iptables-1.2.11-r3 does not compile against hardened-dev-sources-2.6.10-r3

Reproducible: Always

Steps to Reproduce:
1. USE=extensions ebuild iptables-1.2.11-r3.ebuild compile

Actual Results:
In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:11,
                 from /usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_stealth.c:10:
/usr/src/linux/include/net/protocol.h:38: warning: "struct sk_buff" declared inside parameter list
/usr/src/linux/include/net/protocol.h:38: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/src/linux/include/net/protocol.h:39: error: parse error before "u32"
/usr/src/linux/include/net/protocol.h:62: error: field `list' has incomplete type
make: *** [extensions/libipt_stealth_sh.o] Error 1

Portage 2.0.51-r14 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20040808-r1, 2.6.10-hardened-r3-b1 i686)
=================================================================
System uname: 2.6.10-hardened-r3-b1 i686 AMD Duron(tm)
Gentoo Base System version 1.6.8
Python: dev-lang/python-2.3.4 [2.3.4 (#1, Jan 18 2005, 15:26:08)]
dev-lang/python: 2.3.4
sys-devel/autoconf: 2.59-r5
sys-devel/automake: 1.8.5-r1
sys-devel/binutils: 2.15.92.0.2-r1
sys-devel/libtool: 1.4.3-r4, 1.5.2-r7
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon -fomit-frame-pointer -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon -fomit-frame-pointer -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://gentoo.itdnet.net/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://10.0.0.1/gentoo-portage"
USE="x86 3dnow X acl adns apm arts avi berkdb bitmap-fonts crypt curl curlwrappers encode font-server foomaticdb gd gdbm gif gpm gtk2 imap imlib ithreads jpeg kde libg++ libwww mad mikmod motif mpeg mysql ncurses nls nptl nptlonly oggvorbis opengl oss pam pcre pdflib perl pic png pwdb python qt quicktime readline snmp sqlite ssl svga tcpd threads tiff truetype truetype-fonts type1-fonts userlocales xml2 xmms xv zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY
* You may have to patch your kernel to allow iptables to build.
* Please check http://cvs.iptables.org/patch-o-matic-ng/updates/ for patches

iptables compiles without USE=extensions

This should be fixed, albeit I've NEVER seen iptables compiled with USE=extensions personally. What does it do? My profile seems to disable it explicitly unless I specify it (resulting in "+extensions*" in green on emerge -av)
USE=extensions ebuild iptables-1.2.11-r3.ebuild compile
Extensions found: IPv4:CLUSTERIP IPv4:addrtype IPv4:recent IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt

USE=-extensions ebuild iptables-1.2.11-r3.ebuild compile
Extensions found: IPv4:addrtype IPv4:recent
OK so I'm just an unfortunate louse who never got it to work :P
Aliz, would you mind updating the iptables grsecurity patch? This appears to be a problem with the stealth module provided by grsecurity. Currently, iptables-1.2.11 is patched with an older grsecurity patch, version 1.2.8. The newest version for 1.2.11 can be found here: http://grsecurity.net/grsecurity-1.2.11-iptables.patch
I don't think that's a problem with the stealth extension. I removed it from the Makefile, but it just stops with the same error on the next extension.
Ok, solved. The problem is the IPSEC+NAT patch included in hardened-sources (1503_ipsec-nat-fixes.patch), as you can read here:
https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018672.html
The post refers to an updated version of the patch, for the 2.6.11 kernel version, but the issue is exactly this one. I tested the patch, which I also attach to this post, and now iptables compiles just fine.
Bye, Paper
PS: as you can notice the patch is #05; the other four parts are the other ipsec+nat fixes, already included in hardened-sources. The revision needed for 2.6.11 had been posted in the February netfilter-devel archive.
Created attachment 52580 [details, diff]
Patch that enables iptables to compile correctly

This patch is needed to compile iptables against a kernel tree patched with the ipsec+nat fixes.
*** Bug 83444 has been marked as a duplicate of this bug. ***
This should now be resolved with recent hardened-sources-2.6 kernels / iptables-1.3.5-r1. Please re-open if you are still experiencing problems.