Bug 458014 - =net-firewall/xtables-addons-1.47.1 fails to compile on kernel sources >= 3.7
Summary: =net-firewall/xtables-addons-1.47.1 fails to compile on kernel sources >= 3.7
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Andreis Vinogradovs ( slepnoga )
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 451628
Reported: 2013-02-17 18:17 UTC by Agostino Sarubbo
Modified: 2013-03-05 00:16 UTC (History)
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
build log (file_458014.txt, 40.82 KB, text/plain) - 2013-02-17 18:17 UTC, Agostino Sarubbo
xtables-addons-2.1:20130223-103357.log (20130223-103357.log, 4.70 KB, text/plain) - 2013-02-23 10:35 UTC, Andreis Vinogradovs ( slepnoga )
xtables-addons-1.47.1:20130223-114426.log (20130223-114426.log, 69.90 KB, text/plain) - 2013-02-23 11:46 UTC, Andreis Vinogradovs ( slepnoga )
build.log (build.log, 61.62 KB, text/plain) - 2013-02-23 11:49 UTC, Andreis Vinogradovs ( slepnoga )
net-firewall:xtables-addons-1.47.1:20130223-114306.log (20130223-114306.log, 7.66 KB, text/plain) - 2013-02-23 11:58 UTC, Andreis Vinogradovs ( slepnoga )
/proc/config.gz (index, 62.96 KB, text/plain) - 2013-02-28 20:10 UTC, Agostino Sarubbo

Description Agostino Sarubbo gentoo-dev 2013-02-17 18:17:36 UTC
Created attachment 339168 [details]
build log

Portage 2.1.11.31 (default/linux/amd64/13.0, gcc-4.6.3, glibc-2.15-r3, 3.4.6-hardened-r1-osl-guest-x86_64-1 x86_64)
=================================================================
System uname: Linux-3.4.6-hardened-r1-osl-guest-x86_64-1-x86_64-QEMU_Virtual_CPU_version_0.13.0-with-gentoo-2.1
Timestamp of tree: Sun, 17 Feb 2013 13:30:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -g0 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y --keep-going y -1"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch protect-owned sandbox sfperms split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.llarian.net/ http://lug.mtu.edu/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl amd64 berkdb bzip2 cli cracklib crypt cxx dbus dri fortran gdbm gpm gudev hwdb iconv ipv6 kde mmx modules mudflap multilib ncurses nls nptl openmp pam pcre qt3support qt4 readline session sse sse2 ssl tcpd unicode zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" ELIBC="glibc" KERNEL="linux" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3 php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU"
USE_PYTHON="2.7 3.2"
Comment 1 Sergey Popov gentoo-dev 2013-02-17 18:37:30 UTC
Hm, strange, I see a check for NF_CONNTRACK_MARK in the ebuild. Did you try to build it with USE="modules" or without? Regarding the build.log output, it seems that it was with USE="modules" enabled, but I am not sure...
Comment 2 Agostino Sarubbo gentoo-dev 2013-02-17 18:44:14 UTC
(In reply to comment #1)
> Hm, strange, I see a check for NF_CONNTRACK_MARK in the ebuild. Did you try
> to build it with USE="modules" or without? Regarding the build.log output, it
> seems that it was with USE="modules" enabled, but I am not sure...

with
Comment 3 Anthony Basile gentoo-dev 2013-02-21 18:12:44 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Hm, strange, I see a check for NF_CONNTRACK_MARK in the ebuild. Did you try
> > to build it with USE="modules" or without? Regarding the build.log output, it
> > seems that it was with USE="modules" enabled, but I am not sure...
> 
> with

Okay, I can't reproduce this, but there is an issue here.  There is no guarantee that 1) your installed kernel headers (sys-kernel/linux-headers), 2) your kernel source tree (/usr/src/linux), and 3) your running kernel (as reported by emerge --info) are in sync.

The code is dying on const struct nf_conn missing .mark, which is being pulled in by extensions/xt_LOGMARK.c, which inherits one of two definitions of nf_conn; take a look at extensions/compat_xtables.h.  Either it #defines nf_conn ip_conntrack, where the latter is pulled in from linux/netfilter_ipv4/ip_conntrack.h, or it uses the struct in net/netfilter/nf_conntrack.h, where the struct contains u_int32_t mark; when defined(CONFIG_NF_CONNTRACK_MARK).  There have been some recent changes here (see bug #376873).

So I get how this works, but I don't get what happened on ago's system to cause the mismatch.  My best guess is that there is a mismatch between the two sources of the definition of nf_conn.

Bottom line: the whole idea behind linux-info.eclass is wrong-minded since it doesn't take into account the above three-way desync.  I don't know how to fix this because the header files xtables-addons uses are from /usr/include while it's going to use the kernel source tree from /usr/src/linux.

I would just add a pkg_postinst() message saying something to the effect that you should expect breakage if sys-kernel/linux-headers-<version> doesn't match the kernel version under /usr/src/linux, and that you'll have problems if this further doesn't match the running kernel that you want to insert modules into.

Once that's added, I'd remove the block but leave this bug open for reference.
Comment 4 Andreis Vinogradovs ( slepnoga ) 2013-02-22 08:34:54 UTC
I can't reproduce this bug.
Please test on a fresh system.
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-22 13:24:35 UTC
Please try:

XTABLES_ADDONS="account chaos checksum condition delude dhcpmac dnetmap echo fuzzy geoip gradm iface ipmark ipp2p ipv4options length2 logmark lscan pknock psd quota2 rawnat steal sysrq tarpit tee" emerge -v net-firewall/xtables-addons
Comment 6 Andreis Vinogradovs ( slepnoga ) 2013-02-23 10:35:23 UTC
Created attachment 339782 [details]
xtables-addons-2.1:20130223-103357.log
Comment 7 Andreis Vinogradovs ( slepnoga ) 2013-02-23 10:35:58 UTC
Comment on attachment 339782 [details]
xtables-addons-2.1:20130223-103357.log

XTABLES_ADDONS="account chaos checksum condition delude dhcpmac dnetmap echo fuzzy geoip gradm iface ipmark ipp2p ipv4options length2 logmark lscan pknock psd quota2 rawnat steal sysrq tarpit tee" emerge -av1O net-firewall/xtables-addons
Comment 8 Anthony Basile gentoo-dev 2013-02-23 10:46:23 UTC
(In reply to comment #5)
> Please try:
> 
> XTABLES_ADDONS="account chaos checksum condition delude dhcpmac dnetmap echo
> fuzzy geoip gradm iface ipmark ipp2p ipv4options length2 logmark lscan
> pknock psd quota2 rawnat steal sysrq tarpit tee" emerge -v
> net-firewall/xtables-addons

Ago, can you please post the following items from the system on which you get the failure:

1) uname -a

2) zcat /proc/config.gz

3) cat /usr/src/linux/.config

4) equery l linux-headers
Comment 9 Andreis Vinogradovs ( slepnoga ) 2013-02-23 11:46:26 UTC
Created attachment 339788 [details]
xtables-addons-1.47.1:20130223-114426.log

Builds fine (from my notebook)
Comment 10 Andreis Vinogradovs ( slepnoga ) 2013-02-23 11:49:04 UTC
Created attachment 339790 [details]
build.log

Builds fine, but doesn't install because I use an el6+openvz (in DomU) kernel; the ebuild does not detect this combination
Comment 11 Andreis Vinogradovs ( slepnoga ) 2013-02-23 11:50:01 UTC
(In reply to comment #10)
> Created attachment 339790 [details]
> build.log
> 
> Builds fine, but doesn't install because I use an el6+openvz (in DomU)
> kernel; the ebuild does not detect this combination

This failure is different from this bug and requires a specially configured kernel.
Comment 12 Andreis Vinogradovs ( slepnoga ) 2013-02-23 11:58:17 UTC
Created attachment 339792 [details]
net-firewall:xtables-addons-1.47.1:20130223-114306.log

another machine build log
Comment 13 Anthony Basile gentoo-dev 2013-02-28 16:51:37 UTC
(In reply to comment #8)
> (In reply to comment #5)
> > Please try:
> > 
> > XTABLES_ADDONS="account chaos checksum condition delude dhcpmac dnetmap echo
> > fuzzy geoip gradm iface ipmark ipp2p ipv4options length2 logmark lscan
> > pknock psd quota2 rawnat steal sysrq tarpit tee" emerge -v
> > net-firewall/xtables-addons
> 
> Ago, can you please post the following items from the system on which you
> get the failure:
> 
> 1) uname -a
> 
> 2) zcat /proc/config.gz
> 
> 3) cat /usr/src/linux/.config
> 
> 4) equery l linux-headers

ago, can you please give us this info to try to reproduce, otherwise this bug is invalid.
Comment 14 Agostino Sarubbo gentoo-dev 2013-02-28 19:19:27 UTC
(In reply to comment #8)
> 1) uname -a
I'm in a chroot:
Linux devbox 3.4.6-hardened-r1-osl-guest-x86_64-1 #1 SMP Thu Aug 2 23:32:26 UTC 2012 x86_64 QEMU Virtual CPU version 0.13.0 AuthenticAMD GNU/Linux

> 2) zcat /proc/config.gz
Since I'm in a chroot I guess this is not needed

> 3) cat /usr/src/linux/.config
Just type make allmodconfig && make modules_prepare
 
> 4) equery l linux-headers
[IP-] [  ] sys-kernel/linux-headers-3.6:0


Now, btw, I have another type of failure:

CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/compat_xtables.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_CHAOS.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DELUDE.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DHCPMAC.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_ECHO.o
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_IPMARK.o
/var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.c:30:39: fatal error: net/netfilter/nf_nat_rule.h: No such file or directory
compilation terminated.
  CC [M]  /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_LOGMARK.o
make[2]: *** [/var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [_module_/var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions] Error 2
make[1]: Leaving directory `/usr/src/linux-3.7.9-gentoo'
make: *** [modules] Error 2
Comment 15 Anthony Basile gentoo-dev 2013-02-28 20:05:30 UTC
(In reply to comment #14)
> (In reply to comment #8)
> > 1) uname -a
> I'm in a chroot:
> Linux devbox 3.4.6-hardened-r1-osl-guest-x86_64-1 #1 SMP Thu Aug 2 23:32:26
> UTC 2012 x86_64 QEMU Virtual CPU version 0.13.0 AuthenticAMD GNU/Linux

Are there any patches against this kernel beyond the hardened-sources?

> 
> > 2) zcat /proc/config.gz
> Since I'm in a chroot I guess this is not needed

No this is very much needed.  I need to know how your running kernel is configured.

> 
> > 3) cat /usr/src/linux/.config
> Just type make allmodconfig && make modules_prepare

So you are starting from a totally clean source.  What version kernel are you using?  If /usr/src/linux is a sym link, what does it point to?

>  
> > 4) equery l linux-headers
> [IP-] [  ] sys-kernel/linux-headers-3.6:0
> 

Okay that's one piece of info.  I still need the above three.
Comment 16 Agostino Sarubbo gentoo-dev 2013-02-28 20:10:59 UTC
Created attachment 340564 [details]
/proc/config.gz

(In reply to comment #15)
> Are there any patches against this kernel beyond the hardened-sources?
ask antarus

> No this is very much needed.  I need to know how your running kernel is
> configured.
attached

> So you are starting from a totally clean source.  What version kernel are
> you using?  If /usr/src/linux is a sym link, what does it point to?
yes, clean source

amd64 ~ # ls -la /usr/src/
total 12
drwxr-xr-x  3 root root 4096 Feb 28 19:13 .
drwxr-xr-x 13 root root 4096 Jan 25 13:05 ..
-rw-r--r--  1 root root    0 Jan 10 02:12 .keep
lrwxrwxrwx  1 root root   18 Feb 28 19:13 linux -> linux-3.7.9-gentoo
drwxr-xr-x 24 root root 4096 Feb 28 19:14 linux-3.7.9-gentoo
Comment 17 Mike Gilbert gentoo-dev 2013-02-28 20:27:55 UTC
(In reply to comment #14)
> Now, btw, I have another type of failure:
> /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.c:30:39: fatal error: net/netfilter/nf_nat_rule.h: No such file or directory

It appears you upgraded to gentoo-sources-3.7.9. Your original report was against 3.6.11.

I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.

I cannot produce the original error with 3.6.11.
Comment 18 Anthony Basile gentoo-dev 2013-02-28 20:28:58 UTC
(In reply to comment #16)
> Created attachment 340564 [details]
> /proc/config.gz
> 
> (In reply to comment #15)
> > Are there any patches against this kernel beyond the hardened-sources?
> ask antarus
> 

Hi Alec, are your qemu vms running 3.4.6-hardened-r1-osl-guest-x86_64-1 just running straight hardened-sources?


@ago, while I don't think what I'm about to say is the issue here, you have to watch chroots in hardened environments because many things are disallowed.  The config file has max chroot protection:

CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

You can turn these protections off at run time by doing 

for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 > $i ; done
Comment 19 Sergey Popov gentoo-dev 2013-02-28 20:30:48 UTC
(In reply to comment #17)
> I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.

Hm, probably I should add a check for kernels <3.7 for this version, because for 3.7 there is xtables-addons-2.1
Comment 20 Anthony Basile gentoo-dev 2013-02-28 20:32:00 UTC
(In reply to comment #17)
> (In reply to comment #14)
> > Now, btw, I have another type of failure:
> > /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.c:30:39: fatal error: net/netfilter/nf_nat_rule.h: No such file or directory
> 
> It appears you upgraded to gentoo-sources-3.7.9. Your original report was
> against 3.6.11.
> 
> I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.
> 
> I cannot produce the original error with 3.6.11.


Hi Mike, if you're not working in a chroot, can you give me:

1) uname -a
2) zcat /proc/config.gz
3) cat /usr/src/linux/.config
4) equery l linux-headers

(well, I guess you already gave me 1)
Comment 21 Anthony Basile gentoo-dev 2013-02-28 20:33:09 UTC
(In reply to comment #19)
> (In reply to comment #17)
> > I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.
> 
> Hm, probably I should add a check for kernels <3.7 for this version, because
> for 3.7 there is xtables-addons-2.1

Maybe, but ago hit it the other way around.  I'm still working on the hunch that there are mismatched headers here, but I could be wrong.  I'd like just one test case I can easily reproduce.  ago's is a chroot under hardened-sources and that just adds a whole new level of complication.
Comment 22 Mike Gilbert gentoo-dev 2013-02-28 20:37:35 UTC
(In reply to comment #20)

This was in a non-hardened chroot. Do you still want all the info?
Comment 23 Anthony Basile gentoo-dev 2013-02-28 20:54:21 UTC
(In reply to comment #22)
> (In reply to comment #20)
> 
> This was in a non-hardened chroot. Do you still want all the info?

Yes, precisely because it's non-hardened: no complications from chroot protections.
Comment 24 Alec Warner (RETIRED) archtester gentoo-dev Security 2013-02-28 21:03:31 UTC
(In reply to comment #18)
> (In reply to comment #16)
> > Created attachment 340564 [details]
> > /proc/config.gz
> > 
> > (In reply to comment #15)
> > > Are there any patches against this kernel beyond the hardened-sources?
> > ask antarus
> > 
> 
> Hi Alec, are your qemu vms running 3.4.6-hardened-r1-osl-guest-x86_64-1 just
> running straight hardened-sources?

I presume lance is running unpatched hardened, but there is no way for me to know short of asking. We are working on a new system where infra runs the kernels.

Also due to the recent local priv vulns we are likely to get a new kernel anyways. In terms of headers vs installed kernel. We don't have the src for the kernel on this box (it is kvm, and afaik the kernel is not even in /boot.)

> 
> 
> @ago, while I don't think what I'm about to say is the issue here, you have
> to watch chroots in hardened environments because many things are
> disallowed.  The config file has max chroot protection:
> 
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> 
> You can turn these protections off at run time by doing 
> 
> for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 > $i ; done
Comment 25 Mike Gilbert gentoo-dev 2013-02-28 21:05:56 UTC
(In reply to comment #23)

Per our exchange in IRC, my info is not relevant since I cannot reproduce the original error reported by Ago.
Comment 26 Anthony Basile gentoo-dev 2013-03-01 01:14:06 UTC
(In reply to comment #19)
> (In reply to comment #17)
> > I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.
> 
> Hm, probably I should add a check for kernels <3.7 for this version, because
> for 3.7 there is xtables-addons-2.1

Okay we're off topic of the original bug, but let's address this one.  You're suggesting a line like:

  kernel_is ge 3.7 && die "${PN} requires kernel version < 3.7"

in pkg_setup()?
Comment 27 Anthony Basile gentoo-dev 2013-03-01 01:15:07 UTC
(In reply to comment #26)
> (In reply to comment #19)
> > (In reply to comment #17)
> > > I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.
> > 
> > Hm, probably I should add a check for kernels <3.7 for this version, because
> > for 3.7 there is xtables-addons-2.1
> 
> Okay we're off topic of the original bug, but let's address this one. 
> You're suggesting a line like:
> 
>   kernel_is ge 3.7 && die "${PN} requires kernel version < 3.7"
> 
> in pkg_setup()?

err ...

  kernel_is ge 3 7 && die "${PN} requires kernel version < 3.7"

I meant a space, not a dot between the 3 and 7.
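The three-way version check Anthony describes in comment 3 and the "kernel_is ge 3 7 && die" guard from comments 26 and 27, written out as one plain-sh script. This is an added example, not code from the bug, from the xtables-addons ebuild or from linux-info.eclass: kernel_is here is a reimplementation that assumes the eclass's component-wise semantics (only the components you pass are compared, so SUBLEVEL is ignored for "ge 3 7"); vercmp, three_way_sync, xtables_addons_1x_setup and make_fixture are hypothetical names; and the Makefile and version.h contents are constructed to mirror the versions reported in comments 14 and 16 (running kernel 3.4.6, linux-headers 3.6, /usr/src/linux 3.7.9).

```shell
#!/bin/sh
# Added example, not code from the bug, the ebuild or linux-info.eclass.
# Reproduces in plain sh the two checks discussed in this bug:
#   - the three-way comparison of running kernel / /usr/src/linux / linux-headers
#     from comment 3, and
#   - the "kernel_is ge 3 7 && die" guard from comments 26 and 27.
# kernel_is assumes the eclass's component-wise semantics; function names and
# the fixture tree are hypothetical; fixture contents are constructed.

# "VERSION.PATCHLEVEL.SUBLEVEL" from a kernel source tree's top-level Makefile.
kernel_ver_from_makefile() {
    mk="$1/Makefile"
    printf '%s.%s.%s\n' \
        "$(sed -n 's/^VERSION = \([0-9][0-9]*\)$/\1/p' "$mk")" \
        "$(sed -n 's/^PATCHLEVEL = \([0-9][0-9]*\)$/\1/p' "$mk")" \
        "$(sed -n 's/^SUBLEVEL = \([0-9][0-9]*\)$/\1/p' "$mk")"
}

# Version decoded from LINUX_VERSION_CODE in a linux/version.h (the header
# that sys-kernel/linux-headers installs under /usr/include).
kernel_ver_from_headers() {
    code=$(sed -n 's/^#define LINUX_VERSION_CODE \([0-9][0-9]*\)$/\1/p' "$1")
    [ -n "$code" ] || return 1
    printf '%s.%s.%s\n' $((code / 65536)) $((code / 256 % 256)) $((code % 256))
}

# vercmp HAVE WANT: prints -1, 0 or 1. Only as many components as WANT has are
# compared, so "vercmp 3.7.9 3.7" is 0 (SUBLEVEL ignored), as with kernel_is.
vercmp() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n = split($2, want, ".")
        split($1, have, ".")
        for (i = 1; i <= n; i++) {
            if (have[i] + 0 < want[i] + 0) { print "-1"; exit }
            if (have[i] + 0 > want[i] + 0) { print "1"; exit }
        }
        print "0"
    }'
}

# kernel_is OP MAJOR [MINOR [PATCH]]: compares $KV_FULL (assumed semantics of
# the linux-info.eclass helper of the same name).
kernel_is() {
    op=$1; shift
    want=$(printf '%s.' "$@"); want=${want%.}
    r=$(vercmp "$KV_FULL" "$want")
    case $op in
        eq) [ "$r" -eq 0 ] ;;
        ne) [ "$r" -ne 0 ] ;;
        lt) [ "$r" -lt 0 ] ;;
        le) [ "$r" -le 0 ] ;;
        gt) [ "$r" -gt 0 ] ;;
        ge) [ "$r" -ge 0 ] ;;
        *)  echo "kernel_is: unknown operator $op" >&2; return 2 ;;
    esac
}

# The pkg_setup() guard proposed in comment 27, as a function that returns
# non-zero where an ebuild would die, so it can be tested.
xtables_addons_1x_setup() {
    KV_FULL=$1
    if kernel_is ge 3 7; then
        echo "xtables-addons-1.x requires kernel version < 3.7 (have $KV_FULL)" >&2
        return 1
    fi
    return 0
}

# three_way_sync RUNNING SRCDIR VERSION_H: major.minor of the running kernel
# (uname -r style string), the source tree and the headers must all agree,
# which is exactly what Portage does not guarantee.
three_way_sync() {
    run=$(printf '%s\n' "${1%%-*}" | cut -d. -f1,2)
    src=$(kernel_ver_from_makefile "$2" | cut -d. -f1,2)
    hdr=$(kernel_ver_from_headers "$3" | cut -d. -f1,2)
    printf 'running=%s /usr/src/linux=%s linux-headers=%s\n' "$run" "$src" "$hdr"
    if [ "$run" = "$src" ] && [ "$src" = "$hdr" ]; then
        return 0
    fi
    echo "three-way desync: modules built against $src with $hdr headers, loaded into $run" >&2
    return 1
}

# Constructed fixture (nobody's real files): 3.7.9 sources, 3.6.0 headers.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/include/linux"
    printf 'VERSION = 3\nPATCHLEVEL = 7\nSUBLEVEL = 9\nEXTRAVERSION =\n' > "$d/src/Makefile"
    printf '#define LINUX_VERSION_CODE 198144\n' > "$d/include/linux/version.h"
    printf '%s\n' "$d"
}

# Stand-alone demo. On a real box replace the three arguments with
# "$(uname -r)" /usr/src/linux /usr/include/linux/version.h.
fixture=$(make_fixture)
three_way_sync "3.4.6-hardened-r1-osl-guest-x86_64-1" "$fixture/src" "$fixture/include/linux/version.h" || true
xtables_addons_1x_setup "$(kernel_ver_from_makefile "$fixture/src")" || true
rm -rf "$fixture"
```

Run against the fixture it reports the 3.4 / 3.7 / 3.6 mismatch and then refuses the 3.7.9 tree, which is the combination ago's box ended up with; the same two functions applied to the real paths are what the pkg_postinst() warning from comment 3 would tell a user to go and check by hand.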
Comment 28 Andreis Vinogradovs ( slepnoga ) 2013-03-01 06:35:42 UTC
(In reply to comment #17)
> (In reply to comment #14)
> > Now, btw, I have another type of failure:
> > /var/tmp/portage/net-firewall/xtables-addons-1.47.1/work/xtables-addons-1.47.1/extensions/xt_DNETMAP.c:30:39: fatal error: net/netfilter/nf_nat_rule.h: No such file or directory
> 
> It appears you upgraded to gentoo-sources-3.7.9. Your original report was
> against 3.6.11.
> 
> I am able to reproduce the net/netfilter/nf_nat_rule.h error with 3.7.9.
> 
> I cannot produce the original error with 3.6.11.

Yes, it's OK; this version (1.x) runs only with a <=3.6 kernel; if you are on >=3.7, use the 2.x version (the 2.1 ebuild blocks the build in the pkg_prepare phase on a <=3.6 kernel)
Comment 29 Anthony Basile gentoo-dev 2013-03-02 14:47:00 UTC
Okay I've fixed it in the tree.  Although it is not the original bug which I can't reproduce, once you've tested I'll close this bug.
Comment 30 Anthony Basile gentoo-dev 2013-03-05 00:16:59 UTC
(In reply to comment #29)
> Okay I've fixed it in the tree.  Although it is not the original bug which I
> can't reproduce, once you've tested I'll close this bug.

okay reopen if this is still a problem