Re: [PATCH] Add a configure flag to link libc statically

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Mon, Jan 16, 2017 at 11:39:45AM -0500, Keno Fischer wrote:
[...]
> >> However, for my usage of iptables, I have never actually run into
> >> this situation, and even if I did, I'd rather switch libcs (though I
> >> may be in the minority there). Nevertheless, I think it would be
> >> useful to have this option available for those wanting a statically
> >> linked iptables.
> >
> > I'm trying to understand why you need this. Thanks.
> 
> I'm running docker in a stripped down security-enhanced context where
> everything is statically linked. Docker calls out to iptables to set
> up some firewall rules. So far I have not encountered it needing any
> of the code paths in iptables that would require the shared libraries
> from glibc at runtime. I'm also not the only person in this exact
> situation, e.g.:
> 
> https://github.com/vallinux/base/issues/14

Thanks for explaining.

It would be good if you can extend iptables building system to catch
up with glibc case by rejecting it. Another thing would be to add some
small documentation file on the tree that explains how to use this
with musl/ulibc.

My only concern about this new option is that people may believe this
works out of the box, and so far my impression is that this needs some
trickery.

I also wonder if everything is going to work fine with alternative
libc libraries, it would be good to run iptables tests (see
iptables-test.py) on this binary, you can edit the variable on that
script that points to the iptables binary to be tested.

Another alternative if the resulting patch is simple, probably we can
allow the override directive so you can easily append -all-static to
LDFLAGS at your own risk?

https://www.gnu.org/software/make/manual/make.html#Override-Directive