
This queue is for tickets about the IPTables-IPv4 CPAN distribution.

Report information
The Basics
Id: 37965
Status: new
Priority: 0/
Queue: IPTables-IPv4

People
Owner: Nobody in particular
Requestors: minfrin [...] sharp.fm
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Module fails to compile on kernel 2.6.25.10-86.fc9 (Fedora Core 9)
Date: Sun, 27 Jul 2008 23:18:01 +0200
To: bug-IPTables-IPv4 [...] rt.cpan.org
From: Graham Leggett <minfrin [...] sharp.fm>
Hi all,

IPTables-IPv4 as built from an rpm on Fedora Core 9 fails to compile as per the error below. It seems that someone has broken the kernel headers for iptables, or IPTables-IPv4 is doing something wrong in some way.

In file included from /usr/include/linux/netfilter_ipv4.h:8,
                 from /usr/include/linux/netfilter_ipv4/ip_tables.h:18,
                 from include/libiptc/libiptc.h:6,
                 from local_types.h:41,
                 from module_iface.h:16,
                 from loader.h:1,
                 from loader.c:39:
/usr/include/linux/netfilter.h:40: error: expected specifier-qualifier-list before '__u32'
loader.c: In function 'find_module_int':
loader.c:108: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
make: *** [loader.o] Error 1
make: *** Waiting for unfinished jobs....
In file included from /usr/include/linux/netfilter_ipv4.h:8,
                 from /usr/include/linux/netfilter_ipv4/ip_tables.h:18,
                 from include/libiptc/libiptc.h:6,
                 from local_types.h:41,
                 from packer.c:30:
/usr/include/linux/netfilter.h:40: error: expected specifier-qualifier-list before '__u32'
packer.c: In function 'ipt_do_pack':
packer.c:261: warning: passing argument 3 of 'Perl_sv_2pv_flags' from incompatible pointer type
packer.c:319: warning: passing argument 3 of 'Perl_sv_2pv_flags' from incompatible pointer type
packer.c:380: warning: passing argument 3 of 'Perl_sv_2pv_flags' from incompatible pointer type
packer.c:512: warning: format '%Lu' expects type 'long long unsigned int *', but argument 3 has type 'u_int64_t *'
packer.c:523: warning: format '%Lu' expects type 'long long unsigned int *', but argument 3 has type 'u_int64_t *'
packer.c:249: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
packer.c:310: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
packer.c:372: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
packer.c:542: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
packer.c:558: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
make: *** [packer.o] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.32445 (%build)

Regards,
Graham
--

Subject: Re: [rt.cpan.org #37965] AutoReply: Module fails to compile on kernel 2.6.25.10-86.fc9 (Fedora Core 9)
Date: Mon, 28 Jul 2008 00:23:46 +0200
To: bug-IPTables-IPv4 [...] rt.cpan.org
From: Graham Leggett <minfrin [...] sharp.fm>
Hi all,

Some further digging - it seems this module has tried to copy a subset of what looks like kernel headers within include/linux/netfilter_ipv4 and include/linux/netfilter_ipv6, which guarantees major confusion and breakage should these headers move out of sync.

Busy investigating the effect of removing these headers entirely.

Regards,
Graham
--

Subject: Re: [rt.cpan.org #37965] AutoReply: Module fails to compile on kernel 2.6.25.10-86.fc9 (Fedora Core 9)
Date: Tue, 29 Jul 2008 01:14:02 +0200
To: bug-IPTables-IPv4 [...] rt.cpan.org
From: Graham Leggett <minfrin [...] sharp.fm>

Hi all,

The following patch works around the problem so far, fixing a number of problems:

- It adds -fPIC in a number of places where shared objects are used
- It adds an include of linux/types.h to work around the missing __u32 definition.
- On FC9 the struct in6_addr isn't picked up from linux/in6.h, but rather from netinet/in.h, which causes a compile failure. There is a hack included to work around this problem, ideally someone who knows this header code better should find the "right" way to identify the correct header.

The patch is attached.

Regards,
Graham
--
diff -u -r -N IPTables-IPv4-0.98-orig/include/libiptc/ipt_kernel_headers.h IPTables-IPv4-0.98/include/libiptc/ipt_kernel_headers.h --- IPTables-IPv4-0.98-orig/include/libiptc/ipt_kernel_headers.h 2001-10-06 04:16:12.000000000 +0200 +++ IPTables-IPv4-0.98/include/libiptc/ipt_kernel_headers.h 2008-07-28 12:49:01.000000000 +0200 @@ -13,6 +13,7 @@ #include <netinet/udp.h> #include <net/if.h> #include <sys/types.h> +#include <linux/types.h> #else /* libc5 */ #include <sys/socket.h> #include <linux/ip.h> diff -u -r -N IPTables-IPv4-0.98-orig/include/linux/config.h IPTables-IPv4-0.98/include/linux/config.h --- IPTables-IPv4-0.98-orig/include/linux/config.h 1970-01-01 02:00:00.000000000 +0200 +++ IPTables-IPv4-0.98/include/linux/config.h 2008-07-28 14:45:12.000000000 +0200 @@ -0,0 +1,8 @@ +#ifndef _LINUX_CONFIG_H +#define _LINUX_CONFIG_H + +#ifdef __KERNEL__ +#error Incorrectly using glibc headers for a kernel module +#endif + +#endif diff -u -r -N IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_conntrack.h IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_conntrack.h --- IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_conntrack.h 1970-01-01 02:00:00.000000000 +0200 +++ IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_conntrack.h 2008-07-28 14:44:31.000000000 +0200 
@@ -0,0 +1,45 @@ +#ifndef _IP_CONNTRACK_H +#define _IP_CONNTRACK_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ + +#include <linux/config.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> + +enum ip_conntrack_info +{ + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), +}; + +#endif /* _IP_CONNTRACK_H */ diff -u -r -N IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_conntrack_tuple.h --- IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 1970-01-01 02:00:00.000000000 +0200 +++ IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2008-07-28 14:43:39.000000000 +0200 
@@ -0,0 +1,105 @@ +#ifndef _IP_CONNTRACK_TUPLE_H +#define _IP_CONNTRACK_TUPLE_H + +/* A `tuple' is a structure containing the information to uniquely + identify a connection. ie. if two packets have the same tuple, they + are in the same connection; if not, they are not. + + We divide the structure along "manipulatable" and + "non-manipulatable" lines, for the benefit of the NAT code. +*/ + +/* The protocol-specific manipulable parts of the tuple: always in + network order! */ +union ip_conntrack_manip_proto +{ + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int16_t id; + } icmp; +}; + +/* The manipulable part of the tuple. */ +struct ip_conntrack_manip +{ + u_int32_t ip; + union ip_conntrack_manip_proto u; +}; + +/* This contains the information to distinguish a connection. */ +struct ip_conntrack_tuple +{ + struct ip_conntrack_manip src; + + /* These are the parts of the tuple which are fixed. */ + struct { + u_int32_t ip; + union { + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int8_t type, code; + } icmp; + } u; + + /* The protocol. 
*/ + u_int16_t protonum; + } dst; +}; + +enum ip_conntrack_dir +{ + IP_CT_DIR_ORIGINAL, + IP_CT_DIR_REPLY, + IP_CT_DIR_MAX +}; + +static inline int ip_ct_tuple_src_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return t1->src.ip == t2->src.ip + && t1->src.u.all == t2->src.u.all; +} + +static inline int ip_ct_tuple_dst_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return t1->dst.ip == t2->dst.ip + && t1->dst.u.all == t2->dst.u.all + && t1->dst.protonum == t2->dst.protonum; +} + +static inline int ip_ct_tuple_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return ip_ct_tuple_src_equal(t1, t2) && ip_ct_tuple_dst_equal(t1, t2); +} + +static inline int ip_ct_tuple_mask_cmp(const struct ip_conntrack_tuple *t, + const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack_tuple *mask) +{ + return !(((t->src.ip ^ tuple->src.ip) & mask->src.ip) + || ((t->dst.ip ^ tuple->dst.ip) & mask->dst.ip) + || ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all) + || ((t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all) + || ((t->dst.protonum ^ tuple->dst.protonum) + & mask->dst.protonum)); +} + +#endif /* _IP_CONNTRACK_TUPLE_H */ diff -u -r -N IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_nat.h IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_nat.h --- IPTables-IPv4-0.98-orig/include/linux/netfilter_ipv4/ip_nat.h 1970-01-01 02:00:00.000000000 +0200 +++ IPTables-IPv4-0.98/include/linux/netfilter_ipv4/ip_nat.h 2008-07-28 14:41:40.000000000 +0200 
@@ -0,0 +1,81 @@ +#ifndef _IP_NAT_H +#define _IP_NAT_H +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> + +#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16 + +enum ip_nat_manip_type +{ + IP_NAT_MANIP_SRC, + IP_NAT_MANIP_DST +}; + +#ifndef CONFIG_IP_NF_NAT_LOCAL +/* SRC manip occurs only on POST_ROUTING */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING) +#else +/* SRC manip occurs POST_ROUTING or LOCAL_IN */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN) +#endif + +/* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */ +#ifndef SO_ORIGINAL_DST +#define SO_ORIGINAL_DST 80 +#endif + +#define IP_NAT_RANGE_MAP_IPS 1 +#define IP_NAT_RANGE_PROTO_SPECIFIED 2 +/* Used internally by get_unique_tuple(). */ +#define IP_NAT_RANGE_FULL 4 + +/* NAT sequence number modifications */ +struct ip_nat_seq { + /* position of the last TCP sequence number + * modification (if any) */ + u_int32_t correction_pos; + /* sequence number offset before and after last modification */ + int32_t offset_before, offset_after; +}; + +/* Single range specification. */ +struct ip_nat_range +{ + /* Set to OR of flags above. */ + unsigned int flags; + + /* Inclusive: network order. */ + u_int32_t min_ip, max_ip; + + /* Inclusive: network order */ + union ip_conntrack_manip_proto min, max; +}; + +/* A range consists of an array of 1 or more ip_nat_range */ +struct ip_nat_multi_range +{ + unsigned int rangesize; + + /* hangs off end. */ + struct ip_nat_range range[1]; +}; + +/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */ +#define IP_NAT_MAX_MANIPS (2*3) + +struct ip_nat_info_manip +{ + /* The direction. */ + u_int8_t direction; + + /* Which hook the manipulation happens on. */ + u_int8_t hooknum; + + /* The manipulation type. */ + u_int8_t maniptype; + + /* Manipulations to occur at each conntrack in this dirn. 
*/ + struct ip_conntrack_manip manip; +}; + +#endif diff -u -r -N IPTables-IPv4-0.98-orig/libiptc/libip6tc.c IPTables-IPv4-0.98/libiptc/libip6tc.c --- IPTables-IPv4-0.98-orig/libiptc/libip6tc.c 2003-07-04 23:06:44.000000000 +0200 +++ IPTables-IPv4-0.98/libiptc/libip6tc.c 2008-07-28 12:55:39.000000000 +0200 @@ -111,7 +111,7 @@ #include "libiptc.c" #define BIT6(a, l) \ - ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1) + ((ntohl(a->__in6_u.__u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1) int ipv6_prefix_length(const struct in6_addr *a) diff -u -r -N IPTables-IPv4-0.98-orig/libiptc/Makefile IPTables-IPv4-0.98/libiptc/Makefile --- IPTables-IPv4-0.98-orig/libiptc/Makefile 2003-07-05 04:36:11.000000000 +0200 +++ IPTables-IPv4-0.98/libiptc/Makefile 2008-07-28 13:08:55.000000000 +0200 @@ -1,4 +1,4 @@ -CFLAGS := -I../include -I/usr/src/linux/include -DIPTABLES_VERSION=\"1.2.8\" -O2 -Wall +CFLAGS := -I../include -I/usr/src/linux/include -DIPTABLES_VERSION=\"1.2.8\" -O2 -Wall -fPIC CC := gcc AR := ar RM := rm diff -u -r -N IPTables-IPv4-0.98-orig/Makefile.PL IPTables-IPv4-0.98/Makefile.PL --- IPTables-IPv4-0.98-orig/Makefile.PL 2003-07-05 06:50:57.000000000 +0200 +++ IPTables-IPv4-0.98/Makefile.PL 2008-07-28 13:00:48.000000000 +0200 
@@ -80,7 +80,7 @@ 'VERSION_FROM' => 'IPv4.pm', # finds $VERSION 'OBJECT' => 'IPv4.o loader.o packer.o unpacker.o maskgen.o libiptc/libiptc.a', 'INC' => '-Iinclude -I/usr/src/linux/include', - 'CCFLAGS' => "-Wall -DMODULE_PATH=\\\"$moduledir\\\"" . (defined $Config{'use64bitint'} ? " -DPERL_USES_64BIT_INT" : ""), + 'CCFLAGS' => "-Wall -fPIC -DMODULE_PATH=\\\"$moduledir\\\"" . (defined $Config{'use64bitint'} ? " -DPERL_USES_64BIT_INT" : ""), 'TYPEMAPS' => ['IPTables.typemap'], 'XSPROTOARG' => '-noprototypes', ); diff -u -r -N IPTables-IPv4-0.98-orig/modules/Makefile IPTables-IPv4-0.98/modules/Makefile --- IPTables-IPv4-0.98-orig/modules/Makefile 2003-07-06 19:29:47.000000000 +0200 +++ IPTables-IPv4-0.98/modules/Makefile 2008-07-28 14:32:44.000000000 +0200 @@ -16,7 +16,7 @@ INSTALL_DIR := $(INSTALL_BASE)/lib/IPTables-IPv4 endif -CFLAGS := -I$(KERNEL_INC) -I$(NF_INC) -I$(PERL_INC) -I.. -Wall -O2 -Wundef +CFLAGS := -I$(KERNEL_INC) -I$(NF_INC) -I$(PERL_INC) -I.. -Wall -O2 -Wundef -fPIC # Basic protocol modules for IPTables::IPv4 MODULE_NAMES := icmp tcp udp ah esp
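
Review bot: in include/libiptc/ipt_kernel_headers.h the new #include <linux/types.h> sits only in the branch above #else /* libc5 */, while the failing include chain in the report runs from include/libiptc/libiptc.h:6 straight into linux/netfilter_ipv4/ip_tables.h. Confirm that libiptc.h pulls in ipt_kernel_headers.h before that line for every translation unit (loader.c and packer.c both fail), otherwise __u32 is still undefined when /usr/include/linux/netfilter.h is parsed. Placing the include directly ahead of the ip_tables.h include would make the ordering explicit.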
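
Review bot: the new include/linux/config.h, and with it ip_conntrack.h, ip_conntrack_tuple.h and ip_nat.h under include/linux/netfilter_ipv4/, are not mentioned in the patch description, which lists only -fPIC, linux/types.h and the in6_addr hack. Makefile.PL passes -Iinclude ahead of the system paths, so these files stand in for whatever the installed kernel headers provide, and they enlarge the bundled header subset that the earlier message in this ticket identifies as the cause of the breakage. Please state which build error each new file fixes and which kernel release it was copied from, so the copies can be checked against upstream later.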
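
Review bot: include/linux/netfilter_ipv4/ip_conntrack_tuple.h uses u_int8_t, u_int16_t and u_int32_t from its first union onward but includes nothing, so it compiles only when the including file has already pulled in the type definitions. Adding #include <sys/types.h> after the #define _IP_CONNTRACK_TUPLE_H line would make the header self-contained and independent of include order, which is the class of failure this ticket is about.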
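
Review bot: in libiptc/libip6tc.c the BIT6 macro now reads a->__in6_u.__u6_addr32, which are glibc-internal member names; the build then fails in the opposite direction on any system where struct in6_addr comes from linux/in6.h with the in6_u.u6_addr32 spelling. Use an accessor that both headers provide instead of naming the union, for example s6_addr32, or the POSIX byte array s6_addr with the index changed to (l) / 8 and the shift to 7 - ((l) & 7), which also removes the need for ntohl.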
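
Review bot: in Makefile.PL the 'CCFLAGS' line hard-codes -fPIC, and the same literal is repeated in libiptc/Makefile and modules/Makefile. The line already consults %Config for use64bitint, and Perl records the position-independent-code flag for the configured compiler in $Config{cccdlflags}; interpolating that value here, and passing it down to the two sub-Makefiles, keeps the three builds consistent and avoids a gcc-specific flag on other compilers.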
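
The in6_addr problem described in the message above, as an added example that is not part of the attached patch or of the IPTables-IPv4 source: a bit accessor written against the POSIX `s6_addr` byte array, which does not depend on how the libc or kernel header names the union inside `struct in6_addr`. The function names `mask_prefix_length` and `prefix_from_text` and the sample masks in `main` are constructed for illustration.

```c
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Bit l of an IPv6 address, l = 0 being the most significant bit.
 * s6_addr is the POSIX-specified byte view (network order), so no
 * ntohl() and no union member name is needed. */
#define BIT6(a, l) (((a)->s6_addr[(l) / 8] >> (7 - ((l) & 7))) & 1)

/* Hypothetical helper: prefix length of a contiguous netmask,
 * or -1 if a 1 bit follows a 0 bit (non-contiguous mask). */
int mask_prefix_length(const struct in6_addr *a)
{
    int l, i;

    for (l = 0; l < 128; l++)
        if (BIT6(a, l) == 0)
            break;
    for (i = l + 1; i < 128; i++)
        if (BIT6(a, i) == 1)
            return -1;
    return l;
}

/* Hypothetical wrapper: parse a textual mask first; -2 on parse error. */
int prefix_from_text(const char *text)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, text, &a) != 1)
        return -2;
    return mask_prefix_length(&a);
}

int main(void)
{
    /* Constructed sample masks. */
    const char *samples[] = { "ffff:ffff:ffff:ffff::", "ffff:ff00::",
                              "ff00:ff00::", "::" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s -> %d\n", samples[i], prefix_from_text(samples[i]));
    return 0;
}
```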