From 4fccb4584150763041b2a0d0b0b09accb554154ae2e1314f6ffe516b5869129d Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Mon, 15 Apr 2013 06:19:44 +0000
Subject: [PATCH] Reprovide libxt_state.so symlink

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=72
---
 ...resolve-link-failure-for-ip6t_NETMAP.patch | 74 ++++++++++++++++
 ...d-also-use-libtool-for-install-stage.patch | 80 -----------------
 ...dereference-symlinks-on-installation.patch | 69 ---------------
 ...se-xtables_ip6mask_to_cidr-and-get-r.patch | 88 +++++++++++++++++++
 iptables.changes | 9 ++
 iptables.spec | 7 +-
 6 files changed, 176 insertions(+), 151 deletions(-)
 create mode 100644 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
 delete mode 100644 0001-build-also-use-libtool-for-install-stage.patch
 delete mode 100644 0001-build-do-not-dereference-symlinks-on-installation.patch
 create mode 100644 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch

diff --git a/0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch b/0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
new file mode 100644
index 0000000..76e175b
--- /dev/null
+++ b/0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
@@ -0,0 +1,74 @@
+From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Sat, 16 Mar 2013 12:15:30 +0100
+Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP"
+
+This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
+
+The use of libtool was introduced to resolve linking problems
+in NETMAP (IPv6 version), but that resulted in RPATH problems
+reported from distributors and warnings spotted by libtool at
+linking stage.
+
+Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
+get rid of libip6tc dependency) fixed the NETMAP issue, let's
+roll back to our previous stage.
+
+A small conflicts in extensions/GNUmakefile.in has been resolved
+in this revert.
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ extensions/GNUmakefile.in | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 3db6985..1ae7f74 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
+ AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
+ AM_VERBOSE_AR = @echo " AR " $@;
+ AM_VERBOSE_GEN = @echo " GEN " $@;
+-AM_VERBOSE_NULL = @
+ endif
+
+ #
+@@ -76,7 +75,7 @@ install: ${targets_install}
+ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+
+ clean:
+- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
++ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ rm -f .*.d .*.dd;
+
+ distclean: clean
+@@ -90,19 +89,16 @@ init%.o: init%.c
+ #
+ # Shared libraries
+ #
+-lib%.so: lib%.la
+- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
++lib%.so: lib%.oo
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-lib%.la: lib%.lo
+- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+-
+-lib%.lo: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
++lib%.oo: ${srcdir}/lib%.c
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+ libxt_NOTRACK.so: libxt_CT.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+ libxt_state.so: libxt_conntrack.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+ xt_RATEEST_LIBADD = -lm
+--
+1.8.2
+
diff --git a/0001-build-also-use-libtool-for-install-stage.patch b/0001-build-also-use-libtool-for-install-stage.patch
deleted file mode 100644
index 7cf87e1..0000000
--- a/0001-build-also-use-libtool-for-install-stage.patch
+++ /dev/null
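Review bot: The install rule left as context in the second GNUmakefile.in hunk, `install -pm0755 $^ "${DESTDIR}${xtlibdir}/"`, goes through install(1), which follows symlinks, so libxt_state.so and libxt_NOTRACK.so (created here with `ln -fs $< $@`) presumably reach xtlibdir as regular-file copies rather than links. The patch that switched this step to `cp -a`, 0001-build-do-not-dereference-symlinks-on-installation.patch, is deleted in the same commit, and its description names exactly this effect. If the packaged result relies on the `%fdupes` step in iptables.spec to relink the copies, say so next to the alias rules, e.g. `# installed via install(1), which dereferences: these arrive as copies unless relinked at packaging time`. The variable definitions that feed `${targets_install}` are outside the hunk, so this is inferred from the removed patch's context lines.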
@@ -1,80 +0,0 @@
-From 145e3ea1c4c6a8e47a77587d17fcad4df4e2c06f Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt
-Date: Thu, 10 Jan 2013 15:54:08 +0100
-Subject: [PATCH] build: also use libtool for install stage
-
-The just-built library has DT_RPATH entries to be runnable from
-whereever it is. If we just install that, the distro build systems
-will throw warnings like
-
- (Open Build Service) ERROR: RPATH
- "/home/abuild/rpmbuild/BUILD/iptables-1.4.18/libxtables/.libs"
- on /home/abuild/rpmbuild/BUILDROOT/iptables-1.4.18-0.x86_64/usr/lib64/xtables/libxt_unclean.so
- is not allowed
-
-These RPATH entries are indeed undesired for libraries in a system
-location, which is why libtool produces another copy of the library on
-installation. The Makefile however missed using libtool during
-installation (introduced with commit v1.4.17-1-g68e77a2). This patch
-now resolves this.
-
-Signed-off-by: Jan Engelhardt
----
- extensions/GNUmakefile.in | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index 781ac6d..6467f05 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -49,6 +49,9 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
- pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
- pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
- pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
-+pfx_lalibs := $(patsubst %,libxt_%.la,${pfx_build_mod})
-+pf4_lalibs := $(patsubst %,libipt_%.la,${pf4_build_mod})
-+pf6_lalibs := $(patsubst %,libip6t_%.la,${pf6_build_mod})
- pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
- pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
- pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-@@ -63,8 +66,9 @@ targets_instlink :=
- @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
- @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
- @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
--@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+@ENABLE_STATIC_FALSE@ targets_la_install += ${pfx_lalibs} ${pf4_lalibs} ${pf6_lalibs}
-+@ENABLE_STATIC_FALSE@ targets_so_install += ${pfx_solibs}
- @ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
-
- .SECONDARY:
-@@ -73,12 +77,14 @@ targets_instlink :=
-
- all: ${targets}
-
--install: ${targets_install} ${targets_instlink}
-+install: ${targets_la_install} ${targets_so_install} ${targets_instlink}
- @mkdir -p "${DESTDIR}${xtlibdir}";
-+ ../libtool ${AM_LIBTOOL_SILENT} --mode=install install -pm0755 ${targets_la_install} "${DESTDIR}${xtlibdir}/"
-+ rm -f "${DESTDIR}${xtlibdir}"/*.la
- if test -n "${targets_install}"; then \
- install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
- cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
-- fi;
-+ fi
-
- clean:
- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
-@@ -99,7 +105,7 @@ lib%.so: lib%.la
- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
-
- lib%.la: lib%.lo
-- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
-+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -avoid-version -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
-
- lib%.lo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
---
-1.7.10.4
-
diff --git a/0001-build-do-not-dereference-symlinks-on-installation.patch b/0001-build-do-not-dereference-symlinks-on-installation.patch
deleted file mode 100644
index a7893a0..0000000
--- a/0001-build-do-not-dereference-symlinks-on-installation.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From cbe7c8ef0dabe56bf8a1f7ed27722e85abb0af9f Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt
-Date: Thu, 10 Jan 2013 16:02:09 +0100
-Subject: [PATCH] build: do not dereference symlinks on installation
-
-By using install(1), libxt_NOTRACK.so was inadvertently installed as
-an actual file to /usr/lib/xtables rather than as a symlink. Switch to
-using cp(1).
-
-Signed-off-by: Jan Engelhardt
----
- extensions/GNUmakefile.in | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index adad4d6..781ac6d 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -40,7 +40,7 @@ endif
- # Wildcard module list
- #
- pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
--pfx_symlinks := NOTRACK state
-+pfx_symlinks := libxt_NOTRACK.so libxt_state.so
- @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
- @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
- pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
-@@ -49,7 +49,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
- pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
- pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
- pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
--pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
-+pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
- pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
- pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
-
-@@ -59,11 +59,13 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
- #
- targets := libext.a libext4.a libext6.a matches.man targets.man
- targets_install :=
-+targets_instlink :=
- @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
- @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
- @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
- @ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-+@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
-
- .SECONDARY:
-
-@@ -71,9 +73,12 @@ targets_install :=
-
- all: ${targets}
-
--install: ${targets_install}
-+install: ${targets_install} ${targets_instlink}
- @mkdir -p "${DESTDIR}${xtlibdir}";
-- if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
-+ if test -n "${targets_install}"; then \
-+ install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
-+ cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
-+ fi;
-
- clean:
- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
---
-1.7.10.4
-
diff --git a/0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch b/0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
new file mode 100644
index 0000000..c095baa
--- /dev/null
+++ b/0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
@@ -0,0 +1,88 @@
+From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Sat, 16 Mar 2013 12:11:07 +0100
+Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of
+ libip6tc dependency
+
+This patch changes the NETMAP target extension (IPv6 side) to use
+the xtables_ip6mask_to_cidr available in libxtables.
+
+As a side effect, we get rid of the libip6tc dependency.
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ extensions/GNUmakefile.in | 1 -
+ extensions/libip6t_NETMAP.c | 2 +-
+ include/libiptc/libip6tc.h | 3 ---
+ iptables/ip6tables.c | 2 +-
+ libiptc/libip6tc.c | 2 +-
+ 5 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index adad4d6..3db6985 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so
+ ${AM_VERBOSE_GEN} ln -fs $< $@
+
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
+ xt_RATEEST_LIBADD = -lm
+ xt_statistic_LIBADD = -lm
+
+diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c
+index d14dece..a4df70e 100644
+--- a/extensions/libip6t_NETMAP.c
++++ b/extensions/libip6t_NETMAP.c
+@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
+ printf("%s", xtables_ip6addr_to_numeric(&a));
+ for (i = 0; i < 4; i++)
+ a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
+- bits = ipv6_prefix_length(&a);
++ bits = xtables_ip6mask_to_cidr(&a);
+ if (bits < 0)
+ printf("/%s", xtables_ip6addr_to_numeric(&a));
+ else
+diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
+index c656bc4..9aed80a 100644
+--- a/include/libiptc/libip6tc.h
++++ b/include/libiptc/libip6tc.h
+@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void);
+ /* Translates errno numbers into more human-readable form than strerror. */
+ const char *ip6tc_strerror(int err);
+
+-/* Return prefix length, or -1 if not contiguous */
+-int ipv6_prefix_length(const struct in6_addr *a);
+-
+ extern void dump_entries6(struct xtc_handle *const);
+
+ extern const struct xtc_ops ip6tc_ops;
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 4cfbea3..7d02cc1 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
+ const struct in6_addr *mask, int invert)
+ {
+ char buf[51];
+- int l = ipv6_prefix_length(mask);
++ int l = xtables_ip6mask_to_cidr(mask);
+
+ if (l == 0 && !invert)
+ return;
+diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
+index 7128e1c..ca01bcb 100644
+--- a/libiptc/libip6tc.c
++++ b/libiptc/libip6tc.c
+@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
+ #define BIT6(a, l) \
+ ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
+
+-int
++static int
+ ipv6_prefix_length(const struct in6_addr *a)
+ {
+ int l, i;
+--
+1.8.2
+
diff --git a/iptables.changes b/iptables.changes
index d192114..4c9e7fa 100644
--- a/iptables.changes
+++ b/iptables.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de
+
+- libxt_state.so symlink was not installed (bnc#815182); fix by
+ removing 0001-build-also-use-libtool-for-install-stage.patch,
+ removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
+ adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
+ adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
+
 -------------------------------------------------------------------
 Wed Mar 20 08:22:20 UTC 2013 - cfarrell@suse.com
 
diff --git a/iptables.spec b/iptables.spec
index 25d7ff2..3e3e197 100644
--- a/iptables.spec
+++ b/iptables.spec
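Review bot: In the libiptc/libip6tc.c hunk `ipv6_prefix_length` becomes `static int` and its prototype is removed from include/libiptc/libip6tc.h, which takes away a function the library's public header declared until now; nothing in the patch shows a soname or symbol-version change to go with it. A program built against the earlier header and calling it would presumably fail to resolve the symbol, though whether any packaged consumer does is not visible here. I would leave a pointer at the removed declaration, `/* ipv6_prefix_length() is no longer exported; use xtables_ip6mask_to_cidr() from libxtables */`, and mention the removal in iptables.changes. Both call sites keep their existing handling of the return value (`if (bits < 0)` in NETMAP_print, `if (l == 0 && !invert)` in print_ip), and both functions continue outside their hunks.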
@@ -34,8 +34,8 @@ Url: http://netfilter.org/projects/iptables/
 Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3: %name.keyring
-Patch1: 0001-build-do-not-dereference-symlinks-on-installation.patch
-Patch2: 0001-build-also-use-libtool-for-install-stage.patch
+Patch1: 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
+Patch2: 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
 
@@ -172,6 +172,9 @@ rm -f "%buildroot/%_libdir"/*.la;
 %fdupes %buildroot/%_prefix
 %endif
 
+%clean
+:
+
 %post -n %lname_ipq -p /sbin/ldconfig
 %postun -n %lname_ipq -p /sbin/ldconfig
 %post -n %lname_iptc -p /sbin/ldconfig
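Review bot: Patch2 can only apply after Patch1, because both edit extensions/GNUmakefile.in and the revert's pre-image (`index 3db6985..1ae7f74`) is the NETMAP patch's post-image (`index adad4d6..3db6985`), yet the Patch1/Patch2 lines carry no comment recording that ordering or where the patches come from. A line above them such as `# Backports for bnc#815182; Patch2 must be applied after Patch1 (both touch extensions/GNUmakefile.in)` would spare the next maintainer from rediscovering this at a reorder or version bump; both appear to be upstream commits, judging by the headers of the added patch files. The `%clean` section with a bare `:` added in the second hunk is also not mentioned in the iptables.changes entry and would benefit from a one-line reason.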