| Message ID | 20161230054426.GA9694@juliacomputing.com |
|---|---|
| State | Changes Requested |
| Delegated to | Pablo Neira |
On Fri, Dec 30, 2016 at 12:44:26AM -0500, Keno Fischer wrote:
> The primary concern here is probably that iptables uses functions
> that in glibc still require the dynamic library at runtime.

I think that explains this:

libxt_owner.c:416: warning: Using 'getgrgid' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking

> However, for my usage of iptables, I have never actually run into
> this situation, and even if I did, I'd rather switch libcs (though I
> may be in the minority there). Nevertheless, I think it would be
> useful to have this option available for those wanting a statically
> linked iptables.

I'm trying to understand why you need this. Thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
>> The primary concern here is probably that iptables uses functions
>> that in glibc still require the dynamic library at runtime.
>
> I think that explains this:
>
> libxt_owner.c:416: warning: Using 'getgrgid' in statically linked
> applications requires at runtime the shared libraries from the glibc
> version used for linking

It does, yes. Other C libraries don't have this problem though.

>> However, for my usage of iptables, I have never actually run into
>> this situation, and even if I did, I'd rather switch libcs (though I
>> may be in the minority there). Nevertheless, I think it would be
>> useful to have this option available for those wanting a statically
>> linked iptables.
>
> I'm trying to understand why you need this. Thanks.

I'm running Docker in a stripped-down, security-enhanced context where
everything is statically linked. Docker calls out to iptables to set up
some firewall rules. So far I have not encountered it needing any of the
code paths in iptables that would require the shared libraries from glibc
at runtime. I'm also not the only person in this exact situation, e.g.:

https://github.com/vallinux/base/issues/14
On Mon, Jan 16, 2017 at 11:39:45AM -0500, Keno Fischer wrote:
[...]
> >> However, for my usage of iptables, I have never actually run into
> >> this situation, and even if I did, I'd rather switch libcs (though I
> >> may be in the minority there). Nevertheless, I think it would be
> >> useful to have this option available for those wanting a statically
> >> linked iptables.
> >
> > I'm trying to understand why you need this. Thanks.
>
> I'm running docker in a stripped down security-enhanced context where
> everything is statically linked. Docker calls out to iptables to set
> up some firewall rules. So far I have not encountered it needing any
> of the code paths in iptables that would require the shared libraries
> from glibc at runtime. I'm also not the only person in this exact
> situation, e.g.:
>
> https://github.com/vallinux/base/issues/14

Thanks for explaining.

It would be good if you could extend the iptables build system to catch
the glibc case by rejecting it.

Another thing would be to add some small documentation file in the tree
that explains how to use this with musl/ulibc. My only concern about this
new option is that people may believe this works out of the box, and so
far my impression is that this needs some trickery.

I also wonder if everything is going to work fine with alternative libc
libraries. It would be good to run the iptables tests (see
iptables-test.py) on this binary; you can edit the variable in that script
that points to the iptables binary to be tested.

Another alternative, if the resulting patch is simple: probably we can
allow the override directive so you can easily append -all-static to
LDFLAGS at your own risk?

https://www.gnu.org/software/make/manual/make.html#Override-Directive
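One way to do the glibc rejection asked for above, as an added configure.ac fragment that is my own example and not part of this patch or of the iptables tree: compile a probe that fails under `__GLIBC__`, then refuse the option when the probe says glibc. `enable_static_executables` is the option variable the patch introduces; `xt_cv_libc_is_glibc` is an assumed name for the cache variable.

```m4
dnl Added example: reject --enable-static-executables on glibc, where
dnl getgrgid() and other NSS-backed calls still need the shared libc
dnl (and its nss modules) at run time even in a static binary.
dnl enable_static_executables comes from the patch under review;
dnl xt_cv_libc_is_glibc is an assumed cache-variable name.
AC_CACHE_CHECK([whether the C library is glibc], [xt_cv_libc_is_glibc],
  [AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[#include <stdlib.h>
/* uClibc defines __GLIBC__ for compatibility, so exclude it explicitly. */
#if defined(__GLIBC__) && !defined(__UCLIBC__)
#error "this is glibc"
#endif]], [[]])],
    [xt_cv_libc_is_glibc=no],
    [xt_cv_libc_is_glibc=yes])])

dnl Same shape as the existing fatal checks in configure.ac: AC_MSG_ERROR
dnl rather than echo + exit 1, so the reason also lands in config.log.
AS_IF([test "x$enable_static_executables" = "xyes" && \
       test "x$xt_cv_libc_is_glibc" = "xyes"],
  [AC_MSG_ERROR([--enable-static-executables is not supported with glibc: getgrgid() and other NSS-backed calls load shared libraries at run time; build against musl or uClibc instead])])
```

Running the configured tree's tests against the resulting binary (iptables-test.py, as suggested above) still matters for the non-glibc case, since the probe only rules out the libc combination known not to work.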
diff --git a/configure.ac b/configure.ac index 6ae63f8..a787de9 100644 --- a/configure.ac +++ b/configure.ac @@ -67,6 +67,9 @@ AC_ARG_ENABLE([connlabel], AS_HELP_STRING([--disable-connlabel], [Do not build libnetfilter_conntrack]), [enable_connlabel="$enableval"], [enable_connlabel="yes"]) +AC_ARG_ENABLE([static_executables], + AS_HELP_STRING([--enable-static-executables], [Statically link executables against libc]), + [enable_static_executables="$enableval"], [enable_static_executables="no"]) libiptc_LDFLAGS2=""; AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed], @@ -100,6 +103,7 @@ fi; AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>]) AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) +AM_CONDITIONAL([ENABLE_STATIC_EXECUTABLES], [test "$enable_static_executables" = "yes"]) AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"]) AM_CONDITIONAL([ENABLE_IPV4], [test "$enable_ipv4" = "yes"]) AM_CONDITIONAL([ENABLE_IPV6], [test "$enable_ipv6" = "yes"]) @@ -111,6 +115,11 @@ AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"]) AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"]) AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"]) +if test "x$enable_static_executables" = "xyes" && test "x$enable_static" != "xyes"; then + echo "*** Error: --enable-static-executables without --enable-static. ***" + exit 1 +fi + if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool)) fi @@ -262,6 +271,7 @@ Iptables Configuration: Build parameters: Put plugins into executable (static): ${enable_static} + Build static executables (static-executables): ${enable_static_executables} Support plugins via dlopen (shared): ${enable_shared} Installation prefix (--prefix): ${prefix} Xtables extension directory: ${e_xtlibdir} 
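Review bot: the help string added in the first hunk, `[Statically link executables against libc]`, says nothing about the caveat discussed in this thread, so a user building on glibc will get exactly the "works out of the box" impression the maintainer is worried about; the AS_HELP_STRING is the cheapest place to state that the option is intended for libcs such as musl/uClibc and that glibc binaries still need the shared libc for getgrgid() at run time.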
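Review bot: the new guard `if test "x$enable_static_executables" = "xyes" && test "x$enable_static" != "xyes"; then` reports the failure with `echo "*** Error: ..."` followed by `exit 1`, while the check immediately below it in the same file uses `AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool)`; use AC_MSG_ERROR here too so the message is prefixed and logged the same way as every other fatal configure error. Separately, this guard only enforces the --enable-static dependency; it does not detect or reject a glibc build, which is the case the maintainer asked to be rejected, so with glibc the configure run still succeeds and produces the binary that needs the matching shared libraries for getgrgid() at run time.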
diff --git a/iptables/Makefile.am b/iptables/Makefile.am index f92cc4f..5c3edec 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -12,6 +12,9 @@ xtables_multi_LDADD = ../extensions/libext.a if ENABLE_STATIC xtables_multi_CFLAGS += -DALL_INCLUSIVE endif +if ENABLE_STATIC_EXECUTABLES +xtables_multi_LDFLAGS = ${AM_LDFLAGS} -all-static +endif if ENABLE_IPV4 xtables_multi_SOURCES += iptables-save.c iptables-restore.c \ iptables-standalone.c iptables.c @@ -36,6 +39,9 @@ xtables_compat_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt. if ENABLE_STATIC xtables_compat_multi_CFLAGS += -DALL_INCLUSIVE endif +if ENABLE_STATIC_EXECUTABLES +xtables_compat_multi_LDFLAGS = ${AM_LDFLAGS} -all-static +endif xtables_compat_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6 xtables_compat_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l xtables_compat_multi_SOURCES += xtables-save.c xtables-restore.c \
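Review bot: in the first hunk, `xtables_multi_LDFLAGS = ${AM_LDFLAGS} -all-static` uses a plain `=` inside an Automake conditional, whereas the neighbouring `xtables_multi_CFLAGS += -DALL_INCLUSIVE` appends; if xtables_multi_LDFLAGS is assigned anywhere else in this Makefile.am, this line silently discards that value. Automake only allows `+=` inside a conditional when the variable has been defined unconditionally first, so the safer shape that matches the CFLAGS pattern is an unconditional `xtables_multi_LDFLAGS = ${AM_LDFLAGS}` above the conditional and `xtables_multi_LDFLAGS += -all-static` inside it. Re-adding `${AM_LDFLAGS}` is correct, because a per-target _LDFLAGS replaces AM_LDFLAGS rather than extending it. Note also that `-all-static` is a libtool link-mode flag, so this only has the intended effect for programs that are linked through libtool.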
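Review bot: the second hunk duplicates the first one verbatim for xtables_compat_multi (`xtables_compat_multi_LDFLAGS = ${AM_LDFLAGS} -all-static`) and therefore carries the same `=`-versus-`+=` concern; a single shared variable holding the static link flags, appended to both targets' _LDFLAGS, would keep the two programs from drifting apart when the flag set changes.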
The primary concern here is probably that iptables uses functions
that in glibc still require the dynamic library at runtime. However,
for my usage of iptables, I have never actually run into this
situation, and even if I did, I'd rather switch libcs (though I may
be in the minority there). Nevertheless, I think it would be useful
to have this option available for those wanting a statically linked
iptables.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
---
 configure.ac         | 10 ++++++++++
 iptables/Makefile.am |  6 ++++++
 2 files changed, 16 insertions(+)