[iptables] include: fix build with kernel headers before 4.2

Commit 672accf1530 (include: update kernel netfilter header files)
updated linux/netfilter.h and brought with it the update from kernel
commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
from netns headers). This triggers conflict of headers that is fixed in
kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
netinet/in.h) included in kernel version 4.2. For earlier kernel headers
we need a workaround that prevents the headers conflict.

Fixes the following build failure:

In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
                 from ../include/libiptc/ipt_kernel_headers.h:8,
                 from ../include/libiptc/libiptc.h:6,
                 from libip4tc.c:29:
.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
   IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
   ^
.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
     IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
     ^~~~~~~~~~

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 include/linux/netfilter.h | 2 ++
 1 file changed, 2 insertions(+)

Hi Baruch,

On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote:
> Commit 672accf1530 (include: update kernel netfilter header files)
> updated linux/netfilter.h and brought with it the update from kernel
> commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
> from netns headers). This triggers conflict of headers that is fixed in
> kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
> netinet/in.h) included in kernel version 4.2. For earlier kernel headers
> we need a workaround that prevents the headers conflict.
> 
> Fixes the following build failure:
> 
> In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
>                  from ../include/libiptc/ipt_kernel_headers.h:8,
>                  from ../include/libiptc/libiptc.h:6,
>                  from libip4tc.c:29:
> .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
>    IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
>    ^
> .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
>      IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
>      ^~~~~~~~~~
> 
> Cc: Florian Westphal <fw@strlen.de>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
>  include/linux/netfilter.h | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> index c3f087ac680c..bacf8cd92116 100644
> --- a/include/linux/netfilter.h
> +++ b/include/linux/netfilter.h
> @@ -3,7 +3,9 @@
>  
>  #include <linux/types.h>
>  
> +#ifndef _NETINET_IN_H
>  #include <linux/in.h>
> +#endif

This is updating a cached copy of the kernel headers, we basically
copy kernel headers and place in the userspace tree to make sure that
iptables compiles standalone, without the need for kernel-headers to
be installed in the system in order to simplify building process.

I would like we don't have to modify this cached copy, so if you can
find a way to update the userspace C files without touching the cached
copy of the kernel header, that would be great. My concern is that
this little tweak will go away once we update the cached copy anytime
soon in the future.

Thanks.

Hi Pablo,

Pablo Neira Ayuso writes:
> On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote:
>> Commit 672accf1530 (include: update kernel netfilter header files)
>> updated linux/netfilter.h and brought with it the update from kernel
>> commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
>> from netns headers). This triggers conflict of headers that is fixed in
>> kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
>> netinet/in.h) included in kernel version 4.2. For earlier kernel headers
>> we need a workaround that prevents the headers conflict.
>>
>> Fixes the following build failure:
>>
>> In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
>>                  from ../include/libiptc/ipt_kernel_headers.h:8,
>>                  from ../include/libiptc/libiptc.h:6,
>>                  from libip4tc.c:29:
>> .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
>>    IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
>>    ^
>> .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
>>      IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
>>      ^~~~~~~~~~
>>
>> Cc: Florian Westphal <fw@strlen.de>
>> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>> ---
>>  include/linux/netfilter.h | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
>> index c3f087ac680c..bacf8cd92116 100644
>> --- a/include/linux/netfilter.h
>> +++ b/include/linux/netfilter.h
>> @@ -3,7 +3,9 @@
>>
>>  #include <linux/types.h>
>>
>> +#ifndef _NETINET_IN_H
>>  #include <linux/in.h>
>> +#endif
>
> This is updating a cached copy of the kernel headers, we basically
> copy kernel headers and place in the userspace tree to make sure that
> iptables compiles standalone, without the need for kernel-headers to
> be installed in the system in order to simplify building process.
>
> I would like we don't have to modify this cached copy, so if you can
> find a way to update the userspace C files without touching the cached
> copy of the kernel header, that would be great. My concern is that
> this little tweak will go away once we update the cached copy anytime
> soon in the future.
>
> Thanks.

I can't think of any better solution.

A possible alternative would be to add '#define _LINUX_IN_H' in every
file that include netinet/in.h to suppress the kernel headern. This is a
bigger change, although is doesn't touch any cached kernel header as far
as I can see.

Do you like this solution better?

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

On Sat, Nov 17, 2018 at 10:28:56PM +0200, Baruch Siach wrote:
> Hi Pablo,
> 
> Pablo Neira Ayuso writes:
> > On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote:
> >> Commit 672accf1530 (include: update kernel netfilter header files)
> >> updated linux/netfilter.h and brought with it the update from kernel
> >> commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
> >> from netns headers). This triggers conflict of headers that is fixed in
> >> kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
> >> netinet/in.h) included in kernel version 4.2. For earlier kernel headers
> >> we need a workaround that prevents the headers conflict.
> >>
> >> Fixes the following build failure:
> >>
> >> In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
> >>                  from ../include/libiptc/ipt_kernel_headers.h:8,
> >>                  from ../include/libiptc/libiptc.h:6,
> >>                  from libip4tc.c:29:
> >> .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
> >>    IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
> >>    ^
> >> .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
> >>      IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
> >>      ^~~~~~~~~~
> >>
> >> Cc: Florian Westphal <fw@strlen.de>
> >> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> >> ---
> >>  include/linux/netfilter.h | 2 ++
> >>  1 file changed, 2 insertions(+)
> >>
> >> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> >> index c3f087ac680c..bacf8cd92116 100644
> >> --- a/include/linux/netfilter.h
> >> +++ b/include/linux/netfilter.h
> >> @@ -3,7 +3,9 @@
> >>
> >>  #include <linux/types.h>
> >>
> >> +#ifndef _NETINET_IN_H
> >>  #include <linux/in.h>
> >> +#endif
> >
> > This is updating a cached copy of the kernel headers, we basically
> > copy kernel headers and place in the userspace tree to make sure that
> > iptables compiles standalone, without the need for kernel-headers to
> > be installed in the system in order to simplify building process.
> >
> > I would like we don't have to modify this cached copy, so if you can
> > find a way to update the userspace C files without touching the cached
> > copy of the kernel header, that would be great. My concern is that
> > this little tweak will go away once we update the cached copy anytime
> > soon in the future.
> >
> > Thanks.
> 
> I can't think of any better solution.
> 
> A possible alternative would be to add '#define _LINUX_IN_H' in every
> file that include netinet/in.h to suppress the kernel headern. This is a
> bigger change, although is doesn't touch any cached kernel header as far
> as I can see.
> 
> Do you like this solution better?

Probably we can consolidate this in one single spot, eg.
iptables/nft.h ? So we only have to add this once.

Hi Pablo,


Pablo Neira Ayuso writes:
> On Sat, Nov 17, 2018 at 10:28:56PM +0200, Baruch Siach wrote:
>> Pablo Neira Ayuso writes:
>> > On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote:
>> >> Commit 672accf1530 (include: update kernel netfilter header files)
>> >> updated linux/netfilter.h and brought with it the update from kernel
>> >> commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
>> >> from netns headers). This triggers conflict of headers that is fixed in
>> >> kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
>> >> netinet/in.h) included in kernel version 4.2. For earlier kernel headers
>> >> we need a workaround that prevents the headers conflict.
>> >>
>> >> Fixes the following build failure:
>> >>
>> >> In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
>> >>                  from ../include/libiptc/ipt_kernel_headers.h:8,
>> >>                  from ../include/libiptc/libiptc.h:6,
>> >>                  from libip4tc.c:29:
>> >> .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
>> >>    IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
>> >>    ^
>> >> .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
>> >>      IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
>> >>      ^~~~~~~~~~
>> >>
>> >> Cc: Florian Westphal <fw@strlen.de>
>> >> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>> >> ---
>> >>  include/linux/netfilter.h | 2 ++
>> >>  1 file changed, 2 insertions(+)
>> >>
>> >> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
>> >> index c3f087ac680c..bacf8cd92116 100644
>> >> --- a/include/linux/netfilter.h
>> >> +++ b/include/linux/netfilter.h
>> >> @@ -3,7 +3,9 @@
>> >>
>> >>  #include <linux/types.h>
>> >>
>> >> +#ifndef _NETINET_IN_H
>> >>  #include <linux/in.h>
>> >> +#endif
>> >
>> > This is updating a cached copy of the kernel headers, we basically
>> > copy kernel headers and place in the userspace tree to make sure that
>> > iptables compiles standalone, without the need for kernel-headers to
>> > be installed in the system in order to simplify building process.
>> >
>> > I would like we don't have to modify this cached copy, so if you can
>> > find a way to update the userspace C files without touching the cached
>> > copy of the kernel header, that would be great. My concern is that
>> > this little tweak will go away once we update the cached copy anytime
>> > soon in the future.
>> >
>> > Thanks.
>>
>> I can't think of any better solution.
>>
>> A possible alternative would be to add '#define _LINUX_IN_H' in every
>> file that include netinet/in.h to suppress the kernel headern. This is a
>> bigger change, although is doesn't touch any cached kernel header as far
>> as I can see.
>>
>> Do you like this solution better?
>
> Probably we can consolidate this in one single spot, eg.
> iptables/nft.h ? So we only have to add this once.

I don't understand your suggestion. Both netfilter.h and netinet/in.h
are included in many places:

extensions/libxt_TEE.c:#include <linux/netfilter.h>
extensions/libxt_iprange.c:#include <linux/netfilter.h>
include/linux/netfilter/nf_nat.h:#include <linux/netfilter.h>
include/linux/netfilter_arp.h:#include <linux/netfilter.h>
include/linux/netfilter_ipv4.h:#include <linux/netfilter.h>
include/linux/netfilter_ipv6.h:#include <linux/netfilter.h>
include/linux/netfilter_ipv6/ip6t_NPT.h:#include <linux/netfilter.h>
include/linux/netfilter_ipv6/ip6t_srh.h:#include <linux/netfilter.h>
include/xtables.h:#include <linux/netfilter.h>
iptables/xtables-config-parser.y:#include <linux/netfilter.h>
libipq/libipq.c:#include <linux/netfilter.h>

extensions/libxt_TEE.c:#include <netinet/in.h>
extensions/libxt_TOS.c:#include <netinet/in.h>
extensions/libxt_sctp.c:#include <netinet/in.h>
extensions/libxt_tcp.c:#include <netinet/in.h>
include/libiptc/ipt_kernel_headers.h:#include <netinet/in.h>
include/xtables.h:#include <netinet/in.h>
iptables/nft-bridge.h:#include <netinet/in.h>
iptables/nft-ipv4.c:#include <netinet/in.h>
iptables/nft.c:#include <netinet/in.h>  /* inet_ntoa */
iptables/xshared.h:#include <netinet/in.h>
iptables/xtables-arp.c:/* defined in netinet/in.h */
iptables/xtables-config-parser.y:#include <netinet/in.h>
iptables/xtables-monitor.c:#include <netinet/in.h>
libipq/libipq.c:#include <netinet/in.h>
utils/nfsynproxy.c:#include <netinet/in.h>

Which single place other than netfilter.h itself would solve the headers
conflict?

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

Baruch Siach <baruch@tkos.co.il> wrote:
> Pablo Neira Ayuso writes:
> >> > This is updating a cached copy of the kernel headers, we basically
> >> > copy kernel headers and place in the userspace tree to make sure that
> >> > iptables compiles standalone, without the need for kernel-headers to
> >> > be installed in the system in order to simplify building process.
> >> >
> >> > I would like we don't have to modify this cached copy, so if you can
> >> > find a way to update the userspace C files without touching the cached
> >> > copy of the kernel header, that would be great. My concern is that
> >> > this little tweak will go away once we update the cached copy anytime
> >> > soon in the future.
> >> >
> >> > Thanks.
> >>
> >> I can't think of any better solution.
> >>
> >> A possible alternative would be to add '#define _LINUX_IN_H' in every
> >> file that include netinet/in.h to suppress the kernel headern. This is a
> >> bigger change, although is doesn't touch any cached kernel header as far
> >> as I can see.
> >>
> >> Do you like this solution better?
> >
> > Probably we can consolidate this in one single spot, eg.
> > iptables/nft.h ? So we only have to add this once.
> 
> I don't understand your suggestion. Both netfilter.h and netinet/in.h
> are included in many places:

Note that I missed Pablos comment and did apply your patch.

I think its not worth it to spend more time on this.

If we lose the patch in some future update and someone
spots this bug again we just have to ressurect it.