Accepting request 170988 from security:netfilter
- libxt_state.so symlink was not installed (bnc#815182); fix by removing 0001-build-also-use-libtool-for-install-stage.patch, removing 0001-build-do-not-dereference-symlinks-on-installation.patch, adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch, adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch OBS-URL: https://build.opensuse.org/request/show/170988 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=50
commit
74de95e13e
74
0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
Normal file
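--- /dev/null
+++ b/0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
@@ -0,0 +1,74 @@
+From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 16 Mar 2013 12:15:30 +0100
+Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP"
+
+This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
+
+The use of libtool was introduced to resolve linking problems
+in NETMAP (IPv6 version), but that resulted in RPATH problems
+reported from distributors and warnings spotted by libtool at
+linking stage.
+
+Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
+get rid of libip6tc dependency) fixed the NETMAP issue, let's
+roll back to our previous stage.
+
+A small conflicts in extensions/GNUmakefile.in has been resolved
+in this revert.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+extensions/GNUmakefile.in | 18 +++++++-----------
+1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 3db6985..1ae7f74 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
+AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
+AM_VERBOSE_AR = @echo " AR " $@;
+AM_VERBOSE_GEN = @echo " GEN " $@;
+-AM_VERBOSE_NULL = @
+endif
+
+#
+@@ -76,7 +75,7 @@ install: ${targets_install}
+if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+
+clean:
+- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
++ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+rm -f .*.d .*.dd;
+
+distclean: clean
+@@ -90,19 +89,16 @@ init%.o: init%.c
+#
+# Shared libraries
+#
+-lib%.so: lib%.la
+- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
++lib%.so: lib%.oo
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-lib%.la: lib%.lo
+- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+-
+-lib%.lo: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
++lib%.oo: ${srcdir}/lib%.c
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+libxt_NOTRACK.so: libxt_CT.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+libxt_state.so: libxt_conntrack.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+
+# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+xt_RATEEST_LIBADD = -lm
+--
+1.8.2
+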
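Review bot: The restored `lib%.so: lib%.oo` rule links with `-L../libxtables/.libs -lxtables`, which relies on libtool's private `.libs` output directory and declares no prerequisite on the in-tree libxtables. If that directory is not populated when the rule runs, for instance in a parallel or partial build, the linker would presumably fall back to whichever libxtables is on the default search path, so the extensions could end up linked against a different copy than the one being packaged. A comment above the rule such as `# links against the in-tree libxtables; ../libxtables must be built before this directory` would make the ordering assumption explicit. Separately, the `install` context line in the second hunk passes `$^` to install(1), which the removed symlink patch on this page describes as copying through links, so libxt_state.so and libxt_NOTRACK.so are likely installed as regular files rather than symlinks; it is worth confirming that this is the intended outcome for bnc#815182. The rules shown are partial views of GNUmakefile.in, and the rest of the file is outside the patch.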
@ -1,80 +0,0 @@
|
||||
From 145e3ea1c4c6a8e47a77587d17fcad4df4e2c06f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Thu, 10 Jan 2013 15:54:08 +0100
|
||||
Subject: [PATCH] build: also use libtool for install stage
|
||||
|
||||
The just-built library has DT_RPATH entries to be runnable from
|
||||
whereever it is. If we just install that, the distro build systems
|
||||
will throw warnings like
|
||||
|
||||
(Open Build Service) ERROR: RPATH
|
||||
"/home/abuild/rpmbuild/BUILD/iptables-1.4.18/libxtables/.libs"
|
||||
on /home/abuild/rpmbuild/BUILDROOT/iptables-1.4.18-0.x86_64/usr/lib64/xtables/libxt_unclean.so
|
||||
is not allowed
|
||||
|
||||
These RPATH entries are indeed undesired for libraries in a system
|
||||
location, which is why libtool produces another copy of the library on
|
||||
installation. The Makefile however missed using libtool during
|
||||
installation (introduced with commit v1.4.17-1-g68e77a2). This patch
|
||||
now resolves this.
|
||||
|
||||
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
||||
---
|
||||
extensions/GNUmakefile.in | 16 +++++++++++-----
|
||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
|
||||
index 781ac6d..6467f05 100644
|
||||
--- a/extensions/GNUmakefile.in
|
||||
+++ b/extensions/GNUmakefile.in
|
||||
@@ -49,6 +49,9 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
|
||||
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
|
||||
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
|
||||
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
|
||||
+pfx_lalibs := $(patsubst %,libxt_%.la,${pfx_build_mod})
|
||||
+pf4_lalibs := $(patsubst %,libipt_%.la,${pf4_build_mod})
|
||||
+pf6_lalibs := $(patsubst %,libip6t_%.la,${pf6_build_mod})
|
||||
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
|
||||
pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
|
||||
pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
|
||||
@@ -63,8 +66,9 @@ targets_instlink :=
|
||||
@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
|
||||
@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
|
||||
@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
|
||||
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
|
||||
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
|
||||
+@ENABLE_STATIC_FALSE@ targets_la_install += ${pfx_lalibs} ${pf4_lalibs} ${pf6_lalibs}
|
||||
+@ENABLE_STATIC_FALSE@ targets_so_install += ${pfx_solibs}
|
||||
@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
|
||||
|
||||
.SECONDARY:
|
||||
@@ -73,12 +77,14 @@ targets_instlink :=
|
||||
|
||||
all: ${targets}
|
||||
|
||||
-install: ${targets_install} ${targets_instlink}
|
||||
+install: ${targets_la_install} ${targets_so_install} ${targets_instlink}
|
||||
@mkdir -p "${DESTDIR}${xtlibdir}";
|
||||
+ ../libtool ${AM_LIBTOOL_SILENT} --mode=install install -pm0755 ${targets_la_install} "${DESTDIR}${xtlibdir}/"
|
||||
+ rm -f "${DESTDIR}${xtlibdir}"/*.la
|
||||
if test -n "${targets_install}"; then \
|
||||
install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
|
||||
cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
|
||||
- fi;
|
||||
+ fi
|
||||
|
||||
clean:
|
||||
rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
|
||||
@@ -99,7 +105,7 @@ lib%.so: lib%.la
|
||||
${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
|
||||
|
||||
lib%.la: lib%.lo
|
||||
- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
|
||||
+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -avoid-version -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
|
||||
|
||||
lib%.lo: ${srcdir}/lib%.c
|
||||
${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,69 +0,0 @@
|
||||
From cbe7c8ef0dabe56bf8a1f7ed27722e85abb0af9f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Thu, 10 Jan 2013 16:02:09 +0100
|
||||
Subject: [PATCH] build: do not dereference symlinks on installation
|
||||
|
||||
By using install(1), libxt_NOTRACK.so was inadvertently installed as
|
||||
an actual file to /usr/lib/xtables rather than as a symlink. Switch to
|
||||
using cp(1).
|
||||
|
||||
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
||||
---
|
||||
extensions/GNUmakefile.in | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
|
||||
index adad4d6..781ac6d 100644
|
||||
--- a/extensions/GNUmakefile.in
|
||||
+++ b/extensions/GNUmakefile.in
|
||||
@@ -40,7 +40,7 @@ endif
|
||||
# Wildcard module list
|
||||
#
|
||||
pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
|
||||
-pfx_symlinks := NOTRACK state
|
||||
+pfx_symlinks := libxt_NOTRACK.so libxt_state.so
|
||||
@ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
|
||||
@ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
|
||||
pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
|
||||
@@ -49,7 +49,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
|
||||
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
|
||||
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
|
||||
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
|
||||
-pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
|
||||
+pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
|
||||
pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
|
||||
pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
|
||||
|
||||
@@ -59,11 +59,13 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
|
||||
#
|
||||
targets := libext.a libext4.a libext6.a matches.man targets.man
|
||||
targets_install :=
|
||||
+targets_instlink :=
|
||||
@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
|
||||
@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
|
||||
@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
|
||||
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
|
||||
@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
|
||||
+@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
|
||||
|
||||
.SECONDARY:
|
||||
|
||||
@@ -71,9 +73,12 @@ targets_install :=
|
||||
|
||||
all: ${targets}
|
||||
|
||||
-install: ${targets_install}
|
||||
+install: ${targets_install} ${targets_instlink}
|
||||
@mkdir -p "${DESTDIR}${xtlibdir}";
|
||||
- if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
|
||||
+ if test -n "${targets_install}"; then \
|
||||
+ install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
|
||||
+ cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
|
||||
+ fi;
|
||||
|
||||
clean:
|
||||
rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -0,0 +1,88 @@
|
||||
From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Sat, 16 Mar 2013 12:11:07 +0100
|
||||
Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of
|
||||
libip6tc dependency
|
||||
|
||||
This patch changes the NETMAP target extension (IPv6 side) to use
|
||||
the xtables_ip6mask_to_cidr available in libxtables.
|
||||
|
||||
As a side effect, we get rid of the libip6tc dependency.
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
extensions/GNUmakefile.in | 1 -
|
||||
extensions/libip6t_NETMAP.c | 2 +-
|
||||
include/libiptc/libip6tc.h | 3 ---
|
||||
iptables/ip6tables.c | 2 +-
|
||||
libiptc/libip6tc.c | 2 +-
|
||||
5 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
|
||||
index adad4d6..3db6985 100644
|
||||
--- a/extensions/GNUmakefile.in
|
||||
+++ b/extensions/GNUmakefile.in
|
||||
@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so
|
||||
${AM_VERBOSE_GEN} ln -fs $< $@
|
||||
|
||||
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
|
||||
-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
|
||||
xt_RATEEST_LIBADD = -lm
|
||||
xt_statistic_LIBADD = -lm
|
||||
|
||||
diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c
|
||||
index d14dece..a4df70e 100644
|
||||
--- a/extensions/libip6t_NETMAP.c
|
||||
+++ b/extensions/libip6t_NETMAP.c
|
||||
@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
|
||||
printf("%s", xtables_ip6addr_to_numeric(&a));
|
||||
for (i = 0; i < 4; i++)
|
||||
a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
|
||||
- bits = ipv6_prefix_length(&a);
|
||||
+ bits = xtables_ip6mask_to_cidr(&a);
|
||||
if (bits < 0)
|
||||
printf("/%s", xtables_ip6addr_to_numeric(&a));
|
||||
else
|
||||
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
|
||||
index c656bc4..9aed80a 100644
|
||||
--- a/include/libiptc/libip6tc.h
|
||||
+++ b/include/libiptc/libip6tc.h
|
||||
@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void);
|
||||
/* Translates errno numbers into more human-readable form than strerror. */
|
||||
const char *ip6tc_strerror(int err);
|
||||
|
||||
-/* Return prefix length, or -1 if not contiguous */
|
||||
-int ipv6_prefix_length(const struct in6_addr *a);
|
||||
-
|
||||
extern void dump_entries6(struct xtc_handle *const);
|
||||
|
||||
extern const struct xtc_ops ip6tc_ops;
|
||||
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
|
||||
index 4cfbea3..7d02cc1 100644
|
||||
--- a/iptables/ip6tables.c
|
||||
+++ b/iptables/ip6tables.c
|
||||
@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
|
||||
const struct in6_addr *mask, int invert)
|
||||
{
|
||||
char buf[51];
|
||||
- int l = ipv6_prefix_length(mask);
|
||||
+ int l = xtables_ip6mask_to_cidr(mask);
|
||||
|
||||
if (l == 0 && !invert)
|
||||
return;
|
||||
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
|
||||
index 7128e1c..ca01bcb 100644
|
||||
--- a/libiptc/libip6tc.c
|
||||
+++ b/libiptc/libip6tc.c
|
||||
@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
|
||||
#define BIT6(a, l) \
|
||||
((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
|
||||
|
||||
-int
|
||||
+static int
|
||||
ipv6_prefix_length(const struct in6_addr *a)
|
||||
{
|
||||
int l, i;
|
||||
--
|
||||
1.8.2
|
||||
|
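Review bot: Making `ipv6_prefix_length` static in libiptc/libip6tc.c and dropping its prototype from include/libiptc/libip6tc.h removes a function that the installed header previously declared, so an out-of-tree program that calls it would stop building or linking; nothing visible in this patch bumps the library version or records the removal. The two call sites now use `xtables_ip6mask_to_cidr` while keeping their old checks (`bits < 0` in NETMAP_print, `l == 0 && !invert` in print_ip), which is only correct if that function also returns -1 for a non-contiguous mask; its definition is not part of the patch, so that contract should be confirmed. I would add a one-line comment at the NETMAP_print call, `/* negative result: mask is not a contiguous prefix, print it numerically */`, so the fallback branch stays tied to the return contract. Both functions start and end outside the hunks shown.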
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de
|
||||
|
||||
- libxt_state.so symlink was not installed (bnc#815182); fix by
|
||||
removing 0001-build-also-use-libtool-for-install-stage.patch,
|
||||
removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
|
||||
adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
|
||||
adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 20 08:22:20 UTC 2013 - cfarrell@suse.com
|
||||
|
||||
|
@ -34,8 +34,8 @@ Url: http://netfilter.org/projects/iptables/
|
||||
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
|
||||
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
|
||||
Source3: %name.keyring
|
||||
Patch1: 0001-build-do-not-dereference-symlinks-on-installation.patch
|
||||
Patch2: 0001-build-also-use-libtool-for-install-stage.patch
|
||||
Patch1: 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
|
||||
Patch2: 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
|
||||
Patch3: iptables-batch.patch
|
||||
Patch4: iptables-apply-mktemp-fix.patch
|
||||
|
||||
@ -172,6 +172,9 @@ rm -f "%buildroot/%_libdir"/*.la;
|
||||
%fdupes %buildroot/%_prefix
|
||||
%endif
|
||||
|
||||
%clean
|
||||
:
|
||||
|
||||
%post -n %lname_ipq -p /sbin/ldconfig
|
||||
%postun -n %lname_ipq -p /sbin/ldconfig
|
||||
%post -n %lname_iptc -p /sbin/ldconfig
|
||||
|