
Accepting request 170988 from security:netfilter

- libxt_state.so symlink was not installed (bnc#815182); fix by
  removing 0001-build-also-use-libtool-for-install-stage.patch,
  removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
  adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
  adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch

OBS-URL: https://build.opensuse.org/request/show/170988
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=50
Stephan Kulow 2013-04-17 15:54:49 +00:00 committed by Git OBS Bridge
commit 74de95e13e
6 changed files with 176 additions and 151 deletions


@ -0,0 +1,74 @@
From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 16 Mar 2013 12:15:30 +0100
Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP"
This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
The use of libtool was introduced to resolve linking problems
in NETMAP (IPv6 version), but that resulted in RPATH problems
reported from distributors and warnings spotted by libtool at
linking stage.
Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
get rid of libip6tc dependency) fixed the NETMAP issue, let's
roll back to our previous stage.
A small conflicts in extensions/GNUmakefile.in has been resolved
in this revert.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/GNUmakefile.in | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 3db6985..1ae7f74 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
AM_VERBOSE_AR = @echo " AR " $@;
AM_VERBOSE_GEN = @echo " GEN " $@;
-AM_VERBOSE_NULL = @
endif
#
@@ -76,7 +75,7 @@ install: ${targets_install}
if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
clean:
- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
rm -f .*.d .*.dd;
distclean: clean
@@ -90,19 +89,16 @@ init%.o: init%.c
#
# Shared libraries
#
-lib%.so: lib%.la
- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
+lib%.so: lib%.oo
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
-lib%.la: lib%.lo
- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
-
-lib%.lo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
+lib%.oo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
libxt_NOTRACK.so: libxt_CT.so
- ${AM_VERBOSE_GEN} ln -fs $< $@
+ ln -fs $< $@
libxt_state.so: libxt_conntrack.so
- ${AM_VERBOSE_GEN} ln -fs $< $@
+ ln -fs $< $@
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
xt_RATEEST_LIBADD = -lm
--
1.8.2
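Review bot: The restored `lib%.so: lib%.oo` rule links with `-L../libxtables/.libs -lxtables` but names no prerequisite on the in-tree library, so if `../libxtables/.libs` holds no libxtables when the rule runs, the linker can fall through to whatever libxtables is installed on the build host. The removed libtool rule passed `../libxtables/libxtables.la` as a file argument and would have failed instead. Build order is presumably enforced by the top-level makefile, which is not part of this hunk; stating it here, e.g. `lib%.so: lib%.oo ../libxtables/libxtables.la`, would turn a silent mis-link into a build error. The `clean` rule also stops removing `*.la` and `*.lo`, so a tree built before the revert keeps stale libtool outputs.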


@ -1,80 +0,0 @@
From 145e3ea1c4c6a8e47a77587d17fcad4df4e2c06f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 10 Jan 2013 15:54:08 +0100
Subject: [PATCH] build: also use libtool for install stage
The just-built library has DT_RPATH entries to be runnable from
whereever it is. If we just install that, the distro build systems
will throw warnings like
(Open Build Service) ERROR: RPATH
"/home/abuild/rpmbuild/BUILD/iptables-1.4.18/libxtables/.libs"
on /home/abuild/rpmbuild/BUILDROOT/iptables-1.4.18-0.x86_64/usr/lib64/xtables/libxt_unclean.so
is not allowed
These RPATH entries are indeed undesired for libraries in a system
location, which is why libtool produces another copy of the library on
installation. The Makefile however missed using libtool during
installation (introduced with commit v1.4.17-1-g68e77a2). This patch
now resolves this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
extensions/GNUmakefile.in | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 781ac6d..6467f05 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -49,6 +49,9 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+pfx_lalibs := $(patsubst %,libxt_%.la,${pfx_build_mod})
+pf4_lalibs := $(patsubst %,libipt_%.la,${pf4_build_mod})
+pf6_lalibs := $(patsubst %,libip6t_%.la,${pf6_build_mod})
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
@@ -63,8 +66,9 @@ targets_instlink :=
@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets_la_install += ${pfx_lalibs} ${pf4_lalibs} ${pf6_lalibs}
+@ENABLE_STATIC_FALSE@ targets_so_install += ${pfx_solibs}
@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
.SECONDARY:
@@ -73,12 +77,14 @@ targets_instlink :=
all: ${targets}
-install: ${targets_install} ${targets_instlink}
+install: ${targets_la_install} ${targets_so_install} ${targets_instlink}
@mkdir -p "${DESTDIR}${xtlibdir}";
+ ../libtool ${AM_LIBTOOL_SILENT} --mode=install install -pm0755 ${targets_la_install} "${DESTDIR}${xtlibdir}/"
+ rm -f "${DESTDIR}${xtlibdir}"/*.la
if test -n "${targets_install}"; then \
install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
- fi;
+ fi
clean:
rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
@@ -99,7 +105,7 @@ lib%.so: lib%.la
${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
lib%.la: lib%.lo
- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -avoid-version -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
lib%.lo: ${srcdir}/lib%.c
${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
--
1.7.10.4


@ -1,69 +0,0 @@
From cbe7c8ef0dabe56bf8a1f7ed27722e85abb0af9f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 10 Jan 2013 16:02:09 +0100
Subject: [PATCH] build: do not dereference symlinks on installation
By using install(1), libxt_NOTRACK.so was inadvertently installed as
an actual file to /usr/lib/xtables rather than as a symlink. Switch to
using cp(1).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
extensions/GNUmakefile.in | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index adad4d6..781ac6d 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -40,7 +40,7 @@ endif
# Wildcard module list
#
pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
-pfx_symlinks := NOTRACK state
+pfx_symlinks := libxt_NOTRACK.so libxt_state.so
@ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
@ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
@@ -49,7 +49,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
-pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
@@ -59,11 +59,13 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
#
targets := libext.a libext4.a libext6.a matches.man targets.man
targets_install :=
+targets_instlink :=
@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
.SECONDARY:
@@ -71,9 +73,12 @@ targets_install :=
all: ${targets}
-install: ${targets_install}
+install: ${targets_install} ${targets_instlink}
@mkdir -p "${DESTDIR}${xtlibdir}";
- if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+ if test -n "${targets_install}"; then \
+ install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
+ cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
+ fi;
clean:
rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
--
1.7.10.4


@ -0,0 +1,88 @@
From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 16 Mar 2013 12:11:07 +0100
Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of
libip6tc dependency
This patch changes the NETMAP target extension (IPv6 side) to use
the xtables_ip6mask_to_cidr available in libxtables.
As a side effect, we get rid of the libip6tc dependency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/GNUmakefile.in | 1 -
extensions/libip6t_NETMAP.c | 2 +-
include/libiptc/libip6tc.h | 3 ---
iptables/ip6tables.c | 2 +-
libiptc/libip6tc.c | 2 +-
5 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index adad4d6..3db6985 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so
${AM_VERBOSE_GEN} ln -fs $< $@
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
xt_RATEEST_LIBADD = -lm
xt_statistic_LIBADD = -lm
diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c
index d14dece..a4df70e 100644
--- a/extensions/libip6t_NETMAP.c
+++ b/extensions/libip6t_NETMAP.c
@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
printf("%s", xtables_ip6addr_to_numeric(&a));
for (i = 0; i < 4; i++)
a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
- bits = ipv6_prefix_length(&a);
+ bits = xtables_ip6mask_to_cidr(&a);
if (bits < 0)
printf("/%s", xtables_ip6addr_to_numeric(&a));
else
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index c656bc4..9aed80a 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *ip6tc_strerror(int err);
-/* Return prefix length, or -1 if not contiguous */
-int ipv6_prefix_length(const struct in6_addr *a);
-
extern void dump_entries6(struct xtc_handle *const);
extern const struct xtc_ops ip6tc_ops;
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4cfbea3..7d02cc1 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
const struct in6_addr *mask, int invert)
{
char buf[51];
- int l = ipv6_prefix_length(mask);
+ int l = xtables_ip6mask_to_cidr(mask);
if (l == 0 && !invert)
return;
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 7128e1c..ca01bcb 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
#define BIT6(a, l) \
((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
-int
+static int
ipv6_prefix_length(const struct in6_addr *a)
{
int l, i;
--
1.8.2
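Review bot: Both call sites that switch to `xtables_ip6mask_to_cidr()` still branch on its result (`if (bits < 0)` in NETMAP_print, `l == 0` in print_ip), yet the only statement of the "-1 if not contiguous" contract was the header comment this patch deletes from libip6tc.h. A short comment at the NETMAP_print call, such as `/* a negative result means the mask is not a contiguous prefix; print it in full */`, would keep that dependency visible. How print_ip handles a negative `l` lies outside the hunk and should be checked against the replacement's return values. Separately, `ipv6_prefix_length` loses its prototype in an installed header and becomes `static`, which removes a symbol that external users of libip6tc may have linked against; whether the library version is adjusted for that is not visible here.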


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de
- libxt_state.so symlink was not installed (bnc#815182); fix by
removing 0001-build-also-use-libtool-for-install-stage.patch,
removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
-------------------------------------------------------------------
Wed Mar 20 08:22:20 UTC 2013 - cfarrell@suse.com


@ -34,8 +34,8 @@ Url: http://netfilter.org/projects/iptables/
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Patch1: 0001-build-do-not-dereference-symlinks-on-installation.patch
Patch2: 0001-build-also-use-libtool-for-install-stage.patch
Patch1: 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
Patch2: 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch
@ -172,6 +172,9 @@ rm -f "%buildroot/%_libdir"/*.la;
%fdupes %buildroot/%_prefix
%endif
%clean
:
%post -n %lname_ipq -p /sbin/ldconfig
%postun -n %lname_ipq -p /sbin/ldconfig
%post -n %lname_iptc -p /sbin/ldconfig