[PATCH iptables 0/3] Fix build errors on Android

[PATCH iptables 0/3] Fix build errors on Android

[Kevin Cernekee]

The current head of tree is not buildable with Android NDK r9 due to
a few small incompatibilities.  This series attempts to address them.

Android normally bundles a version of iptables which has additional
deltas (xt_quota2 match, xt_IDLETIMER modifications) from mainline.
I will not address those here.

With my patches applied, this produces a usable ARM xtables-multi binary:

NDK=/opt/android-ndk-r9
export PATH=$NDK/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH
./autogen.sh
./configure --host=arm-linux-androideabi \
        --disable-shared --enable-static \
        CFLAGS="--sysroot=$NDK/platforms/android-8/arch-arm"
make

I retested x86 PC builds to make sure that nothing else broke.

Another way to handle the TCPOPTSTRIP issue is to add #ifndef's in
libxt_TCPOPTSTRIP.c for each missing constant, similar to how
TCPOPT_MD5SIG is currently done.  If this is preferred, let me know.


Kevin Cernekee (3):
  android: libiptc: Fix socklen_t type mismatch on Android
  android: Don't include conflicting headers
  android: build: Blacklist TCPOPTSTRIP on systems that lack TCPOPT_*

 configure.ac                         |    8 ++++++++
 include/libiptc/ipt_kernel_headers.h |    2 +-
 libiptc/libip4tc.c                   |    2 +-
 libiptc/libip6tc.c                   |    2 +-
 4 files changed, 11 insertions(+), 3 deletions(-)

-- 
1.7.9.5

[PATCH iptables 1/3] android: libiptc: Fix socklen_t type mismatch on Android

[Kevin Cernekee]

Bionic defines socklen_t as a signed int, so redefining it as unsigned
breaks the build.

This change comes from AOSP.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
 libiptc/libip4tc.c |    2 +-
 libiptc/libip6tc.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index dd59951..2b029d4 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -22,7 +22,7 @@
 #define inline
 #endif
 
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
+#if !defined(__ANDROID__) && (!defined(__GLIBC__) || (__GLIBC__ < 2))
 typedef unsigned int socklen_t;
 #endif
 
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index ca01bcb..4e47e69 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -23,7 +23,7 @@
 #define inline
 #endif
 
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
+#if !defined(__ANDROID__) && (!defined(__GLIBC__) || (__GLIBC__ < 2))
 typedef unsigned int socklen_t;
 #endif
 
-- 
1.7.9.5

[PATCH iptables 2/3] android: Don't include conflicting headers

[Kevin Cernekee]

<netinet/ip.h> and <linux/ip.h> redefine a couple of structs, including
iphdr.  Handle this the same way as on glibc, i.e. don't include
<linux/ip.h>.

This change comes from AOSP.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
 include/libiptc/ipt_kernel_headers.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/libiptc/ipt_kernel_headers.h b/include/libiptc/ipt_kernel_headers.h
index 18861fe..60c7998 100644
--- a/include/libiptc/ipt_kernel_headers.h
+++ b/include/libiptc/ipt_kernel_headers.h
@@ -5,7 +5,7 @@
 
 #include <limits.h>
 
-#if defined(__GLIBC__) && __GLIBC__ == 2
+#if defined(__ANDROID__) || (defined(__GLIBC__) && __GLIBC__ == 2)
 #include <netinet/ip.h>
 #include <netinet/in.h>
 #include <netinet/ip_icmp.h>
-- 
1.7.9.5

[PATCH iptables 3/3] android: build: Blacklist TCPOPTSTRIP on systems that lack TCPOPT_*

[Kevin Cernekee]

Bionic's <netinet/tcp.h> is missing constants needed to build this module,
so have autoconf check for this condition before trying to build it.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
 configure.ac |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/configure.ac b/configure.ac
index 76d0b37..53a9ded 100644
--- a/configure.ac
+++ b/configure.ac
@@ -91,6 +91,14 @@ if test "$nfconntrack" -ne 1; then
 	echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
 fi;
 
+AC_CHECK_DECL([TCPOPT_WINDOW], [tcpopt_ok=1], [tcpopt_ok=0],
+	[[#include <netinet/tcp.h>]])
+
+if test "$tcpopt_ok" -ne 1; then
+	blacklist_modules="$blacklist_modules TCPOPTSTRIP";
+	echo "WARNING: TCPOPT_* constants not found, TCPOPTSTRIP target will not be built";
+fi;
+
 AC_SUBST([blacklist_modules])
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
 
-- 
1.7.9.5

Re: [PATCH iptables 1/3] android: libiptc: Fix socklen_t type mismatch on Android

[Jan Engelhardt]

On Saturday 2013-10-26 20:50, Kevin Cernekee wrote:
> 
>-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
>+#if !defined(__ANDROID__) && (!defined(__GLIBC__) || (__GLIBC__ < 2))
> typedef unsigned int socklen_t;
> #endif

Do we still need this group of 3 lines anyway? Are we willingly
targeting any libc which does not have socklen_t defined --
or glibc 1.x for that matter?

Re: [PATCH iptables 3/3] android: build: Blacklist TCPOPTSTRIP on systems that lack TCPOPT_*

[Pablo Neira Ayuso]

On Sat, Oct 26, 2013 at 11:50:33AM -0700, Kevin Cernekee wrote:
> Bionic's <netinet/tcp.h> is missing constants needed to build this module,
> so have autoconf check for this condition before trying to build it.

The blacklist infrastructure is there to skip extensions whose
dependencies are missing, ie. a library. I don't want to use it for
this hack. Please, fix bionic.

Re: [PATCH iptables 2/3] android: Don't include conflicting headers

[Pablo Neira Ayuso]

Hi Kevin,

On Sat, Oct 26, 2013 at 11:50:32AM -0700, Kevin Cernekee wrote:
> <netinet/ip.h> and <linux/ip.h> redefine a couple of structs, including
> iphdr.  Handle this the same way as on glibc, i.e. don't include
> <linux/ip.h>.
> 
> This change comes from AOSP.

No major objections to this 1/3 and 2/3, but I don't see this patch
here:

https://android.googlesource.com/platform/external/iptables/

Please, tell me if it's the right place to look at. Any plan to
include these patches to AOSP repositories?

Thanks.

Re: [PATCH iptables 2/3] android: Don't include conflicting headers

[Kevin Cernekee]

On Tue, Nov 5, 2013 at 5:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi Kevin,
>
> On Sat, Oct 26, 2013 at 11:50:32AM -0700, Kevin Cernekee wrote:
>> <netinet/ip.h> and <linux/ip.h> redefine a couple of structs, including
>> iphdr.  Handle this the same way as on glibc, i.e. don't include
>> <linux/ip.h>.
>>
>> This change comes from AOSP.
>
> No major objections to this 1/3 and 2/3, but I don't see this patch
> here:
>
> https://android.googlesource.com/platform/external/iptables/
>
> Please, tell me if it's the right place to look at. Any plan to
> include these patches to AOSP repositories?

1/3 (socklen_t redefinition) is included here:

https://android.googlesource.com/platform/external/iptables/+/master/libiptc/libip4tc.c
https://android.googlesource.com/platform/external/iptables/+/master/libiptc/libip6tc.c

2/3 (conflicting ip.h headers) is included here:

https://android.googlesource.com/platform/external/iptables/+/master/include/libiptc/ipt_kernel_headers.h

For 3/3 (missing TCPOPT_* breaks the TCPOPTSTRIP module) I submitted a
patch to Bionic, and verified that it allows a successful build with
TCPOPTSTRIP enabled:

https://android-review.googlesource.com/#/c/73580/