getopt* and iptables

getopt* and iptables

[orc]

Hi Rich,

Just to be sure - have you looked into issue with iptables and
getopt_long conflicting?

Quoting from 8 Jun 2012:

> I believe it's a common but non-portable way of restarting option
> scanning. Of course that would make no sense if this is the first scan
> of options anyway. I'll try to look into what's going wrong here..

I tested recently, it is still failing to parse options.

> iptables v1.4.12.1: unknown arguments found on commandline
> Try `iptables -h' or 'iptables --help' for more information.

with musl 0.9.6

Sorry for late posting (should be in remaining issues somewhere here).

Re: getopt* and iptables

[John Spencer]

On 09/23/2012 07:31 PM, orc wrote:
>
> I tested recently, it is still failing to parse options.
>
do you have a build recipe for iptables to share ?
i was not able to build it on sabotage (didn't put much effort into it, 
though), and it looks like a kernel header issue.
so please tell us additionally which kernel headers you used and which 
iptables version.

thanks

as for the getopt issue, the cause is likely that iptables assumes GNU 
semantics.
they should do a configure check for this and if GNU getopt behaviour is 
not detected, use a gnulib style replacement function instead of the 
libc one.

Re: getopt* and iptables

[orc]

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

On Sun, 23 Sep 2012 20:11:48 +0200
John Spencer <maillist-musl@barfooze.de> wrote:

> On 09/23/2012 07:31 PM, orc wrote:
> >
> > I tested recently, it is still failing to parse options.
> >
> do you have a build recipe for iptables to share ?
> i was not able to build it on sabotage (didn't put much effort into
> it, though), and it looks like a kernel header issue.
> so please tell us additionally which kernel headers you used and
> which iptables version.
> 
> thanks
> 
> as for the getopt issue, the cause is likely that iptables assumes
> GNU semantics.
> they should do a configure check for this and if GNU getopt behaviour
> is not detected, use a gnulib style replacement function instead of
> the libc one.

See attached patch.

iptables 1.4.12.1

[-- Attachment #2: iptables-1.4.12.1-musl-fixes.patch --]
[-- Type: application/octet-stream, Size: 4166 bytes --]

--- iptables-1.4.12.1.o/extensions/libip6t_ipv6header.c
+++ iptables-1.4.12.1/extensions/libip6t_ipv6header.c
@@ -10,6 +10,9 @@
 #include <netdb.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
+#ifndef IPPROTO_HOPOPTS
+#	define IPPROTO_HOPOPTS 0
+#endif
 
 enum {
 	O_HEADER = 0,
--- iptables-1.4.12.1.o/extensions/libxt_TCPOPTSTRIP.c
+++ iptables-1.4.12.1/extensions/libxt_TCPOPTSTRIP.c
@@ -12,6 +12,21 @@
 #ifndef TCPOPT_MD5SIG
 #	define TCPOPT_MD5SIG 19
 #endif
+#ifndef TCPOPT_MAXSEG
+#	define TCPOPT_MAXSEG 2
+#endif
+#ifndef TCPOPT_WINDOW
+#	define TCPOPT_WINDOW 3
+#endif
+#ifndef TCPOPT_SACK_PERMITTED
+#	define TCPOPT_SACK_PERMITTED 4
+#endif
+#ifndef TCPOPT_SACK
+#	define TCPOPT_SACK 5
+#endif
+#ifndef TCPOPT_TIMESTAMP
+#	define TCPOPT_TIMESTAMP 8
+#endif
 
 enum {
 	O_STRIP_OPTION = 0,
--- iptables-1.4.12.1.o/include/libiptc/ipt_kernel_headers.h
+++ iptables-1.4.12.1/include/libiptc/ipt_kernel_headers.h
@@ -5,7 +5,6 @@
 
 #include <limits.h>
 
-#if defined(__GLIBC__) && __GLIBC__ == 2
 #include <netinet/ip.h>
 #include <netinet/in.h>
 #include <netinet/ip_icmp.h>
@@ -13,15 +12,4 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 #include <sys/types.h>
-#else /* libc5 */
-#include <sys/socket.h>
-#include <linux/ip.h>
-#include <linux/in.h>
-#include <linux/if.h>
-#include <linux/icmp.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/types.h>
-#include <linux/in6.h>
-#endif
 #endif
--- iptables-1.4.12.1.o/include/linux/netfilter/xt_osf.h
+++ iptables-1.4.12.1/include/linux/netfilter/xt_osf.h
@@ -21,6 +21,7 @@
 #define _XT_OSF_H
 
 #include <linux/types.h>
+#include <linux/tcp.h>
 
 #define MAXGENRELEN		32
 
--- iptables-1.4.12.1.o/include/linux/netfilter_ipv4/ip_tables.h
+++ iptables-1.4.12.1/include/linux/netfilter_ipv4/ip_tables.h
@@ -16,6 +16,7 @@
 #define _IPTABLES_H
 
 #include <linux/types.h>
+#include <sys/types.h>
 
 #include <linux/netfilter_ipv4.h>
 
--- iptables-1.4.12.1.o/include/linux/types.h
+++ iptables-1.4.12.1/include/linux/types.h
@@ -34,5 +34,18 @@
 typedef __u16 __bitwise __sum16;
 typedef __u32 __bitwise __wsum;
 
+/*
+ * aligned_u64 should be used in defining kernel<->userspace ABIs to avoid
+ * common 32/64-bit compat problems.
+ * 64-bit values align to 4-byte boundaries on x86_32 (and possibly other
+ * architectures) and to 8-byte boundaries on 64-bit architetures.  The new
+ * aligned_64 type enforces 8-byte alignment so that structs containing
+ * aligned_64 values have the same alignment on 32-bit and 64-bit architectures.
+ * No conversions are necessary between 32-bit user-space and a 64-bit kernel.
+ */
+#define __aligned_u64 __u64 __attribute__((aligned(8)))
+#define __aligned_be64 __be64 __attribute__((aligned(8)))
+#define __aligned_le64 __le64 __attribute__((aligned(8)))
+
 #endif /*  __ASSEMBLY__ */
 #endif /* _LINUX_TYPES_H */
--- iptables-1.4.12.1.o/iptables/ip6tables-restore.c
+++ iptables-1.4.12.1/iptables/ip6tables-restore.c
@@ -9,7 +9,7 @@
  */
 
 #include <getopt.h>
-#include <sys/errno.h>
+#include <errno.h>
 #include <stdbool.h>
 #include <string.h>
 #include <stdio.h>
--- iptables-1.4.12.1.o/iptables/ip6tables-save.c
+++ iptables-1.4.12.1/iptables/ip6tables-save.c
@@ -6,7 +6,7 @@
  * This code is distributed under the terms of GNU GPL v2
  */
 #include <getopt.h>
-#include <sys/errno.h>
+#include <errno.h>
 #include <stdio.h>
 #include <fcntl.h>
 #include <stdlib.h>
--- iptables-1.4.12.1.o/iptables/iptables-restore.c
+++ iptables-1.4.12.1/iptables/iptables-restore.c
@@ -6,7 +6,7 @@
  */
 
 #include <getopt.h>
-#include <sys/errno.h>
+#include <errno.h>
 #include <stdbool.h>
 #include <string.h>
 #include <stdio.h>
--- iptables-1.4.12.1.o/iptables/iptables-save.c
+++ iptables-1.4.12.1/iptables/iptables-save.c
@@ -6,7 +6,7 @@
  *
  */
 #include <getopt.h>
-#include <sys/errno.h>
+#include <errno.h>
 #include <stdio.h>
 #include <fcntl.h>
 #include <stdlib.h>
--- iptables-1.4.12.1.o/iptables/iptables-xml.c
+++ iptables-1.4.12.1/iptables/iptables-xml.c
@@ -7,7 +7,7 @@
  */
 
 #include <getopt.h>
-#include <sys/errno.h>
+#include <errno.h>
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>

Re: getopt* and iptables

[Isaac Dunham]

If upstream wants to support libc5, this patch would be rejected. Additionally, there's a better/simpler way to do it:
-#if defined(__GLIBC__) && __GLIBC__ == 2
+#if __GNU_LIBRARY__ >= 6 || !defined(__GNU_LIBRARY__)
/*__GNU_LIBRARY__ is what libc[1-5] used */


> --- iptables-1.4.12.1.o/include/libiptc/ipt_kernel_headers.h
> +++ iptables-1.4.12.1/include/libiptc/ipt_kernel_headers.h
> @@ -5,7 +5,6 @@
>  
>  #include <limits.h>
>  
> -#if defined(__GLIBC__) && __GLIBC__ == 2
>  #include <netinet/ip.h>
>  #include <netinet/in.h>
>  #include <netinet/ip_icmp.h>
> @@ -13,15 +12,4 @@
>  #include <netinet/udp.h>
>  #include <net/if.h>
>  #include <sys/types.h>
> -#else /* libc5 */
> -#include <sys/socket.h>
> -#include <linux/ip.h>
> -#include <linux/in.h>
> -#include <linux/if.h>
> -#include <linux/icmp.h>
> -#include <linux/tcp.h>
> -#include <linux/udp.h>
> -#include <linux/types.h>
> -#include <linux/in6.h>
> -#endif
>  #endif

-- 
Isaac Dunham <idunham@lavabit.com>

Re: getopt* and iptables

[orc]

On Mon, 24 Sep 2012 09:23:23 -0700
Isaac Dunham <idunham@lavabit.com> wrote:

> If upstream wants to support libc5, this patch would be rejected.
This patch is not for sending upstream, but (ugly) hack to make it
build successfully.
> Additionally, there's a better/simpler way to do it: -#if
> defined(__GLIBC__) && __GLIBC__ == 2 +#if __GNU_LIBRARY__ >= 6
> || !defined(__GNU_LIBRARY__) /*__GNU_LIBRARY__ is what libc[1-5] used
> */
Thanks.

Re: getopt* and iptables

[John Spencer]

On 09/24/2012 04:16 PM, orc wrote:
>
> See attached patch.
>
> iptables 1.4.12.1

cool thanks; it works.

for the getopt issue, i bundled the gnu-compatible netbsd version here 
https://github.com/rofl0r/gnu-getopt
adding the CFLAGS and LDFLAGS as described there makes the getopt 
misbehaviour go away for me.

Re: getopt* and iptables

[orc]

On Mon, 24 Sep 2012 20:20:36 +0200
John Spencer <maillist-musl@barfooze.de> wrote:

> On 09/24/2012 04:16 PM, orc wrote:
> >
> > See attached patch.
> >
> > iptables 1.4.12.1
> 
> cool thanks; it works.
> 
> for the getopt issue, i bundled the gnu-compatible netbsd version
> here https://github.com/rofl0r/gnu-getopt
> adding the CFLAGS and LDFLAGS as described there makes the getopt 
> misbehaviour go away for me.

Thanks for pointing out! And good license for reuse in other projects.