* pull: misc nf bugfixes
From: Jan Engelhardt @ 2010-09-15 18:53 UTC (permalink / raw)
  To: pablo; +Cc: kaber, netfilter-devel




Again I went through the bugzilla and shelved off some bug reports.
Please apply.


The following changes since commit 0428e5a6541c3f5eaaf683d8da9ea60c44eac4c7:

  build: fix static linking (2010-08-03 19:58:38 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (4):
      iptables-xml: resolve compiler warnings
      iptables: limit chain name length to be consistent with targets
      libiptc: build with -Wl,--no-as-needed
      libiptc: add Libs.private to pkgconfig files

 Makefile.am                 |    4 +-
 configure.ac                |    5 +++
 ip6tables.c                 |    6 ++--
 iptables-xml.c              |    2 +-
 iptables.c                  |    6 ++--
 libiptc.pc.in               |    1 +
 m4/ax_check_linker_flags.m4 |   78 +++++++++++++++++++++++++++++++++++++++++++
 xtables.pc.in               |    1 +
 8 files changed, 94 insertions(+), 9 deletions(-)
 create mode 100644 m4/ax_check_linker_flags.m4


* [PATCH 1/4] iptables-xml: resolve compiler warnings
From: Jan Engelhardt @ 2010-09-15 18:53 UTC (permalink / raw)
  To: pablo; +Cc: kaber, netfilter-devel

iptables-xml.c: In function "parse_counters":
iptables-xml.c:70:8: warning: assignment from incompatible pointer type
iptables-xml.c:71:8: warning: assignment from incompatible pointer type

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 iptables-xml.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/iptables-xml.c b/iptables-xml.c
index daf4208..32d996a 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -64,7 +64,7 @@ print_usage(const char *name, const char *version)
 static int
 parse_counters(char *string, struct ipt_counters *ctr)
 {
-	u_int64_t *pcnt, *bcnt;
+	__u64 *pcnt, *bcnt;
 
 	if (string != NULL) {
 		pcnt = &ctr->pcnt;
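
Review bot: the commit message for the `__u64 *pcnt, *bcnt;` declaration only pastes the compiler warning and does not say why the two types differ or what else in parse_counters consumes these pointers. Only the assignment `pcnt = &ctr->pcnt;` is visible here, so please state in the message that the pointers now match the field type of struct ipt_counters, and confirm that any format string or conversion that writes through pcnt and bcnt further down still agrees with __u64.
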
-- 
1.7.1



* [PATCH 2/4] iptables: limit chain name length to be consistent with targets
From: Jan Engelhardt @ 2010-09-15 18:53 UTC (permalink / raw)
  To: pablo; +Cc: kaber, netfilter-devel

Creation of chain names longer than the ones being able to jump to
should be inhibited for consistency.

References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2
Cc: Stig Thormodsrud <stig@vyatta.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |    6 +++---
 iptables.c  |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index 6c5d124..15067da 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1838,10 +1838,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 
 	generic_opt_check(command, options);
 
-	if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
+	if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 		xtables_error(PARAMETER_PROBLEM,
-			   "chain name `%s' too long (must be under %i chars)",
-			   chain, IP6T_FUNCTION_MAXNAMELEN);
+			   "chain name `%s' too long (must be under %u chars)",
+			   chain, XT_EXTENSION_MAXNAMELEN);
 
 	/* only allocate handle if we weren't called with a handle */
 	if (!*handle)
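
Review bot: the condition in do_command6 changes in two ways at once (`>` becomes `>=`, and IP6T_FUNCTION_MAXNAMELEN becomes XT_EXTENSION_MAXNAMELEN), and the commit message does not state the resulting maximum accepted length. Both changes tighten the check, so chain names that were accepted before can now be rejected; please spell out the old and new limits in the message so that callers who validate names themselves can adjust.
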
diff --git a/iptables.c b/iptables.c
index 19f6d4f..840dd3e 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1876,10 +1876,10 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 
 	generic_opt_check(command, options);
 
-	if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
+	if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 		xtables_error(PARAMETER_PROBLEM,
-			   "chain name `%s' too long (must be under %i chars)",
-			   chain, IPT_FUNCTION_MAXNAMELEN);
+			   "chain name `%s' too long (must be under %u chars)",
+			   chain, XT_EXTENSION_MAXNAMELEN);
 
 	/* only allocate handle if we weren't called with a handle */
 	if (!*handle)
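
Review bot: this check in do_command is a line-for-line copy of the one added to do_command6, including the message text, so the two can drift apart again the way the IPT_/IP6T_ constants did. A small shared helper would keep the limit in one place. Also, `%u` is now paired with XT_EXTENSION_MAXNAMELEN; unless that macro expands to an unsigned value, keep `%i` or cast the argument.
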
-- 
1.7.1



* [PATCH 3/4] libiptc: build with -Wl,--no-as-needed
From: Jan Engelhardt @ 2010-09-15 18:53 UTC (permalink / raw)
  To: pablo; +Cc: kaber, netfilter-devel

Since libiptc does not reference any symbols in libip(4|6)tc, the linker
may ignore the dependencies. Use --no-as-needed to explicitly force a
DT_NEEDED entry.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=674
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am                 |    4 +-
 configure.ac                |    5 +++
 m4/ax_check_linker_flags.m4 |   78 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 m4/ax_check_linker_flags.m4

diff --git a/Makefile.am b/Makefile.am
index 2a63cc7..7f0eb2f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,11 +20,11 @@ lib_LTLIBRARIES =
 lib_LTLIBRARIES           += libiptc/libip4tc.la libiptc/libip6tc.la libiptc/libiptc.la
 libiptc_libiptc_la_SOURCES  =
 libiptc_libiptc_la_LIBADD   = libiptc/libip4tc.la libiptc/libip6tc.la
-libiptc_libiptc_la_LDFLAGS  = -version-info 0:0:0
+libiptc_libiptc_la_LDFLAGS  = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 libiptc_libip4tc_la_SOURCES = libiptc/libip4tc.c
 libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0
 libiptc_libip6tc_la_SOURCES = libiptc/libip6tc.c
-libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0
+libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 
 lib_LTLIBRARIES      += libxtables.la
 libxtables_la_SOURCES = xtables.c
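
Review bot: `${libiptc_LDFLAGS2}` is appended to libiptc_libiptc_la_LDFLAGS and libiptc_libip6tc_la_LDFLAGS, while libiptc_libip4tc_la_LDFLAGS is left unchanged. The commit message says the problem is that libiptc references no symbols in libip4tc or libip6tc, which makes libiptc.la the only library that needs the flag. Either drop it from the libip6tc line or explain why libip6tc needs it and libip4tc does not.
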
diff --git a/configure.ac b/configure.ac
index 3b26f54..6010afd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,11 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
 	[Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]),
 	[pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig'])
 
+libiptc_LDFLAGS2="";
+AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
+	[libiptc_LDFLAGS2="-Wl,--no-as-needed"])
+AC_SUBST([libiptc_LDFLAGS2])
+
 blacklist_modules="";
 
 AC_CHECK_HEADER([linux/dccp.h])
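
Review bot: the added `libiptc_LDFLAGS2` block has no comment saying why the flag is probed, and the variable name does not say what it holds. A `dnl` line pointing at the bugzilla entry cited in the commit message would help the next reader. Note also that when the probe fails the variable stays empty and the build continues without a forced DT_NEEDED entry, so the original problem comes back silently on linkers that lack the flag; consider reporting that case.
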
diff --git a/m4/ax_check_linker_flags.m4 b/m4/ax_check_linker_flags.m4
new file mode 100644
index 0000000..ba7bf3c
--- /dev/null
+++ b/m4/ax_check_linker_flags.m4
@@ -0,0 +1,78 @@
+#http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_check_linker_flags.m4
+# ===========================================================================
+#   http://www.gnu.org/software/autoconf-archive/ax_check_linker_flags.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_LINKER_FLAGS(FLAGS, [ACTION-SUCCESS], [ACTION-FAILURE])
+#
+# DESCRIPTION
+#
+#   Check whether the given linker FLAGS work with the current language's
+#   linker, or whether they give an error.
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   NOTE: Based on AX_CHECK_COMPILER_FLAGS.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Mike Frysinger <vapier@gentoo.org>
+#   Copyright (c) 2009 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2009 Matteo Frigo
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_LINKER_FLAGS],
+[AC_MSG_CHECKING([whether the linker accepts $1])
+dnl Some hackery here since AC_CACHE_VAL can't handle a non-literal varname:
+AS_LITERAL_IF([$1],
+  [AC_CACHE_VAL(AS_TR_SH(ax_cv_linker_flags_[$1]), [
+      ax_save_FLAGS=$LDFLAGS
+      LDFLAGS="$1"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+        AS_TR_SH(ax_cv_linker_flags_[$1])=yes,
+        AS_TR_SH(ax_cv_linker_flags_[$1])=no)
+      LDFLAGS=$ax_save_FLAGS])],
+  [ax_save_FLAGS=$LDFLAGS
+   LDFLAGS="$1"
+   AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+     eval AS_TR_SH(ax_cv_linker_flags_[$1])=yes,
+     eval AS_TR_SH(ax_cv_linker_flags_[$1])=no)
+   LDFLAGS=$ax_save_FLAGS])
+eval ax_check_linker_flags=$AS_TR_SH(ax_cv_linker_flags_[$1])
+AC_MSG_RESULT($ax_check_linker_flags)
+if test "x$ax_check_linker_flags" = xyes; then
+	m4_default([$2], :)
+else
+	m4_default([$3], :)
+fi
+])dnl AX_CHECK_LINKER_FLAGS
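
Review bot: inside the macro, `LDFLAGS="$1"` replaces the caller's LDFLAGS for the duration of the link test instead of appending to it, so the flag is probed without whatever the user passed to configure and the cached answer may not match the real link line. Since this is a vendored copy, the first line should record which upstream revision it was taken from (the `#serial 6` line is the only version marker), so that a later resync or a local change such as `LDFLAGS="$ax_save_FLAGS $1"` can be tracked.
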
-- 
1.7.1



* [PATCH 4/4] libiptc: add Libs.private to pkgconfig files
From: Jan Engelhardt @ 2010-09-15 18:53 UTC (permalink / raw)
  To: pablo; +Cc: kaber, netfilter-devel

This is needed when doing static linking.
(pkg-config --static --libs libiptc)

References: http://bugzilla.netfilter.org/show_bug.cgi?id=675
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 libiptc.pc.in |    1 +
 xtables.pc.in |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libiptc.pc.in b/libiptc.pc.in
index 63a459a..99a3544 100644
--- a/libiptc.pc.in
+++ b/libiptc.pc.in
@@ -8,4 +8,5 @@ Name:		libiptc
 Description:	iptables ruleset ADT and kernel interface
 Version:	@PACKAGE_VERSION@
 Libs:		-L${libdir} -liptc
+Libs.private:	-lip4tc -lip6tc
 Cflags:		-I${includedir}
diff --git a/xtables.pc.in b/xtables.pc.in
index fa6f33b..43f35d5 100644
--- a/xtables.pc.in
+++ b/xtables.pc.in
@@ -10,3 +10,4 @@ Description:	Shared Xtables code for extensions and iproute2
 Version:	@PACKAGE_VERSION@
 Cflags:		-I${includedir}
 Libs:		-L${libdir} -lxtables
+Libs.private:	-ldl
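
Review bot: `Libs.private: -ldl` in xtables.pc.in is hardcoded, so a static link through pkg-config will request libdl even on a platform that has no separate libdl. Since this is a .pc.in template, substitute a value detected by configure instead of the literal. The subject line also says "libiptc" while this hunk changes the xtables pkgconfig file; please mention xtables in the commit message.
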
-- 
1.7.1



* Re: pull: misc nf bugfixes
From: Patrick McHardy @ 2010-09-15 19:26 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: pablo, netfilter-devel

On 15.09.2010 20:53, Jan Engelhardt wrote:
> git://dev.medozas.de/iptables master

Pulled, thanks Jan.


* Re: [PATCH 2/4] iptables: limit chain name length to be consistent with targets
From: Stig Thormodsrud @ 2010-09-16  0:29 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: pablo, kaber, netfilter-devel

On 09/15/2010 11:53 AM, Jan Engelhardt wrote:
> Creation of chain names longer than the ones being able to jump to
> should be inhibited for consistency.
> 
> References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2
> Cc: Stig Thormodsrud <stig@vyatta.com>
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
>  ip6tables.c |    6 +++---
>  iptables.c  |    6 +++---
>  2 files changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/ip6tables.c b/ip6tables.c
> index 6c5d124..15067da 100644
> --- a/ip6tables.c
> +++ b/ip6tables.c
> @@ -1838,10 +1838,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
>  
>  	generic_opt_check(command, options);
>  
> -	if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
> +	if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
>  		xtables_error(PARAMETER_PROBLEM,
> -			   "chain name `%s' too long (must be under %i chars)",
> -			   chain, IP6T_FUNCTION_MAXNAMELEN);
> +			   "chain name `%s' too long (must be under %u chars)",
> +			   chain, XT_EXTENSION_MAXNAMELEN);
>  
>  	/* only allocate handle if we weren't called with a handle */
>  	if (!*handle)
> diff --git a/iptables.c b/iptables.c
> index 19f6d4f..840dd3e 100644
> --- a/iptables.c
> +++ b/iptables.c
> @@ -1876,10 +1876,10 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
>  
>  	generic_opt_check(command, options);
>  
> -	if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
> +	if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
>  		xtables_error(PARAMETER_PROBLEM,
> -			   "chain name `%s' too long (must be under %i chars)",
> -			   chain, IPT_FUNCTION_MAXNAMELEN);
> +			   "chain name `%s' too long (must be under %u chars)",
> +			   chain, XT_EXTENSION_MAXNAMELEN);
>  
>  	/* only allocate handle if we weren't called with a handle */
>  	if (!*handle)

Thanks for the fix.  I guess my original question was if the change in
max name length from 29 to 28 characters was intentional or required by
some other data structure change?

iptables -t filter --new-chain A234567890123456789012345678901
iptables v1.4.4: chain name `A234567890123456789012345678901' too long
(must be under 30 chars)


iptables -t filter --new-chain A234567890123456789012345678901
iptables v1.4.9: chain name `A234567890123456789012345678901' too long
(must be under 29 chars)


I know you're probably thinking it's just 1 character who cares, but we
have checks for that max in a lot of places and our log tag is based on
the chain name and the log tag has a max size and blah blah...




* Re: [PATCH 2/4] iptables: limit chain name length to be consistent with targets
From: Jan Engelhardt @ 2010-09-16  9:45 UTC (permalink / raw)
  To: Stig Thormodsrud; +Cc: pablo, kaber, netfilter-devel


On Thursday 2010-09-16 02:29, Stig Thormodsrud wrote:
>> -	if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
>> +	if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
>>  		xtables_error(PARAMETER_PROBLEM,
>> -			   "chain name `%s' too long (must be under %i chars)",
>> -			   chain, IPT_FUNCTION_MAXNAMELEN);
>> +			   "chain name `%s' too long (must be under %u chars)",
>> +			   chain, XT_EXTENSION_MAXNAMELEN);
>>  
>>  	/* only allocate handle if we weren't called with a handle */
>>  	if (!*handle)
>
>Thanks for the fix.  I guess my original question was if the change in
>max name length from 29 to 28 characters was intentional or required by
>some other data structure change?

struct xt_entry_match simply just has space for 28+1 bytes for the
name+'\0'. Chain names could be 31+1, but it is unknown in advance
whether a name whose length is to be checked is going to be a target
or a chain, so it is safer to just use 29 for now.
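
The boundary described in this reply, worked through as an added example that is not part of the thread or of the iptables source: a `>` test against the field size lets through a name that no longer fits once the terminating NUL is counted, while `>=` does not. NAME_FIELD_SIZE, CHAIN_LABEL_SIZE and the four helper names are assumptions standing in for the 28+1 and 31+1 sizes given above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the sizes in the reply: 28+1 (target), 31+1 (chain). */
#define NAME_FIELD_SIZE  29
#define CHAIN_LABEL_SIZE 32

/* Pre-patch form of the test: only names longer than the limit fail. */
static bool old_check_accepts(const char *name, size_t limit)
{
	return name != NULL && strlen(name) <= limit;
}

/* Post-patch form: a name as long as the field size fails as well. */
static bool new_check_accepts(const char *name, size_t limit)
{
	return name != NULL && strlen(name) < limit;
}

/* True when name plus its terminating NUL fits into `size` bytes. */
static bool fits_in_field(const char *name, size_t size)
{
	return strlen(name) + 1 <= size;
}

/* Store into a fixed field; refuse rather than truncate an oversized name. */
static int store_name(char *field, size_t size, const char *name)
{
	if (!fits_in_field(name, size))
		return -1;
	memcpy(field, name, strlen(name) + 1);
	return 0;
}

int main(void)
{
	/* Constructed sample names of 28, 29 and 31 characters. */
	const char *names[] = {
		"A234567890123456789012345678",
		"A2345678901234567890123456789",
		"A234567890123456789012345678901",
	};
	char field[NAME_FIELD_SIZE];
	for (size_t i = 0; i < 3; i++) {
		const char *n = names[i];
		printf("%zu: old=%d new=%d target=%d chain=%d store=%d\n", strlen(n),
		       old_check_accepts(n, NAME_FIELD_SIZE),
		       new_check_accepts(n, NAME_FIELD_SIZE),
		       fits_in_field(n, NAME_FIELD_SIZE), fits_in_field(n, CHAIN_LABEL_SIZE),
		       store_name(field, sizeof(field), n));
	}
	return 0;
}
```

The 31-character name fits a chain label but not a target name field, which is the case the reply gives for applying the smaller limit to both.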
