbin/ebtables -t $table --init-table
+ done
+
+ if [ "$EBTABLES_MODULES_UNLOAD" = "yes" ]; then
+ for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -d' ' -f1) ebtables; do
+ rmmod $mod 2> /dev/null
+ done
+ fi
+ if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
+ echo -n "no kernel support. "
+ else
+ echo -n "done. "
+ fi
+ if [ $RETVAL -eq 0 ]; then
+ echo "ok"
+ else
+ echo "fail"
+ fi
+}
+
+function save() {
+ RETVAL=0
+ get_supported_tables
+ echo -n "Saving ebtables rulesets: "
+ for table in $EBTABLES_SUPPORTED_TABLES; do
+ echo -n "$table "
+ [ -n "$EBTABLES_BACKUP_SUFFIX" ] && [ -s ${EBTABLES_DUMPFILE_STEM}.$table ] && \
+ mv ${EBTABLES_DUMPFILE_STEM}.$table ${EBTABLES_DUMPFILE_STEM}.$table$EBTABLES_BACKUP_SUFFIX
+ /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-save
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ echo -n "(failed) "
+ RETVAL=$RET
+ else
+ if [ "$EBTABLES_SAVE_COUNTER" = "no" ]; then
+ /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table -Z
+ fi
+ fi
+ done
+ if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
+ echo -n "no kernel support. "
+ else
+ echo -n "done. "
+ fi
+ if [ $RETVAL -eq 0 ]; then
+ echo "ok"
+ else
+ echo "fail"
+ fi
+}
+
+case "$1" in
+ start)
+ [ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
+ ;;
+ stop)
+ [ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
+ clear
+ ;;
+ restart|reload|force-reload)
+ [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
+ clear
+ [ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
+ ;;
+ load)
+ load
+ ;;
+ save)
+ save
+ ;;
+ status)
+ get_supported_tables
+ if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
+ echo "No kernel support for ebtables."
+ RETVAL=1
+ else
+ echo -n "Ebtables support available, number of installed rules: "
+ for table in $EBTABLES_SUPPORTED_TABLES; do
+ COUNT=$(( $(/sbin/ebtables -t $table -L | sed -e "/^Bridge chain/! d" -e "s/^.*entries: //" -e "s/,.*$/ +/") 0 ))
+ echo -n "$table($COUNT) "
+ done
+ echo ok
+ RETVAL=0
+ fi
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload|force-reload|load|save|status}" >&2
+ RETVAL=1
+esac
+
+exit $RETVAL
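Review bot: The script declares `#!/bin/sh` but uses bash-only syntax: `function get_supported_tables() {` and `/sbin/ebtables -t $table -L &> /dev/null`. A strictly POSIX shell parses `&>` as a background `&` followed by a redirection, so `$?` is 0 regardless and every table is reported as supported; the `function` keyword may be rejected outright. Write the probe as `/sbin/ebtables -t $table -L >/dev/null 2>&1` and declare the functions as `get_supported_tables() {`, `load() {`, `clear() {` and `save() {`. Separately, `clear` never records a failing `--init-table` in `RETVAL`, so a flush that fails still prints "ok".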
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init
new file mode 100755
index 0000000..c9a77a2
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# init script for the Ethernet Bridge filter tables
+#
+# Written by Dag Wieers <dag@wieers.com>
+# Modified by Rok Papez <rok.papez@arnes.si>
+# Bart De Schuymer <bdschuym@pandora.be>
+# Adapted to Debian by Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
+# Adapted to OpenEmbedded by Roman I Khimov <khimov@altell.ru>
+#
+# chkconfig: - 15 85
+# description: Ethernet Bridge filtering tables
+#
+### BEGIN INIT INFO
+# Provides: ebtables
+# Required-Start:
+# Required-Stop:
+# Should-Start: $local_fs
+# Should-Stop: $local_fs
+# Default-Start: S
+# Default-Stop: 0 6
+# Short-Description: ebtables ruleset management
+# Description: Saves and restores the state of the ebtables rulesets.
+### END INIT INFO
+
+/usr/sbin/ebtables.common $1
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service
new file mode 100644
index 0000000..3abd1fe
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering Tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@SBINDIR@/ebtables.common start
+ExecStop=@SBINDIR@/ebtables.common stop
+
+[Install]
+WantedBy=multi-user.target
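Review bot: The unit has no ordering against network bring-up, so with `EBTABLES_LOAD_ON_START="yes"` the saved bridge rules are restored at some unspecified point before `multi-user.target`, possibly after bridge interfaces are already forwarding. For a filter loader, consider adding `Wants=network-pre.target` and `Before=network-pre.target` to `[Unit]`. The sysvinit path in this commit starts the same script in runlevel S, so as written the two init systems apply rules at different points in boot.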
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch
new file mode 100644
index 0000000..bcd9bed
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch
@@ -0,0 +1,43 @@
+diff --git a/Makefile b/Makefile
+index c1106a4..7ea6b7a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\//\\\//g')
+ scripts: ebtables-save ebtables.sysv ebtables-config
+ cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
+ mkdir -p $(DESTDIR)$(BINDIR)
+- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
++ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+ cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
+ if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
+- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
++ if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
+ cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
+ if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
+- if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
++ if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
+ rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
+
+ tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
+ $(MANDIR)/man8/ebtables.8: ebtables.8
+ mkdir -p $(DESTDIR)$(@D)
+ sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
+- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
++ install -m 0644 ebtables.8_ $(DESTDIR)$@
+ rm -f ebtables.8_
+
+ $(DESTDIR)$(ETHERTYPESFILE): ethertypes
+ mkdir -p $(@D)
+- install -m 0644 -o root -g root $< $@
++ install -m 0644 $< $@
+
+ .PHONY: exec
+ exec: ebtables ebtables-restore
+ mkdir -p $(DESTDIR)$(BINDIR)
+- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
++ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
++ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+
+ .PHONY: install
+ install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch
new file mode 100644
index 0000000..336119d
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch
@@ -0,0 +1,25 @@
+link ebtables with --no-as-needed and adjust the link order to fix runtime crash
+
+Program terminated with signal 11, Segmentation fault.
+#0 0x00007ffaa837fb53 in ebt_initialize_entry () from /lib64/ebtables/libebtc.so
+(gdb) bt
+#0 0x00007ffaa837fb53 in ebt_initialize_entry () from /lib64/ebtables/libebtc.so
+#1 0x00007ffaa83824dc in do_command () from /lib64/ebtables/libebtc.so
+#2 0x000000000040065c in ?? ()
+#3 0x00007ffaa7fed755 in __libc_start_main () from /lib64/libc.so.6
+#4 0x0000000000400691 in ?? ()
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Index: ebtables-v2.0.10-4/Makefile
+===================================================================
+--- ebtables-v2.0.10-4.orig/Makefile 2011-12-15 12:02:47.000000000 -0800
++++ ebtables-v2.0.10-4/Makefile 2012-12-17 22:09:45.065973753 -0800
+@@ -90,7 +90,7 @@
+ $(CC) -shared $(LDFLAGS) -Wl,-soname,libebtc.so -o libebtc.so -lc $(OBJECTS2)
+
+ ebtables: $(OBJECTS) ebtables-standalone.o libebtc.so
+- $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o -I$(KERNEL_INCLUDES) -L. -Lextensions -lebtc $(EXT_LIBSI) \
++ $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o -I$(KERNEL_INCLUDES) -L. -Lextensions -Wl,--no-as-needed $(EXT_LIBSI) -lebtc \
+ -Wl,-rpath,$(LIBDIR)
+
+ ebtablesu: ebtablesu.c
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
new file mode 100644
index 0000000..e9b726c
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
@@ -0,0 +1,90 @@
+SUMMARY = "Filtering tool for a Linux-based bridging firewall"
+DESCRIPTION = "Utility for basic Ethernet frame filtering on a Linux bridge, \
+ advanced logging, MAC DNAT/SNAT and brouting."
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=53b4a999993871a28ab1488fdbd2e73e"
+SECTION = "net"
+PR = "r3"
+
+RDEPENDS_${PN} += "perl"
+
+RRECOMMENDS_${PN} += "kernel-module-ebtables \
+ "
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \
+ file://installnonroot.patch \
+ file://01debian_defaultconfig.patch \
+ file://ebtables.init \
+ file://ebtables.common \
+ file://ebtables.service \
+ file://no-as-needed.patch \
+"
+
+SRC_URI[md5sum] = "506742a3d44b9925955425a659c1a8d0"
+SRC_URI[sha256sum] = "dc6f7b484f207dc712bfca81645f45120cb6aee3380e77a1771e9c34a9a4455d"
+
+S = "${WORKDIR}/ebtables-v${PV}"
+
+inherit update-rc.d systemd
+
+python __anonymous () {
+ import re
+
+ karch = d.getVar('KARCH', True)
+ multilib = d.getVar('MLPREFIX', True)
+
+ if multilib and karch == 'powerpc64':
+ searchstr = "lib.?32"
+ reg = re.compile(searchstr)
+ if reg.search(multilib):
+ d.appendVar('CFLAGS' ,' -DKERNEL_64_USERSPACE_32 -DEBT_MIN_ALIGN=8')
+}
+
+EXTRA_OEMAKE = " \
+ BINDIR=${base_sbindir} \
+ MANDIR=${mandir} \
+ ETHERTYPESPATH=${sysconfdir} \
+ INITDIR=${sysconfdir}/init.d \
+ SYSCONFIGDIR=${sysconfdir}/default \
+ LIBDIR=${base_libdir}/ebtables \
+ 'CC=${CC}' \
+ 'CFLAGS=${CFLAGS}' \
+ 'LDFLAGS=${LDFLAGS} -Wl,--no-as-needed' \
+ 'LD=${LD}' \
+"
+
+do_install () {
+ install -d ${D}${sbindir}
+ install -m 0755 ${WORKDIR}/ebtables.common ${D}${sbindir}/ebtables.common
+ # Fix hardcoded paths in scripts
+ sed -i 's!/sbin/!${base_sbindir}/!g' ${D}${sbindir}/ebtables.common
+ sed -i 's!/etc/!${sysconfdir}/!g' ${D}${sbindir}/ebtables.common
+
+ install -d ${D}${sysconfdir}/init.d
+ install -d ${D}${sysconfdir}/default
+ install -d ${D}${sysconfdir}/ebtables
+ oe_runmake DESTDIR='${D}' install
+ install -m 0755 ${WORKDIR}/ebtables.init ${D}/${sysconfdir}/init.d/ebtables
+ mv ${D}${sysconfdir}/default/ebtables-config ${D}${sysconfdir}/default/ebtables
+ sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${sysconfdir}/init.d/ebtables
+
+ # The script ebtables-save refernces perl in exec_prefix, so
+ # move it to sbindir to avoid QA issue
+ install -d ${D}/${sbindir}
+ mv ${D}/${base_sbindir}/ebtables-save ${D}/${sbindir}
+
+ # Install systemd service files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/ebtables.service ${D}${systemd_unitdir}/system
+ sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/ebtables.service
+}
+
+CONFFILES_${PN} += "${sysconfdir}/default/ebtables"
+
+INITSCRIPT_NAME = "ebtables"
+INITSCRIPT_PARAMS = "start 41 S . stop 41 6 ."
+
+SYSTEMD_SERVICE_${PN} = "ebtables.service"
+
+FILES_${PN}-dbg += "${base_libdir}/ebtables/.debug"
+FILES_${PN} += "${base_libdir}/ebtables/*.so"
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libmnl/libmnl_1.0.3.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libmnl/libmnl_1.0.3.bb
new file mode 100644
index 0000000..b3a5f2e
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libmnl/libmnl_1.0.3.bb
@@ -0,0 +1,13 @@
+SUMMARY = "Minimalistic user-space Netlink utility library"
+DESCRIPTION = "Minimalistic user-space library oriented to Netlink developers, providing \
+ functions for common tasks in parsing, validating, and constructing both the Netlink header and TLVs."
+HOMEPAGE = "http://www.netfilter.org/projects/libmnl/index.html"
+SECTION = "libs"
+LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+SRC_URI = "http://www.netfilter.org/projects/libmnl/files/libmnl-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "7d95fc3bea3365bc03c48e484224f65f"
+SRC_URI[tar.sha256sum] = "6f14336e9acdbc62c2dc71bbb59ce162e54e9af5c80153e92476c5443fe784de"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/replace-VLAs-in-union.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/replace-VLAs-in-union.patch
new file mode 100644
index 0000000..16e4af4
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/replace-VLAs-in-union.patch
@@ -0,0 +1,89 @@
+VLAs in structs and unions (non-PODs) is unsupported in non-gcc compilers
+therefore convert it to not use VLAs instead use fixed arrays
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: libnetfilter_conntrack-1.0.4/src/conntrack/api.c
+===================================================================
+--- libnetfilter_conntrack-1.0.4.orig/src/conntrack/api.c
++++ libnetfilter_conntrack-1.0.4/src/conntrack/api.c
+@@ -954,16 +954,15 @@ int nfct_query(struct nfct_handle *h,
+ const enum nf_conntrack_query qt,
+ const void *data)
+ {
+- size_t size = 4096; /* enough for now */
+ union {
+- char buffer[size];
++ char buffer[4096];
+ struct nfnlhdr req;
+ } u;
+
+ assert(h != NULL);
+ assert(data != NULL);
+
+- if (__build_query_ct(h->nfnlssh_ct, qt, data, &u.req, size) == -1)
++ if (__build_query_ct(h->nfnlssh_ct, qt, data, &u.req, 4096) == -1)
+ return -1;
+
+ return nfnl_query(h->nfnlh, &u.req.nlh);
+@@ -986,16 +985,15 @@ int nfct_send(struct nfct_handle *h,
+ const enum nf_conntrack_query qt,
+ const void *data)
+ {
+- size_t size = 4096; /* enough for now */
+ union {
+- char buffer[size];
++ char buffer[4096];
+ struct nfnlhdr req;
+ } u;
+
+ assert(h != NULL);
+ assert(data != NULL);
+
+- if (__build_query_ct(h->nfnlssh_ct, qt, data, &u.req, size) == -1)
++ if (__build_query_ct(h->nfnlssh_ct, qt, data, &u.req, 4096) == -1)
+ return -1;
+
+ return nfnl_send(h->nfnlh, &u.req.nlh);
+Index: libnetfilter_conntrack-1.0.4/src/expect/api.c
+===================================================================
+--- libnetfilter_conntrack-1.0.4.orig/src/expect/api.c
++++ libnetfilter_conntrack-1.0.4/src/expect/api.c
+@@ -669,16 +669,15 @@ int nfexp_query(struct nfct_handle *h,
+ const enum nf_conntrack_query qt,
+ const void *data)
+ {
+- size_t size = 4096; /* enough for now */
+ union {
+- char buffer[size];
++ char buffer[4096];
+ struct nfnlhdr req;
+ } u;
+
+ assert(h != NULL);
+ assert(data != NULL);
+
+- if (__build_query_exp(h->nfnlssh_exp, qt, data, &u.req, size) == -1)
++ if (__build_query_exp(h->nfnlssh_exp, qt, data, &u.req, 4096) == -1)
+ return -1;
+
+ return nfnl_query(h->nfnlh, &u.req.nlh);
+@@ -701,16 +700,15 @@ int nfexp_send(struct nfct_handle *h,
+ const enum nf_conntrack_query qt,
+ const void *data)
+ {
+- size_t size = 4096; /* enough for now */
+ union {
+- char buffer[size];
++ char buffer[4096];
+ struct nfnlhdr req;
+ } u;
+
+ assert(h != NULL);
+ assert(data != NULL);
+
+- if (__build_query_exp(h->nfnlssh_exp, qt, data, &u.req, size) == -1)
++ if (__build_query_exp(h->nfnlssh_exp, qt, data, &u.req, 4096) == -1)
+ return -1;
+
+ return nfnl_send(h->nfnlh, &u.req.nlh);
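Review bot: The literal `4096` now appears twice in each of the four functions, once as the size of `u.buffer` and once as the length passed to `__build_query_ct` / `__build_query_exp`. If one is later changed without the other, the builder is told the buffer is larger than it really is. Pass the size from the object instead, e.g. `if (__build_query_ct(h->nfnlssh_ct, qt, data, &u.req, sizeof(u.buffer)) == -1)`, and likewise in `nfct_send`, `nfexp_query` and `nfexp_send`. Each function's signature starts above its hunk.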
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.4.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.4.bb
new file mode 100644
index 0000000..ecbc86b
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.4.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Netfilter connection tracking library"
+DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter connection tracking state table"
+HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_conntrack/index.html"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libnfnetlink libmnl"
+
+SRC_URI = "http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-${PV}.tar.bz2;name=tar \
+ file://replace-VLAs-in-union.patch \
+"
+SRC_URI[tar.md5sum] = "18cf80c4b339a3285e78822dbd4f08d7"
+SRC_URI[tar.sha256sum] = "d9ec4a3caf49417f2b0a2d8d44249133e8c3ec78c757b7eb8c273f1cb6929c7d"
+
+S = "${WORKDIR}/libnetfilter_conntrack-${PV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb
new file mode 100644
index 0000000..3d37997
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Netfilter connection tracking helper library"
+DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter user-space helper infrastructure"
+HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_cthelper/index.html"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libmnl"
+
+SRC_URI = "http://www.netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "b2efab1a3a198a5add448960ba011acd"
+SRC_URI[tar.sha256sum] = "07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d"
+
+S = "${WORKDIR}/libnetfilter_cthelper-${PV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb
new file mode 100644
index 0000000..dcf7485
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Netfilter connection tracking timeout library"
+DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter fine-grain connection tracking timeout infrastructure"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libmnl"
+
+SRC_URI = "http://www.netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "7697437fc9ebb6f6b83df56a633db7f9"
+SRC_URI[tar.sha256sum] = "aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba"
+
+S = "${WORKDIR}/libnetfilter_cttimeout-${PV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
new file mode 100644
index 0000000..30c9ae6
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Netfilter logging library"
+DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter log message (NFLOG)"
+HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_log/index.html"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libnfnetlink"
+
+SRC_URI = "http://www.netfilter.org/projects/libnetfilter_log/files/libnetfilter_log-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "2a4bb0654ae675a52d2e8d1c06090b94"
+SRC_URI[tar.sha256sum] = "74e0fe75753dba3ac114531b5e73240452c789a3f3adccf5c51217da1d933b21"
+
+S = "${WORKDIR}/libnetfilter_log-${PV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb
new file mode 100644
index 0000000..ddf2aa5
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Netfilter packet queue access library"
+DESCRIPTION = "Userspace library providing a programming interface (API) to access the Linux kernel netfilter packet queue"
+HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_queue/index.html"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "libnfnetlink libmnl"
+
+SRC_URI = "http://www.netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "df09befac35cb215865b39a36c96a3fa"
+SRC_URI[tar.sha256sum] = "838490eb5dbe358f9669823704982f5313a8d397111562373200203f93ac1a32"
+
+S = "${WORKDIR}/libnetfilter_queue-${PV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb
new file mode 100644
index 0000000..edd0f86
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Low-level library for netfilter related kernel/userspace communication"
+DESCRIPTION = "libnfnetlink is the low-level library for netfilter related \
+kernel/userspace communication. It provides a generic messaging \
+infrastructure for in-kernel netfilter subsystems (such as nfnetlink_log, \
+nfnetlink_queue, nfnetlink_conntrack) and their respective users and/or \
+management tools in userspace."
+HOMEPAGE = "http://www.netfilter.org/projects/libnfnetlink/index.html"
+SECTION = "libs"
+LICENSE = "GPLv2+"
+
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+
+SRC_URI = "http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-${PV}.tar.bz2;name=tar"
+SRC_URI[tar.md5sum] = "98927583d2016a9fb1936fed992e2c5e"
+SRC_URI[tar.sha256sum] = "f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.5.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.5.bb
new file mode 100644
index 0000000..6171151
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.5.bb
@@ -0,0 +1,13 @@
+SUMMARY = "Library for low-level interaction with nftables Netlink's API over libmnl"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=79808397c3355f163c012616125c9e26"
+SECTION = "libs"
+DEPENDS = "libmnl"
+
+SRC_URI = "http://netfilter.org/projects/libnftnl/files/${BP}.tar.bz2 \
+ "
+
+SRC_URI[md5sum] = "af0c62ce6bbd7a7d39def0996c1c17c9"
+SRC_URI[sha256sum] = "f6d4f5a702e38bc7987f2363f9fcd65930e8b702595c221a497e2f3a359be497"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch b/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch
new file mode 100644
index 0000000..8dce90a
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch
@@ -0,0 +1,26 @@
+[PATCH] disable to make ntf.8 man
+
+Upstream-Status: Pending
+
+$DB2MAN do not support the xinclude parameter whether it is
+docbook2x-man or other, so disable to make ntf.8 man
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ doc/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index a92de7f..537c36b 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -1,5 +1,5 @@
+ if BUILD_MAN
+-man_MANS = nft.8
++#man_MANS = nft.8
+ endif
+
+ if BUILD_PDF
+--
+1.9.1
+
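Review bot: Commenting out `man_MANS = nft.8` inside `if BUILD_MAN` drops the man page for every build, including those where the docbook tool could generate it, and leaves an empty conditional behind. The patch subject and description spell the page `ntf.8` (as does the patch filename), so a search for `nft.8` will not find this workaround. Since the header says `Upstream-Status: Pending` without pointing to a submission, I would correct the spelling to `nft.8` and state in the description that this is a local workaround to drop once the doc build handles xinclude.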
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.5.bb b/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.5.bb
new file mode 100644
index 0000000..11b5e5a
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.5.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Netfilter Tables userspace utillites"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d1a78fdd879a263a5e0b42d1fc565e79"
+SECTION = "net"
+
+DEPENDS = "libmnl libnftnl readline gmp"
+RRECOMMENDS_${PN} += "kernel-module-nf-tables \
+ "
+
+SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.bz2 \
+ file://fix-to-generate-ntf.8.patch \
+ "
+
+SRC_URI[md5sum] = "94bfe1c54bcb9f6ed974835f2fca8069"
+SRC_URI[sha256sum] = "1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6"
+
+inherit autotools pkgconfig
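Review bot: `SUMMARY` misspells "utilities" as `utillites`; the string surfaces in package metadata, so it should read `SUMMARY = "Netfilter Tables userspace utilities"`. The recipe also sets no `HOMEPAGE`, unlike most of the libnetfilter recipes added in this diff, which makes it harder to trace the package back to its upstream when auditing the image contents.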