Message ID | 1415797607-28793-1-git-send-email-jengelh@inai.de
---|---
State | Changes Requested
Delegated to | Pablo Neira
On Wed, Nov 12, 2014 at 02:06:47PM +0100, Jan Engelhardt wrote:
> It was possible to combine e.g. conntrackd-1.2.1 with
> libnetfilter_conntrack-0.0.101, causing libc to issue an exit from
> within conntrackd iff such a conntrackd was promoted to a master and
> tried to call nfexp_send, due to lazy symbol resolution in libc.

I wonder how you have reached such a situation. I can only think of
very broken packaging.

> Symbol versions enforce the checks at program startup, so add one.
>
> $ ldd -r /usr/sbin/conntrackd
> undefined symbol: nfexp_cmp (/usr/sbin/conntrackd)
> undefined symbol: nfexp_send (/usr/sbin/conntrackd)
> libnetfilter_conntrack.so.3 => /usr/lib/libnetfilter_conntrack.so.3 (0x77fe7000)
> libnfnetlink.so.0 => /usr/lib/libnfnetlink.so.0 (0x77fdf000)
> libc.so.6 => /lib/libc.so.6 (0x77e7b000)
> libdl.so.2 => /lib/libdl.so.2 (0x77e76000)
> /lib/ld.so.1 (0x55555000)
> $ dpkg-query -W conntrackd libnetfilter-conntrack3
> conntrackd 1:1.2.1-1
> libnetfilter-conntrack3 0.0.101-1

Would you also convert libnetfilter_conntrack to use the same
EXPORT_SYMBOL() macro that we use in more recent libnetfilter_*
libraries for consistency?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wednesday 2014-11-19 14:42, Pablo Neira Ayuso wrote:
>On Wed, Nov 12, 2014 at 02:06:47PM +0100, Jan Engelhardt wrote:
>> It was possible to combine e.g. conntrackd-1.2.1 with
>> libnetfilter_conntrack-0.0.101, causing libc to issue an exit from
>> within conntrackd iff such a conntrackd was promoted to a master and
>> tried to call nfexp_send, due to lazy symbol resolution in libc.
>
>I wonder how you have reached such a situation. I can only think of
>very broken packaging.

To reach such a situation, the shortest way to get there is:

1. On Debian squeeze, `apt-get install conntrack`. This would install
   conntrack-tools-0.9.14.

2. Install a newer version at some point, `perl -i -pe
   s/squeeze/wheezy/g /etc/apt/sources.list && apt-get update &&
   apt-get install conntrack`.

The long description: the conntrack-tools source code checks the
libnetfilter_conntrack version only once, at build time. The files in
the top-level source directory of conntrack-tools do not indicate any
particular runtime requirement on the libnetfilter_conntrack version
besides the implicit requirement of the built conntrackd on a
particular library by SONAME; in other words, the runtime requirements
are weaker than the build-time requirements.

Such a case is pretty normal, too. Build-time requirements are
generally seen as independent from runtime requirements by distros and
packagers. Some perl module may want Test::Simple at build time, and
not use it at runtime. I cannot find that the Debian packager for
conntrack-tools has done something inappropriate.

>Would you also convert libnetfilter_conntrack to use the same
>EXPORT_SYMBOL() macro that we use in more recent libnetfilter_*
>libraries for consistency?

I can; the question is, do we need it? It turns out that using just a
.map file (with implicit -fvisibility=default) gives the same result,
but requires fewer steps. The map file can also turn symbols from
visible to hidden, without requiring -fvisibility+EXPORT_SYMBOLs.
diff --git a/src/Makefile.am b/src/Makefile.am index 7d6c905..918c2ba 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -12,5 +12,7 @@ libnetfilter_conntrack_la_LIBADD = conntrack/libnfconntrack.la \ expect/libnfexpect.la \ ${LIBNFNETLINK_LIBS} ${LIBMNL_LIBS} libnetfilter_conntrack_la_LDFLAGS = -Wc,-nostartfiles -lnfnetlink -ldl \ - -version-info $(LIBVERSION) + -version-info $(LIBVERSION) \ + -Wl,--version-script=$(srcdir)/libnetfilter_conntrack.map libnetfilter_conntrack_la_SOURCES = main.c callback.c +libnetfilter_conntrack_la_DEPENDENCIES = libnetfilter_conntrack.map diff --git a/src/libnetfilter_conntrack.map b/src/libnetfilter_conntrack.map new file mode 100644 index 0000000..c6404d5 --- /dev/null +++ b/src/libnetfilter_conntrack.map 
@@ -0,0 +1,109 @@ +V_1.0.5 { +global: + nfct_attr_grp_is_set; + nfct_attr_grp_unset; + nfct_attr_is_set; + nfct_attr_is_set_array; + nfct_attr_unset; + nfct_bitmask_clear; + nfct_bitmask_clone; + nfct_bitmask_destroy; + nfct_bitmask_equal; + nfct_bitmask_maxbit; + nfct_bitmask_new; + nfct_bitmask_set_bit; + nfct_bitmask_test_bit; + nfct_bitmask_unset_bit; + nfct_build_conntrack; + nfct_build_query; + nfct_build_tuple; + nfct_callback_register; + nfct_callback_register2; + nfct_callback_unregister; + nfct_callback_unregister2; + nfct_catch; + nfct_clone; + nfct_close; + nfct_cmp; + nfct_compare; + nfct_copy; + nfct_copy_attr; + nfct_destroy; + nfct_fd; + nfct_filter_add_attr; + nfct_filter_add_attr_u32; + nfct_filter_attach; + nfct_filter_create; + nfct_filter_destroy; + nfct_filter_detach; + nfct_filter_dump_create; + nfct_filter_dump_destroy; + nfct_filter_dump_set_attr; + nfct_filter_dump_set_attr_u8; + nfct_filter_set_logic; + nfct_get_attr; + nfct_get_attr_grp; + nfct_get_attr_u16; + nfct_get_attr_u32; + nfct_get_attr_u64; + nfct_get_attr_u8; + nfct_getobjopt; + nfct_labelmap_destroy; + nfct_labelmap_get_bit; + nfct_labelmap_get_name; + nfct_labelmap_new; + nfct_maxsize; + nfct_new; + nfct_nfnlh; + nfct_nlmsg_build; + nfct_nlmsg_parse; + nfct_open; + nfct_open_nfnl; + nfct_parse_conntrack; + nfct_parse_tuple; + nfct_payload_parse; + nfct_query; + nfct_send; + nfct_set_attr; + nfct_set_attr_grp; + nfct_set_attr_l; + nfct_set_attr_u16; + nfct_set_attr_u32; + nfct_set_attr_u64; + nfct_set_attr_u8; + nfct_setobjopt; + nfct_sizeof; + nfct_snprintf; + nfct_snprintf_labels; + nfexp_attr_is_set; + nfexp_attr_unset; + nfexp_build_expect; + nfexp_build_query; + nfexp_callback_register; + nfexp_callback_register2; + nfexp_callback_unregister; + nfexp_callback_unregister2; + nfexp_catch; + nfexp_clone; + nfexp_cmp; + nfexp_destroy; + nfexp_get_attr; + nfexp_get_attr_u16; + nfexp_get_attr_u32; + nfexp_get_attr_u8; + nfexp_maxsize; + nfexp_new; + nfexp_nlmsg_build; + 
nfexp_nlmsg_parse; + nfexp_parse_expect; + nfexp_query; + nfexp_send; + nfexp_set_attr; + nfexp_set_attr_u16; + nfexp_set_attr_u32; + nfexp_set_attr_u8; + nfexp_sizeof; + nfexp_snprintf; +local: + *; +};
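Review bot: in the src/Makefile.am hunk, the map is linked via `-Wl,--version-script=$(srcdir)/libnetfilter_conntrack.map`, but nothing in the hunk adds the new file to EXTRA_DIST, so a `make dist` tarball will not carry it and builds from the tarball fail at link time; add `EXTRA_DIST = libnetfilter_conntrack.map` (or extend an existing EXTRA_DIST line) in src/Makefile.am. Separately, setting `libnetfilter_conntrack_la_DEPENDENCIES = libnetfilter_conntrack.map` replaces the dependency list automake derives from `libnetfilter_conntrack_la_LIBADD`, so changes to conntrack/libnfconntrack.la and expect/libnfexpect.la no longer cause the library to be relinked; either list those two alongside the map file, or use `EXTRA_libnetfilter_conntrack_la_DEPENDENCIES` where the automake version the project requires supports it.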
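Review bot: the libnetfilter_conntrack.map hunk puts every export into the single node V_1.0.5, which is right for this release, but the file should say (in a leading comment, or the commit message should) that later additions go into a new node that inherits from it, e.g. `V_1.0.6 { global: ...; } V_1.0.5;`, and are never appended to V_1.0.5; otherwise a conntrackd built against a later release still only requires V_1.0.5 and the startup check the description relies on degrades back to a lazy failure on the first call. Two further points: `local: *;` removes every symbol not listed from the dynamic symbol table, so the list should be compared against `nm -D --defined-only` of the current unversioned build before merging to be sure nothing callers already use becomes hidden; and the loader only refuses to start when the older library carries version definitions of its own, while a wholly unversioned library such as the 0.0.101 build in the description produces at most a "no version information available" warning, so the protection is complete only once every shipped release is built with this map.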
It was possible to combine e.g. conntrackd-1.2.1 with
libnetfilter_conntrack-0.0.101, causing libc to issue an exit from
within conntrackd iff such a conntrackd was promoted to a master and
tried to call nfexp_send, due to lazy symbol resolution in libc.
Symbol versions enforce the checks at program startup, so add one.

$ ldd -r /usr/sbin/conntrackd
undefined symbol: nfexp_cmp (/usr/sbin/conntrackd)
undefined symbol: nfexp_send (/usr/sbin/conntrackd)
	libnetfilter_conntrack.so.3 => /usr/lib/libnetfilter_conntrack.so.3 (0x77fe7000)
	libnfnetlink.so.0 => /usr/lib/libnfnetlink.so.0 (0x77fdf000)
	libc.so.6 => /lib/libc.so.6 (0x77e7b000)
	libdl.so.2 => /lib/libdl.so.2 (0x77e76000)
	/lib/ld.so.1 (0x55555000)
$ dpkg-query -W conntrackd libnetfilter-conntrack3
conntrackd	1:1.2.1-1
libnetfilter-conntrack3	0.0.101-1

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 src/Makefile.am                |   4 +-
 src/libnetfilter_conntrack.map | 109 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 src/libnetfilter_conntrack.map