iptables fixes 20110905

iptables fixes 20110905

[Jan Engelhardt]

The following changes since commit bf42cf92ea0c53e5470a20d62d00e5e83379f4d5:

  Merge branch 'stable' of git://dev.medozas.de/iptables (2011-09-05 20:16:07 +0200)

are available in the git repository at:

  git://dev.medozas.de/iptables stable

Jan Engelhardt (4):
      libxt_statistic: link with -lm
      libxt_RATEEST: link with -lm
      build: scan for unreferenced symbols
      iptables: move kernel version find routing into libxtables

Tom Eastep (1):
      libxt_CONNSECMARK: fix spacing in output

 Makefile.am                    |    3 ++-
 extensions/GNUmakefile.in      |   17 +++++++++++++++--
 extensions/libxt_CONNSECMARK.c |    2 +-
 include/iptables.h             |    8 --------
 include/xtables.h.in           |    8 ++++++++
 iptables/Makefile.am           |   10 +++++++---
 iptables/iptables.c            |   18 ------------------
 iptables/xtables.c             |   18 ++++++++++++++++++
 8 files changed, 51 insertions(+), 33 deletions(-)

[PATCH 1/5] libxt_statistic: link with -lm

[Jan Engelhardt]

$ ldd -r libxt_statistic.so
undefined symbol: lround        (./libxt_statistic.so)

References: https://bugs.archlinux.org/task/25358
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/GNUmakefile.in |    5 ++++-
 iptables/Makefile.am      |    9 +++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 2b48d84..dbf210c 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -90,11 +90,14 @@ init%.o: init%.c
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${$*_LIBADD};
 
 lib%.oo: ${srcdir}/lib%.c
 	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
+# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+xt_statistic_LIBADD = -lm
+
 
 #
 #	Static bits
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index addb159..f6db32d 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -6,12 +6,17 @@ AM_CPPFLAGS      = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}
 lib_LTLIBRARIES       = libxtables.la
 libxtables_la_SOURCES = xtables.c xtoptions.c
 libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
+libxtables_la_LIBADD  =
+if ENABLE_STATIC
+# With --enable-static, shipped extensions are linked into the main executable,
+# so we need all the LIBADDs here too
+libxtables_la_LIBADD += -lm
+endif
 if ENABLE_SHARED
 libxtables_la_CFLAGS  = ${AM_CFLAGS}
-libxtables_la_LIBADD  = -ldl
+libxtables_la_LIBADD += -ldl
 else
 libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
-libxtables_la_LIBADD  =
 endif
 
 xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
-- 
1.7.3.4

[PATCH 2/5] libxt_RATEEST: link with -lm

[Jan Engelhardt]

$ ldd -r libxt_RATEEST.so
undefined symbol: log   (./libxt_RATEEST.so)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/GNUmakefile.in |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index dbf210c..107c9d5 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -96,6 +96,7 @@ lib%.oo: ${srcdir}/lib%.c
 	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+xt_RATEEST_LIBADD   = -lm
 xt_statistic_LIBADD = -lm
 
 
-- 
1.7.3.4

[PATCH 3/5] build: scan for unreferenced symbols

[Jan Engelhardt]

To be notified of occurrences where we are missing any libraries, run
some ldd checks post building.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/GNUmakefile.in |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 107c9d5..a9edb1e 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -68,7 +68,16 @@ targets_install :=
 
 .PHONY: all install clean distclean FORCE
 
-all: ${targets}
+all: ${targets} check
+
+check: ${targets}
+	@echo "  CHECK    unknown symbols in .so files"; \
+	. ../iptables/libxtables.la; \
+	for i in "" lib*.so; do \
+		[ -z "$$i" ] && continue; \
+		LD_PRELOAD="$$dlname" LD_LIBRARY_PATH=../iptables/.libs \
+			ldd -r $$i 2>&1 >/dev/null; \
+	done;
 
 install: ${targets_install}
 	@mkdir -p "${DESTDIR}${xtlibdir}";
-- 
1.7.3.4

[PATCH 4/5] iptables: move kernel version find routing into libxtables

[Jan Engelhardt]

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am          |    3 ++-
 include/iptables.h   |    8 --------
 include/xtables.h.in |    8 ++++++++
 iptables/Makefile.am |    1 -
 iptables/iptables.c  |   18 ------------------
 iptables/xtables.c   |   18 ++++++++++++++++++
 6 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 34b3501..9167e8e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,7 +3,7 @@
 ACLOCAL_AMFLAGS  = -I m4
 AUTOMAKE_OPTIONS = foreign subdir-objects
 
-SUBDIRS          = extensions libiptc iptables
+SUBDIRS          = libiptc iptables
 if ENABLE_DEVEL
 SUBDIRS         += include
 endif
@@ -13,6 +13,7 @@ endif
 if HAVE_LIBNFNETLINK
 SUBDIRS         += utils
 endif
+SUBDIRS         += extensions
 
 .PHONY: tarball
 tarball:
diff --git a/include/iptables.h b/include/iptables.h
index 65b3290..89217e2 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -18,14 +18,6 @@ extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_hand
 extern void print_rule4(const struct ipt_entry *e,
 		struct iptc_handle *handle, const char *chain, int counters);
 
-/* kernel revision handling */
-extern int kernel_version;
-extern void get_kernel_version(void);
-#define LINUX_VERSION(x,y,z)	(0x10000*(x) + 0x100*(y) + z)
-#define LINUX_VERSION_MAJOR(x)	(((x)>>16) & 0xFF)
-#define LINUX_VERSION_MINOR(x)	(((x)>> 8) & 0xFF)
-#define LINUX_VERSION_PATCH(x)	( (x)      & 0xFF)
-
 extern struct xtables_globals iptables_globals;
 
 #endif /*_IPTABLES_USER_H*/
diff --git a/include/xtables.h.in b/include/xtables.h.in
index d50df79..28e2933 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -477,6 +477,14 @@ extern void xtables_save_string(const char *value);
 extern const struct xtables_pprot xtables_chain_protos[];
 extern u_int16_t xtables_parse_protocol(const char *s);
 
+/* kernel revision handling */
+extern int kernel_version;
+extern void get_kernel_version(void);
+#define LINUX_VERSION(x,y,z)	(0x10000*(x) + 0x100*(y) + z)
+#define LINUX_VERSION_MAJOR(x)	(((x)>>16) & 0xFF)
+#define LINUX_VERSION_MINOR(x)	(((x)>> 8) & 0xFF)
+#define LINUX_VERSION_PATCH(x)	( (x)      & 0xFF)
+
 /* xtoptions.c */
 extern void xtables_option_metavalidate(const char *,
 					const struct xt_option_entry *);
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index f6db32d..af620f7 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -21,7 +21,6 @@ endif
 
 xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
 xtables_multi_CFLAGS   = ${AM_CFLAGS}
-xtables_multi_LDFLAGS  = -rdynamic
 xtables_multi_LDADD    = ../extensions/libext.a
 if ENABLE_STATIC
 xtables_multi_CFLAGS  += -DALL_INCLUSIVE
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 50dc1e7..830ddbc 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -39,7 +39,6 @@
 #include <iptables.h>
 #include <xtables.h>
 #include <fcntl.h>
-#include <sys/utsname.h>
 #include "xshared.h"
 
 #ifndef TRUE
@@ -187,8 +186,6 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
 
-int kernel_version;
-
 /* Primitive headers... */
 /* defined in netinet/in.h */
 #if 0
@@ -1281,21 +1278,6 @@ static void clear_rule_matches(struct xtables_rule_match **matches)
 	*matches = NULL;
 }
 
-void
-get_kernel_version(void) {
-	static struct utsname uts;
-	int x = 0, y = 0, z = 0;
-
-	if (uname(&uts) == -1) {
-		fprintf(stderr, "Unable to retrieve kernel version.\n");
-		xtables_free_opts(1);
-		exit(1);
-	}
-
-	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
-	kernel_version = LINUX_VERSION(x, y, z);
-}
-
 static void command_jump(struct iptables_command_state *cs)
 {
 	size_t size;
diff --git a/iptables/xtables.c b/iptables/xtables.c
index e72aa28..014e115 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -31,6 +31,7 @@
 #include <sys/stat.h>
 #include <sys/statfs.h>
 #include <sys/types.h>
+#include <sys/utsname.h>
 #include <sys/wait.h>
 #include <arpa/inet.h>
 #if defined(HAVE_LINUX_MAGIC_H)
@@ -1812,3 +1813,20 @@ xtables_parse_protocol(const char *s)
 		"unknown protocol \"%s\" specified", s);
 	return -1;
 }
+
+int kernel_version;
+
+void get_kernel_version(void)
+{
+	static struct utsname uts;
+	int x = 0, y = 0, z = 0;
+
+	if (uname(&uts) == -1) {
+		fprintf(stderr, "Unable to retrieve kernel version.\n");
+		xtables_free_opts(1);
+		exit(1);
+	}
+
+	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
+	kernel_version = LINUX_VERSION(x, y, z);
+}
-- 
1.7.3.4

[PATCH 5/5] libxt_CONNSECMARK: fix spacing in output

[Jan Engelhardt]

From: Tom Eastep <teastep@shorewall.net>

~# iptables -t mangle -A foo -j CONNSECMARK --save
~# iptables -t mangle -S
[...]
-A foo -j CONNSECMARK--save

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_CONNSECMARK.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index df2e6b8..0b3cd79 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -87,7 +87,7 @@ CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
 	const struct xt_connsecmark_target_info *info =
 		(struct xt_connsecmark_target_info*)target->data;
 
-	printf("--");
+	printf(" --");
 	print_connsecmark(info);
 }
 
-- 
1.7.3.4