Bug 205127 - iptables-1.4.0-r1 build fail with monolithic kernel and USE=(l7filter|imq|extensions)
Summary: iptables-1.4.0-r1 build fail with monolithic kernel and USE=(l7filter|imq|extensions)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2008-01-09 22:05 UTC by Guillaume Castagnino
Modified: 2008-01-11 17:47 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
iptables-layer7-fix.patch (292 bytes, patch)
2008-01-09 22:06 UTC, Guillaume Castagnino
iptables-1.4.0-Rules.make.patch (815 bytes, patch)
2008-01-11 16:38 UTC, Peter Volkov (RETIRED)

Description Guillaume Castagnino 2008-01-09 22:05:22 UTC
When compiling iptables-1.4.0-r1 with the l7filter USE flag enabled, there is this error:

>>> Compiling source in /var/tmp/portage/net-firewall/iptables-1.4.0-r1/work/iptables-1.4.0 ...
Making dependencies: please wait...
Unable to resolve dependency on linux/compiler.h. Try 'make clean'.


    Please try `make KERNEL_DIR=path-to-correct-kernel'.


This is solved with the following patch.
Comment 1 Guillaume Castagnino 2008-01-09 22:06:03 UTC
Created attachment 140572
iptables-layer7-fix.patch

Patch against the ebuild that fixes the build error.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-01-10 19:02:10 UTC
Guillaume, what USE flags do you use to build iptables? Please provide emerge --info and the full build output.
Comment 3 Guillaume Castagnino 2008-01-10 19:18:12 UTC
iptables USE flags: extensions ipv6 l7filter -imq -static
Simply removing the l7filter USE flag solves the compilation error. Applying the patch I provided also fixes the compilation error.



Portage 2.1.4_rc14 (hardened/x86/2.6, gcc-3.4.6, glibc-2.7-r1, 2.6.23-xwing-r3 i686)
=================================================================
System uname: 2.6.23-xwing-r3 i686 Intel(R) Celeron(R) CPU 2.53GHz
Timestamp of tree: Wed, 09 Jan 2008 21:30:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.5.1-r5
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.7.9-r1, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FEATURES="buildsyspkg collision-protect distlocks fixpackages metadata-transfer sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://r2d2.v6.xwing.info/ http://mirror.ovh.net/gentoo-distfiles/     http://gentoo.zie.pg.gda.pl http://gentoo.tiscali.nl/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental /usr/local/overlays/gcpan-portage /usr/local/overlays/portage /usr/local/overlays/local-portage"
SYNC="rsync://r2d2.v6.xwing.info/gentoo-portage"
USE="4kstacks acl acpi acpi4linux apache2 async bash-completion bashlogger berkdb bzip2 clamav cracklib crypt dba dbx devmap dga enscript expat extensions fbcon freetype fs gd gdbm gif gmp gocr hardened idled idn imagemagick imap imlib2 iproute2 ipv6 ithreads jpeg l7filter ldap maildir md5sum mhash midi mmx ncurses nls nptl nptlonly ocrad pam pcre perl php pic png posix python readline rrdtool sasl slang sni soap sockets spf sse sse2 ssl subversion sysfs syslog tcpd threads tiff truetype truetype-fonts type1 type1-fonts udev unicode urandom usb vim-pager vim-syntax x86 xml2 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex dbd dir env expires include log_config mime mime_magic negotiation proxy proxy_connect proxy_http rewrite setenvif" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fr" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Guillaume Castagnino 2008-01-10 19:18:59 UTC
Full build output:


# emerge iptables
Calculating dependencies... done!
>>> Verifying ebuild Manifests...

>>> Emerging (1 of 1) net-firewall/iptables-1.4.0-r1 to /
 * netfilter-layer7-v2.17.tar.gz MD5 RMD160 SHA1 SHA256 size ;-) ... [ ok ]
 * iptables-1.4.0.tar.bz2 MD5 RMD160 SHA1 SHA256 size ;-) ... [ ok ]
 * checking ebuild checksums ;-) ... [ ok ]
 * checking auxfile checksums ;-) ... [ ok ]
 * checking miscfile checksums ;-) ... [ ok ]
 * checking iptables-1.4.0.tar.bz2 ;-) ... [ ok ]
 * checking netfilter-layer7-v2.17.tar.gz ;-) ... [ ok ]
 * WARNING: 3rd party extensions has been enabled.
 * This means that iptables will use your currently installed
 * kernel in /usr/src/linux as headers for iptables.
 *
 * You may have to patch your kernel to allow iptables to build.
 * Please check http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ for patches
 * for your kernel.
 *
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found sources for kernel version:
 *     2.6.23-xwing-r3
>>> Unpacking source...
>>> Unpacking iptables-1.4.0.tar.bz2 to /var/tmp/portage/net-firewall/iptables-1.4.0-r1/work
>>> Unpacking netfilter-layer7-v2.17.tar.gz to /var/tmp/portage/net-firewall/iptables-1.4.0-r1/work
 * Applying iptables-1.4.0-dev-files.patch ... [ ok ]
 * Applying grsecurity-1.2.8-iptables.patch-1.3.1 ... [ ok ]
 * Applying iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch ... [ ok ]
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/net-firewall/iptables-1.4.0-r1/work/iptables-1.4.0 ...
Making dependencies: please wait...
Unable to resolve dependency on linux/compiler.h. Try 'make clean'.


    Please try `make KERNEL_DIR=path-to-correct-kernel'.


Extensions found:
 *
 * ERROR: net-firewall/iptables-1.4.0-r1 failed.
 * Call stack:
 *               ebuild.sh, line   46:  Called src_compile
 *             environment, line 2775:  Called die
 * The specific snippet of code:
 *       emake COPT_FLAGS="${CFLAGS}" ${myconf} CC="$(tc-getCC)" || diefunc "$FUNCNAME" "$LINENO" "$?" "${diemsg}"
 *  The die message:
 *   failure - with l7filter and/or imq patch and/or other miscellanious patches added
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/net-firewall/iptables-1.4.0-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-firewall/iptables-1.4.0-r1/temp/environment'.
 *

Comment 5 Peter Volkov (RETIRED) gentoo-dev 2008-01-11 16:38:38 UTC
Created attachment 140726
iptables-1.4.0-Rules.make.patch

Guillaume, I've tried to understand what is going on, but I failed to reproduce the bug here, so I have to ask you more questions before I start to install a hardened system...

Could you show me the output of the following?
ls -la /lib/modules/$(uname -r)/source
ls  /lib/modules/$(uname -r)/source
eselect kernel list
gcc-config -l

Also, could you apply this patch and show me the output of the build process with this patch applied?

BTW, are you sure that you disabled l7-filter only and kept the extensions USE flag on?
Comment 6 Guillaume Castagnino 2008-01-11 16:58:52 UTC
Hi,

This is a monolithic kernel without module support, so there is no /lib/modules/$(uname -r)/source directory ("make modules_install" does not work on kernels with module support disabled; /lib/modules does not make sense in such cases).

I just realized while writing this that THIS point should be the problem, and that's why KERNEL_DIR should be indicated to the build (just like the 1.3.8 ebuild does).



# eselect kernel list
Available kernel symlink targets:
  [1]   linux-2.6.23-hardened-r2
  [2]   linux-2.6.23-hardened-r5 *

# gcc-config -l
 [1] i686-pc-linux-gnu-3.4.6 *
 [2] i686-pc-linux-gnu-3.4.6-hardenednopie
 [3] i686-pc-linux-gnu-3.4.6-hardenednopiessp
 [4] i686-pc-linux-gnu-3.4.6-hardenednossp
 [5] i686-pc-linux-gnu-3.4.6-vanilla


Compilation output with your patch:
>>> Compiling source in /var/tmp/portage/net-firewall/iptables-1.4.0-r1/work/iptables-1.4.0 ...
Making dependencies: please wait... /lib/modules/2.6.23-xwing-r3/source
Generating dependency: extensions/libxt_TRACE.d
Generating dependency: extensions/libxt_TCPMSS.d
Generating dependency: extensions/libxt_NOTRACK.d
Generating dependency: extensions/libxt_NFQUEUE.d
Generating dependency: extensions/libxt_NFLOG.d
Generating dependency: extensions/libxt_MARK.d
Generating dependency: extensions/libxt_DSCP.d
Generating dependency: extensions/libxt_CONNMARK.d
Generating dependency: extensions/libxt_CLASSIFY.d
Generating dependency: extensions/libxt_udp.d
Generating dependency: extensions/libxt_u32.d
Generating dependency: extensions/libxt_time.d
Generating dependency: extensions/libxt_tcpmss.d
Generating dependency: extensions/libxt_tcp.d
Generating dependency: extensions/libxt_string.d
Generating dependency: extensions/libxt_standard.d
Generating dependency: extensions/libxt_statistic.d
Generating dependency: extensions/libxt_state.d
Generating dependency: extensions/libxt_sctp.d
Generating dependency: extensions/libxt_quota.d
Generating dependency: extensions/libxt_pkttype.d
Generating dependency: extensions/libxt_physdev.d
Generating dependency: extensions/libxt_multiport.d
Generating dependency: extensions/libxt_mark.d
Generating dependency: extensions/libxt_mac.d
Generating dependency: extensions/libxt_limit.d
Generating dependency: extensions/libxt_length.d
Generating dependency: extensions/libxt_helper.d
Generating dependency: extensions/libxt_hashlimit.d
Generating dependency: extensions/libxt_esp.d
Generating dependency: extensions/libxt_dscp.d
Generating dependency: extensions/libxt_dccp.d
Generating dependency: extensions/libxt_comment.d
Generating dependency: extensions/libxt_connlimit.d
Generating dependency: extensions/libxt_connmark.d
Generating dependency: extensions/libxt_connbytes.d
Generating dependency: extensions/libip6t_REJECT.d
Generating dependency: extensions/libip6t_LOG.d
Generating dependency: extensions/libip6t_HL.d
Generating dependency: extensions/libip6t_rt.d
Generating dependency: extensions/libip6t_policy.d
Generating dependency: extensions/libip6t_owner.d
Generating dependency: extensions/libip6t_mh.d
Generating dependency: extensions/libip6t_ipv6header.d
Generating dependency: extensions/libip6t_icmp6.d
Generating dependency: extensions/libip6t_hl.d
Generating dependency: extensions/libip6t_hbh.d
Generating dependency: extensions/libip6t_frag.d
Generating dependency: extensions/libip6t_eui64.d
Generating dependency: extensions/libip6t_dst.d
Generating dependency: extensions/libip6t_ah.d
Generating dependency: extensions/libipt_ULOG.d
Generating dependency: extensions/libipt_TTL.d
Generating dependency: extensions/libipt_TOS.d
Generating dependency: extensions/libipt_SNAT.d
Generating dependency: extensions/libipt_SAME.d
Generating dependency: extensions/libipt_REJECT.d
Generating dependency: extensions/libipt_REDIRECT.d
Generating dependency: extensions/libipt_NETMAP.d
Generating dependency: extensions/libipt_MIRROR.d
Generating dependency: extensions/libipt_MASQUERADE.d
Generating dependency: extensions/libipt_LOG.d
Generating dependency: extensions/libipt_ECN.d
Generating dependency: extensions/libipt_DNAT.d
Generating dependency: extensions/libipt_CLUSTERIP.d
Generating dependency: extensions/libipt_unclean.d
Generating dependency: extensions/libipt_ttl.d
Generating dependency: extensions/libipt_tos.d
Generating dependency: extensions/libipt_recent.d
Generating dependency: extensions/libipt_realm.d
Generating dependency: extensions/libipt_policy.d
Generating dependency: extensions/libipt_owner.d
Generating dependency: extensions/libipt_iprange.d
Generating dependency: extensions/libipt_icmp.d
Generating dependency: extensions/libipt_ecn.d
Generating dependency: extensions/libipt_conntrack.d
Generating dependency: extensions/libipt_addrtype.d
Generating dependency: extensions/libipt_ah.d
Generating dependency: extensions/libipt_stealth.d
Unable to resolve dependency on linux/compiler.h. Try 'make clean'.


    Please try `make KERNEL_DIR=path-to-correct-kernel'.



About disabling the l7filter USE flag, very sorry, I was horribly mistaken, this does not solve the problem: that was on another Gentoo system...
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-01-11 17:47:30 UTC
Monolithic kernel makes sense, and now I see the problem: we should always export KERNEL_DIR.

In the case of vanilla iptables (USE="-imq -l7filter -extensions") we did that, while in the case of any of those being enabled we did not export KERNEL_DIR, and the iptables build system fell back to /lib/modules/$(uname -r)/source, which does not work in the case of a monolithic kernel.

Before your last comment it was unclear how l7filter influenced that, as extensions should affect that behavior too, while you reported differently. Please be more attentive next time.

Now it's FIXED in CVS. Thank you for the report!
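The root cause Peter describes in Comment 7 (KERNEL_DIR not exported, so the iptables build falls back to /lib/modules/$(uname -r)/source, a directory a monolithic kernel never gets because "make modules_install" never runs), as an added shell example. This is not the Gentoo ebuild's code and not either attached patch; the function names resolve_kernel_dir and make_demo_tree, the ROOT/KVER parameters, the lookup order and the constructed demo tree are assumptions for illustration. The lookup order mirrors what the thread establishes: an explicit KERNEL_DIR first, then the eselect-managed /usr/src/linux symlink, then the /lib/modules fallback, with a diagnostic that names the monolithic-kernel case instead of the bare "Unable to resolve dependency on linux/compiler.h".

```shell
#!/bin/sh
# Added example, not code from the Gentoo ebuild or from iptables: choose the
# kernel source directory an iptables extensions build needs, in the order a
# fixed ebuild should use, and explain the failure instead of printing only
# "Unable to resolve dependency on linux/compiler.h".
#
# Order tried:
#   1. an explicitly exported KERNEL_DIR (what the ebuild must always set);
#   2. /usr/src/linux, the symlink managed by "eselect kernel";
#   3. /lib/modules/<version>/source, the fallback inside iptables' own
#      Rules.make, which only exists after "make modules_install", i.e.
#      never on a monolithic kernel built without module support.
#
# Usage: resolve_kernel_dir [ROOT] [KVER]
#   ROOT  filesystem prefix, empty for the live system (assumed parameter so
#         the function can be run against a constructed tree)
#   KVER  kernel version string, default "uname -r"
# Prints the chosen directory and returns 0, or prints a diagnostic on stderr
# and returns 1.
resolve_kernel_dir() {
    kroot=${1:-}
    kver=${2:-$(uname -r)}

    # include/linux/compiler.h is the header the failing build in this bug
    # could not resolve, so it is used here as the "is this a source tree" marker.
    if [ -n "${KERNEL_DIR:-}" ]; then
        if [ -f "$KERNEL_DIR/include/linux/compiler.h" ]; then
            printf '%s\n' "$KERNEL_DIR"
            return 0
        fi
        printf 'KERNEL_DIR=%s has no include/linux/compiler.h\n' "$KERNEL_DIR" >&2
        return 1
    fi

    for candidate in "$kroot/usr/src/linux" "$kroot/lib/modules/$kver/source"; do
        if [ -f "$candidate/include/linux/compiler.h" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done

    # The edge case from this bug: no /lib/modules tree at all.
    if [ ! -d "$kroot/lib/modules/$kver" ]; then
        printf 'kernel %s has no /lib/modules tree (monolithic kernel?); ' "$kver" >&2
    fi
    printf 'no kernel sources found: run "eselect kernel list" and select the target, or export KERNEL_DIR\n' >&2
    return 1
}

# Constructed demonstration tree (not a real system): a monolithic kernel whose
# sources are reachable only through the /usr/src/linux symlink.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/usr/src/linux-2.6.23-demo/include/linux"
    : > "$demo_root/usr/src/linux-2.6.23-demo/include/linux/compiler.h"
    ln -s linux-2.6.23-demo "$demo_root/usr/src/linux"
    printf '%s\n' "$demo_root"
}

# Run "sh thisfile.sh --demo" to see the lookup succeed on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    resolve_kernel_dir "$demo" 2.6.23-demo
    rm -rf "$demo"
fi
```

The point of always exporting KERNEL_DIR from the ebuild is that the package build never guesses: on the reporter's box the guess landed on a path that does not exist, and on a box where it does exist it may point at a different tree than the one /usr/src/linux (and hence the installed headers) refer to.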