On Tue, Feb 08, 2022 at 05:01:00PM +0100, Phil Sutter wrote:
> For security purposes, distributions might want to pass -Wl,-z,now
> linker flags to all builds, thereby disabling lazy binding globally.
>
> In the past, nfct relied upon lazy binding: It uses the helper objects'
> parsing functions without but doesn't provide all symbols the objects
> use.
>
> Add a --disable-lazy configure option to add those missing symbols to
> nfct so it may be used in those environments.
>
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
> This patch supersedes the previously submitted "Merge nfct tool into
> conntrackd", providing a solution which is a) optional and b) doesn't
> bloat nfct-only use-cases that much.
> ---
> configure.ac | 12 ++++++++++--
> src/Makefile.am | 7 +++++++
> 2 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index b12b722a3396d..43baf8244ad64 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -48,6 +48,9 @@ AC_ARG_ENABLE([cttimeout],
> AC_ARG_ENABLE([systemd],
> AS_HELP_STRING([--enable-systemd], [Build systemd support]),
> [enable_systemd="$enableval"], [enable_systemd="no"])
> +AC_ARG_ENABLE([lazy],
> + AS_HELP_STRING([--disable-lazy], [Disable lazy binding in nfct]),
> + [enable_lazy="$enableval"], [enable_lazy="yes"])
>
> AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
>
> @@ -78,7 +81,11 @@ AC_CHECK_HEADERS(arpa/inet.h)
> AC_CHECK_FUNCS(inet_pton)
>
> # Let nfct use dlopen() on helper libraries without resolving all symbols.
> -AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
> +AS_IF([test "x$enable_lazy" = "xyes"], [
> + AX_CHECK_LINK_FLAG([-Wl,-z,lazy],
> + [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
> +])
> +AM_CONDITIONAL([HAVE_LAZY], [test "x$enable_lazy" = "xyes"])
>
> if test ! -z "$libdir"; then
> MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
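Review bot: In the configure.ac @@ -78 hunk, HAVE_LAZY tracks only the user's choice, not whether the linker actually accepted -Wl,-z,lazy: if AX_CHECK_LINK_FLAG fails, LAZY_LDFLAGS stays empty yet HAVE_LAZY is still true, so the Makefile.am fallback is never compiled in and nfct ends up with neither the flag nor the symbols. Passing the failure action through the macro closes that gap, e.g. `[AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])], [enable_lazy=no])` as its second and third arguments, after which AM_CONDITIONAL and the `use lazy binding:` summary line in the @@ -92 hunk report the effective state rather than the requested one. A distribution-wide -Wl,-z,now arriving via LDFLAGS is not something that link check can detect (both -z options are accepted, the last one wins), so the help string in the @@ -48 hunk should say when the option is required, e.g. `[Disable lazy binding in nfct (needed when -Wl,-z,now is enforced)]`.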
> @@ -92,4 +99,5 @@ echo "
> conntrack-tools configuration:
> userspace conntrack helper support: ${enable_cthelper}
> conntrack timeout support: ${enable_cttimeout}
> - systemd support: ${enable_systemd}"
> + systemd support: ${enable_systemd}
> + use lazy binding: ${enable_lazy}"
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 1d56394698a68..95cff7d528d44 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -18,6 +18,9 @@ nfct_SOURCES = nfct.c
> if HAVE_CTHELPER
> nfct_SOURCES += helpers.c \
> nfct-extensions/helper.c
> +if !HAVE_LAZY
> +nfct_SOURCES += expect.c utils.c
> +endif
If the problem are the symbols in these two files, could you just build them always into nfct? No need for the extra --disable-lazy at ./configure time.
> endif
>
> if HAVE_CTTIMEOUT
> @@ -33,6 +36,10 @@ endif
>
> if HAVE_CTHELPER
> nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
> +if !HAVE_LAZY
> +nfct_LDADD += ${LIBNETFILTER_CONNTRACK_LIBS} \
> + ${LIBNETFILTER_QUEUE_LIBS}
> +endif
> endif
>
> nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
> --
> 2.34.1
>
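Review bot: In the src/Makefile.am @@ -18 hunk the new `if !HAVE_LAZY` block sits inside `if HAVE_CTHELPER`, so --disable-lazy is a silent no-op in a build without cthelper, and the @@ -33 hunk nests the extra LDADD the same way. If expect.c and utils.c only carry the symbols that the cthelper helper objects resolve against nfct, that nesting is correct, but nothing in either hunk says so; a one-line comment above the block would spare the next reader a trip through the helper sources, e.g. `# without lazy binding nfct must itself export the symbols the dlopen'ed helpers use`. Whether those two files really need ${LIBNETFILTER_QUEUE_LIBS}, and whether configure substitutes it whenever cthelper is enabled, cannot be told from this hunk and is worth confirming before merging.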