From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [conntrack-tools PATCH] nfct: Support for non-lazy binding
Date: Tue,  8 Feb 2022 17:01:00 +0100	[thread overview]
Message-ID: <20220208160100.27527-1-phil@nwl.cc> (raw)

For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.

In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions but doesn't provide all symbols the objects
use.

Add a --disable-lazy configure option to add those missing symbols to
nfct so it may be used in those environments.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
This patch supersedes the previously submitted "Merge nfct tool into
conntrackd", providing a solution which is a) optional and b) doesn't
bloat nfct-only use-cases that much.
---
 configure.ac    | 12 ++++++++++--
 src/Makefile.am |  7 +++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index b12b722a3396d..43baf8244ad64 100644
--- a/configure.ac
+++ b/configure.ac
@@ -48,6 +48,9 @@ AC_ARG_ENABLE([cttimeout],
 AC_ARG_ENABLE([systemd],
         AS_HELP_STRING([--enable-systemd], [Build systemd support]),
         [enable_systemd="$enableval"], [enable_systemd="no"])
+AC_ARG_ENABLE([lazy],
+        AS_HELP_STRING([--disable-lazy], [Disable lazy binding in nfct]),
+        [enable_lazy="$enableval"], [enable_lazy="yes"])
 
 AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
 
@@ -78,7 +81,11 @@ AC_CHECK_HEADERS(arpa/inet.h)
 AC_CHECK_FUNCS(inet_pton)
 
 # Let nfct use dlopen() on helper libraries without resolving all symbols.
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
+AS_IF([test "x$enable_lazy" = "xyes"], [
+	AX_CHECK_LINK_FLAG([-Wl,-z,lazy],
+			   [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
+])
+AM_CONDITIONAL([HAVE_LAZY], [test "x$enable_lazy" = "xyes"])
 
 if test ! -z "$libdir"; then
 	MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
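Review bot: `HAVE_LAZY` is derived from `$enable_lazy` alone, so a build whose `LDFLAGS` already carry `-Wl,-z,now` but which omits `--disable-lazy` still gets an nfct without the extra symbols. Depending on flag order the binary may then be bound eagerly, and the missing symbols would presumably only surface when a helper object is loaded. A configure-time warning would make that visible, e.g. `AS_CASE(["$LDFLAGS"], [*-z,now*], [AS_IF([test "x$enable_lazy" = "xyes"], [AC_MSG_WARN([LDFLAGS request -z now; consider --disable-lazy])])])`. The existing comment `# Let nfct use dlopen() on helper libraries without resolving all symbols.` now describes only the lazy branch and should say so. Any value other than `yes` (for example `--enable-lazy=foo`) silently selects the non-lazy build.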
@@ -92,4 +99,5 @@ echo "
 conntrack-tools configuration:
   userspace conntrack helper support:	${enable_cthelper}
   conntrack timeout support:		${enable_cttimeout}
-  systemd support:			${enable_systemd}"
+  systemd support:			${enable_systemd}
+  use lazy binding:                     ${enable_lazy}"
diff --git a/src/Makefile.am b/src/Makefile.am
index 1d56394698a68..95cff7d528d44 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -18,6 +18,9 @@ nfct_SOURCES = nfct.c
 if HAVE_CTHELPER
 nfct_SOURCES += helpers.c			\
 		nfct-extensions/helper.c
+if !HAVE_LAZY
+nfct_SOURCES += expect.c utils.c
+endif
 endif
 
 if HAVE_CTTIMEOUT
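Review bot: The `!HAVE_LAZY` branch has no comment explaining why `expect.c` and `utils.c` are compiled into nfct, and the list looks hand-maintained: nothing visible here checks at build time that it covers every symbol the helper objects reference. A helper that later uses a function from another source file would presumably still build and only fail at load time in a non-lazy build. Suggest a comment above the branch such as `# Non-lazy binding: nfct must define every symbol the helper objects reference; keep this list in sync with the helpers.`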
@@ -33,6 +36,10 @@ endif
 
 if HAVE_CTHELPER
 nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
+if !HAVE_LAZY
+nfct_LDADD += ${LIBNETFILTER_CONNTRACK_LIBS} \
+	      ${LIBNETFILTER_QUEUE_LIBS}
+endif
 endif
 
 nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
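Review bot: The libraries added to `nfct_LDADD` under `!HAVE_LAZY` only help if they end up as recorded dependencies of the nfct binary. That is not guaranteed when the build also links with `-Wl,--as-needed`, which distribution builds commonly use alongside `-Wl,-z,now`. If none of nfct's own objects reference libnetfilter_queue (not verifiable from this hunk), the linker could drop it and the helpers' references into that library would stay unresolved at load time. A comment such as `# required by the helper objects at dlopen() time, not by nfct itself` would record the intent. The non-lazy configuration is worth confirming with a build that passes both flags.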
-- 
2.34.1

