diff options
Diffstat (limited to 'meta-openembedded/meta-networking/recipes-filter')
53 files changed, 8695 insertions, 0 deletions
diff --git a/meta-openembedded/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.0.1g.bb b/meta-openembedded/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.0.1g.bb new file mode 100644 index 000000000..6fd0affdf --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.0.1g.bb @@ -0,0 +1,35 @@ +SUMMARY = "IPTables based firewall scripts" +HOMEPAGE = "http://rocky.eld.leidenuniv.nl/joomla/index.php?option=com_content&view=article&id=45&Itemid=63" + +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403" + +SRC_URI = "http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/${BPN}_${PV}.tar.gz \ + " +SRC_URI[md5sum] = "77eba7f148bf2840a3e35a6f50c9c353" +SRC_URI[sha256sum] = "0bafd85ddc235752250eaec0c7fdb21e530912483f6807a97f86158ed2d301f7" + +S = "${WORKDIR}/${BPN}_${PV}" + +inherit systemd + +do_install() { + install -d ${D}${sysconfdir} ${D}${sbindir} ${D}${bindir} ${D}${systemd_unitdir}/system ${D}${sysconfdir}/init.d + install -d ${D}${datadir}/arno-iptables-firewall ${D}${sysconfdir}/arno-iptables-firewall + cp -r ${S}${sysconfdir}/arno-iptables-firewall ${D}${sysconfdir}/ + install -m 0755 ${S}${sysconfdir}/init.d/arno-iptables-firewall ${D}${bindir} + install -m 0755 ${S}/bin/arno-iptables-firewall ${D}${sbindir} + install -m 0755 ${S}/bin/arno-fwfilter ${D}${bindir} + cp -r ${S}/share/arno-iptables-firewall/* ${D}${datadir}/arno-iptables-firewall + cp -r ${S}/etc/arno-iptables-firewall/* ${D}${sysconfdir}/arno-iptables-firewall + install -m 0644 ${S}/${systemd_unitdir}/system/arno-iptables-firewall.service ${D}${systemd_unitdir}/system + sed -i -e 's%/usr/local/sbin%${bindir}%g' ${D}${systemd_unitdir}/system/arno-iptables-firewall.service + sed -i -e 's%/usr/local/sbin%${sbindir}%g' ${D}${bindir}/arno-iptables-firewall + sed -i -e 's%/usr/local%${exec_prefix}%g' ${D}${sysconfdir}/arno-iptables-firewall/firewall.conf + sed -i -e 's%#!/bin/bash%#!/bin/sh%g' ${D}${bindir}/arno-fwfilter + sed -i -e 's%#!/bin/bash%#!/bin/sh%g' ${D}${datadir}/arno-iptables-firewall/plugins/traffic-accounting-helper + sed -i -e 's%#!/bin/bash%#!/bin/sh%g' ${D}${datadir}/arno-iptables-firewall/plugins/dyndns-host-open-helper +} + +SYSTEMD_SERVICE_${PN} = "arno-iptables-firewall.service" +FILES_${PN} += "${systemd_unitdir}/system/arno-iptables-firewall.service" diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.4.bb b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.4.bb new file mode 100644 index 000000000..8b3490d7c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.4.bb @@ -0,0 +1,36 @@ +SUMMARY = "Connection tracking userspace tools for Linux" +SECTION = "net" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" + +DEPENDS = "libnfnetlink libnetfilter-conntrack libnetfilter-cttimeout \ + libnetfilter-cthelper libnetfilter-queue bison-native" + +DEPENDS_append_libc-musl = " libtirpc" +CFLAGS_append_libc-musl = " -I${STAGING_INCDIR}/tirpc" +LDFLAGS_append_libc-musl = " -ltirpc" + +SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2;name=tar \ + file://conntrack-failover \ + file://init \ +" +SRC_URI[tar.md5sum] = "acd9e0b27cf16ae3092ba900e4d7560e" +SRC_URI[tar.sha256sum] = "b7caf4fcc4c03575df57d25e5216584d597fd916c891f191dac616ce68bdba6c" + +inherit autotools update-rc.d pkgconfig + +INITSCRIPT_NAME = "conntrackd" + +do_install_append() { + install -d ${D}/${sysconfdir}/conntrackd + install -d ${D}/${sysconfdir}/init.d + install -m 0644 ${S}/doc/sync/ftfw/conntrackd.conf ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample + install -m 0755 ${WORKDIR}/conntrack-failover ${D}/${sysconfdir}/init.d/conntrack-failover + install -m 0755 ${WORKDIR}/init ${D}/${sysconfdir}/init.d/conntrackd + + # Fix hardcoded paths in scripts + sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd + sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd + sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample + sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd +} diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover new file mode 100644 index 000000000..6d92e637f --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/conntrack-failover @@ -0,0 +1,77 @@ +#!/bin/sh +# +# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org> +# (C) 2009 Roman I Khimov <khimov@altell.ru> +# +# This software may be used and distributed according to the terms +# of the GNU General Public License, incorporated herein by reference. +# +# Description: +# +# This is the script for primary-backup setups for keepalived +# (http://www.keepalived.org). You may adapt it to make it work with other +# high-availability managers. +# +# Do not forget to include the required modifications to your keepalived.conf +# file to invoke this script during keepalived's state transitions. +# +# Contributions to improve this script are welcome :). +# +## Modified to work as init.d script under pacemaker control + +CONNTRACKD_BIN=/usr/sbin/conntrackd +CONNTRACKD_LOCK=/var/lock/conntrack.lock +CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf + +case "$1" in + start) + # + # commit the external cache into the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -c" + fi + + # + # flush the internal and the external caches + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -f" + fi + + # + # resynchronize my internal cache to the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -R" + fi + + # + # send a bulk update to backups + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -B" + fi + ;; + stop) + $CONNTRACKD_BIN -t + $CONNTRACKD_BIN -n + ;; + status) + ;; + *) + logger "ERROR: unknown command" + echo "Usage: conntrack-failover {start|stop|status}" + exit 1 + ;; +esac + +exit 0 diff --git a/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init new file mode 100644 index 000000000..bce2075a7 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/conntrack-tools/files/init @@ -0,0 +1,87 @@ +#!/bin/sh +# +# /etc/init.d/conntrackd +# +# Maximilian Wilhelm <max@rfc2324.org> +# -- Mon, 06 Nov 2006 18:39:07 +0100 +# +# Roman I Khimov <khimov@altell.ru> +# -- Tue, 27 Oct 2009 14:34:00 +0300 + +### BEGIN INIT INFO +# Provides: conntrackd +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Description: Starts conntrackd +# short-description: Starts conntrackd +### END INIT INFO + +export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +NAME="conntrackd" +DAEMON="/usr/sbin/conntrackd" +CONFIG="/etc/conntrackd/conntrackd.conf" +PIDFILE="/var/run/${NAME}.pid" + + +# Gracefully exit if there is no daemon (debian way of life) +if [ ! -x "${DAEMON}" ]; then + exit 0 +fi + +# Check for config file +if [ ! -f /etc/conntrackd/conntrackd.conf ]; then + echo "Error: There is no config file for $NAME" >&2 + exit 1; +fi + +case "$1" in + start) + echo -n "Starting $NAME: " + for i in nf_conntrack_netlink nf_conntrack_netbios_ns nf_conntrack_proto_dccp nf_conntrack_tftp \ + nf_conntrack_sane nf_conntrack_pptp nf_conntrack_irc nf_conntrack_amanda nf_conntrack_h323 \ + nf_conntrack_proto_udplite nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_ftp \ + nf_conntrack_sip; do + modprobe $i >/dev/null 2>/dev/null & + done + start-stop-daemon --start --quiet --make-pidfile --pidfile "/var/run/${NAME}.pid" --background --exec "${DAEMON}" + RET=$? + if [ "$?" = "0" ]; then + sleep 2 + # Sync with other server + conntrackd -n + echo "done." + else + echo "FAILED!" + fi + exit $RET + ;; + stop) + echo -n "Stopping $NAME:" + start-stop-daemon --stop --quiet --oknodo --pidfile "/var/run/${NAME}.pid" && echo "done." || echo "FAILED!" + ;; + status) + echo -n "conntrackd " + start-stop-daemon -q -K -t -x $DAEMON + RET=$? + if [ "$RET" = "0" ]; then + PID=`cat $PIDFILE` + echo "($PID) is running" + else + echo "is not running" + exit $RET + fi + ;; + restart) + $0 stop + $0 start + ;; + + *) + echo "Usage: /etc/init.d/conntrackd {start|stop|restart}" + exit 1 +esac + +exit 0 diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0001-add-RARP-and-update-iana-url.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0001-add-RARP-and-update-iana-url.patch new file mode 100644 index 000000000..90b69792b --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0001-add-RARP-and-update-iana-url.patch @@ -0,0 +1,45 @@ +From dd35afc9ce1004128a754d5eeb8c5c2cb32ae420 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer <bdschuym@pandora.be> +Date: Tue, 3 Jul 2012 18:47:32 +0000 +Subject: [PATCH 01/10] add RARP and update iana url + +--- + ethertypes | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/ethertypes b/ethertypes +index 5e700f6..813177b 100644 +--- a/ethertypes ++++ b/ethertypes +@@ -5,6 +5,7 @@ + # + # This list could be found on: + # http://www.iana.org/assignments/ethernet-numbers ++# http://www.iana.org/assignments/ieee-802-numbers + # + # <name> <hexnumber> <alias1>...<alias35> #Comment + # +@@ -21,15 +22,16 @@ LAT 6004 # DEC LAT + DIAG 6005 # DEC Diagnostics + CUST 6006 # DEC Customer use + SCA 6007 # DEC Systems Comms Arch +-TEB 6558 # Trans Ether Bridging [RFC1701] +-RAW_FR 6559 # Raw Frame Relay [RFC1701] ++TEB 6558 # Trans Ether Bridging [RFC1701] ++RAW_FR 6559 # Raw Frame Relay [RFC1701] ++RARP 8035 # Reverse ARP [RFC903] + AARP 80F3 # Appletalk AARP +-ATALK 809B # Appletalk ++ATALK 809B # Appletalk + 802_1Q 8100 8021q 1q 802.1q dot1q # 802.1Q Virtual LAN tagged frame + IPX 8137 # Novell IPX + NetBEUI 8191 # NetBEUI + IPv6 86DD ip6 # IP version 6 +-PPP 880B # PPP ++PPP 880B # PPP + ATMMPOA 884C # MultiProtocol over ATM + PPP_DISC 8863 # PPPoE discovery messages + PPP_SES 8864 # PPPoE session messages +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0002-fix-compilation-warning.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0002-fix-compilation-warning.patch new file mode 100644 index 000000000..87b0e9b87 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0002-fix-compilation-warning.patch @@ -0,0 +1,25 @@ +From 2a5333fc8b4825251adfb717d980d89cefde38d6 Mon Sep 17 00:00:00 2001 +From: Petri Gynther <petri.gynther@gmail.com> +Date: Sun, 24 Feb 2013 10:56:59 +0100 +Subject: [PATCH 02/10] fix compilation warning + +--- + communication.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/communication.c b/communication.c +index 62ed667..ba058c0 100644 +--- a/communication.c ++++ b/communication.c +@@ -282,7 +282,7 @@ static int store_counters_in_file(char *filename, struct ebt_u_replace *repl) + } + close_file: + fclose(file); +- return 0; ++ return ret; + } + + /* Gets executed after ebt_deliver_table. Delivers the counters to the kernel +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0003-add-info-about-Wl-no-as-needed.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0003-add-info-about-Wl-no-as-needed.patch new file mode 100644 index 000000000..c8573a464 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0003-add-info-about-Wl-no-as-needed.patch @@ -0,0 +1,25 @@ +From a6faf3b50d6af4768b7b853cb536944fb18e1450 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer <bdschuym@pandora.be> +Date: Wed, 3 Jul 2013 22:12:47 +0200 +Subject: [PATCH 03/10] add info about -Wl,-no-as-needed + +--- + INSTALL | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/INSTALL b/INSTALL +index 4a05c67..e90d5c1 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -39,6 +39,8 @@ That's all + You can also use a base directory different from the root directory (/), + using the DESTDIR option. See the Makefile for more details. + ++You might need to set LDFLAGS=-Wl,-no-as-needed to build ebtables correctly ++on your system. + + ADDITIONAL PROGRAMS: + ---------------------- +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch new file mode 100644 index 000000000..d8f2795bc --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch @@ -0,0 +1,28 @@ +From b0617af37b8b1aafb43e8019135bea44c2d94c28 Mon Sep 17 00:00:00 2001 +From: Luis Fernando <tdthp@terra.com.br> +Date: Wed, 3 Jul 2013 22:19:55 +0200 +Subject: [PATCH 04/10] workaround for kernel regression bug: IPv6 + source/destination addresses are potentially not matched correctly + +--- + extensions/ebt_ip6.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/extensions/ebt_ip6.c b/extensions/ebt_ip6.c +index 0465e77..bbdc4ae 100644 +--- a/extensions/ebt_ip6.c ++++ b/extensions/ebt_ip6.c +@@ -312,6 +312,10 @@ static void init(struct ebt_entry_match *match) + + ipinfo->invflags = 0; + ipinfo->bitmask = 0; ++ memset(ipinfo->saddr.s6_addr, 0, sizeof(ipinfo->saddr.s6_addr)); ++ memset(ipinfo->smsk.s6_addr, 0, sizeof(ipinfo->smsk.s6_addr)); ++ memset(ipinfo->daddr.s6_addr, 0, sizeof(ipinfo->daddr.s6_addr)); ++ memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr)); + } + + #define OPT_SOURCE 0x01 +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0005-Add-noflush-command-line-support-for-ebtables-restor.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0005-Add-noflush-command-line-support-for-ebtables-restor.patch new file mode 100644 index 000000000..9585fd20e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0005-Add-noflush-command-line-support-for-ebtables-restor.patch @@ -0,0 +1,75 @@ +From 15d3ab8a4a167dc44396b003d2ec01841949972f Mon Sep 17 00:00:00 2001 +From: Sanket Shah <sanket.shah@cyberoam.com> +Date: Wed, 31 Jul 2013 21:40:08 +0200 +Subject: [PATCH 05/10] Add --noflush command line support for ebtables-restore + +--- + ebtables-restore.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/ebtables-restore.c b/ebtables-restore.c +index ea02960..bb4d0cf 100644 +--- a/ebtables-restore.c ++++ b/ebtables-restore.c +@@ -22,13 +22,25 @@ + #include <string.h> + #include <errno.h> + #include <unistd.h> ++#include <getopt.h> + #include "include/ebtables_u.h" + ++static const struct option options[] = { ++ {.name = "noflush", .has_arg = 0, .val = 'n'}, ++ { 0 } ++}; ++ + static struct ebt_u_replace replace[3]; + void ebt_early_init_once(); + + #define OPT_KERNELDATA 0x800 /* Also defined in ebtables.c */ + ++static void print_usage() ++{ ++ fprintf(stderr, "Usage: ebtables-restore [ --noflush ]\n"); ++ exit(1); ++} ++ + static void copy_table_names() + { + strcpy(replace[0].name, "filter"); +@@ -41,11 +53,20 @@ static void copy_table_names() + int main(int argc_, char *argv_[]) + { + char *argv[EBTD_ARGC_MAX], cmdline[EBTD_CMDLINE_MAXLN]; +- int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace; ++ int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace, c, flush = 1; + char ebtables_str[] = "ebtables"; + +- if (argc_ != 1) +- ebtrest_print_error("options are not supported"); ++ while ((c = getopt_long(argc_, argv_, "n", options, NULL)) != -1) { ++ switch(c) { ++ case 'n': ++ flush = 0; ++ break; ++ default: ++ print_usage(); ++ break; ++ } ++ } ++ + ebt_silent = 0; + copy_table_names(); + ebt_early_init_once(); +@@ -68,7 +89,7 @@ int main(int argc_, char *argv_[]) + ebtrest_print_error("table '%s' was not recognized", cmdline+1); + table_nr = i; + replace[table_nr].command = 11; +- ebt_get_kernel_table(&replace[table_nr], 1); ++ ebt_get_kernel_table(&replace[table_nr], flush); + replace[table_nr].command = 0; + replace[table_nr].flags = OPT_KERNELDATA; /* Prevent do_command from initialising replace */ + continue; +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch new file mode 100644 index 000000000..21f8e588d --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch @@ -0,0 +1,69 @@ +From 85a0f6d77a9d5c0e7ef7948395f0f6b1612dc987 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer <bdschuym@pandora.be> +Date: Mon, 14 Apr 2014 22:04:55 +0200 +Subject: [PATCH 06/10] don't print IPv6 mask if it's all ones (based on patch + by Mariusz Mazur <mmazur at axeos.com>) + +--- + extensions/ebt_ip6.c | 4 ++-- + include/ebtables_u.h | 1 + + useful_functions.c | 13 +++++++++++++ + 3 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/extensions/ebt_ip6.c b/extensions/ebt_ip6.c +index bbdc4ae..e3e0956 100644 +--- a/extensions/ebt_ip6.c ++++ b/extensions/ebt_ip6.c +@@ -449,14 +449,14 @@ static void print(const struct ebt_u_entry *entry, + if (ipinfo->invflags & EBT_IP6_SOURCE) + printf("! "); + printf("%s", ebt_ip6_to_numeric(&ipinfo->saddr)); +- printf("/%s ", ebt_ip6_to_numeric(&ipinfo->smsk)); ++ printf("%s ", ebt_ip6_mask_to_string(&ipinfo->smsk)); + } + if (ipinfo->bitmask & EBT_IP6_DEST) { + printf("--ip6-dst "); + if (ipinfo->invflags & EBT_IP6_DEST) + printf("! "); + printf("%s", ebt_ip6_to_numeric(&ipinfo->daddr)); +- printf("/%s ", ebt_ip6_to_numeric(&ipinfo->dmsk)); ++ printf("%s ", ebt_ip6_mask_to_string(&ipinfo->dmsk)); + } + if (ipinfo->bitmask & EBT_IP6_TCLASS) { + printf("--ip6-tclass "); +diff --git a/include/ebtables_u.h b/include/ebtables_u.h +index ab615c1..35a5bcc 100644 +--- a/include/ebtables_u.h ++++ b/include/ebtables_u.h +@@ -303,6 +303,7 @@ char *ebt_mask_to_dotted(uint32_t mask); + void ebt_parse_ip6_address(char *address, struct in6_addr *addr, + struct in6_addr *msk); + char *ebt_ip6_to_numeric(const struct in6_addr *addrp); ++char *ebt_ip6_mask_to_string(const struct in6_addr *msk); + + + int do_command(int argc, char *argv[], int exec_style, +diff --git a/useful_functions.c b/useful_functions.c +index d20b68e..d14cbe9 100644 +--- a/useful_functions.c ++++ b/useful_functions.c +@@ -411,3 +411,16 @@ char *ebt_ip6_to_numeric(const struct in6_addr *addrp) + static char buf[50+1]; + return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf)); + } ++ ++char *ebt_ip6_mask_to_string(const struct in6_addr *msk) ++{ ++ /* /0000:0000:0000:0000:0000:000.000.000.000 ++ * /0000:0000:0000:0000:0000:0000:0000:0000 */ ++ static char buf[51+1]; ++ if (msk->s6_addr32[0] == 0xFFFFFFFFL && msk->s6_addr32[1] == 0xFFFFFFFFL && ++ msk->s6_addr32[2] == 0xFFFFFFFFL && msk->s6_addr32[3] == 0xFFFFFFFFL) ++ *buf = '\0'; ++ else ++ sprintf(buf, "/%s", ebt_ip6_to_numeric(msk)); ++ return buf; ++} +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0007-extensions-Use-stdint-types.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0007-extensions-Use-stdint-types.patch new file mode 100644 index 000000000..6fbe7df4c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0007-extensions-Use-stdint-types.patch @@ -0,0 +1,67 @@ +From a60c7d4a6d05387aceb8ae9c38390d0f9bae84a2 Mon Sep 17 00:00:00 2001 +From: Felix Janda <felix.janda@posteo.de> +Date: Sat, 16 May 2015 12:22:39 +0200 +Subject: [PATCH 07/10] extensions: Use stdint types + +Signed-off-by: Felix Janda <felix.janda@posteo.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + extensions/ebt_ip6.c | 4 ++-- + extensions/ebt_limit.c | 10 +++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/extensions/ebt_ip6.c b/extensions/ebt_ip6.c +index e3e0956..dd48547 100644 +--- a/extensions/ebt_ip6.c ++++ b/extensions/ebt_ip6.c +@@ -53,8 +53,8 @@ static const struct option opts[] = + + struct icmpv6_names { + const char *name; +- u_int8_t type; +- u_int8_t code_min, code_max; ++ uint8_t type; ++ uint8_t code_min, code_max; + }; + + static const struct icmpv6_names icmpv6_codes[] = { +diff --git a/extensions/ebt_limit.c b/extensions/ebt_limit.c +index ee40e5c..d189a09 100644 +--- a/extensions/ebt_limit.c ++++ b/extensions/ebt_limit.c +@@ -59,11 +59,11 @@ static void print_help(void) + " default %u\n", EBT_LIMIT_BURST); + } + +-static int parse_rate(const char *rate, u_int32_t *val) ++static int parse_rate(const char *rate, uint32_t *val) + { + const char *delim; +- u_int32_t r; +- u_int32_t mult = 1; /* Seconds by default. */ ++ uint32_t r; ++ uint32_t mult = 1; /* Seconds by default. */ + + delim = strchr(rate, '/'); + if (delim) { +@@ -151,7 +151,7 @@ static void final_check(const struct ebt_u_entry *entry, + struct rates + { + const char *name; +- u_int32_t mult; ++ uint32_t mult; + }; + + static struct rates g_rates[] = +@@ -162,7 +162,7 @@ static struct rates g_rates[] = + { "sec", EBT_LIMIT_SCALE } + }; + +-static void print_rate(u_int32_t period) ++static void print_rate(uint32_t period) + { + unsigned int i; + +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch new file mode 100644 index 000000000..df3f52143 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch @@ -0,0 +1,48 @@ +From 6ed23c8c2bc5efc3956e7bb6155afc8f45e6ae1a Mon Sep 17 00:00:00 2001 +From: Felix Janda <felix.janda@posteo.de> +Date: Sat, 16 May 2015 12:31:58 +0200 +Subject: [PATCH 08/10] ethernetdb.h: Remove C++ specific compiler hint macro + _THROW + +Fixes compilation with musl libc + +Signed-off-by: Felix Janda <felix.janda@posteo.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/ethernetdb.h | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/include/ethernetdb.h b/include/ethernetdb.h +index 46d8bfd..1683abe 100644 +--- a/include/ethernetdb.h ++++ b/include/ethernetdb.h +@@ -38,21 +38,20 @@ struct ethertypeent { + + /* Open ethertype data base files and mark them as staying open even + after a later search if STAY_OPEN is non-zero. */ +-extern void setethertypeent(int __stay_open) __THROW; ++extern void setethertypeent(int __stay_open); + + /* Close ethertype data base files and clear `stay open' flag. */ +-extern void endethertypeent(void) __THROW; ++extern void endethertypeent(void); + + /* Get next entry from ethertype data base file. Open data base if + necessary. */ +-extern struct ethertypeent *getethertypeent(void) __THROW; ++extern struct ethertypeent *getethertypeent(void); + + /* Return entry from ethertype data base for network with NAME. */ +-extern struct ethertypeent *getethertypebyname(__const char *__name) +- __THROW; ++extern struct ethertypeent *getethertypebyname(__const char *__name); + + /* Return entry from ethertype data base which number is PROTO. */ +-extern struct ethertypeent *getethertypebynumber(int __ethertype) __THROW; ++extern struct ethertypeent *getethertypebynumber(int __ethertype); + + + #endif /* ethernetdb.h */ +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch new file mode 100644 index 000000000..248582c18 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch @@ -0,0 +1,48 @@ +From e6b367c0c2668341c47242d099f4d2048ae575ef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alin=20N=C4=83stac?= <alin.nastac@gmail.com> +Date: Thu, 22 Oct 2015 16:41:03 +0200 +Subject: [PATCH 09/10] ebtables: Allow RETURN target rules in user defined + chains + +During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS' if +they're called from a base chain rather than a user defined chain. + +This can be used by ebtables targets that can encode a special return +value to bail out if e.g. RETURN is used from a base chain. + +Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also +copied to called user-defined-chains (i.e., a user defined chain can no +longer be distinguished from a base chain): + +root@OpenWrt:~# ebtables -N foo +root@OpenWrt:~# ebtables -A OUTPUT -j foo +root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN +--mark-target RETURN not allowed on base chain. + +This works if -A OUTPUT -j foo is omitted, but will still appear +if we try to call foo from OUTPUT afterwards. + +After this patch we still reject +'-A OUTPUT -j mark .. --mark-target RETURN'. + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + libebtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libebtc.c b/libebtc.c +index 17ba8f2..74830ec 100644 +--- a/libebtc.c ++++ b/libebtc.c +@@ -1102,7 +1102,7 @@ void ebt_check_for_loops(struct ebt_u_replace *replace) + /* check if we've dealt with this chain already */ + if (entries2->hook_mask & (1<<i)) + goto letscontinue; +- entries2->hook_mask |= entries->hook_mask; ++ entries2->hook_mask |= entries->hook_mask & ~(1 << NF_BR_NUMHOOKS); + /* Jump to the chain, make sure we know how to get back */ + stack[sp].chain_nr = chain_nr; + stack[sp].n = j; +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0010-Adjust-header-include-sequence.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0010-Adjust-header-include-sequence.patch new file mode 100644 index 000000000..a6ef9cd09 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/0010-Adjust-header-include-sequence.patch @@ -0,0 +1,216 @@ +From b7cee37734007fced7a4d5ed586c3a9e5ad92878 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sun, 26 Mar 2017 13:12:21 -0700 +Subject: [PATCH 10/10] Adjust header include sequence + +This fixes the build with musl + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + extensions/ebt_among.c | 2 +- + extensions/ebt_arpreply.c | 2 +- + extensions/ebt_nat.c | 2 +- + include/linux/if_ether.h | 126 ---------------------------------------------- + useful_functions.c | 4 +- + 5 files changed, 5 insertions(+), 131 deletions(-) + delete mode 100644 include/linux/if_ether.h + +diff --git a/extensions/ebt_among.c b/extensions/ebt_among.c +index f97d07e..b096847 100644 +--- a/extensions/ebt_among.c ++++ b/extensions/ebt_among.c +@@ -12,8 +12,8 @@ + #include <getopt.h> + #include <ctype.h> + #include <unistd.h> +-#include "../include/ebtables_u.h" + #include <netinet/ether.h> ++#include "../include/ebtables_u.h" + #include "../include/ethernetdb.h" + #include <linux/if_ether.h> + #include <linux/netfilter_bridge/ebt_among.h> +diff --git a/extensions/ebt_arpreply.c b/extensions/ebt_arpreply.c +index c3757f3..c5102a4 100644 +--- a/extensions/ebt_arpreply.c ++++ b/extensions/ebt_arpreply.c +@@ -11,8 +11,8 @@ + #include <stdlib.h> + #include <string.h> + #include <getopt.h> +-#include "../include/ebtables_u.h" + #include <netinet/ether.h> ++#include "../include/ebtables_u.h" + #include <linux/netfilter_bridge/ebt_arpreply.h> + + static int mac_supplied; +diff --git a/extensions/ebt_nat.c b/extensions/ebt_nat.c +index e6afbf8..8d318d1 100644 +--- a/extensions/ebt_nat.c ++++ b/extensions/ebt_nat.c +@@ -10,8 +10,8 @@ + #include <stdlib.h> + #include <string.h> + #include <getopt.h> +-#include "../include/ebtables_u.h" + #include <netinet/ether.h> ++#include "../include/ebtables_u.h" + #include <linux/netfilter_bridge/ebt_nat.h> + + static int to_source_supplied, to_dest_supplied; +diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h +deleted file mode 100644 +index 28a15ff..0000000 +--- a/include/linux/if_ether.h ++++ /dev/null +@@ -1,126 +0,0 @@ +-/* +- * INET An implementation of the TCP/IP protocol suite for the LINUX +- * operating system. INET is implemented using the BSD Socket +- * interface as the means of communication with the user level. +- * +- * Global definitions for the Ethernet IEEE 802.3 interface. +- * +- * Version: @(#)if_ether.h 1.0.1a 02/08/94 +- * +- * Author: Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG> +- * Donald Becker, <becker@super.org> +- * Alan Cox, <alan@lxorguk.ukuu.org.uk> +- * Steve Whitehouse, <gw7rrm@eeshack3.swan.ac.uk> +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- */ +- +-#ifndef _LINUX_IF_ETHER_H +-#define _LINUX_IF_ETHER_H +- +-#include <linux/types.h> +- +-/* +- * IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble +- * and FCS/CRC (frame check sequence). +- */ +- +-#define ETH_ALEN 6 /* Octets in one ethernet addr */ +-#define ETH_HLEN 14 /* Total octets in header. */ +-#define ETH_ZLEN 60 /* Min. octets in frame sans FCS */ +-#define ETH_DATA_LEN 1500 /* Max. octets in payload */ +-#define ETH_FRAME_LEN 1514 /* Max. octets in frame sans FCS */ +-#define ETH_FCS_LEN 4 /* Octets in the FCS */ +- +-/* +- * These are the defined Ethernet Protocol ID's. +- */ +- +-#define ETH_P_LOOP 0x0060 /* Ethernet Loopback packet */ +-#define ETH_P_PUP 0x0200 /* Xerox PUP packet */ +-#define ETH_P_PUPAT 0x0201 /* Xerox PUP Addr Trans packet */ +-#define ETH_P_IP 0x0800 /* Internet Protocol packet */ +-#define ETH_P_X25 0x0805 /* CCITT X.25 */ +-#define ETH_P_ARP 0x0806 /* Address Resolution packet */ +-#define ETH_P_BPQ 0x08FF /* G8BPQ AX.25 Ethernet Packet [ NOT AN OFFICIALLY REGISTERED ID ] */ +-#define ETH_P_IEEEPUP 0x0a00 /* Xerox IEEE802.3 PUP packet */ +-#define ETH_P_IEEEPUPAT 0x0a01 /* Xerox IEEE802.3 PUP Addr Trans packet */ +-#define ETH_P_DEC 0x6000 /* DEC Assigned proto */ +-#define ETH_P_DNA_DL 0x6001 /* DEC DNA Dump/Load */ +-#define ETH_P_DNA_RC 0x6002 /* DEC DNA Remote Console */ +-#define ETH_P_DNA_RT 0x6003 /* DEC DNA Routing */ +-#define ETH_P_LAT 0x6004 /* DEC LAT */ +-#define ETH_P_DIAG 0x6005 /* DEC Diagnostics */ +-#define ETH_P_CUST 0x6006 /* DEC Customer use */ +-#define ETH_P_SCA 0x6007 /* DEC Systems Comms Arch */ +-#define ETH_P_TEB 0x6558 /* Trans Ether Bridging */ +-#define ETH_P_RARP 0x8035 /* Reverse Addr Res packet */ +-#define ETH_P_ATALK 0x809B /* Appletalk DDP */ +-#define ETH_P_AARP 0x80F3 /* Appletalk AARP */ +-#define ETH_P_8021Q 0x8100 /* 802.1Q VLAN Extended Header */ +-#define ETH_P_IPX 0x8137 /* IPX over DIX */ +-#define ETH_P_IPV6 0x86DD /* IPv6 over bluebook */ +-#define ETH_P_PAUSE 0x8808 /* IEEE Pause frames. See 802.3 31B */ +-#define ETH_P_SLOW 0x8809 /* Slow Protocol. See 802.3ad 43B */ +-#define ETH_P_WCCP 0x883E /* Web-cache coordination protocol +- * defined in draft-wilson-wrec-wccp-v2-00.txt */ +-#define ETH_P_PPP_DISC 0x8863 /* PPPoE discovery messages */ +-#define ETH_P_PPP_SES 0x8864 /* PPPoE session messages */ +-#define ETH_P_MPLS_UC 0x8847 /* MPLS Unicast traffic */ +-#define ETH_P_MPLS_MC 0x8848 /* MPLS Multicast traffic */ +-#define ETH_P_ATMMPOA 0x884c /* MultiProtocol Over ATM */ +-#define ETH_P_LINK_CTL 0x886c /* HPNA, wlan link local tunnel */ +-#define ETH_P_ATMFATE 0x8884 /* Frame-based ATM Transport +- * over Ethernet +- */ +-#define ETH_P_PAE 0x888E /* Port Access Entity (IEEE 802.1X) */ +-#define ETH_P_AOE 0x88A2 /* ATA over Ethernet */ +-#define ETH_P_TIPC 0x88CA /* TIPC */ +-#define ETH_P_1588 0x88F7 /* IEEE 1588 Timesync */ +-#define ETH_P_FCOE 0x8906 /* Fibre Channel over Ethernet */ +-#define ETH_P_FIP 0x8914 /* FCoE Initialization Protocol */ +-#define ETH_P_EDSA 0xDADA /* Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ] */ +- +-/* +- * Non DIX types. Won't clash for 1500 types. +- */ +- +-#define ETH_P_802_3 0x0001 /* Dummy type for 802.3 frames */ +-#define ETH_P_AX25 0x0002 /* Dummy protocol id for AX.25 */ +-#define ETH_P_ALL 0x0003 /* Every packet (be careful!!!) */ +-#define ETH_P_802_2 0x0004 /* 802.2 frames */ +-#define ETH_P_SNAP 0x0005 /* Internal only */ +-#define ETH_P_DDCMP 0x0006 /* DEC DDCMP: Internal only */ +-#define ETH_P_WAN_PPP 0x0007 /* Dummy type for WAN PPP frames*/ +-#define ETH_P_PPP_MP 0x0008 /* Dummy type for PPP MP frames */ +-#define ETH_P_LOCALTALK 0x0009 /* Localtalk pseudo type */ +-#define ETH_P_CAN 0x000C /* Controller Area Network */ +-#define ETH_P_PPPTALK 0x0010 /* Dummy type for Atalk over PPP*/ +-#define ETH_P_TR_802_2 0x0011 /* 802.2 frames */ +-#define ETH_P_MOBITEX 0x0015 /* Mobitex (kaz@cafe.net) */ +-#define ETH_P_CONTROL 0x0016 /* Card specific control frames */ +-#define ETH_P_IRDA 0x0017 /* Linux-IrDA */ +-#define ETH_P_ECONET 0x0018 /* Acorn Econet */ +-#define ETH_P_HDLC 0x0019 /* HDLC frames */ +-#define ETH_P_ARCNET 0x001A /* 1A for ArcNet :-) */ +-#define ETH_P_DSA 0x001B /* Distributed Switch Arch. */ +-#define ETH_P_TRAILER 0x001C /* Trailer switch tagging */ +-#define ETH_P_PHONET 0x00F5 /* Nokia Phonet frames */ +-#define ETH_P_IEEE802154 0x00F6 /* IEEE802.15.4 frame */ +-#define ETH_P_CAIF 0x00F7 /* ST-Ericsson CAIF protocol */ +- +-/* +- * This is an Ethernet frame header. +- */ +- +-struct ethhdr { +- unsigned char h_dest[ETH_ALEN]; /* destination eth addr */ +- unsigned char h_source[ETH_ALEN]; /* source ether addr */ +- __be16 h_proto; /* packet type ID field */ +-} __attribute__((packed)); +- +- +-#endif /* _LINUX_IF_ETHER_H */ +diff --git a/useful_functions.c b/useful_functions.c +index d14cbe9..c304f4d 100644 +--- a/useful_functions.c ++++ b/useful_functions.c +@@ -22,8 +22,6 @@ + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ +-#include "include/ebtables_u.h" +-#include "include/ethernetdb.h" + #include <stdio.h> + #include <netinet/ether.h> + #include <string.h> +@@ -33,6 +31,8 @@ + #include <sys/types.h> + #include <sys/socket.h> + #include <arpa/inet.h> ++#include "include/ebtables_u.h" ++#include "include/ethernetdb.h" + + const unsigned char mac_type_unicast[ETH_ALEN] = {0,0,0,0,0,0}; + const unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0}; +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch new file mode 100644 index 000000000..c260403ea --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/01debian_defaultconfig.patch @@ -0,0 +1,50 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## debian_defaultconfig.dpatch by <hesso@pool.math.tu-berlin.de> +## +## DP: Debian enhancements to the ebtables "sysconfig" default settings. + +@DPATCH@ + +--- ebtables-2.0.8.1.orig/ebtables-config ++++ ebtables-2.0.8.1/ebtables-config +@@ -1,17 +1,3 @@ +-# Save (and possibly restore) in text format. +-# Value: yes|no, default: yes +-# Save the firewall rules in text format to __SYSCONFIG__/ebtables +-# If EBTABLES_BINARY_FORMAT="no" then restoring the firewall rules +-# is done using this text format. +-EBTABLES_TEXT_FORMAT="yes" +- +-# Save (and restore) in binary format. +-# Value: yes|no, default: yes +-# Save (and restore) the firewall rules in binary format to (and from) +-# __SYSCONFIG__/ebtables.<chain>. Enabling this option will make +-# firewall initialisation a lot faster. +-EBTABLES_BINARY_FORMAT="yes" +- + # Unload modules on restart and stop + # Value: yes|no, default: yes + # This option has to be 'yes' to get to a sane state for a firewall +@@ -19,6 +5,12 @@ + # modules. + EBTABLES_MODULES_UNLOAD="yes" + ++# Load firewall rules on system startup. ++# Value: yes|no, default: no ++# Restores the ebtables rulesets from the last saved state when the ++# system boots up. ++EBTABLES_LOAD_ON_START="no" ++ + # Save current firewall rules on stop. + # Value: yes|no, default: no + # Saves all firewall rules if firewall gets stopped +@@ -35,3 +27,9 @@ + # Save rule counters when saving a kernel table to a file. If the + # rule counters were saved, they will be restored when restoring the table. + EBTABLES_SAVE_COUNTER="no" ++ ++# Backup suffix for ruleset save files. ++# Value: <string>, default: "~" ++# Keep one backup level of saved rules. ++# Set this variable to the empty string to disable backups. ++EBTABLES_BACKUP_SUFFIX="~" diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables-save b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables-save new file mode 100755 index 000000000..2d7fc4ed7 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables-save @@ -0,0 +1,43 @@ +#!/bin/bash + +EBTABLES="/sbin/ebtables" + +[ -x "$EBTABLES" ] || exit 1 + +echo "# Generated by ebtables-save v1.0 on $(date)" + +cnt="" +[ "x$EBTABLES_SAVE_COUNTER" = "xyes" ] && cnt="--Lc" + +for table_name in $(grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//); do + table=$($EBTABLES -t $table_name -L $cnt) + [ $? -eq 0 ] || { echo "$table"; exit -1; } + + chain="" + rules="" + while read line; do + [ -z "$line" ] && continue + + case "$line" in + Bridge\ table:\ *) + echo "*${line:14}" + ;; + Bridge\ chain:\ *) + chain="${line:14}" + chain="${chain%%,*}" + policy="${line##*policy: }" + echo ":$chain $policy" + ;; + *) + if [ "$cnt" = "--Lc" ]; then + line=${line/, pcnt \=/ -c} + line=${line/-- bcnt \=/} + fi + rules="$rules-A $chain $line\n" + ;; + esac + done <<EOF +$table +EOF + echo -e $rules +done diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common new file mode 100644 index 000000000..1ae18fed3 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.common @@ -0,0 +1,163 @@ +#!/bin/sh + +[ -x /sbin/ebtables ] || exit 1 + +EBTABLES_DUMPFILE_STEM=/etc/ebtables/dump + +RETVAL=0 +prog="ebtables" +desc="Ethernet bridge filtering" +umask 0077 + +#default configuration +EBTABLES_MODULES_UNLOAD="yes" +EBTABLES_LOAD_ON_START="no" +EBTABLES_SAVE_ON_STOP="no" +EBTABLES_SAVE_ON_RESTART="no" +EBTABLES_SAVE_COUNTER="no" +EBTABLES_BACKUP_SUFFIX="~" + +config=/etc/default/$prog +[ -f "$config" ] && . "$config" + +get_supported_tables() { + EBTABLES_SUPPORTED_TABLES= + /sbin/ebtables -t filter -L 2>&1 1>/dev/null | grep -q permission + if [ $? -eq 0 ]; then + echo "Error: insufficient privileges to access the ebtables rulesets." + exit 1 + fi + for table in filter nat broute; do + /sbin/ebtables -t $table -L &> /dev/null + if [ $? -eq 0 ]; then + EBTABLES_SUPPORTED_TABLES="${EBTABLES_SUPPORTED_TABLES} $table" + fi + done +} + +load() { + RETVAL=0 + get_supported_tables + echo -n "Restoring ebtables rulesets: " + for table in $EBTABLES_SUPPORTED_TABLES; do + echo -n "$table " + if [ -s ${EBTABLES_DUMPFILE_STEM}.$table ]; then + /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-commit + RET=$? + if [ $RET -ne 0 ]; then + echo -n "(failed) " + RETVAL=$RET + fi + else + echo -n "(no saved state) " + fi + done + if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then + echo -n "no kernel support. " + else + echo -n "done. " + fi + if [ $RETVAL -eq 0 ]; then + echo "ok" + else + echo "fail" + fi +} + +clear_rules() { + RETVAL=0 + get_supported_tables + echo -n "Clearing ebtables rulesets: " + for table in $EBTABLES_SUPPORTED_TABLES; do + echo -n "$table " + /sbin/ebtables -t $table --init-table + done + + if [ "$EBTABLES_MODULES_UNLOAD" = "yes" ]; then + for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -d' ' -f1) ebtables; do + rmmod $mod 2> /dev/null + done + fi + if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then + echo -n "no kernel support. " + else + echo -n "done. " + fi + if [ $RETVAL -eq 0 ]; then + echo "ok" + else + echo "fail" + fi +} + +save() { + RETVAL=0 + get_supported_tables + echo -n "Saving ebtables rulesets: " + for table in $EBTABLES_SUPPORTED_TABLES; do + echo -n "$table " + [ -n "$EBTABLES_BACKUP_SUFFIX" ] && [ -s ${EBTABLES_DUMPFILE_STEM}.$table ] && \ + mv ${EBTABLES_DUMPFILE_STEM}.$table ${EBTABLES_DUMPFILE_STEM}.$table$EBTABLES_BACKUP_SUFFIX + /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-save + RET=$? + if [ $RET -ne 0 ]; then + echo -n "(failed) " + RETVAL=$RET + else + if [ "$EBTABLES_SAVE_COUNTER" = "no" ]; then + /sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table -Z + fi + fi + done + if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then + echo -n "no kernel support. " + else + echo -n "done. " + fi + if [ $RETVAL -eq 0 ]; then + echo "ok" + else + echo "fail" + fi +} + +case "$1" in + start) + [ "$EBTABLES_LOAD_ON_START" = "yes" ] && load + ;; + stop) + [ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save + clear_rules + ;; + restart|reload|force-reload) + [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save + clear_rules + [ "$EBTABLES_LOAD_ON_START" = "yes" ] && load + ;; + load) + load + ;; + save) + save + ;; + status) + get_supported_tables + if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then + echo "No kernel support for ebtables." + RETVAL=1 + else + echo -n "Ebtables support available, number of installed rules: " + for table in $EBTABLES_SUPPORTED_TABLES; do + COUNT=$(( $(/sbin/ebtables -t $table -L | sed -e "/^Bridge chain/! d" -e "s/^.*entries: //" -e "s/,.*$/ +/") 0 )) + echo -n "$table($COUNT) " + done + echo ok + RETVAL=0 + fi + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|force-reload|load|save|status}" >&2 + RETVAL=1 +esac + +exit $RETVAL diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init new file mode 100755 index 000000000..c9a77a29e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.init @@ -0,0 +1,26 @@ +#!/bin/sh +# +# init script for the Ethernet Bridge filter tables +# +# Written by Dag Wieers <dag@wieers.com> +# Modified by Rok Papez <rok.papez@arnes.si> +# Bart De Schuymer <bdschuym@pandora.be> +# Adapted to Debian by Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> +# Adapted to OpenEmbedded by Roman I Khimov <khimov@altell.ru> +# +# chkconfig: - 15 85 +# description: Ethernet Bridge filtering tables +# +### BEGIN INIT INFO +# Provides: ebtables +# Required-Start: +# Required-Stop: +# Should-Start: $local_fs +# Should-Stop: $local_fs +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: ebtables ruleset management +# Description: Saves and restores the state of the ebtables rulesets. +### END INIT INFO + +/usr/sbin/ebtables.common $1 diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service new file mode 100644 index 000000000..3abd1fe3e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables.service @@ -0,0 +1,11 @@ +[Unit] +Description=Ethernet Bridge Filtering Tables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=@SBINDIR@/ebtables.common start +ExecStop=@SBINDIR@/ebtables.common stop + +[Install] +WantedBy=multi-user.target diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch new file mode 100644 index 000000000..bcd9bed23 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/installnonroot.patch @@ -0,0 +1,43 @@ +diff --git a/Makefile b/Makefile +index c1106a4..7ea6b7a 100644 +--- a/Makefile ++++ b/Makefile +@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\//\\\//g') + scripts: ebtables-save ebtables.sysv ebtables-config + cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_ + mkdir -p $(DESTDIR)$(BINDIR) +- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save ++ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save + cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_ + if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi +- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi ++ if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi + cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_ + if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi +- if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi ++ if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi + rm -f ebtables-save_ ebtables.sysv_ ebtables-config_ + + tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g') + $(MANDIR)/man8/ebtables.8: ebtables.8 + mkdir -p $(DESTDIR)$(@D) + sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_ +- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@ ++ install -m 0644 ebtables.8_ $(DESTDIR)$@ + rm -f ebtables.8_ + + $(DESTDIR)$(ETHERTYPESFILE): ethertypes + mkdir -p $(@D) +- install -m 0644 -o root -g root $< $@ ++ install -m 0644 $< $@ + + .PHONY: exec + exec: ebtables ebtables-restore + mkdir -p $(DESTDIR)$(BINDIR) +- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME) +- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore ++ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME) ++ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore + + .PHONY: install + install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch new file mode 100644 index 000000000..336119d6b --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/no-as-needed.patch @@ -0,0 +1,25 @@ +link ebtables with --no-as-needed and adjust the link order to fix runtime crash + +Program terminated with signal 11, Segmentation fault. +#0 0x00007ffaa837fb53 in ebt_initialize_entry () from /lib64/ebtables/libebtc.so +(gdb) bt +#0 0x00007ffaa837fb53 in ebt_initialize_entry () from /lib64/ebtables/libebtc.so +#1 0x00007ffaa83824dc in do_command () from /lib64/ebtables/libebtc.so +#2 0x000000000040065c in ?? () +#3 0x00007ffaa7fed755 in __libc_start_main () from /lib64/libc.so.6 +#4 0x0000000000400691 in ?? () + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Index: ebtables-v2.0.10-4/Makefile +=================================================================== +--- ebtables-v2.0.10-4.orig/Makefile 2011-12-15 12:02:47.000000000 -0800 ++++ ebtables-v2.0.10-4/Makefile 2012-12-17 22:09:45.065973753 -0800 +@@ -90,7 +90,7 @@ + $(CC) -shared $(LDFLAGS) -Wl,-soname,libebtc.so -o libebtc.so -lc $(OBJECTS2) + + ebtables: $(OBJECTS) ebtables-standalone.o libebtc.so +- $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o -I$(KERNEL_INCLUDES) -L. -Lextensions -lebtc $(EXT_LIBSI) \ ++ $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o -I$(KERNEL_INCLUDES) -L. -Lextensions -Wl,--no-as-needed $(EXT_LIBSI) -lebtc \ + -Wl,-rpath,$(LIBDIR) + + ebtablesu: ebtablesu.c diff --git a/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb new file mode 100644 index 000000000..b9dce69ba --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb @@ -0,0 +1,103 @@ +SUMMARY = "Filtering tool for a Linux-based bridging firewall" +HOMEPAGE = "http://sourceforge.net/projects/ebtables/" +DESCRIPTION = "Utility for basic Ethernet frame filtering on a Linux bridge, \ + advanced logging, MAC DNAT/SNAT and brouting." +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=53b4a999993871a28ab1488fdbd2e73e" +SECTION = "net" +PR = "r4" + +RDEPENDS_${PN} += "bash" + +RRECOMMENDS_${PN} += "kernel-module-ebtables \ + " + +SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \ + file://ebtables-save \ + file://installnonroot.patch \ + file://01debian_defaultconfig.patch \ + file://ebtables.init \ + file://ebtables.common \ + file://ebtables.service \ + file://no-as-needed.patch \ + file://0001-add-RARP-and-update-iana-url.patch \ + file://0002-fix-compilation-warning.patch \ + file://0003-add-info-about-Wl-no-as-needed.patch \ + file://0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch \ + file://0005-Add-noflush-command-line-support-for-ebtables-restor.patch \ + file://0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch \ + file://0007-extensions-Use-stdint-types.patch \ + file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \ + file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \ + " + +SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch" + +SRC_URI[md5sum] = "506742a3d44b9925955425a659c1a8d0" +SRC_URI[sha256sum] = "dc6f7b484f207dc712bfca81645f45120cb6aee3380e77a1771e9c34a9a4455d" + +S = "${WORKDIR}/ebtables-v${PV}" + +inherit update-rc.d systemd + +python __anonymous () { + import re + + karch = d.getVar('TARGET_ARCH') + multilib = d.getVar('MLPREFIX') + + if multilib and ( karch == 'powerpc64' or karch == 'arm' ): + searchstr = "lib.?32" + reg = re.compile(searchstr) + if reg.search(multilib): + d.appendVar('CFLAGS' ,' -DKERNEL_64_USERSPACE_32 -DEBT_MIN_ALIGN=8') +} + +EXTRA_OEMAKE = " \ + BINDIR=${base_sbindir} \ + MANDIR=${mandir} \ + ETHERTYPESPATH=${sysconfdir} \ + INITDIR=${sysconfdir}/init.d \ + SYSCONFIGDIR=${sysconfdir}/default \ + LIBDIR=${base_libdir}/ebtables \ + 'CC=${CC}' \ + 'CFLAGS=${CFLAGS}' \ + 'LDFLAGS=${LDFLAGS} -Wl,--no-as-needed' \ + 'LD=${LD}' \ +" + +do_install () { + install -d ${D}${sbindir} + install -m 0755 ${WORKDIR}/ebtables.common ${D}${sbindir}/ebtables.common + # Fix hardcoded paths in scripts + sed -i 's!/sbin/!${base_sbindir}/!g' ${D}${sbindir}/ebtables.common + sed -i 's!/etc/!${sysconfdir}/!g' ${D}${sbindir}/ebtables.common + + install -d ${D}${sysconfdir}/init.d + install -d ${D}${sysconfdir}/default + install -d ${D}${sysconfdir}/ebtables + oe_runmake DESTDIR='${D}' install + install -m 0755 ${WORKDIR}/ebtables.init ${D}/${sysconfdir}/init.d/ebtables + mv ${D}${sysconfdir}/default/ebtables-config ${D}${sysconfdir}/default/ebtables + sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${sysconfdir}/init.d/ebtables + + # Replace upstream ebtables-save perl script with Fedora bash based rewrite + # http://pkgs.fedoraproject.org/cgit/rpms/ebtables.git/tree/ebtables-save + install -m 0755 ${WORKDIR}/ebtables-save ${D}${base_sbindir}/ebtables-save + sed -i 's!/sbin/!${base_sbindir}/!g' ${D}${base_sbindir}/ebtables-save + + # Install systemd service files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/ebtables.service ${D}${systemd_unitdir}/system + sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/ebtables.service +} + +CONFFILES_${PN} += "${sysconfdir}/default/ebtables" + +INITSCRIPT_NAME = "ebtables" +INITSCRIPT_PARAMS = "start 41 S . stop 41 6 ." + +SYSTEMD_SERVICE_${PN} = "ebtables.service" + +FILES_${PN}-dbg += "${base_libdir}/ebtables/.debug" +FILES_${PN} += "${base_libdir}/ebtables/*.so" diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-Correct-typo-in-the-location-of-internal.h-in-includ.patch b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-Correct-typo-in-the-location-of-internal.h-in-includ.patch new file mode 100644 index 000000000..76d2d5d28 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-Correct-typo-in-the-location-of-internal.h-in-includ.patch @@ -0,0 +1,26 @@ +From 32af64e1811c74292891dc4dc8455736f7d33ccf Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 30 Mar 2017 13:26:56 -0700 +Subject: [PATCH] Correct typo in the location of internal.h in #include + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/libnetfilter_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 211a8ba..065d618 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -32,7 +32,7 @@ + + #include <libnfnetlink/libnfnetlink.h> + #include <libnetfilter_queue/libnetfilter_queue.h> +-#include "src/internal.h" ++#include "internal.h" + + /** + * \mainpage +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-acct-Declare-the-define-visivility-attribute-together.patch b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-acct-Declare-the-define-visivility-attribute-together.patch new file mode 100644 index 000000000..9e0b420e0 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-acct-Declare-the-define-visivility-attribute-together.patch @@ -0,0 +1,255 @@ +From f3e3e8fa703e88b76b22c5486277dfca3c85a24b Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 10 Apr 2017 14:56:18 -0700 +Subject: [PATCH] Declare the define visivility attribute together + +clang ignores the visibility attribute if its not +defined before the definition. As a result these +symbols become hidden and consumers of this library +fail to link due to these missing symbols + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + doxygen.cfg.in | 2 +- + src/internal.h | 5 ++--- + src/libnetfilter_acct.c | 41 ++++++++++++++--------------------------- + 3 files changed, 17 insertions(+), 31 deletions(-) + +diff --git a/doxygen.cfg.in b/doxygen.cfg.in +index 7f4bd04..fe64d48 100644 +--- a/doxygen.cfg.in ++++ b/doxygen.cfg.in +@@ -72,7 +72,7 @@ RECURSIVE = YES + EXCLUDE = + EXCLUDE_SYMLINKS = NO + EXCLUDE_PATTERNS = */.git/* .*.d +-EXCLUDE_SYMBOLS = EXPORT_SYMBOL nfacct ++EXCLUDE_SYMBOLS = nfacct + EXAMPLE_PATH = + EXAMPLE_PATTERNS = + EXAMPLE_RECURSIVE = NO +diff --git a/src/internal.h b/src/internal.h +index f0cc2e1..e5c5ffd 100644 +--- a/src/internal.h ++++ b/src/internal.h +@@ -3,10 +3,9 @@ + + #include "config.h" + #ifdef HAVE_VISIBILITY_HIDDEN +-# define __visible __attribute__((visibility("default"))) +-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible ++# define __EXPORT __attribute__((visibility("default"))) + #else +-# define EXPORT_SYMBOL ++# define __EXPORT + #endif + + #include <endian.h> +diff --git a/src/libnetfilter_acct.c b/src/libnetfilter_acct.c +index b0bcf67..0220d14 100644 +--- a/src/libnetfilter_acct.c ++++ b/src/libnetfilter_acct.c +@@ -76,21 +76,19 @@ struct nfacct { + * In case of success, this function returns a valid pointer, otherwise NULL + * s returned and errno is appropriately set. + */ +-struct nfacct *nfacct_alloc(void) ++struct nfacct __EXPORT *nfacct_alloc(void) + { + return calloc(1, sizeof(struct nfacct)); + } +-EXPORT_SYMBOL(nfacct_alloc); + + /** + * nfacct_free - release one accounting object + * \param nfacct pointer to the accounting object + */ +-void nfacct_free(struct nfacct *nfacct) ++void __EXPORT nfacct_free(struct nfacct *nfacct) + { + free(nfacct); + } +-EXPORT_SYMBOL(nfacct_free); + + /** + * nfacct_attr_set - set one attribute of the accounting object +@@ -98,7 +96,7 @@ EXPORT_SYMBOL(nfacct_free); + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-void ++void __EXPORT + nfacct_attr_set(struct nfacct *nfacct, enum nfacct_attr_type type, + const void *data) + { +@@ -126,7 +124,6 @@ nfacct_attr_set(struct nfacct *nfacct, enum nfacct_attr_type type, + break; + } + } +-EXPORT_SYMBOL(nfacct_attr_set); + + /** + * nfacct_attr_set_str - set one attribute the accounting object +@@ -134,13 +131,12 @@ EXPORT_SYMBOL(nfacct_attr_set); + * \param type attribute type you want to set + * \param name string that will be used to set this attribute + */ +-void ++void __EXPORT + nfacct_attr_set_str(struct nfacct *nfacct, enum nfacct_attr_type type, + const char *name) + { + nfacct_attr_set(nfacct, type, name); + } +-EXPORT_SYMBOL(nfacct_attr_set_str); + + /** + * nfacct_attr_set_u64 - set one attribute the accounting object +@@ -148,20 +144,19 @@ EXPORT_SYMBOL(nfacct_attr_set_str); + * \param type attribute type you want to set + * \param value unsigned 64-bits integer + */ +-void ++void __EXPORT + nfacct_attr_set_u64(struct nfacct *nfacct, enum nfacct_attr_type type, + uint64_t value) + { + nfacct_attr_set(nfacct, type, &value); + } +-EXPORT_SYMBOL(nfacct_attr_set_u64); + + /** + * nfacct_attr_unset - unset one attribute the accounting object + * \param nfacct pointer to the accounting object + * \param type attribute type you want to set + */ +-void ++void __EXPORT + nfacct_attr_unset(struct nfacct *nfacct, enum nfacct_attr_type type) + { + switch(type) { +@@ -182,7 +177,6 @@ nfacct_attr_unset(struct nfacct *nfacct, enum nfacct_attr_type type) + break; + } + } +-EXPORT_SYMBOL(nfacct_attr_unset); + + /** + * nfacct_attr_get - get one attribute the accounting object +@@ -192,7 +186,7 @@ EXPORT_SYMBOL(nfacct_attr_unset); + * This function returns a valid pointer to the attribute data. If a + * unsupported attribute is used, this returns NULL. + */ +-const void *nfacct_attr_get(struct nfacct *nfacct, enum nfacct_attr_type type) ++const void __EXPORT *nfacct_attr_get(struct nfacct *nfacct, enum nfacct_attr_type type) + { + const void *ret = NULL; + +@@ -220,7 +214,6 @@ const void *nfacct_attr_get(struct nfacct *nfacct, enum nfacct_attr_type type) + } + return ret; + } +-EXPORT_SYMBOL(nfacct_attr_get); + + /** + * nfacct_attr_get_str - get one attribute the accounting object +@@ -230,12 +223,11 @@ EXPORT_SYMBOL(nfacct_attr_get); + * This function returns a valid pointer to the beginning of the string. + * If the attribute is unsupported, this returns NULL. + */ +-const char * ++const char __EXPORT * + nfacct_attr_get_str(struct nfacct *nfacct, enum nfacct_attr_type type) + { + return nfacct_attr_get(nfacct, type); + } +-EXPORT_SYMBOL(nfacct_attr_get_str); + + /** + * nfacct_attr_get_u64 - get one attribute the accounting object +@@ -245,12 +237,11 @@ EXPORT_SYMBOL(nfacct_attr_get_str); + * This function returns a unsigned 64-bits integer. If the attribute is + * unsupported, this returns NULL. + */ +-uint64_t nfacct_attr_get_u64(struct nfacct *nfacct, enum nfacct_attr_type type) ++uint64_t __EXPORT nfacct_attr_get_u64(struct nfacct *nfacct, enum nfacct_attr_type type) + { + const void *ret = nfacct_attr_get(nfacct, type); + return ret ? *((uint64_t *)ret) : 0; + } +-EXPORT_SYMBOL(nfacct_attr_get_u64); + + static int + nfacct_snprintf_plain(char *buf, size_t rem, struct nfacct *nfacct, +@@ -424,8 +415,8 @@ err: + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int nfacct_snprintf(char *buf, size_t size, struct nfacct *nfacct, +- uint16_t type, uint16_t flags) ++int __EXPORT nfacct_snprintf(char *buf, size_t size, struct nfacct *nfacct, ++ uint16_t type, uint16_t flags) + { + int ret = 0; + +@@ -445,7 +436,6 @@ int nfacct_snprintf(char *buf, size_t size, struct nfacct *nfacct, + } + return ret; + } +-EXPORT_SYMBOL(nfacct_snprintf); + + /** + * @} +@@ -484,7 +474,7 @@ EXPORT_SYMBOL(nfacct_snprintf); + * - Command NFNL_MSG_ACCT_DEL, to delete one specific nfacct object (if + * unused, otherwise you hit EBUSY). + */ +-struct nlmsghdr * ++struct nlmsghdr __EXPORT * + nfacct_nlmsg_build_hdr(char *buf, uint8_t cmd, uint16_t flags, uint32_t seq) + { + struct nlmsghdr *nlh; +@@ -502,14 +492,13 @@ nfacct_nlmsg_build_hdr(char *buf, uint8_t cmd, uint16_t flags, uint32_t seq) + + return nlh; + } +-EXPORT_SYMBOL(nfacct_nlmsg_build_hdr); + + /** + * nfacct_nlmsg_build_payload - build payload from accounting object + * \param nlh: netlink message that you want to use to add the payload. + * \param nfacct: pointer to a accounting object + */ +-void nfacct_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfacct *nfacct) ++void __EXPORT nfacct_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfacct *nfacct) + { + if (nfacct->bitset & (1 << NFACCT_ATTR_NAME)) + mnl_attr_put_strz(nlh, NFACCT_NAME, nfacct->name); +@@ -526,7 +515,6 @@ void nfacct_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfacct *nfacct) + if (nfacct->bitset & (1 << NFACCT_ATTR_QUOTA)) + mnl_attr_put_u64(nlh, NFACCT_QUOTA, htobe64(nfacct->quota)); + } +-EXPORT_SYMBOL(nfacct_nlmsg_build_payload); + + static int nfacct_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -563,7 +551,7 @@ static int nfacct_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data) + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int ++int __EXPORT + nfacct_nlmsg_parse_payload(const struct nlmsghdr *nlh, struct nfacct *nfacct) + { + struct nlattr *tb[NFACCT_MAX+1] = {}; +@@ -589,7 +577,6 @@ nfacct_nlmsg_parse_payload(const struct nlmsghdr *nlh, struct nfacct *nfacct) + + return 0; + } +-EXPORT_SYMBOL(nfacct_nlmsg_parse_payload); + + /** + * @} +-- +2.12.2 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch new file mode 100644 index 000000000..946f1b71d --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch @@ -0,0 +1,1229 @@ +From 06562244ac4a1a61e1a2c6b219a517658f7349bf Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 10 Apr 2017 12:09:41 -0700 +Subject: [PATCH] Declare the define visivility attribute together + +clang ignores the visibility attribute if its not +defined before the definition. As a result these +symbols become hidden and consumers of this library +fail to link due to these missing symbols + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + doxygen.cfg.in | 2 +- + src/extra/ipv4.c | 15 +++---- + src/extra/ipv6.c | 9 ++-- + src/extra/pktbuff.c | 42 ++++++------------ + src/extra/tcp.c | 21 +++------ + src/extra/udp.c | 21 +++------ + src/internal.h | 5 +-- + src/libnetfilter_queue.c | 108 ++++++++++++++++------------------------------- + src/nlmsg.c | 21 +++------ + 9 files changed, 82 insertions(+), 162 deletions(-) + +diff --git a/doxygen.cfg.in b/doxygen.cfg.in +index a7378ca..659abee 100644 +--- a/doxygen.cfg.in ++++ b/doxygen.cfg.in +@@ -72,7 +72,7 @@ RECURSIVE = YES + EXCLUDE = + EXCLUDE_SYMLINKS = NO + EXCLUDE_PATTERNS = +-EXCLUDE_SYMBOLS = EXPORT_SYMBOL ++EXCLUDE_SYMBOLS = + EXAMPLE_PATH = + EXAMPLE_PATTERNS = + EXAMPLE_RECURSIVE = NO +diff --git a/src/extra/ipv4.c b/src/extra/ipv4.c +index a93d113..56d5dc7 100644 +--- a/src/extra/ipv4.c ++++ b/src/extra/ipv4.c +@@ -32,7 +32,7 @@ + * This funcion returns NULL if the IPv4 is malformed or the protocol version + * is not 4. On success, it returns a valid pointer to the IPv4 header. + */ +-struct iphdr *nfq_ip_get_hdr(struct pkt_buff *pktb) ++struct iphdr __EXPORTED *nfq_ip_get_hdr(struct pkt_buff *pktb) + { + struct iphdr *iph; + unsigned int pktlen = pktb->tail - pktb->network_header; +@@ -53,14 +53,13 @@ struct iphdr *nfq_ip_get_hdr(struct pkt_buff *pktb) + + return iph; + } +-EXPORT_SYMBOL(nfq_ip_get_hdr); + + /** + * nfq_ip_set_transport_header - set transport header + * \param pktb: pointer to network packet buffer + * \param iph: pointer to the IPv4 header + */ +-int nfq_ip_set_transport_header(struct pkt_buff *pktb, struct iphdr *iph) ++int __EXPORTED nfq_ip_set_transport_header(struct pkt_buff *pktb, struct iphdr *iph) + { + int doff = iph->ihl * 4; + +@@ -71,7 +70,6 @@ int nfq_ip_set_transport_header(struct pkt_buff *pktb, struct iphdr *iph) + pktb->transport_header = pktb->network_header + doff; + return 0; + } +-EXPORT_SYMBOL(nfq_ip_set_transport_header); + + /** + * nfq_ip_set_checksum - set IPv4 checksum +@@ -80,14 +78,13 @@ EXPORT_SYMBOL(nfq_ip_set_transport_header); + * \note Call to this function if you modified the IPv4 header to update the + * checksum. + */ +-void nfq_ip_set_checksum(struct iphdr *iph) ++void __EXPORTED nfq_ip_set_checksum(struct iphdr *iph) + { + uint32_t iph_len = iph->ihl * 4; + + iph->check = 0; + iph->check = nfq_checksum(0, (uint16_t *)iph, iph_len); + } +-EXPORT_SYMBOL(nfq_ip_set_checksum); + + /** + * nfq_ip_mangle - mangle IPv4 packet buffer +@@ -100,7 +97,7 @@ EXPORT_SYMBOL(nfq_ip_set_checksum); + * + * \note This function recalculates the IPv4 checksum (if needed). + */ +-int nfq_ip_mangle(struct pkt_buff *pkt, unsigned int dataoff, ++int __EXPORTED nfq_ip_mangle(struct pkt_buff *pkt, unsigned int dataoff, + unsigned int match_offset, unsigned int match_len, + const char *rep_buffer, unsigned int rep_len) + { +@@ -116,7 +113,6 @@ int nfq_ip_mangle(struct pkt_buff *pkt, unsigned int dataoff, + + return 1; + } +-EXPORT_SYMBOL(nfq_ip_mangle); + + /** + * nfq_pkt_snprintf_ip - print IPv4 header into buffer in iptables LOG format +@@ -128,7 +124,7 @@ EXPORT_SYMBOL(nfq_ip_mangle); + * case that there is enough room in the buffer. Read snprintf manpage for more + * information to know more about this strange behaviour. + */ +-int nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph) ++int __EXPORTED nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph) + { + int ret; + struct in_addr src = { iph->saddr }; +@@ -147,7 +143,6 @@ int nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph) + + return ret; + } +-EXPORT_SYMBOL(nfq_ip_snprintf); + + /** + * @} +diff --git a/src/extra/ipv6.c b/src/extra/ipv6.c +index 7c5dc9b..6641c6b 100644 +--- a/src/extra/ipv6.c ++++ b/src/extra/ipv6.c +@@ -33,7 +33,7 @@ + * This funcion returns NULL if an invalid header is found. On sucess, it + * returns a valid pointer to the header. + */ +-struct ip6_hdr *nfq_ip6_get_hdr(struct pkt_buff *pktb) ++struct ip6_hdr __EXPORTED *nfq_ip6_get_hdr(struct pkt_buff *pktb) + { + struct ip6_hdr *ip6h; + unsigned int pktlen = pktb->tail - pktb->network_header; +@@ -50,7 +50,6 @@ struct ip6_hdr *nfq_ip6_get_hdr(struct pkt_buff *pktb) + + return ip6h; + } +-EXPORT_SYMBOL(nfq_ip6_get_hdr); + + /** + * nfq_ip6_set_transport_header - set transport header pointer for IPv6 packet +@@ -61,7 +60,7 @@ EXPORT_SYMBOL(nfq_ip6_get_hdr); + * This function returns 1 if the protocol has been found and the transport + * header has been set. Otherwise, it returns 0. + */ +-int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h, ++int __EXPORTED nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h, + uint8_t target) + { + uint8_t nexthdr = ip6h->ip6_nxt; +@@ -115,7 +114,6 @@ int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h, + pktb->transport_header = cur; + return cur ? 1 : 0; + } +-EXPORT_SYMBOL(nfq_ip6_set_transport_header); + + /** + * nfq_ip6_snprintf - print IPv6 header into one buffer in iptables LOG format +@@ -124,7 +122,7 @@ EXPORT_SYMBOL(nfq_ip6_set_transport_header); + * \param ip6_hdr: pointer to a valid IPv6 header. + * + */ +-int nfq_ip6_snprintf(char *buf, size_t size, const struct ip6_hdr *ip6h) ++int __EXPORTED nfq_ip6_snprintf(char *buf, size_t size, const struct ip6_hdr *ip6h) + { + int ret; + char src[INET6_ADDRSTRLEN]; +@@ -143,7 +141,6 @@ int nfq_ip6_snprintf(char *buf, size_t size, const struct ip6_hdr *ip6h) + + return ret; + } +-EXPORT_SYMBOL(nfq_ip6_snprintf); + + /** + * @} +diff --git a/src/extra/pktbuff.c b/src/extra/pktbuff.c +index 1c15a00..54d8244 100644 +--- a/src/extra/pktbuff.c ++++ b/src/extra/pktbuff.c +@@ -40,7 +40,7 @@ + * + * \return a pointer to a new queue handle or NULL on failure. + */ +-struct pkt_buff * ++struct pkt_buff __EXPORTED * + pktb_alloc(int family, void *data, size_t len, size_t extra) + { + struct pkt_buff *pktb; +@@ -84,120 +84,108 @@ pktb_alloc(int family, void *data, size_t len, size_t extra) + } + return pktb; + } +-EXPORT_SYMBOL(pktb_alloc); + + /** + * pktb_data - return pointer to the beginning of the packet buffer + * \param pktb Pointer to packet buffer + */ +-uint8_t *pktb_data(struct pkt_buff *pktb) ++uint8_t __EXPORTED *pktb_data(struct pkt_buff *pktb) + { + return pktb->data; + } +-EXPORT_SYMBOL(pktb_data); + + /** + * pktb_len - return length of the packet buffer + * \param pktb Pointer to packet buffer + */ +-uint32_t pktb_len(struct pkt_buff *pktb) ++uint32_t __EXPORTED pktb_len(struct pkt_buff *pktb) + { + return pktb->len; + } +-EXPORT_SYMBOL(pktb_len); + + /** + * pktb_free - release packet buffer + * \param pktb Pointer to packet buffer + */ +-void pktb_free(struct pkt_buff *pktb) ++void __EXPORTED pktb_free(struct pkt_buff *pktb) + { + free(pktb); + } +-EXPORT_SYMBOL(pktb_free); + + /** + * pktb_push - update pointer to the beginning of the packet buffer + * \param pktb Pointer to packet buffer + */ +-void pktb_push(struct pkt_buff *pktb, unsigned int len) ++void __EXPORTED pktb_push(struct pkt_buff *pktb, unsigned int len) + { + pktb->data -= len; + pktb->len += len; + } +-EXPORT_SYMBOL(pktb_push); + + /** + * pktb_pull - update pointer to the beginning of the packet buffer + * \param pktb Pointer to packet buffer + */ +-void pktb_pull(struct pkt_buff *pktb, unsigned int len) ++void __EXPORTED pktb_pull(struct pkt_buff *pktb, unsigned int len) + { + pktb->data += len; + pktb->len -= len; + } +-EXPORT_SYMBOL(pktb_pull); + + /** + * pktb_put - add extra bytes to the tail of the packet buffer + * \param pktb Pointer to packet buffer + */ +-void pktb_put(struct pkt_buff *pktb, unsigned int len) ++void __EXPORTED pktb_put(struct pkt_buff *pktb, unsigned int len) + { + pktb->tail += len; + pktb->len += len; + } +-EXPORT_SYMBOL(pktb_put); + + /** + * pktb_trim - set new length for this packet buffer + * \param pktb Pointer to packet buffer + */ +-void pktb_trim(struct pkt_buff *pktb, unsigned int len) ++void __EXPORTED pktb_trim(struct pkt_buff *pktb, unsigned int len) + { + pktb->len = len; + } +-EXPORT_SYMBOL(pktb_trim); + + /** + * pktb_tailroom - get room in bytes in the tail of the packet buffer + * \param pktb Pointer to packet buffer + */ +-unsigned int pktb_tailroom(struct pkt_buff *pktb) ++unsigned int __EXPORTED pktb_tailroom(struct pkt_buff *pktb) + { + return pktb->data_len - pktb->len; + } +-EXPORT_SYMBOL(pktb_tailroom); + + /** + * pktb_mac_header - return pointer to layer 2 header (if any) + * \param pktb Pointer to packet buffer + */ +-uint8_t *pktb_mac_header(struct pkt_buff *pktb) ++uint8_t __EXPORTED *pktb_mac_header(struct pkt_buff *pktb) + { + return pktb->mac_header; + } +-EXPORT_SYMBOL(pktb_mac_header); + + /** + * pktb_network_header - return pointer to layer 3 header + * \param pktb Pointer to packet buffer + */ +-uint8_t *pktb_network_header(struct pkt_buff *pktb) ++uint8_t __EXPORTED *pktb_network_header(struct pkt_buff *pktb) + { + return pktb->network_header; + } +-EXPORT_SYMBOL(pktb_network_header); + + /** + * pktb_transport_header - return pointer to layer 4 header (if any) + * \param pktb Pointer to packet buffer + */ +-uint8_t *pktb_transport_header(struct pkt_buff *pktb) ++uint8_t __EXPORTED *pktb_transport_header(struct pkt_buff *pktb) + { + return pktb->transport_header; + } +-EXPORT_SYMBOL(pktb_transport_header); + + static int pktb_expand_tail(struct pkt_buff *pkt, int extra) + { +@@ -224,7 +212,7 @@ static int enlarge_pkt(struct pkt_buff *pkt, unsigned int extra) + return 1; + } + +-int pktb_mangle(struct pkt_buff *pkt, ++int __EXPORTED pktb_mangle(struct pkt_buff *pkt, + unsigned int dataoff, + unsigned int match_offset, + unsigned int match_len, +@@ -258,17 +246,15 @@ int pktb_mangle(struct pkt_buff *pkt, + pkt->mangled = true; + return 1; + } +-EXPORT_SYMBOL(pktb_mangle); + + /** + * pktb_mangled - return true if packet has been mangled + * \param pktb Pointer to packet buffer + */ +-bool pktb_mangled(const struct pkt_buff *pkt) ++bool __EXPORTED pktb_mangled(const struct pkt_buff *pkt) + { + return pkt->mangled; + } +-EXPORT_SYMBOL(pktb_mangled); + + /** + * @} +diff --git a/src/extra/tcp.c b/src/extra/tcp.c +index d1cd79d..8038ce5 100644 +--- a/src/extra/tcp.c ++++ b/src/extra/tcp.c +@@ -40,7 +40,7 @@ + * \note You have to call nfq_ip_set_transport_header or + * nfq_ip6_set_transport_header first to access the TCP header. + */ +-struct tcphdr *nfq_tcp_get_hdr(struct pkt_buff *pktb) ++struct tcphdr __EXPORTED *nfq_tcp_get_hdr(struct pkt_buff *pktb) + { + if (pktb->transport_header == NULL) + return NULL; +@@ -51,14 +51,13 @@ struct tcphdr *nfq_tcp_get_hdr(struct pkt_buff *pktb) + + return (struct tcphdr *)pktb->transport_header; + } +-EXPORT_SYMBOL(nfq_tcp_get_hdr); + + /** + * nfq_tcp_get_payload - get the TCP packet payload + * \param tcph: pointer to the TCP header + * \param pktb: pointer to user-space network packet buffer + */ +-void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb) ++void __EXPORTED *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb) + { + unsigned int len = tcph->doff * 4; + +@@ -72,47 +71,43 @@ void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb) + + return pktb->transport_header + len; + } +-EXPORT_SYMBOL(nfq_tcp_get_payload); + + /** + * nfq_tcp_get_payload_len - get the tcp packet payload + * \param tcph: pointer to the TCP header + * \param pktb: pointer to user-space network packet buffer + */ +-unsigned int ++unsigned int __EXPORTED + nfq_tcp_get_payload_len(struct tcphdr *tcph, struct pkt_buff *pktb) + { + return pktb->tail - pktb->transport_header; + } +-EXPORT_SYMBOL(nfq_tcp_get_payload_len); + + /** + * nfq_tcp_set_checksum_ipv4 - computes IPv4/TCP packet checksum + * \param tcph: pointer to the TCP header + * \param iph: pointer to the IPv4 header + */ +-void ++void __EXPORTED + nfq_tcp_compute_checksum_ipv4(struct tcphdr *tcph, struct iphdr *iph) + { + /* checksum field in header needs to be zero for calculation. */ + tcph->check = 0; + tcph->check = nfq_checksum_tcpudp_ipv4(iph); + } +-EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv4); + + /** + * nfq_tcp_set_checksum_ipv6 - computes IPv6/TCP packet checksum + * \param tcph: pointer to the TCP header + * \param iph: pointer to the IPv6 header + */ +-void ++void __EXPORTED + nfq_tcp_compute_checksum_ipv6(struct tcphdr *tcph, struct ip6_hdr *ip6h) + { + /* checksum field in header needs to be zero for calculation. */ + tcph->check = 0; + tcph->check = nfq_checksum_tcpudp_ipv6(ip6h, tcph); + } +-EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv6); + + /* + * The union cast uses a gcc extension to avoid aliasing problems +@@ -134,7 +129,7 @@ union tcp_word_hdr { + * \param tcp: pointer to a valid tcp header. + * + */ +-int nfq_tcp_snprintf(char *buf, size_t size, const struct tcphdr *tcph) ++int __EXPORTED nfq_tcp_snprintf(char *buf, size_t size, const struct tcphdr *tcph) + { + int ret, len = 0; + +@@ -177,7 +172,6 @@ int nfq_tcp_snprintf(char *buf, size_t size, const struct tcphdr *tcph) + + return ret; + } +-EXPORT_SYMBOL(nfq_tcp_snprintf); + + /** + * nfq_tcp_mangle_ipv4 - mangle TCP/IPv4 packet buffer +@@ -189,7 +183,7 @@ EXPORT_SYMBOL(nfq_tcp_snprintf); + * + * \note This function recalculates the IPv4 and TCP checksums for you. + */ +-int ++int __EXPORTED + nfq_tcp_mangle_ipv4(struct pkt_buff *pkt, + unsigned int match_offset, unsigned int match_len, + const char *rep_buffer, unsigned int rep_len) +@@ -208,7 +202,6 @@ nfq_tcp_mangle_ipv4(struct pkt_buff *pkt, + + return 1; + } +-EXPORT_SYMBOL(nfq_tcp_mangle_ipv4); + + /** + * @} +diff --git a/src/extra/udp.c b/src/extra/udp.c +index 8c44a66..99c8faa 100644 +--- a/src/extra/udp.c ++++ b/src/extra/udp.c +@@ -37,7 +37,7 @@ + * This function returns NULL if invalid UDP header is found. On success, + * it returns the UDP header. + */ +-struct udphdr *nfq_udp_get_hdr(struct pkt_buff *pktb) ++struct udphdr __EXPORTED *nfq_udp_get_hdr(struct pkt_buff *pktb) + { + if (pktb->transport_header == NULL) + return NULL; +@@ -48,14 +48,13 @@ struct udphdr *nfq_udp_get_hdr(struct pkt_buff *pktb) + + return (struct udphdr *)pktb->transport_header; + } +-EXPORT_SYMBOL(nfq_udp_get_hdr); + + /** + * nfq_udp_get_payload - get the UDP packet payload. + * \param udph: the pointer to the UDP header. + * \param tail: pointer to the tail of the packet + */ +-void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb) ++void __EXPORTED *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb) + { + uint16_t len = ntohs(udph->len); + +@@ -69,17 +68,15 @@ void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb) + + return pktb->transport_header + sizeof(struct udphdr); + } +-EXPORT_SYMBOL(nfq_udp_get_payload); + + /** + * nfq_udp_get_payload_len - get the udp packet payload. + * \param udp: the pointer to the udp header. + */ +-unsigned int nfq_udp_get_payload_len(struct udphdr *udph, struct pkt_buff *pktb) ++unsigned int __EXPORTED nfq_udp_get_payload_len(struct udphdr *udph, struct pkt_buff *pktb) + { + return pktb->tail - pktb->transport_header; + } +-EXPORT_SYMBOL(nfq_udp_get_payload_len); + + /** + * nfq_udp_set_checksum_ipv4 - computes a IPv4/TCP packet's segment +@@ -91,14 +88,13 @@ EXPORT_SYMBOL(nfq_udp_get_payload_len); + * \see nfq_pkt_compute_ip_checksum + * \see nfq_pkt_compute_udp_checksum + */ +-void ++void __EXPORTED + nfq_udp_compute_checksum_ipv4(struct udphdr *udph, struct iphdr *iph) + { + /* checksum field in header needs to be zero for calculation. */ + udph->check = 0; + udph->check = nfq_checksum_tcpudp_ipv4(iph); + } +-EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv4); + + /** + * nfq_udp_set_checksum_ipv6 - computes a IPv6/TCP packet's segment +@@ -110,14 +106,13 @@ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv4); + * \see nfq_pkt_compute_ip_checksum + * \see nfq_pkt_compute_udp_checksum + */ +-void ++void __EXPORTED + nfq_udp_compute_checksum_ipv6(struct udphdr *udph, struct ip6_hdr *ip6h) + { + /* checksum field in header needs to be zero for calculation. */ + udph->check = 0; + udph->check = nfq_checksum_tcpudp_ipv6(ip6h, udph); + } +-EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv6); + + /** + * nfq_tcp_mangle_ipv4 - mangle TCP/IPv4 packet buffer +@@ -129,7 +124,7 @@ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv6); + * + * \note This function recalculates the IPv4 and TCP checksums for you. + */ +-int ++int __EXPORTED + nfq_udp_mangle_ipv4(struct pkt_buff *pkt, + unsigned int match_offset, unsigned int match_len, + const char *rep_buffer, unsigned int rep_len) +@@ -148,7 +143,6 @@ nfq_udp_mangle_ipv4(struct pkt_buff *pkt, + + return 1; + } +-EXPORT_SYMBOL(nfq_udp_mangle_ipv4); + + /** + * nfq_pkt_snprintf_udp_hdr - print udp header into one buffer in a humnan +@@ -158,12 +152,11 @@ EXPORT_SYMBOL(nfq_udp_mangle_ipv4); + * \param udp: pointer to a valid udp header. + * + */ +-int nfq_udp_snprintf(char *buf, size_t size, const struct udphdr *udph) ++int __EXPORTED nfq_udp_snprintf(char *buf, size_t size, const struct udphdr *udph) + { + return snprintf(buf, size, "SPT=%u DPT=%u ", + htons(udph->source), htons(udph->dest)); + } +-EXPORT_SYMBOL(nfq_udp_snprintf); + + /** + * @} +diff --git a/src/internal.h b/src/internal.h +index 558d267..79b0752 100644 +--- a/src/internal.h ++++ b/src/internal.h +@@ -5,10 +5,9 @@ + #include <stdint.h> + #include <stdbool.h> + #ifdef HAVE_VISIBILITY_HIDDEN +-# define __visible __attribute__((visibility("default"))) +-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible ++# define __EXPORTED __attribute__((visibility("default"))) + #else +-# define EXPORT_SYMBOL ++# define __EXPORTED + #endif + + struct iphdr; +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 065d618..ab0b66b 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -133,8 +133,7 @@ struct nfq_data { + struct nfattr **data; + }; + +-int nfq_errno; +-EXPORT_SYMBOL(nfq_errno); ++int __EXPORTED nfq_errno; + + /*********************************************************************** + * low level stuff +@@ -218,11 +217,10 @@ static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[], + + /* public interface */ + +-struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h) ++struct nfnl_handle __EXPORTED *nfq_nfnlh(struct nfq_handle *h) + { + return h->nfnlh; + } +-EXPORT_SYMBOL(nfq_nfnlh); + + /** + * +@@ -294,11 +292,10 @@ EXPORT_SYMBOL(nfq_nfnlh); + * over the netlink connection associated with the given queue connection + * handle. + */ +-int nfq_fd(struct nfq_handle *h) ++int __EXPORTED nfq_fd(struct nfq_handle *h) + { + return nfnl_fd(nfq_nfnlh(h)); + } +-EXPORT_SYMBOL(nfq_fd); + /** + * @} + */ +@@ -349,7 +346,7 @@ EXPORT_SYMBOL(nfq_fd); + * + * \return a pointer to a new queue handle or NULL on failure. + */ +-struct nfq_handle *nfq_open(void) ++struct nfq_handle __EXPORTED *nfq_open(void) + { + struct nfnl_handle *nfnlh = nfnl_open(); + struct nfq_handle *qh; +@@ -366,7 +363,6 @@ struct nfq_handle *nfq_open(void) + + return qh; + } +-EXPORT_SYMBOL(nfq_open); + + /** + * @} +@@ -382,7 +378,7 @@ EXPORT_SYMBOL(nfq_open); + * + * \return a pointer to a new queue handle or NULL on failure. + */ +-struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh) ++struct nfq_handle __EXPORTED *nfq_open_nfnl(struct nfnl_handle *nfnlh) + { + struct nfnl_callback pkt_cb = { + .call = __nfq_rcv_pkt, +@@ -419,7 +415,6 @@ out_free: + free(h); + return NULL; + } +-EXPORT_SYMBOL(nfq_open_nfnl); + + /** + * \addtogroup LibrarySetup +@@ -438,7 +433,7 @@ EXPORT_SYMBOL(nfq_open_nfnl); + * + * \return 0 on success, non-zero on failure. + */ +-int nfq_close(struct nfq_handle *h) ++int __EXPORTED nfq_close(struct nfq_handle *h) + { + int ret; + +@@ -447,7 +442,6 @@ int nfq_close(struct nfq_handle *h) + free(h); + return ret; + } +-EXPORT_SYMBOL(nfq_close); + + /** + * nfq_bind_pf - bind a nfqueue handler to a given protocol family +@@ -460,11 +454,10 @@ EXPORT_SYMBOL(nfq_close); + * + * \return integer inferior to 0 in case of failure + */ +-int nfq_bind_pf(struct nfq_handle *h, uint16_t pf) ++int __EXPORTED nfq_bind_pf(struct nfq_handle *h, uint16_t pf) + { + return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf); + } +-EXPORT_SYMBOL(nfq_bind_pf); + + /** + * nfq_unbind_pf - unbind nfqueue handler from a protocol family +@@ -476,11 +469,10 @@ EXPORT_SYMBOL(nfq_bind_pf); + * + * This call is obsolete, Linux kernels from 3.8 onwards ignore it. + */ +-int nfq_unbind_pf(struct nfq_handle *h, uint16_t pf) ++int __EXPORTED nfq_unbind_pf(struct nfq_handle *h, uint16_t pf) + { + return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf); + } +-EXPORT_SYMBOL(nfq_unbind_pf); + + + /** +@@ -524,7 +516,7 @@ typedef int nfq_callback(struct nfq_q_handle *qh, + * The callback should return < 0 to stop processing. + */ + +-struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h, ++struct nfq_q_handle __EXPORTED *nfq_create_queue(struct nfq_handle *h, + uint16_t num, + nfq_callback *cb, + void *data) +@@ -555,7 +547,6 @@ struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h, + add_qh(qh); + return qh; + } +-EXPORT_SYMBOL(nfq_create_queue); + + /** + * @} +@@ -573,7 +564,7 @@ EXPORT_SYMBOL(nfq_create_queue); + * Removes the binding for the specified queue handle. This call also unbind + * from the nfqueue handler, so you don't have to call nfq_unbind_pf. + */ +-int nfq_destroy_queue(struct nfq_q_handle *qh) ++int __EXPORTED nfq_destroy_queue(struct nfq_q_handle *qh) + { + int ret = __build_send_cfg_msg(qh->h, NFQNL_CFG_CMD_UNBIND, qh->id, 0); + if (ret == 0) { +@@ -583,7 +574,6 @@ int nfq_destroy_queue(struct nfq_q_handle *qh) + + return ret; + } +-EXPORT_SYMBOL(nfq_destroy_queue); + + /** + * nfq_handle_packet - handle a packet received from the nfqueue subsystem +@@ -597,11 +587,10 @@ EXPORT_SYMBOL(nfq_destroy_queue); + * + * \return 0 on success, non-zero on failure. + */ +-int nfq_handle_packet(struct nfq_handle *h, char *buf, int len) ++int __EXPORTED nfq_handle_packet(struct nfq_handle *h, char *buf, int len) + { + return nfnl_handle_packet(h->nfnlh, buf, len); + } +-EXPORT_SYMBOL(nfq_handle_packet); + + /** + * nfq_set_mode - set the amount of packet data that nfqueue copies to userspace +@@ -618,7 +607,7 @@ EXPORT_SYMBOL(nfq_handle_packet); + * + * \return -1 on error; >=0 otherwise. + */ +-int nfq_set_mode(struct nfq_q_handle *qh, ++int __EXPORTED nfq_set_mode(struct nfq_q_handle *qh, + uint8_t mode, uint32_t range) + { + union { +@@ -638,7 +627,6 @@ int nfq_set_mode(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } +-EXPORT_SYMBOL(nfq_set_mode); + + /** + * nfq_set_queue_flags - set flags (options) for the kernel queue +@@ -690,7 +678,7 @@ EXPORT_SYMBOL(nfq_set_mode); + * + * \return -1 on error with errno set appropriately; =0 otherwise. + */ +-int nfq_set_queue_flags(struct nfq_q_handle *qh, ++int __EXPORTED nfq_set_queue_flags(struct nfq_q_handle *qh, + uint32_t mask, uint32_t flags) + { + union { +@@ -711,7 +699,6 @@ int nfq_set_queue_flags(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } +-EXPORT_SYMBOL(nfq_set_queue_flags); + + /** + * nfq_set_queue_maxlen - Set kernel queue maximum length parameter +@@ -724,7 +711,7 @@ EXPORT_SYMBOL(nfq_set_queue_flags); + * + * \return -1 on error; >=0 otherwise. + */ +-int nfq_set_queue_maxlen(struct nfq_q_handle *qh, ++int __EXPORTED nfq_set_queue_maxlen(struct nfq_q_handle *qh, + uint32_t queuelen) + { + union { +@@ -742,7 +729,6 @@ int nfq_set_queue_maxlen(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } +-EXPORT_SYMBOL(nfq_set_queue_maxlen); + + /** + * @} +@@ -829,14 +815,13 @@ static int __set_verdict(struct nfq_q_handle *qh, uint32_t id, + * + * \return -1 on error; >= 0 otherwise. + */ +-int nfq_set_verdict(struct nfq_q_handle *qh, uint32_t id, ++int __EXPORTED nfq_set_verdict(struct nfq_q_handle *qh, uint32_t id, + uint32_t verdict, uint32_t data_len, + const unsigned char *buf) + { + return __set_verdict(qh, id, verdict, 0, 0, data_len, buf, + NFQNL_MSG_VERDICT); + } +-EXPORT_SYMBOL(nfq_set_verdict); + + /** + * nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark. +@@ -847,14 +832,13 @@ EXPORT_SYMBOL(nfq_set_verdict); + * \param data_len number of bytes of data pointed to by #buf + * \param buf the buffer that contains the packet data + */ +-int nfq_set_verdict2(struct nfq_q_handle *qh, uint32_t id, ++int __EXPORTED nfq_set_verdict2(struct nfq_q_handle *qh, uint32_t id, + uint32_t verdict, uint32_t mark, + uint32_t data_len, const unsigned char *buf) + { + return __set_verdict(qh, id, verdict, htonl(mark), 1, data_len, + buf, NFQNL_MSG_VERDICT); + } +-EXPORT_SYMBOL(nfq_set_verdict2); + + /** + * nfq_set_verdict_batch - issue verdicts on several packets at once +@@ -868,13 +852,12 @@ EXPORT_SYMBOL(nfq_set_verdict2); + * batch support was added in Linux 3.1. + * These functions will fail silently on older kernels. + */ +-int nfq_set_verdict_batch(struct nfq_q_handle *qh, uint32_t id, ++int __EXPORTED nfq_set_verdict_batch(struct nfq_q_handle *qh, uint32_t id, + uint32_t verdict) + { + return __set_verdict(qh, id, verdict, 0, 0, 0, NULL, + NFQNL_MSG_VERDICT_BATCH); + } +-EXPORT_SYMBOL(nfq_set_verdict_batch); + + /** + * nfq_set_verdict_batch2 - like nfq_set_verdict_batch, but you can set a mark. +@@ -883,13 +866,12 @@ EXPORT_SYMBOL(nfq_set_verdict_batch); + * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP) + * \param mark mark to put on packet + */ +-int nfq_set_verdict_batch2(struct nfq_q_handle *qh, uint32_t id, ++int __EXPORTED nfq_set_verdict_batch2(struct nfq_q_handle *qh, uint32_t id, + uint32_t verdict, uint32_t mark) + { + return __set_verdict(qh, id, verdict, htonl(mark), 1, 0, + NULL, NFQNL_MSG_VERDICT_BATCH); + } +-EXPORT_SYMBOL(nfq_set_verdict_batch2); + + /** + * nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark. +@@ -905,14 +887,13 @@ EXPORT_SYMBOL(nfq_set_verdict_batch2); + * This function is deprecated since it is broken, its use is highly + * discouraged. Please, use nfq_set_verdict2 instead. + */ +-int nfq_set_verdict_mark(struct nfq_q_handle *qh, uint32_t id, ++int __EXPORTED nfq_set_verdict_mark(struct nfq_q_handle *qh, uint32_t id, + uint32_t verdict, uint32_t mark, + uint32_t data_len, const unsigned char *buf) + { + return __set_verdict(qh, id, verdict, mark, 1, data_len, buf, + NFQNL_MSG_VERDICT); + } +-EXPORT_SYMBOL(nfq_set_verdict_mark); + + /** + * @} +@@ -947,12 +928,11 @@ EXPORT_SYMBOL(nfq_set_verdict_mark); + } __attribute__ ((packed)); + \endverbatim + */ +-struct nfqnl_msg_packet_hdr *nfq_get_msg_packet_hdr(struct nfq_data *nfad) ++struct nfqnl_msg_packet_hdr __EXPORTED *nfq_get_msg_packet_hdr(struct nfq_data *nfad) + { + return nfnl_get_pointer_to_data(nfad->data, NFQA_PACKET_HDR, + struct nfqnl_msg_packet_hdr); + } +-EXPORT_SYMBOL(nfq_get_msg_packet_hdr); + + /** + * nfq_get_nfmark - get the packet mark +@@ -960,11 +940,10 @@ EXPORT_SYMBOL(nfq_get_msg_packet_hdr); + * + * \return the netfilter mark currently assigned to the given queued packet. + */ +-uint32_t nfq_get_nfmark(struct nfq_data *nfad) ++uint32_t __EXPORTED nfq_get_nfmark(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, uint32_t)); + } +-EXPORT_SYMBOL(nfq_get_nfmark); + + /** + * nfq_get_timestamp - get the packet timestamp +@@ -975,7 +954,7 @@ EXPORT_SYMBOL(nfq_get_nfmark); + * + * \return 0 on success, non-zero on failure. + */ +-int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv) ++int __EXPORTED nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv) + { + struct nfqnl_msg_packet_timestamp *qpt; + qpt = nfnl_get_pointer_to_data(nfad->data, NFQA_TIMESTAMP, +@@ -988,7 +967,6 @@ int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv) + + return 0; + } +-EXPORT_SYMBOL(nfq_get_timestamp); + + /** + * nfq_get_indev - get the interface that the packet was received through +@@ -1001,11 +979,10 @@ EXPORT_SYMBOL(nfq_get_timestamp); + * \warning all nfq_get_dev() functions return 0 if not set, since linux + * only allows ifindex >= 1, see net/core/dev.c:2600 (in 2.6.13.1) + */ +-uint32_t nfq_get_indev(struct nfq_data *nfad) ++uint32_t __EXPORTED nfq_get_indev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_INDEV, uint32_t)); + } +-EXPORT_SYMBOL(nfq_get_indev); + + /** + * nfq_get_physindev - get the physical interface that the packet was received +@@ -1015,11 +992,10 @@ EXPORT_SYMBOL(nfq_get_indev); + * If the returned index is 0, the packet was locally generated or the + * physical input interface is no longer known (ie. POSTROUTING?). + */ +-uint32_t nfq_get_physindev(struct nfq_data *nfad) ++uint32_t __EXPORTED nfq_get_physindev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSINDEV, uint32_t)); + } +-EXPORT_SYMBOL(nfq_get_physindev); + + /** + * nfq_get_outdev - gets the interface that the packet will be routed out +@@ -1029,11 +1005,10 @@ EXPORT_SYMBOL(nfq_get_physindev); + * returned index is 0, the packet is destined for localhost or the output + * interface is not yet known (ie. PREROUTING?). + */ +-uint32_t nfq_get_outdev(struct nfq_data *nfad) ++uint32_t __EXPORTED nfq_get_outdev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_OUTDEV, uint32_t)); + } +-EXPORT_SYMBOL(nfq_get_outdev); + + /** + * nfq_get_physoutdev - get the physical interface that the packet output +@@ -1045,11 +1020,10 @@ EXPORT_SYMBOL(nfq_get_outdev); + * + * \return The index of physical interface that the packet output will be routed out. + */ +-uint32_t nfq_get_physoutdev(struct nfq_data *nfad) ++uint32_t __EXPORTED nfq_get_physoutdev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSOUTDEV, uint32_t)); + } +-EXPORT_SYMBOL(nfq_get_physoutdev); + + /** + * nfq_get_indev_name - get the name of the interface the packet +@@ -1089,13 +1063,12 @@ EXPORT_SYMBOL(nfq_get_physoutdev); + \endverbatim + * + */ +-int nfq_get_indev_name(struct nlif_handle *nlif_handle, ++int __EXPORTED nfq_get_indev_name(struct nlif_handle *nlif_handle, + struct nfq_data *nfad, char *name) + { + uint32_t ifindex = nfq_get_indev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } +-EXPORT_SYMBOL(nfq_get_indev_name); + + /** + * nfq_get_physindev_name - get the name of the physical interface the +@@ -1109,13 +1082,12 @@ EXPORT_SYMBOL(nfq_get_indev_name); + * + * \return -1 in case of error, > 0 if it succeed. + */ +-int nfq_get_physindev_name(struct nlif_handle *nlif_handle, ++int __EXPORTED nfq_get_physindev_name(struct nlif_handle *nlif_handle, + struct nfq_data *nfad, char *name) + { + uint32_t ifindex = nfq_get_physindev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } +-EXPORT_SYMBOL(nfq_get_physindev_name); + + /** + * nfq_get_outdev_name - get the name of the physical interface the +@@ -1129,13 +1101,12 @@ EXPORT_SYMBOL(nfq_get_physindev_name); + * + * \return -1 in case of error, > 0 if it succeed. + */ +-int nfq_get_outdev_name(struct nlif_handle *nlif_handle, ++int __EXPORTED nfq_get_outdev_name(struct nlif_handle *nlif_handle, + struct nfq_data *nfad, char *name) + { + uint32_t ifindex = nfq_get_outdev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } +-EXPORT_SYMBOL(nfq_get_outdev_name); + + /** + * nfq_get_physoutdev_name - get the name of the interface the +@@ -1150,13 +1121,12 @@ EXPORT_SYMBOL(nfq_get_outdev_name); + * \return -1 in case of error, > 0 if it succeed. + */ + +-int nfq_get_physoutdev_name(struct nlif_handle *nlif_handle, ++int __EXPORTED nfq_get_physoutdev_name(struct nlif_handle *nlif_handle, + struct nfq_data *nfad, char *name) + { + uint32_t ifindex = nfq_get_physoutdev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } +-EXPORT_SYMBOL(nfq_get_physoutdev_name); + + /** + * nfq_get_packet_hw +@@ -1180,12 +1150,11 @@ EXPORT_SYMBOL(nfq_get_physoutdev_name); + } __attribute__ ((packed)); + \endverbatim + */ +-struct nfqnl_msg_packet_hw *nfq_get_packet_hw(struct nfq_data *nfad) ++struct nfqnl_msg_packet_hw __EXPORTED *nfq_get_packet_hw(struct nfq_data *nfad) + { + return nfnl_get_pointer_to_data(nfad->data, NFQA_HWADDR, + struct nfqnl_msg_packet_hw); + } +-EXPORT_SYMBOL(nfq_get_packet_hw); + + /** + * nfq_get_uid - get the UID of the user the packet belongs to +@@ -1193,7 +1162,7 @@ EXPORT_SYMBOL(nfq_get_packet_hw); + * + * \return 1 if there is a UID available, 0 otherwise. + */ +-int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid) ++int __EXPORTED nfq_get_uid(struct nfq_data *nfad, uint32_t *uid) + { + if (!nfnl_attr_present(nfad->data, NFQA_UID)) + return 0; +@@ -1201,7 +1170,6 @@ int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid) + *uid = ntohl(nfnl_get_data(nfad->data, NFQA_UID, uint32_t)); + return 1; + } +-EXPORT_SYMBOL(nfq_get_uid); + + /** + * nfq_get_gid - get the GID of the user the packet belongs to +@@ -1209,7 +1177,7 @@ EXPORT_SYMBOL(nfq_get_uid); + * + * \return 1 if there is a GID available, 0 otherwise. + */ +-int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid) ++int __EXPORTED nfq_get_gid(struct nfq_data *nfad, uint32_t *gid) + { + if (!nfnl_attr_present(nfad->data, NFQA_GID)) + return 0; +@@ -1217,7 +1185,6 @@ int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid) + *gid = ntohl(nfnl_get_data(nfad->data, NFQA_GID, uint32_t)); + return 1; + } +-EXPORT_SYMBOL(nfq_get_gid); + + + /** +@@ -1227,7 +1194,7 @@ EXPORT_SYMBOL(nfq_get_gid); + * + * \return -1 on error, otherwise > 0 + */ +-int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata) ++int __EXPORTED nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata) + { + if (!nfnl_attr_present(nfad->data, NFQA_SECCTX)) + return -1; +@@ -1240,7 +1207,6 @@ int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata) + + return 0; + } +-EXPORT_SYMBOL(nfq_get_secctx); + + /** + * nfq_get_payload - get payload +@@ -1253,7 +1219,7 @@ EXPORT_SYMBOL(nfq_get_secctx); + * + * \return -1 on error, otherwise > 0. + */ +-int nfq_get_payload(struct nfq_data *nfad, unsigned char **data) ++int __EXPORTED nfq_get_payload(struct nfq_data *nfad, unsigned char **data) + { + *data = (unsigned char *) + nfnl_get_pointer_to_data(nfad->data, NFQA_PAYLOAD, char); +@@ -1262,7 +1228,6 @@ int nfq_get_payload(struct nfq_data *nfad, unsigned char **data) + + return -1; + } +-EXPORT_SYMBOL(nfq_get_payload); + + /** + * @} +@@ -1307,7 +1272,7 @@ do { \ + * would have been printed into the buffer (in case that there is enough + * room in it). See snprintf() return value for more information. + */ +-int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) ++int __EXPORTED nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) + { + struct nfqnl_msg_packet_hdr *ph; + struct nfqnl_msg_packet_hw *hwph; +@@ -1460,7 +1425,6 @@ int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) + + return len; + } +-EXPORT_SYMBOL(nfq_snprintf_xml); + + /** + * @} +diff --git a/src/nlmsg.c b/src/nlmsg.c +index ba28c77..5582407 100644 +--- a/src/nlmsg.c ++++ b/src/nlmsg.c +@@ -30,7 +30,7 @@ + * @{ + */ + +-void nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict) ++void __EXPORTED nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict) + { + struct nfqnl_msg_verdict_hdr vh = { + .verdict = htonl(verdict), +@@ -38,20 +38,17 @@ void nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict) + }; + mnl_attr_put(nlh, NFQA_VERDICT_HDR, sizeof(vh), &vh); + } +-EXPORT_SYMBOL(nfq_nlmsg_verdict_put); + +-void nfq_nlmsg_verdict_put_mark(struct nlmsghdr *nlh, uint32_t mark) ++void __EXPORTED nfq_nlmsg_verdict_put_mark(struct nlmsghdr *nlh, uint32_t mark) + { + mnl_attr_put_u32(nlh, NFQA_MARK, htonl(mark)); + } +-EXPORT_SYMBOL(nfq_nlmsg_verdict_put_mark); + +-void ++void __EXPORTED + nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt, uint32_t plen) + { + mnl_attr_put(nlh, NFQA_PAYLOAD, plen, pkt); + } +-EXPORT_SYMBOL(nfq_nlmsg_verdict_put_pkt); + + /** + * @} +@@ -85,7 +82,7 @@ EXPORT_SYMBOL(nfq_nlmsg_verdict_put_pkt); + * given protocol family. Both commands are ignored by Linux kernel 3.8 and + * later versions. + */ +-void nfq_nlmsg_cfg_put_cmd(struct nlmsghdr *nlh, uint16_t pf, uint8_t cmd) ++void __EXPORTED nfq_nlmsg_cfg_put_cmd(struct nlmsghdr *nlh, uint16_t pf, uint8_t cmd) + { + struct nfqnl_msg_config_cmd command = { + .command = cmd, +@@ -93,9 +90,8 @@ void nfq_nlmsg_cfg_put_cmd(struct nlmsghdr *nlh, uint16_t pf, uint8_t cmd) + }; + mnl_attr_put(nlh, NFQA_CFG_CMD, sizeof(command), &command); + } +-EXPORT_SYMBOL(nfq_nlmsg_cfg_put_cmd); + +-void nfq_nlmsg_cfg_put_params(struct nlmsghdr *nlh, uint8_t mode, int range) ++void __EXPORTED nfq_nlmsg_cfg_put_params(struct nlmsghdr *nlh, uint8_t mode, int range) + { + struct nfqnl_msg_config_params params = { + .copy_range = htonl(range), +@@ -103,13 +99,11 @@ void nfq_nlmsg_cfg_put_params(struct nlmsghdr *nlh, uint8_t mode, int range) + }; + mnl_attr_put(nlh, NFQA_CFG_PARAMS, sizeof(params), ¶ms); + } +-EXPORT_SYMBOL(nfq_nlmsg_cfg_put_params); + +-void nfq_nlmsg_cfg_put_qmaxlen(struct nlmsghdr *nlh, uint32_t queue_maxlen) ++void __EXPORTED nfq_nlmsg_cfg_put_qmaxlen(struct nlmsghdr *nlh, uint32_t queue_maxlen) + { + mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(queue_maxlen)); + } +-EXPORT_SYMBOL(nfq_nlmsg_cfg_put_qmaxlen); + + /** + * @} +@@ -179,12 +173,11 @@ static int nfq_pkt_parse_attr_cb(const struct nlattr *attr, void *data) + * This function returns MNL_CB_ERROR if any error occurs, or MNL_CB_OK on + * success. + */ +-int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr) ++int __EXPORTED nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr) + { + return mnl_attr_parse(nlh, sizeof(struct nfgenmsg), + nfq_pkt_parse_attr_cb, attr); + } +-EXPORT_SYMBOL(nfq_nlmsg_parse); + + /** + * @} +-- +2.12.2 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cthelper-visibility-hidden.patch b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cthelper-visibility-hidden.patch new file mode 100644 index 000000000..e717d5b0e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cthelper-visibility-hidden.patch @@ -0,0 +1,382 @@ +From f58c5b09fb59baf07c942d373fc4d522b27e73c6 Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee <cernekee@chromium.org> +Date: Wed, 4 Jan 2017 14:30:26 -0800 +Subject: Use __EXPORTED rather than EXPORT_SYMBOL + +clang is sensitive to the ordering of +__attribute__((visibility("default"))) relative to the function +body. gcc is not. So if we try to re-declare an existing function +with default visibility, clang prints a warning and generates +a broken .so file in which nfct_helper_* are not exported to library +callers. + +Move the attribute up into the function definition to make clang happy. + +Signed-off-by: Kevin Cernekee <cernekee@chromium.org> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + doxygen.cfg.in | 2 +- + src/internal.h | 5 ++- + src/libnetfilter_cthelper.c | 83 ++++++++++++++++++--------------------------- + 3 files changed, 36 insertions(+), 54 deletions(-) + +Index: libnetfilter_cthelper-1.0.0/doxygen.cfg.in +=================================================================== +--- libnetfilter_cthelper-1.0.0.orig/doxygen.cfg.in ++++ libnetfilter_cthelper-1.0.0/doxygen.cfg.in +@@ -72,7 +72,7 @@ RECURSIVE = YES + EXCLUDE = + EXCLUDE_SYMLINKS = NO + EXCLUDE_PATTERNS = */.git/* .*.d +-EXCLUDE_SYMBOLS = EXPORT_SYMBOL ++EXCLUDE_SYMBOLS = + EXAMPLE_PATH = + EXAMPLE_PATTERNS = + EXAMPLE_RECURSIVE = NO +Index: libnetfilter_cthelper-1.0.0/src/internal.h +=================================================================== +--- libnetfilter_cthelper-1.0.0.orig/src/internal.h ++++ libnetfilter_cthelper-1.0.0/src/internal.h +@@ -3,10 +3,9 @@ + + #include "config.h" + #ifdef HAVE_VISIBILITY_HIDDEN +-# define __visible __attribute__((visibility("default"))) +-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible ++# define __EXPORTED __attribute__((visibility("default"))) + #else +-# define EXPORT_SYMBOL ++# define __EXPORTED + #endif + + #endif +Index: libnetfilter_cthelper-1.0.0/src/libnetfilter_cthelper.c +=================================================================== +--- libnetfilter_cthelper-1.0.0.orig/src/libnetfilter_cthelper.c ++++ libnetfilter_cthelper-1.0.0/src/libnetfilter_cthelper.c +@@ -99,17 +99,16 @@ struct nfct_helper { + * In case of success, this function returns a valid pointer, otherwise NULL + * s returned and errno is appropriately set. + */ +-struct nfct_helper *nfct_helper_alloc(void) ++struct nfct_helper __EXPORTED *nfct_helper_alloc(void) + { + return calloc(1, sizeof(struct nfct_helper)); + } +-EXPORT_SYMBOL(nfct_helper_alloc); + + /** + * nfct_helper_free - release one helper object + * \param nfct_helper pointer to the helper object + */ +-void nfct_helper_free(struct nfct_helper *h) ++void __EXPORTED nfct_helper_free(struct nfct_helper *h) + { + int i; + +@@ -119,7 +118,6 @@ void nfct_helper_free(struct nfct_helper + free(h->expect_policy[i]); + } + } +-EXPORT_SYMBOL(nfct_helper_free); + + /** + * nfct_helper_policy_alloc - allocate a new helper policy object +@@ -127,21 +125,19 @@ EXPORT_SYMBOL(nfct_helper_free); + * In case of success, this function returns a valid pointer, otherwise NULL + * s returned and errno is appropriately set. + */ +-struct nfct_helper_policy *nfct_helper_policy_alloc(void) ++struct nfct_helper_policy __EXPORTED *nfct_helper_policy_alloc(void) + { + return calloc(1, sizeof(struct nfct_helper_policy)); + } +-EXPORT_SYMBOL(nfct_helper_policy_alloc); + + /** + * nfct_helper_free - release one helper policy object + * \param nfct_helper pointer to the helper object + */ +-void nfct_helper_policy_free(struct nfct_helper_policy *p) ++void __EXPORTED nfct_helper_policy_free(struct nfct_helper_policy *p) + { + free(p); + } +-EXPORT_SYMBOL(nfct_helper_policy_free); + + /** + * nfct_helper_policy_attr_set - set one attribute of the helper object +@@ -149,7 +145,7 @@ EXPORT_SYMBOL(nfct_helper_policy_free); + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-void ++void __EXPORTED + nfct_helper_policy_attr_set(struct nfct_helper_policy *p, + enum nfct_helper_policy_attr_type type, + const void *data) +@@ -170,7 +166,6 @@ nfct_helper_policy_attr_set(struct nfct_ + break; + } + } +-EXPORT_SYMBOL(nfct_helper_policy_attr_set); + + /** + * nfct_helper_attr_set_str - set one attribute the helper object +@@ -178,23 +173,21 @@ EXPORT_SYMBOL(nfct_helper_policy_attr_se + * \param type attribute type you want to set + * \param name string that will be used to set this attribute + */ +-void ++void __EXPORTED + nfct_helper_policy_attr_set_str(struct nfct_helper_policy *p, + enum nfct_helper_policy_attr_type type, + const char *name) + { + nfct_helper_policy_attr_set(p, type, name); + } +-EXPORT_SYMBOL(nfct_helper_policy_attr_set_str); + +-void ++void __EXPORTED + nfct_helper_policy_attr_set_u32(struct nfct_helper_policy *p, + enum nfct_helper_policy_attr_type type, + uint32_t value) + { + nfct_helper_policy_attr_set(p, type, &value); + } +-EXPORT_SYMBOL(nfct_helper_policy_attr_set_u32); + + /** + * nfct_helper_attr_set - set one attribute of the helper object +@@ -202,7 +195,7 @@ EXPORT_SYMBOL(nfct_helper_policy_attr_se + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-void ++void __EXPORTED + nfct_helper_attr_set(struct nfct_helper *h, + enum nfct_helper_attr_type type, const void *data) + { +@@ -250,7 +243,6 @@ nfct_helper_attr_set(struct nfct_helper + break; + } + } +-EXPORT_SYMBOL(nfct_helper_attr_set); + + /** + * nfct_helper_attr_set_str - set one attribute the helper object +@@ -258,44 +250,40 @@ EXPORT_SYMBOL(nfct_helper_attr_set); + * \param type attribute type you want to set + * \param name string that will be used to set this attribute + */ +-void ++void __EXPORTED + nfct_helper_attr_set_str(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type, + const char *name) + { + nfct_helper_attr_set(nfct_helper, type, name); + } +-EXPORT_SYMBOL(nfct_helper_attr_set_str); + +-void ++void __EXPORTED + nfct_helper_attr_set_u8(struct nfct_helper *nfct_helper, + enum nfct_helper_attr_type type, uint8_t value) + { + nfct_helper_attr_set(nfct_helper, type, &value); + } +-EXPORT_SYMBOL(nfct_helper_attr_set_u8); + +-void ++void __EXPORTED + nfct_helper_attr_set_u16(struct nfct_helper *nfct_helper, + enum nfct_helper_attr_type type, uint16_t value) + { + nfct_helper_attr_set(nfct_helper, type, &value); + } +-EXPORT_SYMBOL(nfct_helper_attr_set_u16); + +-void ++void __EXPORTED + nfct_helper_attr_set_u32(struct nfct_helper *nfct_helper, + enum nfct_helper_attr_type type, uint32_t value) + { + nfct_helper_attr_set(nfct_helper, type, &value); + } +-EXPORT_SYMBOL(nfct_helper_attr_set_u32); + + /** + * nfct_helper_attr_unset - unset one attribute the helper object + * \param nfct_helper pointer to the helper object + * \param type attribute type you want to set + */ +-void ++void __EXPORTED + nfct_helper_attr_unset(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type) + { + switch(type) { +@@ -307,7 +295,6 @@ nfct_helper_attr_unset(struct nfct_helpe + break; + } + } +-EXPORT_SYMBOL(nfct_helper_attr_unset); + + /** + * nfct_helper_attr_get - get one attribute the helper object +@@ -317,8 +304,9 @@ EXPORT_SYMBOL(nfct_helper_attr_unset); + * This function returns a valid pointer to the attribute data. If a + * unsupported attribute is used, this returns NULL. + */ +-const void *nfct_helper_attr_get(struct nfct_helper *helper, +- enum nfct_helper_attr_type type) ++const void __EXPORTED * ++nfct_helper_attr_get(struct nfct_helper *helper, ++ enum nfct_helper_attr_type type) + { + const void *ret = NULL; + +@@ -358,7 +346,6 @@ const void *nfct_helper_attr_get(struct + } + return ret; + } +-EXPORT_SYMBOL(nfct_helper_attr_get); + + /** + * nfct_helper_attr_get_str - get one attribute the helper object +@@ -368,13 +355,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get); + * This function returns a valid pointer to the beginning of the string. + * If the attribute is unsupported, this returns NULL. + */ +-const char * ++const char __EXPORTED * + nfct_helper_attr_get_str(struct nfct_helper *nfct_helper, + enum nfct_helper_attr_type type) + { + return (const char *)nfct_helper_attr_get(nfct_helper, type); + } +-EXPORT_SYMBOL(nfct_helper_attr_get_str); + + /** + * nfct_helper_attr_get_u8 - get one attribute the helper object +@@ -384,12 +370,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_str); + * This function returns a unsigned 8-bits integer. If the attribute is + * unsupported, this returns NULL. + */ +-uint8_t nfct_helper_attr_get_u8(struct nfct_helper *nfct_helper, +- enum nfct_helper_attr_type type) ++uint8_t __EXPORTED ++nfct_helper_attr_get_u8(struct nfct_helper *nfct_helper, ++ enum nfct_helper_attr_type type) + { + return *((uint8_t *)nfct_helper_attr_get(nfct_helper, type)); + } +-EXPORT_SYMBOL(nfct_helper_attr_get_u8); + + /** + * nfct_helper_attr_get_u16 - get one attribute the helper object +@@ -399,12 +385,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u8); + * This function returns a unsigned 16-bits integer. If the attribute is + * unsupported, this returns NULL. + */ +-uint16_t nfct_helper_attr_get_u16(struct nfct_helper *nfct_helper, +- enum nfct_helper_attr_type type) ++uint16_t __EXPORTED ++nfct_helper_attr_get_u16(struct nfct_helper *nfct_helper, ++ enum nfct_helper_attr_type type) + { + return *((uint16_t *)nfct_helper_attr_get(nfct_helper, type)); + } +-EXPORT_SYMBOL(nfct_helper_attr_get_u16); + + /** + * nfct_helper_attr_get_u32 - get one attribute the helper object +@@ -414,12 +400,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u16); + * This function returns a unsigned 32-bits integer. If the attribute is + * unsupported, this returns NULL. + */ +-uint32_t nfct_helper_attr_get_u32(struct nfct_helper *nfct_helper, +- enum nfct_helper_attr_type type) ++uint32_t __EXPORTED ++nfct_helper_attr_get_u32(struct nfct_helper *nfct_helper, ++ enum nfct_helper_attr_type type) + { + return *((uint32_t *)nfct_helper_attr_get(nfct_helper, type)); + } +-EXPORT_SYMBOL(nfct_helper_attr_get_u32); + + /** + * nfct_helper_snprintf - print helper object into one buffer +@@ -431,9 +417,10 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u32); + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int nfct_helper_snprintf(char *buf, size_t size, +- struct nfct_helper *helper, +- unsigned int type, unsigned int flags) ++int __EXPORTED ++nfct_helper_snprintf(char *buf, size_t size, ++ struct nfct_helper *helper, ++ unsigned int type, unsigned int flags) + { + int ret; + +@@ -454,7 +441,6 @@ int nfct_helper_snprintf(char *buf, size + + return ret; + } +-EXPORT_SYMBOL(nfct_helper_snprintf); + + /** + * @} +@@ -490,7 +476,7 @@ EXPORT_SYMBOL(nfct_helper_snprintf); + * - Command NFNL_MSG_ACCT_DEL, to delete one specific nfct_helper object (if + * unused, otherwise you hit EBUSY). + */ +-struct nlmsghdr * ++struct nlmsghdr __EXPORTED * + nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd, + uint16_t flags, uint32_t seq) + { +@@ -509,7 +495,6 @@ nfct_helper_nlmsg_build_hdr(char *buf, u + + return nlh; + } +-EXPORT_SYMBOL(nfct_helper_nlmsg_build_hdr); + + static void + nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh, +@@ -530,7 +515,7 @@ nfct_helper_nlmsg_build_policy(struct nl + * \param nlh: netlink message that you want to use to add the payload. + * \param nfct_helper: pointer to a helper object + */ +-void ++void __EXPORTED + nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h) + { + struct nlattr *nest; +@@ -593,7 +578,6 @@ nfct_helper_nlmsg_build_payload(struct n + if (h->bitset & (1 << NFCTH_ATTR_STATUS)) + mnl_attr_put_u32(nlh, NFCTH_STATUS, ntohl(h->status)); + } +-EXPORT_SYMBOL(nfct_helper_nlmsg_build_payload); + + static int + nfct_helper_nlmsg_parse_tuple_cb(const struct nlattr *attr, void *data) +@@ -795,7 +779,7 @@ nfct_helper_nlmsg_parse_attr_cb(const st + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int ++int __EXPORTED + nfct_helper_nlmsg_parse_payload(const struct nlmsghdr *nlh, + struct nfct_helper *h) + { +@@ -832,7 +816,6 @@ nfct_helper_nlmsg_parse_payload(const st + } + return 0; + } +-EXPORT_SYMBOL(nfct_helper_nlmsg_parse_payload); + + /** + * @} diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cttimeout-visibility-hidden.patch b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cttimeout-visibility-hidden.patch new file mode 100644 index 000000000..2c606c832 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/files/libnetfilter-cttimeout-visibility-hidden.patch @@ -0,0 +1,264 @@ +From d0c4e39d12f903e06db262656cff2e24d267bed7 Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee <cernekee@chromium.org> +Date: Wed, 4 Jan 2017 14:30:25 -0800 +Subject: Use __EXPORTED rather than EXPORT_SYMBOL + +clang is sensitive to the ordering of +__attribute__((visibility("default"))) relative to the function +body. gcc is not. So if we try to re-declare an existing function +with default visibility, clang prints a warning and generates +a broken .so file in which nfct_timeout_* are not exported to library +callers. + +Move the attribute up into the function definition to make clang happy. + +Signed-off-by: Kevin Cernekee <cernekee@chromium.org> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + doxygen.cfg.in | 2 +- + src/internal.h | 5 ++--- + src/libnetfilter_cttimeout.c | 44 +++++++++++++++++--------------------------- + 3 files changed, 20 insertions(+), 31 deletions(-) + +diff --git a/doxygen.cfg.in b/doxygen.cfg.in +index 8e5d449..09c3ce0 100644 +--- a/doxygen.cfg.in ++++ b/doxygen.cfg.in +@@ -72,7 +72,7 @@ RECURSIVE = YES + EXCLUDE = + EXCLUDE_SYMLINKS = NO + EXCLUDE_PATTERNS = */.git/* .*.d +-EXCLUDE_SYMBOLS = EXPORT_SYMBOL nfct_timeout _container_policy_cb ++EXCLUDE_SYMBOLS = nfct_timeout _container_policy_cb + EXAMPLE_PATH = + EXAMPLE_PATTERNS = + EXAMPLE_RECURSIVE = NO +diff --git a/src/internal.h b/src/internal.h +index 3a88d1a..5d78171 100644 +--- a/src/internal.h ++++ b/src/internal.h +@@ -3,10 +3,9 @@ + + #include "config.h" + #ifdef HAVE_VISIBILITY_HIDDEN +-# define __visible __attribute__((visibility("default"))) +-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible ++# define __EXPORTED __attribute__((visibility("default"))) + #else +-# define EXPORT_SYMBOL ++# define __EXPORTED + #endif + + #endif +diff --git a/src/libnetfilter_cttimeout.c b/src/libnetfilter_cttimeout.c +index 7844a1f..a0a7185 100644 +--- a/src/libnetfilter_cttimeout.c ++++ b/src/libnetfilter_cttimeout.c +@@ -187,7 +187,7 @@ struct nfct_timeout { + * In case of success, this function returns a valid pointer, otherwise NULL + * s returned and errno is appropriately set. + */ +-struct nfct_timeout *nfct_timeout_alloc(void) ++struct nfct_timeout __EXPORTED *nfct_timeout_alloc(void) + { + struct nfct_timeout *t; + +@@ -197,19 +197,17 @@ struct nfct_timeout *nfct_timeout_alloc(void) + + return t; + } +-EXPORT_SYMBOL(nfct_timeout_alloc); + + /** + * nfct_timeout_free - release one conntrack timeout object + * \param t pointer to the conntrack timeout object + */ +-void nfct_timeout_free(struct nfct_timeout *t) ++void __EXPORTED nfct_timeout_free(struct nfct_timeout *t) + { + if (t->timeout) + free(t->timeout); + free(t); + } +-EXPORT_SYMBOL(nfct_timeout_free); + + /** + * nfct_timeout_attr_set - set one attribute of the conntrack timeout object +@@ -217,7 +215,7 @@ EXPORT_SYMBOL(nfct_timeout_free); + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-int ++int __EXPORTED + nfct_timeout_attr_set(struct nfct_timeout *t, uint32_t type, const void *data) + { + switch(type) { +@@ -236,7 +234,6 @@ nfct_timeout_attr_set(struct nfct_timeout *t, uint32_t type, const void *data) + t->attrset |= (1 << type); + return 0; + } +-EXPORT_SYMBOL(nfct_timeout_attr_set); + + /** + * nfct_timeout_attr_set_u8 - set one attribute of the conntrack timeout object +@@ -244,12 +241,11 @@ EXPORT_SYMBOL(nfct_timeout_attr_set); + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-int ++int __EXPORTED + nfct_timeout_attr_set_u8(struct nfct_timeout *t, uint32_t type, uint8_t data) + { + return nfct_timeout_attr_set(t, type, &data); + } +-EXPORT_SYMBOL(nfct_timeout_attr_set_u8); + + /** + * nfct_timeout_attr_set_u16 - set one attribute of the conntrack timeout object +@@ -257,23 +253,21 @@ EXPORT_SYMBOL(nfct_timeout_attr_set_u8); + * \param type attribute type you want to set + * \param data pointer to data that will be used to set this attribute + */ +-int ++int __EXPORTED + nfct_timeout_attr_set_u16(struct nfct_timeout *t, uint32_t type, uint16_t data) + { + return nfct_timeout_attr_set(t, type, &data); + } +-EXPORT_SYMBOL(nfct_timeout_attr_set_u16); + + /** + * nfct_timeout_attr_unset - unset one attribute of the conntrack timeout object + * \param t pointer to the conntrack timeout object + * \param type attribute type you want to set + */ +-void nfct_timeout_attr_unset(struct nfct_timeout *t, uint32_t type) ++void __EXPORTED nfct_timeout_attr_unset(struct nfct_timeout *t, uint32_t type) + { + t->attrset &= ~(1 << type); + } +-EXPORT_SYMBOL(nfct_timeout_attr_unset); + + /** + * nfct_timeout_policy_attr_set_u32 - set one attribute of the policy +@@ -281,7 +275,7 @@ EXPORT_SYMBOL(nfct_timeout_attr_unset); + * \param type attribute type you want to set + * \param data data that will be used to set this attribute + */ +-int ++int __EXPORTED + nfct_timeout_policy_attr_set_u32(struct nfct_timeout *t, + uint32_t type, uint32_t data) + { +@@ -319,18 +313,17 @@ nfct_timeout_policy_attr_set_u32(struct nfct_timeout *t, + + return 0; + } +-EXPORT_SYMBOL(nfct_timeout_policy_attr_set_u32); + + /** + * nfct_timeout_policy_attr_unset - unset one attribute of the policy + * \param t pointer to the conntrack timeout object + * \param type attribute type you want to set + */ +-void nfct_timeout_policy_attr_unset(struct nfct_timeout *t, uint32_t type) ++void __EXPORTED ++nfct_timeout_policy_attr_unset(struct nfct_timeout *t, uint32_t type) + { + t->attrset &= ~(1 << type); + } +-EXPORT_SYMBOL(nfct_timeout_policy_attr_unset); + + /** + * nfct_timeout_policy_attr_to_name - get state name from protocol state number +@@ -340,7 +333,8 @@ EXPORT_SYMBOL(nfct_timeout_policy_attr_unset); + * This function returns NULL if unsupported protocol or state number is passed. + * Otherwise, a pointer to valid string is returned. + */ +-const char *nfct_timeout_policy_attr_to_name(uint8_t l4proto, uint32_t state) ++const char __EXPORTED * ++nfct_timeout_policy_attr_to_name(uint8_t l4proto, uint32_t state) + { + if (timeout_protocol[l4proto].state_to_name == NULL) { + printf("no array state name\n"); +@@ -354,7 +348,6 @@ const char *nfct_timeout_policy_attr_to_name(uint8_t l4proto, uint32_t state) + + return timeout_protocol[l4proto].state_to_name[state]; + } +-EXPORT_SYMBOL(nfct_timeout_policy_attr_to_name); + + /** + * @} +@@ -438,8 +431,9 @@ nfct_timeout_snprintf_default(char *buf, size_t size, + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int nfct_timeout_snprintf(char *buf, size_t size, const struct nfct_timeout *t, +- unsigned int type, unsigned int flags) ++int __EXPORTED ++nfct_timeout_snprintf(char *buf, size_t size, const struct nfct_timeout *t, ++ unsigned int type, unsigned int flags) + { + int ret = 0; + +@@ -454,7 +448,6 @@ int nfct_timeout_snprintf(char *buf, size_t size, const struct nfct_timeout *t, + + return ret; + } +-EXPORT_SYMBOL(nfct_timeout_snprintf); + + /** + * @} +@@ -477,7 +470,7 @@ EXPORT_SYMBOL(nfct_timeout_snprintf); + * - CTNL_MSG_TIMEOUT_GET: get conntrack timeout object. + * - CTNL_MSG_TIMEOUT_DEL: delete conntrack timeout object. + */ +-struct nlmsghdr * ++struct nlmsghdr __EXPORTED * + nfct_timeout_nlmsg_build_hdr(char *buf, uint8_t cmd, + uint16_t flags, uint32_t seq) + { +@@ -496,14 +489,13 @@ nfct_timeout_nlmsg_build_hdr(char *buf, uint8_t cmd, + + return nlh; + } +-EXPORT_SYMBOL(nfct_timeout_nlmsg_build_hdr); + + /** + * nfct_timeout_nlmsg_build_payload - build payload from ct timeout object + * \param nlh: netlink message that you want to use to add the payload. + * \param t: pointer to a conntrack timeout object + */ +-void ++void __EXPORTED + nfct_timeout_nlmsg_build_payload(struct nlmsghdr *nlh, + const struct nfct_timeout *t) + { +@@ -532,7 +524,6 @@ nfct_timeout_nlmsg_build_payload(struct nlmsghdr *nlh, + } + + } +-EXPORT_SYMBOL(nfct_timeout_nlmsg_build_payload); + + static int + timeout_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data) +@@ -629,7 +620,7 @@ timeout_parse_attr_data(struct nfct_timeout *t, const struct nlattr *nest) + * This function returns -1 in case that some mandatory attributes are + * missing. On sucess, it returns 0. + */ +-int ++int __EXPORTED + nfct_timeout_nlmsg_parse_payload(const struct nlmsghdr *nlh, + struct nfct_timeout *t) + { +@@ -654,7 +645,6 @@ nfct_timeout_nlmsg_parse_payload(const struct nlmsghdr *nlh, + } + return 0; + } +-EXPORT_SYMBOL(nfct_timeout_nlmsg_parse_payload); + + /** + * @} +-- +cgit v1.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-acct_1.0.3.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-acct_1.0.3.bb new file mode 100644 index 000000000..974035ccc --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-acct_1.0.3.bb @@ -0,0 +1,17 @@ +SUMMARY = "libnetfilter_acct accounting infrastructure." +DESCRIPTION = "libnetfilter_acct is the userspace library providing interface to extended accounting infrastructure." +HOMEPAGE = "http://netfilter.org/projects/libnetfilter_acct/index.html" +SECTION = "libs" +LICENSE = "LGPL-2.1" +LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" +DEPENDS = "libnfnetlink libmnl" + +SRC_URI = "http://ftp.netfilter.org/pub/libnetfilter_acct/libnetfilter_acct-1.0.3.tar.bz2 \ + file://0001-libnetfilter-acct-Declare-the-define-visivility-attribute-together.patch \ +" +SRC_URI[md5sum] = "814b2972b2f5c740ff87510bc109168b" +SRC_URI[sha256sum] = "4250ceef3efe2034f4ac05906c3ee427db31b9b0a2df41b2744f4bf79a959a1a" + +S = "${WORKDIR}/libnetfilter_acct-${PV}" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.6.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.6.bb new file mode 100644 index 000000000..e4e186bdb --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-conntrack_1.0.6.bb @@ -0,0 +1,16 @@ +SUMMARY = "Netfilter connection tracking library" +DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter connection tracking state table" +HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_conntrack/index.html" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" +DEPENDS = "libnfnetlink libmnl" + +SRC_URI = "http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-${PV}.tar.bz2;name=tar \ +" +SRC_URI[tar.md5sum] = "7139c5f408dd9606ffecfd5dcda8175b" +SRC_URI[tar.sha256sum] = "efcc08021284e75f4d96d3581c5155a11f08fd63316b1938cbcb269c87f37feb" + +S = "${WORKDIR}/libnetfilter_conntrack-${PV}" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb new file mode 100644 index 000000000..92cb23d6e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cthelper_1.0.0.bb @@ -0,0 +1,17 @@ +SUMMARY = "Netfilter connection tracking helper library" +DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter user-space helper infrastructure" +HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_cthelper/index.html" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" +DEPENDS = "libmnl" + +SRC_URI = "http://www.netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-${PV}.tar.bz2;name=tar \ + file://libnetfilter-cthelper-visibility-hidden.patch \ +" +SRC_URI[tar.md5sum] = "b2efab1a3a198a5add448960ba011acd" +SRC_URI[tar.sha256sum] = "07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d" + +S = "${WORKDIR}/libnetfilter_cthelper-${PV}" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb new file mode 100644 index 000000000..ff32f3409 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-cttimeout_1.0.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "Netfilter connection tracking timeout library" +DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter fine-grain connection tracking timeout infrastructure" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" +DEPENDS = "libmnl" + +SRC_URI = "http://www.netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-${PV}.tar.bz2;name=tar \ + file://libnetfilter-cttimeout-visibility-hidden.patch \ +" +SRC_URI[tar.md5sum] = "7697437fc9ebb6f6b83df56a633db7f9" +SRC_URI[tar.sha256sum] = "aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba" + +S = "${WORKDIR}/libnetfilter_cttimeout-${PV}" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb new file mode 100644 index 000000000..2f627d458 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb @@ -0,0 +1,15 @@ +SUMMARY = "Netfilter logging library" +DESCRIPTION = "Userspace library providing a programming interface (API) to the Linux kernel netfilter log message (NFLOG)" +HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_log/index.html" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" +DEPENDS = "libnfnetlink libmnl" +SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324" +PV .= "+git${SRCPV}" + +SRC_URI = "git://git.netfilter.org/libnetfilter_log" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb new file mode 100644 index 000000000..754e11d99 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.2.bb @@ -0,0 +1,19 @@ +SUMMARY = "Netfilter packet queue access library" +DESCRIPTION = "Userspace library providing a programming interface (API) to access the Linux kernel netfilter packet queue" +HOMEPAGE = "http://www.netfilter.org/projects/libnetfilter_queue/index.html" +SECTION = "libs" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" +DEPENDS = "libnfnetlink libmnl" + +PV .= "+git${SRCREV}" +SRCREV = "981025e103d887fb6a9c9bb49c74ec323108d098" + +SRC_URI = "git://git.netfilter.org/libnetfilter_queue \ + file://0001-Correct-typo-in-the-location-of-internal.h-in-includ.patch \ + file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \ + " + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0001-build-resolve-automake-1.12-warnings.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0001-build-resolve-automake-1.12-warnings.patch new file mode 100644 index 000000000..00d95cd79 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0001-build-resolve-automake-1.12-warnings.patch @@ -0,0 +1,28 @@ +From 2e5f2b81fb8cbe0d1cd33e58caa19ac308e1f847 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt <jengelh@inai.de> +Date: Tue, 9 Oct 2012 15:59:48 +0200 +Subject: [PATCH 1/6] build: resolve automake-1.12 warnings + +am/ltlibrary.am: warning: 'libnfnetlink.la': linking libtool libraries +using a non-POSIX archiver requires 'AM_PROG_AR' in 'configure.ac' + +Signed-off-by: Jan Engelhardt <jengelh@inai.de> +--- + configure.ac | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/configure.ac b/configure.ac +index ed549df..0926a1c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -7,6 +7,7 @@ AC_CANONICAL_HOST + + AM_INIT_AUTOMAKE([-Wall foreign subdir-objects + tar-pax no-dist-gzip dist-bzip2 1.6]) ++m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) + + dnl kernel style compile messages + m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0002-src-get-source-code-license-header-in-sync-with-curr.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0002-src-get-source-code-license-header-in-sync-with-curr.patch new file mode 100644 index 000000000..c2fb5e05a --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0002-src-get-source-code-license-header-in-sync-with-curr.patch @@ -0,0 +1,49 @@ +From 5e6b6e23a8b04475c5a9de7eddb4c18103932fe5 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Wed, 7 Aug 2013 20:53:57 +0200 +Subject: [PATCH 2/6] src: get source code license header in sync with current + licensing terms + +Since (3956761 license: upgrade to GPLv2+), we upgraded to GPLv2+, +propagate that changes to src/iftable.c and src/rtnl.c + +Reported-by: Thomas Woerner <twoerner@redhat.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + src/iftable.c | 2 +- + src/rtnl.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/iftable.c b/src/iftable.c +index 0325335..5976ed8 100644 +--- a/src/iftable.c ++++ b/src/iftable.c +@@ -3,7 +3,7 @@ + * (C) 2004 by Astaro AG, written by Harald Welte <hwelte@astaro.com> + * (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org> + * +- * This software is Free Software and licensed under GNU GPLv2. ++ * This software is Free Software and licensed under GNU GPLv2+. + */ + + /* IFINDEX handling */ +diff --git a/src/rtnl.c b/src/rtnl.c +index 5ccb272..7b4ac7d 100644 +--- a/src/rtnl.c ++++ b/src/rtnl.c +@@ -1,10 +1,10 @@ + /* rtnl - rtnetlink utility functions + * + * (C) 2004 by Astaro AG, written by Harald Welte <hwelte@astaro.com> +- * ++ * + * Adapted to nfnetlink by Eric Leblond <eric@inl.fr> + * +- * This software is free software and licensed under GNU GPLv2. ++ * This software is free software and licensed under GNU GPLv2+. + * + */ + +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0003-configure-uclinux-is-also-linux.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0003-configure-uclinux-is-also-linux.patch new file mode 100644 index 000000000..6cb7ed6fa --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0003-configure-uclinux-is-also-linux.patch @@ -0,0 +1,27 @@ +From b259fe13826414c1bd5328a25c8d6d60e20e65f2 Mon Sep 17 00:00:00 2001 +From: Gustavo Zacarias <gustavo@zacarias.com.ar> +Date: Tue, 10 Sep 2013 16:23:29 -0300 +Subject: [PATCH 3/6] configure: uclinux is also linux + +Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 0926a1c..b979772 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -18,7 +18,7 @@ AC_DISABLE_STATIC + AM_PROG_LIBTOOL + + case "$host" in +-*-*-linux*) ;; ++*-*-linux* | *-*-uclinux*) ;; + *) AC_MSG_ERROR([Linux only, dude!]);; + esac + +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0004-libnfnetlink-initialize-attribute-padding-to-resolve.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0004-libnfnetlink-initialize-attribute-padding-to-resolve.patch new file mode 100644 index 000000000..cf3a84135 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0004-libnfnetlink-initialize-attribute-padding-to-resolve.patch @@ -0,0 +1,39 @@ +From b142da8d2c9e2e2dfbe4e89e680dd124f6064ac8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Mon, 3 Feb 2014 12:09:29 +0100 +Subject: [PATCH 4/6] libnfnetlink: initialize attribute padding to resolve + valgrind warnings + +==12195== Syscall param socketcall.sendto(msg) points to uninitialised byte(s) +==12195== at 0x51209C3: __sendto_nocancel (syscall-template.S:81) +==12195== by 0x53E4D12: nfnl_send (libnfnetlink.c:391) +==12195== by 0x53E6952: nfnl_query (libnfnetlink.c:1569) +==12195== by 0x4E344AF: __build_send_cfg_msg.isra.1 (libnetfilter_log.c:143) +==12195== by 0x4E34710: nflog_bind_group (libnetfilter_log.c:413) +==12195== by 0x400CB1: main (nfulnl_test.c:77) +==12195== Address 0x7fefff3e9 is on thread 1's stack + +This patch sets to zero the padding that is included to align the +attribute payload. + +Reported-by: Ivan Homoliak <xhomol11@gmail.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + src/libnfnetlink.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libnfnetlink.c b/src/libnfnetlink.c +index 4b2bcd0..398b7d7 100644 +--- a/src/libnfnetlink.c ++++ b/src/libnfnetlink.c +@@ -809,6 +809,7 @@ int nfnl_addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data, + nfa->nfa_type = type; + nfa->nfa_len = len; + memcpy(NFA_DATA(nfa), data, alen); ++ memset((uint8_t *)nfa + nfa->nfa_len, 0, NFA_ALIGN(alen) - alen); + n->nlmsg_len = (NLMSG_ALIGN(n->nlmsg_len) + NFA_ALIGN(len)); + return 0; + } +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0005-include-Sync-with-kernel-headers.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0005-include-Sync-with-kernel-headers.patch new file mode 100644 index 000000000..383f0e8b3 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0005-include-Sync-with-kernel-headers.patch @@ -0,0 +1,110 @@ +From b10c90a61a5fc46f2be5aeecb9c96e84178f7717 Mon Sep 17 00:00:00 2001 +From: Felix Janda <felix.janda@posteo.de> +Date: Sat, 16 May 2015 14:49:07 +0200 +Subject: [PATCH 5/6] include: Sync with kernel headers + +Signed-off-by: Felix Janda <felix.janda@posteo.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/libnfnetlink/linux_nfnetlink.h | 44 ++++----------------------- + include/libnfnetlink/linux_nfnetlink_compat.h | 12 ++++---- + 2 files changed, 12 insertions(+), 44 deletions(-) + +diff --git a/include/libnfnetlink/linux_nfnetlink.h b/include/libnfnetlink/linux_nfnetlink.h +index 76a8550..44a38d6 100644 +--- a/include/libnfnetlink/linux_nfnetlink.h ++++ b/include/libnfnetlink/linux_nfnetlink.h +@@ -25,9 +25,9 @@ enum nfnetlink_groups { + /* General form of address family dependent message. + */ + struct nfgenmsg { +- u_int8_t nfgen_family; /* AF_xxx */ +- u_int8_t version; /* nfnetlink version */ +- u_int16_t res_id; /* resource id */ ++ __u8 nfgen_family; /* AF_xxx */ ++ __u8 version; /* nfnetlink version */ ++ __be16 res_id; /* resource id */ + }; + + #define NFNETLINK_V0 0 +@@ -46,40 +46,8 @@ struct nfgenmsg { + #define NFNL_SUBSYS_CTNETLINK_EXP 2 + #define NFNL_SUBSYS_QUEUE 3 + #define NFNL_SUBSYS_ULOG 4 +-#define NFNL_SUBSYS_COUNT 5 ++#define NFNL_SUBSYS_OSF 5 ++#define NFNL_SUBSYS_IPSET 6 ++#define NFNL_SUBSYS_COUNT 7 + +-#ifdef __KERNEL__ +- +-#include <linux/netlink.h> +-#include <linux/capability.h> +-#include <net/netlink.h> +- +-struct nfnl_callback +-{ +- int (*call)(struct sock *nl, struct sk_buff *skb, +- struct nlmsghdr *nlh, struct nlattr *cda[]); +- const struct nla_policy *policy; /* netlink attribute policy */ +- const u_int16_t attr_count; /* number of nlattr's */ +-}; +- +-struct nfnetlink_subsystem +-{ +- const char *name; +- __u8 subsys_id; /* nfnetlink subsystem ID */ +- __u8 cb_count; /* number of callbacks */ +- const struct nfnl_callback *cb; /* callback for individual types */ +-}; +- +-extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n); +-extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n); +- +-extern int nfnetlink_has_listeners(unsigned int group); +-extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, +- int echo); +-extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags); +- +-#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \ +- MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) +- +-#endif /* __KERNEL__ */ + #endif /* _NFNETLINK_H */ +diff --git a/include/libnfnetlink/linux_nfnetlink_compat.h b/include/libnfnetlink/linux_nfnetlink_compat.h +index e145176..74b9e55 100644 +--- a/include/libnfnetlink/linux_nfnetlink_compat.h ++++ b/include/libnfnetlink/linux_nfnetlink_compat.h +@@ -1,6 +1,8 @@ + #ifndef _NFNETLINK_COMPAT_H + #define _NFNETLINK_COMPAT_H +-#ifndef __KERNEL__ ++ ++#include <linux/types.h> ++ + /* Old nfnetlink macros for userspace */ + + /* nfnetlink groups: Up to 32 maximum */ +@@ -18,10 +20,9 @@ + * ! nfnetlink use the same attributes methods. - J. Schulist. + */ + +-struct nfattr +-{ +- u_int16_t nfa_len; +- u_int16_t nfa_type; /* we use 15 bits for the type, and the highest ++struct nfattr { ++ __u16 nfa_len; ++ __u16 nfa_type; /* we use 15 bits for the type, and the highest + * bit to indicate whether the payload is nested */ + }; + +@@ -57,5 +58,4 @@ struct nfattr + + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) + #define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) + +-#endif /* ! __KERNEL__ */ + #endif /* _NFNETLINK_COMPAT_H */ +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0006-src-Use-stdint-types-everywhere.patch b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0006-src-Use-stdint-types-everywhere.patch new file mode 100644 index 000000000..72c9987d1 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink/0006-src-Use-stdint-types-everywhere.patch @@ -0,0 +1,403 @@ +From 5cb589e246c91331ee6b3926b15f5e6cfc8ad95e Mon Sep 17 00:00:00 2001 +From: Felix Janda <felix.janda@posteo.de> +Date: Sat, 16 May 2015 14:59:57 +0200 +Subject: [PATCH 6/6] src: Use stdint types everywhere + +Signed-off-by: Felix Janda <felix.janda@posteo.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/libnfnetlink/libnfnetlink.h | 25 ++++++------- + src/iftable.c | 8 ++--- + src/iftable.h | 4 +-- + src/libnfnetlink.c | 72 ++++++++++++++++++------------------- + src/rtnl.c | 4 +-- + src/rtnl.h | 2 +- + 6 files changed, 58 insertions(+), 57 deletions(-) + +diff --git a/include/libnfnetlink/libnfnetlink.h b/include/libnfnetlink/libnfnetlink.h +index 1d8c49d..cd0be3d 100644 +--- a/include/libnfnetlink/libnfnetlink.h ++++ b/include/libnfnetlink/libnfnetlink.h +@@ -15,6 +15,7 @@ + #define aligned_u64 unsigned long long __attribute__((aligned(8))) + #endif + ++#include <stdint.h> + #include <sys/socket.h> /* for sa_family_t */ + #include <linux/netlink.h> + #include <libnfnetlink/linux_nfnetlink.h> +@@ -55,7 +56,7 @@ struct nfnlhdr { + struct nfnl_callback { + int (*call)(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data); + void *data; +- u_int16_t attr_count; ++ uint16_t attr_count; + }; + + struct nfnl_handle; +@@ -69,7 +70,7 @@ extern struct nfnl_handle *nfnl_open(void); + extern int nfnl_close(struct nfnl_handle *); + + extern struct nfnl_subsys_handle *nfnl_subsys_open(struct nfnl_handle *, +- u_int8_t, u_int8_t, ++ uint8_t, uint8_t, + unsigned int); + extern void nfnl_subsys_close(struct nfnl_subsys_handle *); + +@@ -88,8 +89,8 @@ extern int nfnl_sendiov(const struct nfnl_handle *nfnlh, + const struct iovec *iov, unsigned int num, + unsigned int flags); + extern void nfnl_fill_hdr(struct nfnl_subsys_handle *, struct nlmsghdr *, +- unsigned int, u_int8_t, u_int16_t, u_int16_t, +- u_int16_t); ++ unsigned int, uint8_t, uint16_t, uint16_t, ++ uint16_t); + extern __attribute__((deprecated)) int + nfnl_talk(struct nfnl_handle *, struct nlmsghdr *, pid_t, + unsigned, struct nlmsghdr *, +@@ -103,8 +104,8 @@ nfnl_listen(struct nfnl_handle *, + /* receiving */ + extern ssize_t nfnl_recv(const struct nfnl_handle *h, unsigned char *buf, size_t len); + extern int nfnl_callback_register(struct nfnl_subsys_handle *, +- u_int8_t type, struct nfnl_callback *cb); +-extern int nfnl_callback_unregister(struct nfnl_subsys_handle *, u_int8_t type); ++ uint8_t type, struct nfnl_callback *cb); ++extern int nfnl_callback_unregister(struct nfnl_subsys_handle *, uint8_t type); + extern int nfnl_handle_packet(struct nfnl_handle *, char *buf, int len); + + /* parsing */ +@@ -180,12 +181,12 @@ extern int nfnl_query(struct nfnl_handle *h, struct nlmsghdr *nlh); + + /* nfnl attribute handling functions */ + extern int nfnl_addattr_l(struct nlmsghdr *, int, int, const void *, int); +-extern int nfnl_addattr8(struct nlmsghdr *, int, int, u_int8_t); +-extern int nfnl_addattr16(struct nlmsghdr *, int, int, u_int16_t); +-extern int nfnl_addattr32(struct nlmsghdr *, int, int, u_int32_t); ++extern int nfnl_addattr8(struct nlmsghdr *, int, int, uint8_t); ++extern int nfnl_addattr16(struct nlmsghdr *, int, int, uint16_t); ++extern int nfnl_addattr32(struct nlmsghdr *, int, int, uint32_t); + extern int nfnl_nfa_addattr_l(struct nfattr *, int, int, const void *, int); +-extern int nfnl_nfa_addattr16(struct nfattr *, int, int, u_int16_t); +-extern int nfnl_nfa_addattr32(struct nfattr *, int, int, u_int32_t); ++extern int nfnl_nfa_addattr16(struct nfattr *, int, int, uint16_t); ++extern int nfnl_nfa_addattr32(struct nfattr *, int, int, uint32_t); + extern int nfnl_parse_attr(struct nfattr **, int, struct nfattr *, int); + #define nfnl_parse_nested(tb, max, nfa) \ + nfnl_parse_attr((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa))) +@@ -197,7 +198,7 @@ extern int nfnl_parse_attr(struct nfattr **, int, struct nfattr *, int); + ({ (tail)->nfa_len = (void *) NLMSG_TAIL(nlh) - (void *) tail; }) + + extern void nfnl_build_nfa_iovec(struct iovec *iov, struct nfattr *nfa, +- u_int16_t type, u_int32_t len, ++ uint16_t type, uint32_t len, + unsigned char *val); + extern unsigned int nfnl_rcvbufsiz(const struct nfnl_handle *h, + unsigned int size); +diff --git a/src/iftable.c b/src/iftable.c +index 5976ed8..157f97b 100644 +--- a/src/iftable.c ++++ b/src/iftable.c +@@ -27,10 +27,10 @@ + struct ifindex_node { + struct list_head head; + +- u_int32_t index; +- u_int32_t type; +- u_int32_t alen; +- u_int32_t flags; ++ uint32_t index; ++ uint32_t type; ++ uint32_t alen; ++ uint32_t flags; + char addr[8]; + char name[16]; + }; +diff --git a/src/iftable.h b/src/iftable.h +index 8df7f24..655df6b 100644 +--- a/src/iftable.h ++++ b/src/iftable.h +@@ -1,8 +1,8 @@ + #ifndef _IFTABLE_H + #define _IFTABLE_H + +-int iftable_delete(u_int32_t dst, u_int32_t mask, u_int32_t gw, u_int32_t oif); +-int iftable_insert(u_int32_t dst, u_int32_t mask, u_int32_t gw, u_int32_t oif); ++int iftable_delete(uint32_t dst, uint32_t mask, uint32_t gw, uint32_t oif); ++int iftable_insert(uint32_t dst, uint32_t mask, uint32_t gw, uint32_t oif); + + int iftable_init(void); + void iftable_fini(void); +diff --git a/src/libnfnetlink.c b/src/libnfnetlink.c +index 398b7d7..df57533 100644 +--- a/src/libnfnetlink.c ++++ b/src/libnfnetlink.c +@@ -72,9 +72,9 @@ + + struct nfnl_subsys_handle { + struct nfnl_handle *nfnlh; +- u_int32_t subscriptions; +- u_int8_t subsys_id; +- u_int8_t cb_count; ++ uint32_t subscriptions; ++ uint8_t subsys_id; ++ uint8_t cb_count; + struct nfnl_callback *cb; /* array of callbacks */ + }; + +@@ -86,11 +86,11 @@ struct nfnl_handle { + int fd; + struct sockaddr_nl local; + struct sockaddr_nl peer; +- u_int32_t subscriptions; +- u_int32_t seq; +- u_int32_t dump; +- u_int32_t rcv_buffer_size; /* for nfnl_catch */ +- u_int32_t flags; ++ uint32_t subscriptions; ++ uint32_t seq; ++ uint32_t dump; ++ uint32_t rcv_buffer_size; /* for nfnl_catch */ ++ uint32_t flags; + struct nlmsghdr *last_nlhdr; + struct nfnl_subsys_handle subsys[NFNL_MAX_SUBSYS+1]; + }; +@@ -145,7 +145,7 @@ unsigned int nfnl_portid(const struct nfnl_handle *h) + static int recalc_rebind_subscriptions(struct nfnl_handle *nfnlh) + { + int i, err; +- u_int32_t new_subscriptions = nfnlh->subscriptions; ++ uint32_t new_subscriptions = nfnlh->subscriptions; + + for (i = 0; i < NFNL_MAX_SUBSYS; i++) + new_subscriptions |= nfnlh->subsys[i].subscriptions; +@@ -273,8 +273,8 @@ void nfnl_set_rcv_buffer_size(struct nfnl_handle *h, unsigned int size) + * a valid address that points to a nfnl_subsys_handle structure is returned. + */ + struct nfnl_subsys_handle * +-nfnl_subsys_open(struct nfnl_handle *nfnlh, u_int8_t subsys_id, +- u_int8_t cb_count, u_int32_t subscriptions) ++nfnl_subsys_open(struct nfnl_handle *nfnlh, uint8_t subsys_id, ++ uint8_t cb_count, uint32_t subscriptions) + { + struct nfnl_subsys_handle *ssh; + +@@ -435,10 +435,10 @@ int nfnl_sendiov(const struct nfnl_handle *nfnlh, const struct iovec *iov, + */ + void nfnl_fill_hdr(struct nfnl_subsys_handle *ssh, + struct nlmsghdr *nlh, unsigned int len, +- u_int8_t family, +- u_int16_t res_id, +- u_int16_t msg_type, +- u_int16_t msg_flags) ++ uint8_t family, ++ uint16_t res_id, ++ uint16_t msg_type, ++ uint16_t msg_flags) + { + assert(ssh); + assert(nlh); +@@ -815,7 +815,7 @@ int nfnl_addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data, + } + + /** +- * nfnl_nfa_addattr_l - Add variable length attribute to struct nfattr ++ * nfnl_nfa_addattr_l - Add variable length attribute to struct nfattr + * + * @nfa: struct nfattr + * @maxlen: maximal length of nfattr buffer +@@ -849,14 +849,14 @@ int nfnl_nfa_addattr_l(struct nfattr *nfa, int maxlen, int type, + } + + /** +- * nfnl_addattr8 - Add u_int8_t attribute to nlmsghdr ++ * nfnl_addattr8 - Add uint8_t attribute to nlmsghdr + * + * @n: netlink message header to which attribute is to be added + * @maxlen: maximum length of netlink message header + * @type: type of new attribute + * @data: content of new attribute + */ +-int nfnl_addattr8(struct nlmsghdr *n, int maxlen, int type, u_int8_t data) ++int nfnl_addattr8(struct nlmsghdr *n, int maxlen, int type, uint8_t data) + { + assert(n); + assert(maxlen > 0); +@@ -866,7 +866,7 @@ int nfnl_addattr8(struct nlmsghdr *n, int maxlen, int type, u_int8_t data) + } + + /** +- * nfnl_nfa_addattr16 - Add u_int16_t attribute to struct nfattr ++ * nfnl_nfa_addattr16 - Add uint16_t attribute to struct nfattr + * + * @nfa: struct nfattr + * @maxlen: maximal length of nfattr buffer +@@ -875,7 +875,7 @@ int nfnl_addattr8(struct nlmsghdr *n, int maxlen, int type, u_int8_t data) + * + */ + int nfnl_nfa_addattr16(struct nfattr *nfa, int maxlen, int type, +- u_int16_t data) ++ uint16_t data) + { + assert(nfa); + assert(maxlen > 0); +@@ -885,7 +885,7 @@ int nfnl_nfa_addattr16(struct nfattr *nfa, int maxlen, int type, + } + + /** +- * nfnl_addattr16 - Add u_int16_t attribute to nlmsghdr ++ * nfnl_addattr16 - Add uint16_t attribute to nlmsghdr + * + * @n: netlink message header to which attribute is to be added + * @maxlen: maximum length of netlink message header +@@ -894,7 +894,7 @@ int nfnl_nfa_addattr16(struct nfattr *nfa, int maxlen, int type, + * + */ + int nfnl_addattr16(struct nlmsghdr *n, int maxlen, int type, +- u_int16_t data) ++ uint16_t data) + { + assert(n); + assert(maxlen > 0); +@@ -904,7 +904,7 @@ int nfnl_addattr16(struct nlmsghdr *n, int maxlen, int type, + } + + /** +- * nfnl_nfa_addattr32 - Add u_int32_t attribute to struct nfattr ++ * nfnl_nfa_addattr32 - Add uint32_t attribute to struct nfattr + * + * @nfa: struct nfattr + * @maxlen: maximal length of nfattr buffer +@@ -913,7 +913,7 @@ int nfnl_addattr16(struct nlmsghdr *n, int maxlen, int type, + * + */ + int nfnl_nfa_addattr32(struct nfattr *nfa, int maxlen, int type, +- u_int32_t data) ++ uint32_t data) + { + assert(nfa); + assert(maxlen > 0); +@@ -923,7 +923,7 @@ int nfnl_nfa_addattr32(struct nfattr *nfa, int maxlen, int type, + } + + /** +- * nfnl_addattr32 - Add u_int32_t attribute to nlmsghdr ++ * nfnl_addattr32 - Add uint32_t attribute to nlmsghdr + * + * @n: netlink message header to which attribute is to be added + * @maxlen: maximum length of netlink message header +@@ -932,7 +932,7 @@ int nfnl_nfa_addattr32(struct nfattr *nfa, int maxlen, int type, + * + */ + int nfnl_addattr32(struct nlmsghdr *n, int maxlen, int type, +- u_int32_t data) ++ uint32_t data) + { + assert(n); + assert(maxlen > 0); +@@ -980,7 +980,7 @@ int nfnl_parse_attr(struct nfattr *tb[], int max, struct nfattr *nfa, int len) + * + */ + void nfnl_build_nfa_iovec(struct iovec *iov, struct nfattr *nfa, +- u_int16_t type, u_int32_t len, unsigned char *val) ++ uint16_t type, uint32_t len, unsigned char *val) + { + assert(iov); + assert(nfa); +@@ -1115,7 +1115,7 @@ struct nlmsghdr *nfnl_get_msg_next(struct nfnl_handle *h, + * appropiately. + */ + int nfnl_callback_register(struct nfnl_subsys_handle *ssh, +- u_int8_t type, struct nfnl_callback *cb) ++ uint8_t type, struct nfnl_callback *cb) + { + assert(ssh); + assert(cb); +@@ -1138,7 +1138,7 @@ int nfnl_callback_register(struct nfnl_subsys_handle *ssh, + * On sucess, 0 is returned. On error, -1 is returned and errno is + * set appropiately. + */ +-int nfnl_callback_unregister(struct nfnl_subsys_handle *ssh, u_int8_t type) ++int nfnl_callback_unregister(struct nfnl_subsys_handle *ssh, uint8_t type) + { + assert(ssh); + +@@ -1161,8 +1161,8 @@ int nfnl_check_attributes(const struct nfnl_handle *h, + assert(nfa); + + int min_len; +- u_int8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); +- u_int8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); ++ uint8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); ++ uint8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); + const struct nfnl_subsys_handle *ssh; + struct nfnl_callback *cb; + +@@ -1212,8 +1212,8 @@ static int __nfnl_handle_msg(struct nfnl_handle *h, struct nlmsghdr *nlh, + int len) + { + struct nfnl_subsys_handle *ssh; +- u_int8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); +- u_int8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); ++ uint8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); ++ uint8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); + int err = 0; + + if (subsys_id > NFNL_MAX_SUBSYS) +@@ -1243,7 +1243,7 @@ int nfnl_handle_packet(struct nfnl_handle *h, char *buf, int len) + { + + while (len >= NLMSG_SPACE(0)) { +- u_int32_t rlen; ++ uint32_t rlen; + struct nlmsghdr *nlh = (struct nlmsghdr *)buf; + + if (nlh->nlmsg_len < sizeof(struct nlmsghdr) +@@ -1285,8 +1285,8 @@ static int nfnl_is_error(struct nfnl_handle *h, struct nlmsghdr *nlh) + static int nfnl_step(struct nfnl_handle *h, struct nlmsghdr *nlh) + { + struct nfnl_subsys_handle *ssh; +- u_int8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); +- u_int8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); ++ uint8_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); ++ uint8_t subsys_id = NFNL_SUBSYS_ID(nlh->nlmsg_type); + + /* Is this an error message? */ + if (nfnl_is_error(h, nlh)) { +diff --git a/src/rtnl.c b/src/rtnl.c +index 7b4ac7d..284eecd 100644 +--- a/src/rtnl.c ++++ b/src/rtnl.c +@@ -30,7 +30,7 @@ + #define rtnl_log(x, ...) + + static inline struct rtnl_handler * +-find_handler(struct rtnl_handle *rtnl_handle, u_int16_t type) ++find_handler(struct rtnl_handle *rtnl_handle, uint16_t type) + { + struct rtnl_handler *h; + for (h = rtnl_handle->handlers; h; h = h->next) { +@@ -41,7 +41,7 @@ find_handler(struct rtnl_handle *rtnl_handle, u_int16_t type) + } + + static int call_handler(struct rtnl_handle *rtnl_handle, +- u_int16_t type, ++ uint16_t type, + struct nlmsghdr *hdr) + { + struct rtnl_handler *h = find_handler(rtnl_handle, type); +diff --git a/src/rtnl.h b/src/rtnl.h +index 0c403dc..2cb22a8 100644 +--- a/src/rtnl.h ++++ b/src/rtnl.h +@@ -7,7 +7,7 @@ + struct rtnl_handler { + struct rtnl_handler *next; + +- u_int16_t nlmsg_type; ++ uint16_t nlmsg_type; + int (*handlefn)(struct nlmsghdr *h, void *arg); + void *arg; + }; +-- +2.12.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb new file mode 100644 index 000000000..f7951ff8d --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb @@ -0,0 +1,25 @@ +SUMMARY = "Low-level library for netfilter related kernel/userspace communication" +DESCRIPTION = "libnfnetlink is the low-level library for netfilter related \ +kernel/userspace communication. It provides a generic messaging \ +infrastructure for in-kernel netfilter subsystems (such as nfnetlink_log, \ +nfnetlink_queue, nfnetlink_conntrack) and their respective users and/or \ +management tools in userspace." +HOMEPAGE = "http://www.netfilter.org/projects/libnfnetlink/index.html" +SECTION = "libs" +LICENSE = "GPLv2+" + + +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" + +SRC_URI = "http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-${PV}.tar.bz2;name=tar \ + file://0001-build-resolve-automake-1.12-warnings.patch \ + file://0002-src-get-source-code-license-header-in-sync-with-curr.patch \ + file://0003-configure-uclinux-is-also-linux.patch \ + file://0004-libnfnetlink-initialize-attribute-padding-to-resolve.patch \ + file://0005-include-Sync-with-kernel-headers.patch \ + file://0006-src-Use-stdint-types-everywhere.patch \ + " +SRC_URI[tar.md5sum] = "98927583d2016a9fb1936fed992e2c5e" +SRC_URI[tar.sha256sum] = "f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-Declare-the-define-visivility-attribute-together.patch b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-Declare-the-define-visivility-attribute-together.patch new file mode 100644 index 000000000..e82b23813 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-Declare-the-define-visivility-attribute-together.patch @@ -0,0 +1,2949 @@ +From bd01f785da5222d0662be3182fe2650e1c12f43e Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 10 Apr 2017 14:07:07 -0700 +Subject: [PATCH] Declare the define visivility attribute together + +clang ignores the visibility attribute if its not +defined before the definition. As a result these +symbols become hidden and consumers of this library +fail to link due to these missing symbols + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + doxygen.cfg.in | 2 +- + include/utils.h | 5 +-- + src/batch.c | 21 ++++------- + src/chain.c | 102 +++++++++++++++++--------------------------------- + src/common.c | 21 ++++------- + src/expr.c | 51 +++++++++---------------- + src/gen.c | 39 +++++++------------ + src/object.c | 99 ++++++++++++++++-------------------------------- + src/rule.c | 114 +++++++++++++++++++------------------------------------- + src/ruleset.c | 48 ++++++++---------------- + src/set.c | 96 ++++++++++++++++------------------------------- + src/set_elem.c | 72 ++++++++++++----------------------- + src/table.c | 90 +++++++++++++++----------------------------- + src/trace.c | 27 +++++--------- + src/udata.c | 48 ++++++++---------------- + 15 files changed, 279 insertions(+), 556 deletions(-) + +diff --git a/doxygen.cfg.in b/doxygen.cfg.in +index 23fcad4..e49f28d 100644 +--- a/doxygen.cfg.in ++++ b/doxygen.cfg.in +@@ -72,7 +72,7 @@ RECURSIVE = YES + EXCLUDE = + EXCLUDE_SYMLINKS = NO + EXCLUDE_PATTERNS = */.git/* .*.d +-EXCLUDE_SYMBOLS = EXPORT_SYMBOL ++EXCLUDE_SYMBOLS = + EXAMPLE_PATH = + EXAMPLE_PATTERNS = + EXAMPLE_RECURSIVE = NO +diff --git a/include/utils.h b/include/utils.h +index 2f5cf34..ff8207e 100644 +--- a/include/utils.h ++++ b/include/utils.h +@@ -9,10 +9,9 @@ + + #include "config.h" + #ifdef HAVE_VISIBILITY_HIDDEN +-# define __visible __attribute__((visibility("default"))) +-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible; ++# define __EXPORTED __attribute__((visibility("default"))) + #else +-# define EXPORT_SYMBOL ++# define __EXPORT + #endif + + #define __noreturn __attribute__((__noreturn__)) +diff --git a/src/batch.c b/src/batch.c +index 5ee3fd7..3bedd26 100644 +--- a/src/batch.c ++++ b/src/batch.c +@@ -57,7 +57,7 @@ static void nftnl_batch_add_page(struct nftnl_batch_page *page, + list_add_tail(&page->head, &batch->page_list); + } + +-struct nftnl_batch *nftnl_batch_alloc(uint32_t pg_size, uint32_t pg_overrun_size) ++struct nftnl_batch __EXPORTED *nftnl_batch_alloc(uint32_t pg_size, uint32_t pg_overrun_size) + { + struct nftnl_batch *batch; + struct nftnl_batch_page *page; +@@ -80,9 +80,8 @@ err1: + free(batch); + return NULL; + } +-EXPORT_SYMBOL(nftnl_batch_alloc); + +-void nftnl_batch_free(struct nftnl_batch *batch) ++void __EXPORTED nftnl_batch_free(struct nftnl_batch *batch) + { + struct nftnl_batch_page *page, *next; + +@@ -94,9 +93,8 @@ void nftnl_batch_free(struct nftnl_batch *batch) + + free(batch); + } +-EXPORT_SYMBOL(nftnl_batch_free); + +-int nftnl_batch_update(struct nftnl_batch *batch) ++int __EXPORTED nftnl_batch_update(struct nftnl_batch *batch) + { + struct nftnl_batch_page *page; + struct nlmsghdr *last_nlh; +@@ -119,21 +117,18 @@ int nftnl_batch_update(struct nftnl_batch *batch) + err1: + return -1; + } +-EXPORT_SYMBOL(nftnl_batch_update); + +-void *nftnl_batch_buffer(struct nftnl_batch *batch) ++void __EXPORTED *nftnl_batch_buffer(struct nftnl_batch *batch) + { + return mnl_nlmsg_batch_current(batch->current_page->batch); + } +-EXPORT_SYMBOL(nftnl_batch_buffer); + +-uint32_t nftnl_batch_buffer_len(struct nftnl_batch *batch) ++uint32_t __EXPORTED nftnl_batch_buffer_len(struct nftnl_batch *batch) + { + return mnl_nlmsg_batch_size(batch->current_page->batch); + } +-EXPORT_SYMBOL(nftnl_batch_buffer_len); + +-int nftnl_batch_iovec_len(struct nftnl_batch *batch) ++int __EXPORTED nftnl_batch_iovec_len(struct nftnl_batch *batch) + { + int num_pages = batch->num_pages; + +@@ -143,9 +138,8 @@ int nftnl_batch_iovec_len(struct nftnl_batch *batch) + + return num_pages; + } +-EXPORT_SYMBOL(nftnl_batch_iovec_len); + +-void nftnl_batch_iovec(struct nftnl_batch *batch, struct iovec *iov, ++void __EXPORTED nftnl_batch_iovec(struct nftnl_batch *batch, struct iovec *iov, + uint32_t iovlen) + { + struct nftnl_batch_page *page; +@@ -160,4 +154,3 @@ void nftnl_batch_iovec(struct nftnl_batch *batch, struct iovec *iov, + i++; + } + } +-EXPORT_SYMBOL(nftnl_batch_iovec); +diff --git a/src/chain.c b/src/chain.c +index 29860c5..362fa0d 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -87,13 +87,12 @@ static const char *nftnl_hooknum2str(int family, int hooknum) + return "unknown"; + } + +-struct nftnl_chain *nftnl_chain_alloc(void) ++struct nftnl_chain __EXPORTED *nftnl_chain_alloc(void) + { + return calloc(1, sizeof(struct nftnl_chain)); + } +-EXPORT_SYMBOL(nftnl_chain_alloc); + +-void nftnl_chain_free(const struct nftnl_chain *c) ++void __EXPORTED nftnl_chain_free(const struct nftnl_chain *c) + { + if (c->flags & (1 << NFTNL_CHAIN_NAME)) + xfree(c->name); +@@ -105,15 +104,13 @@ void nftnl_chain_free(const struct nftnl_chain *c) + xfree(c->dev); + xfree(c); + } +-EXPORT_SYMBOL(nftnl_chain_free); + +-bool nftnl_chain_is_set(const struct nftnl_chain *c, uint16_t attr) ++bool __EXPORTED nftnl_chain_is_set(const struct nftnl_chain *c, uint16_t attr) + { + return c->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_chain_is_set); + +-void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr) ++void __EXPORTED nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr) + { + if (!(c->flags & (1 << attr))) + return; +@@ -147,7 +144,6 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr) + + c->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_chain_unset); + + static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = { + [NFTNL_CHAIN_HOOKNUM] = sizeof(uint32_t), +@@ -159,7 +155,7 @@ static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = { + [NFTNL_CHAIN_FAMILY] = sizeof(uint32_t), + }; + +-int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, ++int __EXPORTED nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, + const void *data, uint32_t data_len) + { + nftnl_assert_attr_exists(attr, NFTNL_CHAIN_MAX); +@@ -226,45 +222,38 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, + c->flags |= (1 << attr); + return 0; + } +-EXPORT_SYMBOL(nftnl_chain_set_data); + +-void nftnl_chain_set(struct nftnl_chain *c, uint16_t attr, const void *data) ++void __EXPORTED nftnl_chain_set(struct nftnl_chain *c, uint16_t attr, const void *data) + { + nftnl_chain_set_data(c, attr, data, nftnl_chain_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_chain_set); + +-void nftnl_chain_set_u32(struct nftnl_chain *c, uint16_t attr, uint32_t data) ++void __EXPORTED nftnl_chain_set_u32(struct nftnl_chain *c, uint16_t attr, uint32_t data) + { + nftnl_chain_set_data(c, attr, &data, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_chain_set_u32); + +-void nftnl_chain_set_s32(struct nftnl_chain *c, uint16_t attr, int32_t data) ++void __EXPORTED nftnl_chain_set_s32(struct nftnl_chain *c, uint16_t attr, int32_t data) + { + nftnl_chain_set_data(c, attr, &data, sizeof(int32_t)); + } +-EXPORT_SYMBOL(nftnl_chain_set_s32); + +-void nftnl_chain_set_u64(struct nftnl_chain *c, uint16_t attr, uint64_t data) ++void __EXPORTED nftnl_chain_set_u64(struct nftnl_chain *c, uint16_t attr, uint64_t data) + { + nftnl_chain_set_data(c, attr, &data, sizeof(uint64_t)); + } +-EXPORT_SYMBOL(nftnl_chain_set_u64); + +-void nftnl_chain_set_u8(struct nftnl_chain *c, uint16_t attr, uint8_t data) ++void __EXPORTED nftnl_chain_set_u8(struct nftnl_chain *c, uint16_t attr, uint8_t data) + { + nftnl_chain_set_data(c, attr, &data, sizeof(uint8_t)); + } +-EXPORT_SYMBOL(nftnl_chain_set_u8); + +-int nftnl_chain_set_str(struct nftnl_chain *c, uint16_t attr, const char *str) ++int __EXPORTED nftnl_chain_set_str(struct nftnl_chain *c, uint16_t attr, const char *str) + { + return nftnl_chain_set_data(c, attr, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_chain_set_str); + +-const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, ++const void __EXPORTED *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, + uint32_t *data_len) + { + if (!(c->flags & (1 << attr))) +@@ -310,22 +299,19 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_chain_get_data); + +-const void *nftnl_chain_get(const struct nftnl_chain *c, uint16_t attr) ++const void __EXPORTED *nftnl_chain_get(const struct nftnl_chain *c, uint16_t attr) + { + uint32_t data_len; + return nftnl_chain_get_data(c, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_chain_get); + +-const char *nftnl_chain_get_str(const struct nftnl_chain *c, uint16_t attr) ++const char __EXPORTED *nftnl_chain_get_str(const struct nftnl_chain *c, uint16_t attr) + { + return nftnl_chain_get(c, attr); + } +-EXPORT_SYMBOL(nftnl_chain_get_str); + +-uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr) ++uint32_t __EXPORTED nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr) + { + uint32_t data_len; + const uint32_t *val = nftnl_chain_get_data(c, attr, &data_len); +@@ -334,9 +320,8 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_chain_get_u32); + +-int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr) ++int32_t __EXPORTED nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr) + { + uint32_t data_len; + const int32_t *val = nftnl_chain_get_data(c, attr, &data_len); +@@ -345,9 +330,8 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_chain_get_s32); + +-uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr) ++uint64_t __EXPORTED nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr) + { + uint32_t data_len; + const uint64_t *val = nftnl_chain_get_data(c, attr, &data_len); +@@ -356,9 +340,8 @@ uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_chain_get_u64); + +-uint8_t nftnl_chain_get_u8(const struct nftnl_chain *c, uint16_t attr) ++uint8_t __EXPORTED nftnl_chain_get_u8(const struct nftnl_chain *c, uint16_t attr) + { + uint32_t data_len; + const uint8_t *val = nftnl_chain_get_data(c, attr, &data_len); +@@ -367,9 +350,8 @@ uint8_t nftnl_chain_get_u8(const struct nftnl_chain *c, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_chain_get_u8); + +-void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *c) ++void __EXPORTED nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *c) + { + if (c->flags & (1 << NFTNL_CHAIN_TABLE)) + mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, c->table); +@@ -404,7 +386,6 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch + if (c->flags & (1 << NFTNL_CHAIN_TYPE)) + mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type); + } +-EXPORT_SYMBOL(nftnl_chain_nlmsg_build_payload); + + static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -529,7 +510,7 @@ static int nftnl_chain_parse_hook(struct nlattr *attr, struct nftnl_chain *c) + return 0; + } + +-int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c) ++int __EXPORTED nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c) + { + struct nlattr *tb[NFTA_CHAIN_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -590,7 +571,6 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c) + + return ret; + } +-EXPORT_SYMBOL(nftnl_chain_nlmsg_parse); + + static inline int nftnl_str2hooknum(int family, const char *hook) + { +@@ -732,19 +712,17 @@ static int nftnl_chain_do_parse(struct nftnl_chain *c, enum nftnl_parse_type typ + return ret; + } + +-int nftnl_chain_parse(struct nftnl_chain *c, enum nftnl_parse_type type, ++int __EXPORTED nftnl_chain_parse(struct nftnl_chain *c, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_chain_do_parse(c, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_chain_parse); + +-int nftnl_chain_parse_file(struct nftnl_chain *c, enum nftnl_parse_type type, ++int __EXPORTED nftnl_chain_parse_file(struct nftnl_chain *c, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_chain_do_parse(c, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_chain_parse_file); + + static int nftnl_chain_export(char *buf, size_t size, + const struct nftnl_chain *c, int type) +@@ -841,13 +819,12 @@ static int nftnl_chain_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_chain_snprintf(char *buf, size_t size, const struct nftnl_chain *c, ++int __EXPORTED nftnl_chain_snprintf(char *buf, size_t size, const struct nftnl_chain *c, + uint32_t type, uint32_t flags) + { + return nftnl_chain_cmd_snprintf(buf, size, c, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_chain_snprintf); + + static int nftnl_chain_do_snprintf(char *buf, size_t size, const void *c, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -855,19 +832,18 @@ static int nftnl_chain_do_snprintf(char *buf, size_t size, const void *c, + return nftnl_chain_snprintf(buf, size, c, type, flags); + } + +-int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ++int __EXPORTED nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, c, NFTNL_CMD_UNSPEC, type, flags, + nftnl_chain_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_chain_fprintf); + + struct nftnl_chain_list { + struct list_head list; + }; + +-struct nftnl_chain_list *nftnl_chain_list_alloc(void) ++struct nftnl_chain_list __EXPORTED *nftnl_chain_list_alloc(void) + { + struct nftnl_chain_list *list; + +@@ -879,9 +855,8 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void) + + return list; + } +-EXPORT_SYMBOL(nftnl_chain_list_alloc); + +-void nftnl_chain_list_free(struct nftnl_chain_list *list) ++void __EXPORTED nftnl_chain_list_free(struct nftnl_chain_list *list) + { + struct nftnl_chain *r, *tmp; + +@@ -891,33 +866,28 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list) + } + xfree(list); + } +-EXPORT_SYMBOL(nftnl_chain_list_free); + +-int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list) ++int __EXPORTED nftnl_chain_list_is_empty(const struct nftnl_chain_list *list) + { + return list_empty(&list->list); + } +-EXPORT_SYMBOL(nftnl_chain_list_is_empty); + +-void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list) ++void __EXPORTED nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list) + { + list_add(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_chain_list_add); + +-void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list) ++void __EXPORTED nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list) + { + list_add_tail(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_chain_list_add_tail); + +-void nftnl_chain_list_del(struct nftnl_chain *r) ++void __EXPORTED nftnl_chain_list_del(struct nftnl_chain *r) + { + list_del(&r->head); + } +-EXPORT_SYMBOL(nftnl_chain_list_del); + +-int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, ++int __EXPORTED nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, + int (*cb)(struct nftnl_chain *r, void *data), + void *data) + { +@@ -931,14 +901,13 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_chain_list_foreach); + + struct nftnl_chain_list_iter { + const struct nftnl_chain_list *list; + struct nftnl_chain *cur; + }; + +-struct nftnl_chain_list_iter * ++struct nftnl_chain_list_iter __EXPORTED * + nftnl_chain_list_iter_create(const struct nftnl_chain_list *l) + { + struct nftnl_chain_list_iter *iter; +@@ -955,9 +924,8 @@ nftnl_chain_list_iter_create(const struct nftnl_chain_list *l) + + return iter; + } +-EXPORT_SYMBOL(nftnl_chain_list_iter_create); + +-struct nftnl_chain *nftnl_chain_list_iter_next(struct nftnl_chain_list_iter *iter) ++struct nftnl_chain __EXPORTED *nftnl_chain_list_iter_next(struct nftnl_chain_list_iter *iter) + { + struct nftnl_chain *r = iter->cur; + +@@ -971,10 +939,8 @@ struct nftnl_chain *nftnl_chain_list_iter_next(struct nftnl_chain_list_iter *ite + + return r; + } +-EXPORT_SYMBOL(nftnl_chain_list_iter_next); + +-void nftnl_chain_list_iter_destroy(struct nftnl_chain_list_iter *iter) ++void __EXPORTED nftnl_chain_list_iter_destroy(struct nftnl_chain_list_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_chain_list_iter_destroy); +diff --git a/src/common.c b/src/common.c +index a95883c..68bce2e 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -43,15 +43,14 @@ static struct nlmsghdr *__nftnl_nlmsg_build_hdr(char *buf, uint16_t type, + return nlh; + } + +-struct nlmsghdr *nftnl_nlmsg_build_hdr(char *buf, uint16_t type, uint16_t family, ++struct nlmsghdr __EXPORTED *nftnl_nlmsg_build_hdr(char *buf, uint16_t type, uint16_t family, + uint16_t flags, uint32_t seq) + { + return __nftnl_nlmsg_build_hdr(buf, (NFNL_SUBSYS_NFTABLES << 8) | type, + family, flags, seq, 0); + } +-EXPORT_SYMBOL(nftnl_nlmsg_build_hdr); + +-struct nftnl_parse_err *nftnl_parse_err_alloc(void) ++struct nftnl_parse_err __EXPORTED *nftnl_parse_err_alloc(void) + { + struct nftnl_parse_err *err; + +@@ -63,15 +62,13 @@ struct nftnl_parse_err *nftnl_parse_err_alloc(void) + + return err; + } +-EXPORT_SYMBOL(nftnl_parse_err_alloc); + +-void nftnl_parse_err_free(struct nftnl_parse_err *err) ++void __EXPORTED nftnl_parse_err_free(struct nftnl_parse_err *err) + { + xfree(err); + } +-EXPORT_SYMBOL(nftnl_parse_err_free); + +-int nftnl_parse_perror(const char *msg, struct nftnl_parse_err *err) ++int __EXPORTED nftnl_parse_perror(const char *msg, struct nftnl_parse_err *err) + { + switch (err->error) { + case NFTNL_PARSE_EBADINPUT: +@@ -89,7 +86,6 @@ int nftnl_parse_perror(const char *msg, struct nftnl_parse_err *err) + return fprintf(stderr, "%s: Undefined error\n", msg); + } + } +-EXPORT_SYMBOL(nftnl_parse_perror); + + int nftnl_cmd_header_snprintf(char *buf, size_t size, uint32_t cmd, uint32_t type, + uint32_t flags) +@@ -165,21 +161,19 @@ int nftnl_cmd_footer_fprintf(FILE *fp, uint32_t cmd, uint32_t type, + nftnl_cmd_footer_fprintf_cb); + } + +-struct nlmsghdr *nftnl_batch_begin(char *buf, uint32_t seq) ++struct nlmsghdr __EXPORTED *nftnl_batch_begin(char *buf, uint32_t seq) + { + return __nftnl_nlmsg_build_hdr(buf, NFNL_MSG_BATCH_BEGIN, AF_UNSPEC, + 0, seq, NFNL_SUBSYS_NFTABLES); + } +-EXPORT_SYMBOL(nftnl_batch_begin); + +-struct nlmsghdr *nftnl_batch_end(char *buf, uint32_t seq) ++struct nlmsghdr __EXPORTED *nftnl_batch_end(char *buf, uint32_t seq) + { + return __nftnl_nlmsg_build_hdr(buf, NFNL_MSG_BATCH_END, AF_UNSPEC, + 0, seq, NFNL_SUBSYS_NFTABLES); + } +-EXPORT_SYMBOL(nftnl_batch_end); + +-int nftnl_batch_is_supported(void) ++int __EXPORTED nftnl_batch_is_supported(void) + { + struct mnl_socket *nl; + struct mnl_nlmsg_batch *b; +@@ -236,4 +230,3 @@ err: + mnl_nlmsg_batch_stop(b); + return -1; + } +-EXPORT_SYMBOL(nftnl_batch_is_supported); +diff --git a/src/expr.c b/src/expr.c +index 10ba2c4..c7eb2b4 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -24,7 +24,7 @@ + + #include <libnftnl/expr.h> + +-struct nftnl_expr *nftnl_expr_alloc(const char *name) ++struct nftnl_expr __EXPORTED *nftnl_expr_alloc(const char *name) + { + struct nftnl_expr *expr; + struct expr_ops *ops; +@@ -43,24 +43,21 @@ struct nftnl_expr *nftnl_expr_alloc(const char *name) + + return expr; + } +-EXPORT_SYMBOL(nftnl_expr_alloc); + +-void nftnl_expr_free(const struct nftnl_expr *expr) ++void __EXPORTED nftnl_expr_free(const struct nftnl_expr *expr) + { + if (expr->ops->free) + expr->ops->free(expr); + + xfree(expr); + } +-EXPORT_SYMBOL(nftnl_expr_free); + +-bool nftnl_expr_is_set(const struct nftnl_expr *expr, uint16_t type) ++bool __EXPORTED nftnl_expr_is_set(const struct nftnl_expr *expr, uint16_t type) + { + return expr->flags & (1 << type); + } +-EXPORT_SYMBOL(nftnl_expr_is_set); + +-int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, ++int __EXPORTED nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, + const void *data, uint32_t data_len) + { + switch(type) { +@@ -73,43 +70,37 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, + expr->flags |= (1 << type); + return 0; + } +-EXPORT_SYMBOL(nftnl_expr_set); + +-void ++void __EXPORTED + nftnl_expr_set_u8(struct nftnl_expr *expr, uint16_t type, uint8_t data) + { + nftnl_expr_set(expr, type, &data, sizeof(uint8_t)); + } +-EXPORT_SYMBOL(nftnl_expr_set_u8); + +-void ++void __EXPORTED + nftnl_expr_set_u16(struct nftnl_expr *expr, uint16_t type, uint16_t data) + { + nftnl_expr_set(expr, type, &data, sizeof(uint16_t)); + } +-EXPORT_SYMBOL(nftnl_expr_set_u16); + +-void ++void __EXPORTED + nftnl_expr_set_u32(struct nftnl_expr *expr, uint16_t type, uint32_t data) + { + nftnl_expr_set(expr, type, &data, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_expr_set_u32); + +-void ++void __EXPORTED + nftnl_expr_set_u64(struct nftnl_expr *expr, uint16_t type, uint64_t data) + { + nftnl_expr_set(expr, type, &data, sizeof(uint64_t)); + } +-EXPORT_SYMBOL(nftnl_expr_set_u64); + +-int nftnl_expr_set_str(struct nftnl_expr *expr, uint16_t type, const char *str) ++int __EXPORTED nftnl_expr_set_str(struct nftnl_expr *expr, uint16_t type, const char *str) + { + return nftnl_expr_set(expr, type, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_expr_set_str); + +-const void *nftnl_expr_get(const struct nftnl_expr *expr, ++const void __EXPORTED *nftnl_expr_get(const struct nftnl_expr *expr, + uint16_t type, uint32_t *data_len) + { + const void *ret; +@@ -129,9 +120,8 @@ const void *nftnl_expr_get(const struct nftnl_expr *expr, + + return ret; + } +-EXPORT_SYMBOL(nftnl_expr_get); + +-uint8_t nftnl_expr_get_u8(const struct nftnl_expr *expr, uint16_t type) ++uint8_t __EXPORTED nftnl_expr_get_u8(const struct nftnl_expr *expr, uint16_t type) + { + const void *data; + uint32_t data_len; +@@ -145,9 +135,8 @@ uint8_t nftnl_expr_get_u8(const struct nftnl_expr *expr, uint16_t type) + + return *((uint8_t *)data); + } +-EXPORT_SYMBOL(nftnl_expr_get_u8); + +-uint16_t nftnl_expr_get_u16(const struct nftnl_expr *expr, uint16_t type) ++uint16_t __EXPORTED nftnl_expr_get_u16(const struct nftnl_expr *expr, uint16_t type) + { + const void *data; + uint32_t data_len; +@@ -161,9 +150,8 @@ uint16_t nftnl_expr_get_u16(const struct nftnl_expr *expr, uint16_t type) + + return *((uint16_t *)data); + } +-EXPORT_SYMBOL(nftnl_expr_get_u16); + +-uint32_t nftnl_expr_get_u32(const struct nftnl_expr *expr, uint16_t type) ++uint32_t __EXPORTED nftnl_expr_get_u32(const struct nftnl_expr *expr, uint16_t type) + { + const void *data; + uint32_t data_len; +@@ -177,9 +165,8 @@ uint32_t nftnl_expr_get_u32(const struct nftnl_expr *expr, uint16_t type) + + return *((uint32_t *)data); + } +-EXPORT_SYMBOL(nftnl_expr_get_u32); + +-uint64_t nftnl_expr_get_u64(const struct nftnl_expr *expr, uint16_t type) ++uint64_t __EXPORTED nftnl_expr_get_u64(const struct nftnl_expr *expr, uint16_t type) + { + const void *data; + uint32_t data_len; +@@ -193,17 +180,15 @@ uint64_t nftnl_expr_get_u64(const struct nftnl_expr *expr, uint16_t type) + + return *((uint64_t *)data); + } +-EXPORT_SYMBOL(nftnl_expr_get_u64); + +-const char *nftnl_expr_get_str(const struct nftnl_expr *expr, uint16_t type) ++const char __EXPORTED *nftnl_expr_get_str(const struct nftnl_expr *expr, uint16_t type) + { + uint32_t data_len; + + return (const char *)nftnl_expr_get(expr, type, &data_len); + } +-EXPORT_SYMBOL(nftnl_expr_get_str); + +-bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2) ++bool __EXPORTED nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2) + { + if (e1->flags != e2->flags || + strcmp(e1->ops->name, e2->ops->name) != 0) +@@ -211,7 +196,6 @@ bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2) + + return e1->ops->cmp(e1, e2); + } +-EXPORT_SYMBOL(nftnl_expr_cmp); + + void nftnl_expr_build_payload(struct nlmsghdr *nlh, struct nftnl_expr *expr) + { +@@ -275,7 +259,7 @@ err1: + return NULL; + } + +-int nftnl_expr_snprintf(char *buf, size_t size, const struct nftnl_expr *expr, ++int __EXPORTED nftnl_expr_snprintf(char *buf, size_t size, const struct nftnl_expr *expr, + uint32_t type, uint32_t flags) + { + int ret; +@@ -289,4 +273,3 @@ int nftnl_expr_snprintf(char *buf, size_t size, const struct nftnl_expr *expr, + + return offset; + } +-EXPORT_SYMBOL(nftnl_expr_snprintf); +diff --git a/src/gen.c b/src/gen.c +index 213562e..8b45caa 100644 +--- a/src/gen.c ++++ b/src/gen.c +@@ -29,25 +29,22 @@ struct nftnl_gen { + uint32_t flags; + }; + +-struct nftnl_gen *nftnl_gen_alloc(void) ++struct nftnl_gen __EXPORTED *nftnl_gen_alloc(void) + { + return calloc(1, sizeof(struct nftnl_gen)); + } +-EXPORT_SYMBOL(nftnl_gen_alloc); + +-void nftnl_gen_free(const struct nftnl_gen *gen) ++void __EXPORTED nftnl_gen_free(const struct nftnl_gen *gen) + { + xfree(gen); + } +-EXPORT_SYMBOL(nftnl_gen_free); + +-bool nftnl_gen_is_set(const struct nftnl_gen *gen, uint16_t attr) ++bool __EXPORTED nftnl_gen_is_set(const struct nftnl_gen *gen, uint16_t attr) + { + return gen->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_gen_is_set); + +-void nftnl_gen_unset(struct nftnl_gen *gen, uint16_t attr) ++void __EXPORTED nftnl_gen_unset(struct nftnl_gen *gen, uint16_t attr) + { + if (!(gen->flags & (1 << attr))) + return; +@@ -58,13 +55,12 @@ void nftnl_gen_unset(struct nftnl_gen *gen, uint16_t attr) + } + gen->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_gen_unset); + + static uint32_t nftnl_gen_validate[NFTNL_GEN_MAX + 1] = { + [NFTNL_GEN_ID] = sizeof(uint32_t), + }; + +-int nftnl_gen_set_data(struct nftnl_gen *gen, uint16_t attr, ++int __EXPORTED nftnl_gen_set_data(struct nftnl_gen *gen, uint16_t attr, + const void *data, uint32_t data_len) + { + nftnl_assert_attr_exists(attr, NFTNL_GEN_MAX); +@@ -78,21 +74,18 @@ int nftnl_gen_set_data(struct nftnl_gen *gen, uint16_t attr, + gen->flags |= (1 << attr); + return 0; + } +-EXPORT_SYMBOL(nftnl_gen_set_data); + +-int nftnl_gen_set(struct nftnl_gen *gen, uint16_t attr, const void *data) ++int __EXPORTED nftnl_gen_set(struct nftnl_gen *gen, uint16_t attr, const void *data) + { + return nftnl_gen_set_data(gen, attr, data, nftnl_gen_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_gen_set); + +-void nftnl_gen_set_u32(struct nftnl_gen *gen, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_gen_set_u32(struct nftnl_gen *gen, uint16_t attr, uint32_t val) + { + nftnl_gen_set_data(gen, attr, &val, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_gen_set_u32); + +-const void *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr, ++const void __EXPORTED *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr, + uint32_t *data_len) + { + if (!(gen->flags & (1 << attr))) +@@ -105,21 +98,18 @@ const void *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_gen_get_data); + +-const void *nftnl_gen_get(const struct nftnl_gen *gen, uint16_t attr) ++const void __EXPORTED *nftnl_gen_get(const struct nftnl_gen *gen, uint16_t attr) + { + uint32_t data_len; + return nftnl_gen_get_data(gen, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_gen_get); + +-uint32_t nftnl_gen_get_u32(const struct nftnl_gen *gen, uint16_t attr) ++uint32_t __EXPORTED nftnl_gen_get_u32(const struct nftnl_gen *gen, uint16_t attr) + { + const void *ret = nftnl_gen_get(gen, attr); + return ret == NULL ? 0 : *((uint32_t *)ret); + } +-EXPORT_SYMBOL(nftnl_gen_get_u32); + + static int nftnl_gen_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -140,7 +130,7 @@ static int nftnl_gen_parse_attr_cb(const struct nlattr *attr, void *data) + return MNL_CB_OK; + } + +-int nftnl_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_gen *gen) ++int __EXPORTED nftnl_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_gen *gen) + { + struct nlattr *tb[NFTA_GEN_MAX + 1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -154,7 +144,6 @@ int nftnl_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_gen *gen) + } + return 0; + } +-EXPORT_SYMBOL(nftnl_gen_nlmsg_parse); + + static int nftnl_gen_snprintf_default(char *buf, size_t size, + const struct nftnl_gen *gen) +@@ -186,13 +175,12 @@ static int nftnl_gen_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_gen_snprintf(char *buf, size_t size, const struct nftnl_gen *gen, ++int __EXPORTED nftnl_gen_snprintf(char *buf, size_t size, const struct nftnl_gen *gen, + uint32_t type, uint32_t flags) + {; + return nftnl_gen_cmd_snprintf(buf, size, gen, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_gen_snprintf); + + static int nftnl_gen_do_snprintf(char *buf, size_t size, const void *gen, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -200,10 +188,9 @@ static int nftnl_gen_do_snprintf(char *buf, size_t size, const void *gen, + return nftnl_gen_snprintf(buf, size, gen, type, flags); + } + +-int nftnl_gen_fprintf(FILE *fp, const struct nftnl_gen *gen, uint32_t type, ++int __EXPORTED nftnl_gen_fprintf(FILE *fp, const struct nftnl_gen *gen, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, gen, NFTNL_CMD_UNSPEC, type, flags, + nftnl_gen_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_gen_fprintf); +diff --git a/src/object.c b/src/object.c +index e1a5ac4..d409c6d 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -39,13 +39,12 @@ static struct obj_ops *nftnl_obj_ops_lookup(uint32_t type) + return obj_ops[type]; + } + +-struct nftnl_obj *nftnl_obj_alloc(void) ++struct nftnl_obj __EXPORTED *nftnl_obj_alloc(void) + { + return calloc(1, sizeof(struct nftnl_obj)); + } +-EXPORT_SYMBOL(nftnl_obj_alloc); + +-void nftnl_obj_free(const struct nftnl_obj *obj) ++void __EXPORTED nftnl_obj_free(const struct nftnl_obj *obj) + { + if (obj->flags & (1 << NFTNL_OBJ_TABLE)) + xfree(obj->table); +@@ -54,20 +53,18 @@ void nftnl_obj_free(const struct nftnl_obj *obj) + + xfree(obj); + } +-EXPORT_SYMBOL(nftnl_obj_free); + +-bool nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr) ++bool __EXPORTED nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr) + { + return obj->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_obj_is_set); + + static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = { + [NFTNL_OBJ_FAMILY] = sizeof(uint32_t), + [NFTNL_OBJ_USE] = sizeof(uint32_t), + }; + +-void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, ++void __EXPORTED nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + const void *data, uint32_t data_len) + { + if (attr < NFTNL_OBJ_MAX) +@@ -100,45 +97,38 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + } + obj->flags |= (1 << attr); + } +-EXPORT_SYMBOL(nftnl_obj_set_data); + +-void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) ++void __EXPORTED nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) + { + nftnl_obj_set_data(obj, attr, data, nftnl_obj_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_obj_set); + +-void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val) ++void __EXPORTED nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val) + { + nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t)); + } +-EXPORT_SYMBOL(nftnl_obj_set_u8); + +-void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val) ++void __EXPORTED nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val) + { + nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t)); + } +-EXPORT_SYMBOL(nftnl_obj_set_u16); + +-void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val) + { + nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_obj_set_u32); + +-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val) ++void __EXPORTED nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val) + { + nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t)); + } +-EXPORT_SYMBOL(nftnl_obj_set_u64); + +-void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str) ++void __EXPORTED nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str) + { + nftnl_obj_set_data(obj, attr, str, 0); + } +-EXPORT_SYMBOL(nftnl_obj_set_str); + +-const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr, ++const void __EXPORTED *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr, + uint32_t *data_len) + { + if (!(obj->flags & (1 << attr))) +@@ -168,50 +158,43 @@ const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_obj_get_data); + +-const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr) ++const void __EXPORTED *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr) + { + uint32_t data_len; + return nftnl_obj_get_data(obj, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_obj_get); + +-uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr) ++uint8_t __EXPORTED nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint8_t *)ret); + } +-EXPORT_SYMBOL(nftnl_obj_get_u8); + +-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr) ++uint16_t __EXPORTED nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint16_t *)ret); + } +-EXPORT_SYMBOL(nftnl_obj_get_u16); + +-uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr) ++uint32_t __EXPORTED nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint32_t *)ret); + } +-EXPORT_SYMBOL(nftnl_obj_get_u32); + +-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr) ++uint64_t __EXPORTED nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint64_t *)ret); + } +-EXPORT_SYMBOL(nftnl_obj_get_u64); + +-const char *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr) ++const char __EXPORTED *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr) + { + return nftnl_obj_get(obj, attr); + } +-EXPORT_SYMBOL(nftnl_obj_get_str); + +-void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh, ++void __EXPORTED nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh, + const struct nftnl_obj *obj) + { + if (obj->flags & (1 << NFTNL_OBJ_TABLE)) +@@ -228,7 +211,6 @@ void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh, + mnl_attr_nest_end(nlh, nest); + } + } +-EXPORT_SYMBOL(nftnl_obj_nlmsg_build_payload); + + static int nftnl_obj_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -258,7 +240,7 @@ static int nftnl_obj_parse_attr_cb(const struct nlattr *attr, void *data) + return MNL_CB_OK; + } + +-int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj) ++int __EXPORTED nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj) + { + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); + struct nlattr *tb[NFTA_OBJ_MAX + 1] = {}; +@@ -299,7 +281,6 @@ int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj) + + return 0; + } +-EXPORT_SYMBOL(nftnl_obj_nlmsg_parse); + + #ifdef JSON_PARSING + static int nftnl_jansson_parse_obj(struct nftnl_obj *t, json_t *tree, +@@ -377,19 +358,17 @@ static int nftnl_obj_do_parse(struct nftnl_obj *obj, enum nftnl_parse_type type, + return ret; + } + +-int nftnl_obj_parse(struct nftnl_obj *obj, enum nftnl_parse_type type, ++int __EXPORTED nftnl_obj_parse(struct nftnl_obj *obj, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_obj_do_parse(obj, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_obj_parse); + +-int nftnl_obj_parse_file(struct nftnl_obj *obj, enum nftnl_parse_type type, ++int __EXPORTED nftnl_obj_parse_file(struct nftnl_obj *obj, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_obj_do_parse(obj, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_obj_parse_file); + + static int nftnl_obj_export(char *buf, size_t size, + const struct nftnl_obj *obj, +@@ -469,13 +448,12 @@ static int nftnl_obj_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_obj_snprintf(char *buf, size_t size, const struct nftnl_obj *obj, ++int __EXPORTED nftnl_obj_snprintf(char *buf, size_t size, const struct nftnl_obj *obj, + uint32_t type, uint32_t flags) + { + return nftnl_obj_cmd_snprintf(buf, size, obj, nftnl_flag2cmd(flags), + type, flags); + } +-EXPORT_SYMBOL(nftnl_obj_snprintf); + + static int nftnl_obj_do_snprintf(char *buf, size_t size, const void *obj, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -483,19 +461,18 @@ static int nftnl_obj_do_snprintf(char *buf, size_t size, const void *obj, + return nftnl_obj_snprintf(buf, size, obj, type, flags); + } + +-int nftnl_obj_fprintf(FILE *fp, const struct nftnl_obj *obj, uint32_t type, ++int __EXPORTED nftnl_obj_fprintf(FILE *fp, const struct nftnl_obj *obj, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, obj, NFTNL_CMD_UNSPEC, type, flags, + nftnl_obj_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_obj_fprintf); + + struct nftnl_obj_list { + struct list_head list; + }; + +-struct nftnl_obj_list *nftnl_obj_list_alloc(void) ++struct nftnl_obj_list __EXPORTED *nftnl_obj_list_alloc(void) + { + struct nftnl_obj_list *list; + +@@ -507,9 +484,8 @@ struct nftnl_obj_list *nftnl_obj_list_alloc(void) + + return list; + } +-EXPORT_SYMBOL(nftnl_obj_list_alloc); + +-void nftnl_obj_list_free(struct nftnl_obj_list *list) ++void __EXPORTED nftnl_obj_list_free(struct nftnl_obj_list *list) + { + struct nftnl_obj *r, *tmp; + +@@ -519,34 +495,29 @@ void nftnl_obj_list_free(struct nftnl_obj_list *list) + } + xfree(list); + } +-EXPORT_SYMBOL(nftnl_obj_list_free); + +-int nftnl_obj_list_is_empty(struct nftnl_obj_list *list) ++int __EXPORTED nftnl_obj_list_is_empty(struct nftnl_obj_list *list) + { + return list_empty(&list->list); + } +-EXPORT_SYMBOL(nftnl_obj_list_is_empty); + +-void nftnl_obj_list_add(struct nftnl_obj *r, struct nftnl_obj_list *list) ++void __EXPORTED nftnl_obj_list_add(struct nftnl_obj *r, struct nftnl_obj_list *list) + { + list_add(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_obj_list_add); + +-void nftnl_obj_list_add_tail(struct nftnl_obj *r, ++void __EXPORTED nftnl_obj_list_add_tail(struct nftnl_obj *r, + struct nftnl_obj_list *list) + { + list_add_tail(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_obj_list_add_tail); + +-void nftnl_obj_list_del(struct nftnl_obj *t) ++void __EXPORTED nftnl_obj_list_del(struct nftnl_obj *t) + { + list_del(&t->head); + } +-EXPORT_SYMBOL(nftnl_obj_list_del); + +-int nftnl_obj_list_foreach(struct nftnl_obj_list *table_list, ++int __EXPORTED nftnl_obj_list_foreach(struct nftnl_obj_list *table_list, + int (*cb)(struct nftnl_obj *t, void *data), + void *data) + { +@@ -560,14 +531,13 @@ int nftnl_obj_list_foreach(struct nftnl_obj_list *table_list, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_obj_list_foreach); + + struct nftnl_obj_list_iter { + struct nftnl_obj_list *list; + struct nftnl_obj *cur; + }; + +-struct nftnl_obj_list_iter * ++struct nftnl_obj_list_iter __EXPORTED * + nftnl_obj_list_iter_create(struct nftnl_obj_list *l) + { + struct nftnl_obj_list_iter *iter; +@@ -584,9 +554,8 @@ nftnl_obj_list_iter_create(struct nftnl_obj_list *l) + + return iter; + } +-EXPORT_SYMBOL(nftnl_obj_list_iter_create); + +-struct nftnl_obj *nftnl_obj_list_iter_next(struct nftnl_obj_list_iter *iter) ++struct nftnl_obj __EXPORTED *nftnl_obj_list_iter_next(struct nftnl_obj_list_iter *iter) + { + struct nftnl_obj *r = iter->cur; + +@@ -600,10 +569,8 @@ struct nftnl_obj *nftnl_obj_list_iter_next(struct nftnl_obj_list_iter *iter) + + return r; + } +-EXPORT_SYMBOL(nftnl_obj_list_iter_next); + +-void nftnl_obj_list_iter_destroy(struct nftnl_obj_list_iter *iter) ++void __EXPORTED nftnl_obj_list_iter_destroy(struct nftnl_obj_list_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_obj_list_iter_destroy); +diff --git a/src/rule.c b/src/rule.c +index 6c22141..ad8609f 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -52,7 +52,7 @@ struct nftnl_rule { + struct list_head expr_list; + }; + +-struct nftnl_rule *nftnl_rule_alloc(void) ++struct nftnl_rule __EXPORTED *nftnl_rule_alloc(void) + { + struct nftnl_rule *r; + +@@ -64,9 +64,8 @@ struct nftnl_rule *nftnl_rule_alloc(void) + + return r; + } +-EXPORT_SYMBOL(nftnl_rule_alloc); + +-void nftnl_rule_free(const struct nftnl_rule *r) ++void __EXPORTED nftnl_rule_free(const struct nftnl_rule *r) + { + struct nftnl_expr *e, *tmp; + +@@ -82,15 +81,13 @@ void nftnl_rule_free(const struct nftnl_rule *r) + + xfree(r); + } +-EXPORT_SYMBOL(nftnl_rule_free); + +-bool nftnl_rule_is_set(const struct nftnl_rule *r, uint16_t attr) ++bool __EXPORTED nftnl_rule_is_set(const struct nftnl_rule *r, uint16_t attr) + { + return r->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_rule_is_set); + +-void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr) ++void __EXPORTED nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr) + { + if (!(r->flags & (1 << attr))) + return; +@@ -116,7 +113,6 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr) + + r->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_rule_unset); + + static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = { + [NFTNL_RULE_HANDLE] = sizeof(uint64_t), +@@ -127,7 +123,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = { + [NFTNL_RULE_ID] = sizeof(uint32_t), + }; + +-int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, ++int __EXPORTED nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, + const void *data, uint32_t data_len) + { + nftnl_assert_attr_exists(attr, NFTNL_RULE_MAX); +@@ -183,33 +179,28 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, + r->flags |= (1 << attr); + return 0; + } +-EXPORT_SYMBOL(nftnl_rule_set_data); + +-int nftnl_rule_set(struct nftnl_rule *r, uint16_t attr, const void *data) ++int __EXPORTED nftnl_rule_set(struct nftnl_rule *r, uint16_t attr, const void *data) + { + return nftnl_rule_set_data(r, attr, data, nftnl_rule_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_rule_set); + +-void nftnl_rule_set_u32(struct nftnl_rule *r, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_rule_set_u32(struct nftnl_rule *r, uint16_t attr, uint32_t val) + { + nftnl_rule_set_data(r, attr, &val, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_rule_set_u32); + +-void nftnl_rule_set_u64(struct nftnl_rule *r, uint16_t attr, uint64_t val) ++void __EXPORTED nftnl_rule_set_u64(struct nftnl_rule *r, uint16_t attr, uint64_t val) + { + nftnl_rule_set_data(r, attr, &val, sizeof(uint64_t)); + } +-EXPORT_SYMBOL(nftnl_rule_set_u64); + +-int nftnl_rule_set_str(struct nftnl_rule *r, uint16_t attr, const char *str) ++int __EXPORTED nftnl_rule_set_str(struct nftnl_rule *r, uint16_t attr, const char *str) + { + return nftnl_rule_set_data(r, attr, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_rule_set_str); + +-const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr, ++const void __EXPORTED *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr, + uint32_t *data_len) + { + if (!(r->flags & (1 << attr))) +@@ -246,22 +237,19 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_rule_get_data); + +-const void *nftnl_rule_get(const struct nftnl_rule *r, uint16_t attr) ++const void __EXPORTED *nftnl_rule_get(const struct nftnl_rule *r, uint16_t attr) + { + uint32_t data_len; + return nftnl_rule_get_data(r, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_rule_get); + +-const char *nftnl_rule_get_str(const struct nftnl_rule *r, uint16_t attr) ++const char __EXPORTED *nftnl_rule_get_str(const struct nftnl_rule *r, uint16_t attr) + { + return nftnl_rule_get(r, attr); + } +-EXPORT_SYMBOL(nftnl_rule_get_str); + +-uint32_t nftnl_rule_get_u32(const struct nftnl_rule *r, uint16_t attr) ++uint32_t __EXPORTED nftnl_rule_get_u32(const struct nftnl_rule *r, uint16_t attr) + { + uint32_t data_len; + const uint32_t *val = nftnl_rule_get_data(r, attr, &data_len); +@@ -270,9 +258,8 @@ uint32_t nftnl_rule_get_u32(const struct nftnl_rule *r, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_rule_get_u32); + +-uint64_t nftnl_rule_get_u64(const struct nftnl_rule *r, uint16_t attr) ++uint64_t __EXPORTED nftnl_rule_get_u64(const struct nftnl_rule *r, uint16_t attr) + { + uint32_t data_len; + const uint64_t *val = nftnl_rule_get_data(r, attr, &data_len); +@@ -281,9 +268,8 @@ uint64_t nftnl_rule_get_u64(const struct nftnl_rule *r, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_rule_get_u64); + +-uint8_t nftnl_rule_get_u8(const struct nftnl_rule *r, uint16_t attr) ++uint8_t __EXPORTED nftnl_rule_get_u8(const struct nftnl_rule *r, uint16_t attr) + { + uint32_t data_len; + const uint8_t *val = nftnl_rule_get_data(r, attr, &data_len); +@@ -292,9 +278,8 @@ uint8_t nftnl_rule_get_u8(const struct nftnl_rule *r, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_rule_get_u8); + +-void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r) ++void __EXPORTED nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r) + { + struct nftnl_expr *expr; + struct nlattr *nest, *nest2; +@@ -335,13 +320,11 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r) + if (r->flags & (1 << NFTNL_RULE_ID)) + mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id)); + } +-EXPORT_SYMBOL(nftnl_rule_nlmsg_build_payload); + +-void nftnl_rule_add_expr(struct nftnl_rule *r, struct nftnl_expr *expr) ++void __EXPORTED nftnl_rule_add_expr(struct nftnl_rule *r, struct nftnl_expr *expr) + { + list_add_tail(&expr->head, &r->expr_list); + } +-EXPORT_SYMBOL(nftnl_rule_add_expr); + + static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -441,7 +424,7 @@ static int nftnl_rule_parse_compat(struct nlattr *nest, struct nftnl_rule *r) + return 0; + } + +-int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r) ++int __EXPORTED nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r) + { + struct nlattr *tb[NFTA_RULE_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -510,7 +493,6 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r) + + return 0; + } +-EXPORT_SYMBOL(nftnl_rule_nlmsg_parse); + + #ifdef JSON_PARSING + int nftnl_jansson_parse_rule(struct nftnl_rule *r, json_t *tree, +@@ -658,19 +640,17 @@ static int nftnl_rule_do_parse(struct nftnl_rule *r, enum nftnl_parse_type type, + + return ret; + } +-int nftnl_rule_parse(struct nftnl_rule *r, enum nftnl_parse_type type, ++int __EXPORTED nftnl_rule_parse(struct nftnl_rule *r, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_rule_do_parse(r, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_rule_parse); + +-int nftnl_rule_parse_file(struct nftnl_rule *r, enum nftnl_parse_type type, ++int __EXPORTED nftnl_rule_parse_file(struct nftnl_rule *r, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_rule_do_parse(r, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_rule_parse_file); + + static int nftnl_rule_export(char *buf, size_t size, + const struct nftnl_rule *r, +@@ -819,13 +799,12 @@ static int nftnl_rule_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_rule_snprintf(char *buf, size_t size, const struct nftnl_rule *r, ++int __EXPORTED nftnl_rule_snprintf(char *buf, size_t size, const struct nftnl_rule *r, + uint32_t type, uint32_t flags) + { + return nftnl_rule_cmd_snprintf(buf, size, r, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_rule_snprintf); + + static int nftnl_rule_do_snprintf(char *buf, size_t size, const void *r, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -833,15 +812,14 @@ static int nftnl_rule_do_snprintf(char *buf, size_t size, const void *r, + return nftnl_rule_snprintf(buf, size, r, type, flags); + } + +-int nftnl_rule_fprintf(FILE *fp, const struct nftnl_rule *r, uint32_t type, ++int __EXPORTED nftnl_rule_fprintf(FILE *fp, const struct nftnl_rule *r, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, r, NFTNL_CMD_UNSPEC, type, flags, + nftnl_rule_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_rule_fprintf); + +-int nftnl_expr_foreach(struct nftnl_rule *r, ++int __EXPORTED nftnl_expr_foreach(struct nftnl_rule *r, + int (*cb)(struct nftnl_expr *e, void *data), + void *data) + { +@@ -855,7 +833,6 @@ int nftnl_expr_foreach(struct nftnl_rule *r, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_expr_foreach); + + struct nftnl_expr_iter { + const struct nftnl_rule *r; +@@ -873,7 +850,7 @@ static void nftnl_expr_iter_init(const struct nftnl_rule *r, + head); + } + +-struct nftnl_expr_iter *nftnl_expr_iter_create(const struct nftnl_rule *r) ++struct nftnl_expr_iter __EXPORTED *nftnl_expr_iter_create(const struct nftnl_rule *r) + { + struct nftnl_expr_iter *iter; + +@@ -885,9 +862,8 @@ struct nftnl_expr_iter *nftnl_expr_iter_create(const struct nftnl_rule *r) + + return iter; + } +-EXPORT_SYMBOL(nftnl_expr_iter_create); + +-struct nftnl_expr *nftnl_expr_iter_next(struct nftnl_expr_iter *iter) ++struct nftnl_expr __EXPORTED *nftnl_expr_iter_next(struct nftnl_expr_iter *iter) + { + struct nftnl_expr *expr = iter->cur; + +@@ -901,15 +877,13 @@ struct nftnl_expr *nftnl_expr_iter_next(struct nftnl_expr_iter *iter) + + return expr; + } +-EXPORT_SYMBOL(nftnl_expr_iter_next); + +-void nftnl_expr_iter_destroy(struct nftnl_expr_iter *iter) ++void __EXPORTED nftnl_expr_iter_destroy(struct nftnl_expr_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_expr_iter_destroy); + +-bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) ++bool __EXPORTED nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) + { + struct nftnl_expr_iter it1, it2; + struct nftnl_expr *e1, *e2; +@@ -938,13 +912,12 @@ bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) + + return eq; + } +-EXPORT_SYMBOL(nftnl_rule_cmp); + + struct nftnl_rule_list { + struct list_head list; + }; + +-struct nftnl_rule_list *nftnl_rule_list_alloc(void) ++struct nftnl_rule_list __EXPORTED *nftnl_rule_list_alloc(void) + { + struct nftnl_rule_list *list; + +@@ -956,9 +929,8 @@ struct nftnl_rule_list *nftnl_rule_list_alloc(void) + + return list; + } +-EXPORT_SYMBOL(nftnl_rule_list_alloc); + +-void nftnl_rule_list_free(struct nftnl_rule_list *list) ++void __EXPORTED nftnl_rule_list_free(struct nftnl_rule_list *list) + { + struct nftnl_rule *r, *tmp; + +@@ -968,33 +940,28 @@ void nftnl_rule_list_free(struct nftnl_rule_list *list) + } + xfree(list); + } +-EXPORT_SYMBOL(nftnl_rule_list_free); + +-int nftnl_rule_list_is_empty(const struct nftnl_rule_list *list) ++int __EXPORTED nftnl_rule_list_is_empty(const struct nftnl_rule_list *list) + { + return list_empty(&list->list); + } +-EXPORT_SYMBOL(nftnl_rule_list_is_empty); + +-void nftnl_rule_list_add(struct nftnl_rule *r, struct nftnl_rule_list *list) ++void __EXPORTED nftnl_rule_list_add(struct nftnl_rule *r, struct nftnl_rule_list *list) + { + list_add(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_rule_list_add); + +-void nftnl_rule_list_add_tail(struct nftnl_rule *r, struct nftnl_rule_list *list) ++void __EXPORTED nftnl_rule_list_add_tail(struct nftnl_rule *r, struct nftnl_rule_list *list) + { + list_add_tail(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_rule_list_add_tail); + +-void nftnl_rule_list_del(struct nftnl_rule *r) ++void __EXPORTED nftnl_rule_list_del(struct nftnl_rule *r) + { + list_del(&r->head); + } +-EXPORT_SYMBOL(nftnl_rule_list_del); + +-int nftnl_rule_list_foreach(struct nftnl_rule_list *rule_list, ++int __EXPORTED nftnl_rule_list_foreach(struct nftnl_rule_list *rule_list, + int (*cb)(struct nftnl_rule *r, void *data), + void *data) + { +@@ -1008,14 +975,13 @@ int nftnl_rule_list_foreach(struct nftnl_rule_list *rule_list, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_rule_list_foreach); + + struct nftnl_rule_list_iter { + const struct nftnl_rule_list *list; + struct nftnl_rule *cur; + }; + +-struct nftnl_rule_list_iter * ++struct nftnl_rule_list_iter __EXPORTED * + nftnl_rule_list_iter_create(const struct nftnl_rule_list *l) + { + struct nftnl_rule_list_iter *iter; +@@ -1032,15 +998,13 @@ nftnl_rule_list_iter_create(const struct nftnl_rule_list *l) + + return iter; + } +-EXPORT_SYMBOL(nftnl_rule_list_iter_create); + +-struct nftnl_rule *nftnl_rule_list_iter_cur(struct nftnl_rule_list_iter *iter) ++struct nftnl_rule __EXPORTED *nftnl_rule_list_iter_cur(struct nftnl_rule_list_iter *iter) + { + return iter->cur; + } +-EXPORT_SYMBOL(nftnl_rule_list_iter_cur); + +-struct nftnl_rule *nftnl_rule_list_iter_next(struct nftnl_rule_list_iter *iter) ++struct nftnl_rule __EXPORTED *nftnl_rule_list_iter_next(struct nftnl_rule_list_iter *iter) + { + struct nftnl_rule *r = iter->cur; + +@@ -1054,10 +1018,8 @@ struct nftnl_rule *nftnl_rule_list_iter_next(struct nftnl_rule_list_iter *iter) + + return r; + } +-EXPORT_SYMBOL(nftnl_rule_list_iter_next); + +-void nftnl_rule_list_iter_destroy(const struct nftnl_rule_list_iter *iter) ++void __EXPORTED nftnl_rule_list_iter_destroy(const struct nftnl_rule_list_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_rule_list_iter_destroy); +diff --git a/src/ruleset.c b/src/ruleset.c +index 6ef2956..10d48f6 100644 +--- a/src/ruleset.c ++++ b/src/ruleset.c +@@ -55,13 +55,12 @@ struct nftnl_parse_ctx { + uint16_t flags; + }; + +-struct nftnl_ruleset *nftnl_ruleset_alloc(void) ++struct nftnl_ruleset __EXPORTED *nftnl_ruleset_alloc(void) + { + return calloc(1, sizeof(struct nftnl_ruleset)); + } +-EXPORT_SYMBOL(nftnl_ruleset_alloc); + +-void nftnl_ruleset_free(const struct nftnl_ruleset *r) ++void __EXPORTED nftnl_ruleset_free(const struct nftnl_ruleset *r) + { + if (r->flags & (1 << NFTNL_RULESET_TABLELIST)) + nftnl_table_list_free(r->table_list); +@@ -73,15 +72,13 @@ void nftnl_ruleset_free(const struct nftnl_ruleset *r) + nftnl_rule_list_free(r->rule_list); + xfree(r); + } +-EXPORT_SYMBOL(nftnl_ruleset_free); + +-bool nftnl_ruleset_is_set(const struct nftnl_ruleset *r, uint16_t attr) ++bool __EXPORTED nftnl_ruleset_is_set(const struct nftnl_ruleset *r, uint16_t attr) + { + return r->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_ruleset_is_set); + +-void nftnl_ruleset_unset(struct nftnl_ruleset *r, uint16_t attr) ++void __EXPORTED nftnl_ruleset_unset(struct nftnl_ruleset *r, uint16_t attr) + { + if (!(r->flags & (1 << attr))) + return; +@@ -102,9 +99,8 @@ void nftnl_ruleset_unset(struct nftnl_ruleset *r, uint16_t attr) + } + r->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_ruleset_unset); + +-void nftnl_ruleset_set(struct nftnl_ruleset *r, uint16_t attr, void *data) ++void __EXPORTED nftnl_ruleset_set(struct nftnl_ruleset *r, uint16_t attr, void *data) + { + switch (attr) { + case NFTNL_RULESET_TABLELIST: +@@ -128,9 +124,8 @@ void nftnl_ruleset_set(struct nftnl_ruleset *r, uint16_t attr, void *data) + } + r->flags |= (1 << attr); + } +-EXPORT_SYMBOL(nftnl_ruleset_set); + +-void *nftnl_ruleset_get(const struct nftnl_ruleset *r, uint16_t attr) ++void __EXPORTED *nftnl_ruleset_get(const struct nftnl_ruleset *r, uint16_t attr) + { + if (!(r->flags & (1 << attr))) + return NULL; +@@ -148,9 +143,8 @@ void *nftnl_ruleset_get(const struct nftnl_ruleset *r, uint16_t attr) + return NULL; + } + } +-EXPORT_SYMBOL(nftnl_ruleset_get); + +-void nftnl_ruleset_ctx_free(const struct nftnl_parse_ctx *ctx) ++void __EXPORTED nftnl_ruleset_ctx_free(const struct nftnl_parse_ctx *ctx) + { + switch (ctx->type) { + case NFTNL_RULESET_TABLE: +@@ -171,15 +165,13 @@ void nftnl_ruleset_ctx_free(const struct nftnl_parse_ctx *ctx) + break; + } + } +-EXPORT_SYMBOL(nftnl_ruleset_ctx_free); + +-bool nftnl_ruleset_ctx_is_set(const struct nftnl_parse_ctx *ctx, uint16_t attr) ++bool __EXPORTED nftnl_ruleset_ctx_is_set(const struct nftnl_parse_ctx *ctx, uint16_t attr) + { + return ctx->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_ruleset_ctx_is_set); + +-void *nftnl_ruleset_ctx_get(const struct nftnl_parse_ctx *ctx, uint16_t attr) ++void __EXPORTED *nftnl_ruleset_ctx_get(const struct nftnl_parse_ctx *ctx, uint16_t attr) + { + if (!(ctx->flags & (1 << attr))) + return NULL; +@@ -203,14 +195,12 @@ void *nftnl_ruleset_ctx_get(const struct nftnl_parse_ctx *ctx, uint16_t attr) + return NULL; + } + } +-EXPORT_SYMBOL(nftnl_ruleset_ctx_get); + +-uint32_t nftnl_ruleset_ctx_get_u32(const struct nftnl_parse_ctx *ctx, uint16_t attr) ++uint32_t __EXPORTED nftnl_ruleset_ctx_get_u32(const struct nftnl_parse_ctx *ctx, uint16_t attr) + { + const void *ret = nftnl_ruleset_ctx_get(ctx, attr); + return ret == NULL ? 0 : *((uint32_t *)ret); + } +-EXPORT_SYMBOL(nftnl_ruleset_ctx_get_u32); + + #if defined(JSON_PARSING) + static void nftnl_ruleset_ctx_set(struct nftnl_parse_ctx *ctx, uint16_t attr, +@@ -593,22 +583,20 @@ nftnl_ruleset_do_parse(enum nftnl_parse_type type, const void *data, + return ret; + } + +-int nftnl_ruleset_parse_file_cb(enum nftnl_parse_type type, FILE *fp, ++int __EXPORTED nftnl_ruleset_parse_file_cb(enum nftnl_parse_type type, FILE *fp, + struct nftnl_parse_err *err, void *data, + int (*cb)(const struct nftnl_parse_ctx *ctx)) + { + return nftnl_ruleset_do_parse(type, fp, err, NFTNL_PARSE_FILE, data, cb); + } +-EXPORT_SYMBOL(nftnl_ruleset_parse_file_cb); + +-int nftnl_ruleset_parse_buffer_cb(enum nftnl_parse_type type, const char *buffer, ++int __EXPORTED nftnl_ruleset_parse_buffer_cb(enum nftnl_parse_type type, const char *buffer, + struct nftnl_parse_err *err, void *data, + int (*cb)(const struct nftnl_parse_ctx *ctx)) + { + return nftnl_ruleset_do_parse(type, buffer, err, NFTNL_PARSE_BUFFER, data, + cb); + } +-EXPORT_SYMBOL(nftnl_ruleset_parse_buffer_cb); + + static int nftnl_ruleset_cb(const struct nftnl_parse_ctx *ctx) + { +@@ -671,19 +659,17 @@ static int nftnl_ruleset_cb(const struct nftnl_parse_ctx *ctx) + return 0; + } + +-int nftnl_ruleset_parse(struct nftnl_ruleset *r, enum nftnl_parse_type type, ++int __EXPORTED nftnl_ruleset_parse(struct nftnl_ruleset *r, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_ruleset_parse_buffer_cb(type, data, err, r, nftnl_ruleset_cb); + } +-EXPORT_SYMBOL(nftnl_ruleset_parse); + +-int nftnl_ruleset_parse_file(struct nftnl_ruleset *rs, enum nftnl_parse_type type, ++int __EXPORTED nftnl_ruleset_parse_file(struct nftnl_ruleset *rs, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_ruleset_parse_file_cb(type, fp, err, rs, nftnl_ruleset_cb); + } +-EXPORT_SYMBOL(nftnl_ruleset_parse_file); + + static const char *nftnl_ruleset_o_opentag(uint32_t type) + { +@@ -928,7 +914,7 @@ static int nftnl_ruleset_cmd_snprintf(char *buf, size_t size, + } + } + +-int nftnl_ruleset_snprintf(char *buf, size_t size, const struct nftnl_ruleset *r, ++int __EXPORTED nftnl_ruleset_snprintf(char *buf, size_t size, const struct nftnl_ruleset *r, + uint32_t type, uint32_t flags) + { + switch (type) { +@@ -943,7 +929,6 @@ int nftnl_ruleset_snprintf(char *buf, size_t size, const struct nftnl_ruleset *r + return -1; + } + } +-EXPORT_SYMBOL(nftnl_ruleset_snprintf); + + static int nftnl_ruleset_fprintf_tables(FILE *fp, const struct nftnl_ruleset *rs, + uint32_t type, uint32_t flags) +@@ -1157,10 +1142,9 @@ static int nftnl_ruleset_cmd_fprintf(FILE *fp, const struct nftnl_ruleset *rs, + return len; + } + +-int nftnl_ruleset_fprintf(FILE *fp, const struct nftnl_ruleset *rs, uint32_t type, ++int __EXPORTED nftnl_ruleset_fprintf(FILE *fp, const struct nftnl_ruleset *rs, uint32_t type, + uint32_t flags) + { + return nftnl_ruleset_cmd_fprintf(fp, rs, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_ruleset_fprintf); +diff --git a/src/set.c b/src/set.c +index cce5e63..33a6794 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -27,7 +27,7 @@ + #include <libnftnl/set.h> + #include <libnftnl/expr.h> + +-struct nftnl_set *nftnl_set_alloc(void) ++struct nftnl_set __EXPORTED *nftnl_set_alloc(void) + { + struct nftnl_set *s; + +@@ -38,9 +38,8 @@ struct nftnl_set *nftnl_set_alloc(void) + INIT_LIST_HEAD(&s->element_list); + return s; + } +-EXPORT_SYMBOL(nftnl_set_alloc); + +-void nftnl_set_free(const struct nftnl_set *s) ++void __EXPORTED nftnl_set_free(const struct nftnl_set *s) + { + struct nftnl_set_elem *elem, *tmp; + +@@ -55,15 +54,13 @@ void nftnl_set_free(const struct nftnl_set *s) + } + xfree(s); + } +-EXPORT_SYMBOL(nftnl_set_free); + +-bool nftnl_set_is_set(const struct nftnl_set *s, uint16_t attr) ++bool __EXPORTED nftnl_set_is_set(const struct nftnl_set *s, uint16_t attr) + { + return s->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_set_is_set); + +-void nftnl_set_unset(struct nftnl_set *s, uint16_t attr) ++void __EXPORTED nftnl_set_unset(struct nftnl_set *s, uint16_t attr) + { + if (!(s->flags & (1 << attr))) + return; +@@ -97,7 +94,6 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr) + + s->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_set_unset); + + static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = { + [NFTNL_SET_FLAGS] = sizeof(uint32_t), +@@ -113,7 +109,7 @@ static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = { + [NFTNL_SET_GC_INTERVAL] = sizeof(uint32_t), + }; + +-int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, ++int __EXPORTED nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, + uint32_t data_len) + { + nftnl_assert_attr_exists(attr, NFTNL_SET_MAX); +@@ -186,33 +182,28 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, + s->flags |= (1 << attr); + return 0; + } +-EXPORT_SYMBOL(nftnl_set_set_data); + +-int nftnl_set_set(struct nftnl_set *s, uint16_t attr, const void *data) ++int __EXPORTED nftnl_set_set(struct nftnl_set *s, uint16_t attr, const void *data) + { + return nftnl_set_set_data(s, attr, data, nftnl_set_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_set_set); + +-void nftnl_set_set_u32(struct nftnl_set *s, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_set_set_u32(struct nftnl_set *s, uint16_t attr, uint32_t val) + { + nftnl_set_set(s, attr, &val); + } +-EXPORT_SYMBOL(nftnl_set_set_u32); + +-void nftnl_set_set_u64(struct nftnl_set *s, uint16_t attr, uint64_t val) ++void __EXPORTED nftnl_set_set_u64(struct nftnl_set *s, uint16_t attr, uint64_t val) + { + nftnl_set_set(s, attr, &val); + } +-EXPORT_SYMBOL(nftnl_set_set_u64); + +-int nftnl_set_set_str(struct nftnl_set *s, uint16_t attr, const char *str) ++int __EXPORTED nftnl_set_set_str(struct nftnl_set *s, uint16_t attr, const char *str) + { + return nftnl_set_set_data(s, attr, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_set_set_str); + +-const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr, ++const void __EXPORTED *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr, + uint32_t *data_len) + { + if (!(s->flags & (1 << attr))) +@@ -267,22 +258,19 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_set_get_data); + +-const void *nftnl_set_get(const struct nftnl_set *s, uint16_t attr) ++const void __EXPORTED *nftnl_set_get(const struct nftnl_set *s, uint16_t attr) + { + uint32_t data_len; + return nftnl_set_get_data(s, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_set_get); + +-const char *nftnl_set_get_str(const struct nftnl_set *s, uint16_t attr) ++const char __EXPORTED *nftnl_set_get_str(const struct nftnl_set *s, uint16_t attr) + { + return nftnl_set_get(s, attr); + } +-EXPORT_SYMBOL(nftnl_set_get_str); + +-uint32_t nftnl_set_get_u32(const struct nftnl_set *s, uint16_t attr) ++uint32_t __EXPORTED nftnl_set_get_u32(const struct nftnl_set *s, uint16_t attr) + { + uint32_t data_len; + const uint32_t *val = nftnl_set_get_data(s, attr, &data_len); +@@ -291,9 +279,8 @@ uint32_t nftnl_set_get_u32(const struct nftnl_set *s, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_set_get_u32); + +-uint64_t nftnl_set_get_u64(const struct nftnl_set *s, uint16_t attr) ++uint64_t __EXPORTED nftnl_set_get_u64(const struct nftnl_set *s, uint16_t attr) + { + uint32_t data_len; + const uint64_t *val = nftnl_set_get_data(s, attr, &data_len); +@@ -302,7 +289,6 @@ uint64_t nftnl_set_get_u64(const struct nftnl_set *s, uint16_t attr) + + return val ? *val : 0; + } +-EXPORT_SYMBOL(nftnl_set_get_u64); + + struct nftnl_set *nftnl_set_clone(const struct nftnl_set *set) + { +@@ -351,7 +337,7 @@ nftnl_set_nlmsg_build_desc_payload(struct nlmsghdr *nlh, struct nftnl_set *s) + mnl_attr_nest_end(nlh, nest); + } + +-void nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s) ++void __EXPORTED nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s) + { + if (s->flags & (1 << NFTNL_SET_TABLE)) + mnl_attr_put_strz(nlh, NFTA_SET_TABLE, s->table); +@@ -383,7 +369,6 @@ void nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s) + if (s->flags & (1 << NFTNL_SET_USERDATA)) + mnl_attr_put(nlh, NFTA_SET_USERDATA, s->user.len, s->user.data); + } +-EXPORT_SYMBOL(nftnl_set_nlmsg_build_payload); + + static int nftnl_set_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -463,7 +448,7 @@ static int nftnl_set_desc_parse(struct nftnl_set *s, + return 0; + } + +-int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) ++int __EXPORTED nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) + { + struct nlattr *tb[NFTA_SET_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -546,7 +531,6 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) + + return 0; + } +-EXPORT_SYMBOL(nftnl_set_nlmsg_parse); + + #ifdef JSON_PARSING + static int nftnl_jansson_parse_set_info(struct nftnl_set *s, json_t *tree, +@@ -718,19 +702,17 @@ static int nftnl_set_do_parse(struct nftnl_set *s, enum nftnl_parse_type type, + + return ret; + } +-int nftnl_set_parse(struct nftnl_set *s, enum nftnl_parse_type type, ++int __EXPORTED nftnl_set_parse(struct nftnl_set *s, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_set_do_parse(s, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_set_parse); + +-int nftnl_set_parse_file(struct nftnl_set *s, enum nftnl_parse_type type, ++int __EXPORTED nftnl_set_parse_file(struct nftnl_set *s, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_set_do_parse(s, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_set_parse_file); + + static int nftnl_set_snprintf_json(char *buf, size_t size, + const struct nftnl_set *s, +@@ -918,13 +900,12 @@ static int nftnl_set_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_set_snprintf(char *buf, size_t size, const struct nftnl_set *s, ++int __EXPORTED nftnl_set_snprintf(char *buf, size_t size, const struct nftnl_set *s, + uint32_t type, uint32_t flags) + { + return nftnl_set_cmd_snprintf(buf, size, s, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_set_snprintf); + + static int nftnl_set_do_snprintf(char *buf, size_t size, const void *s, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -932,25 +913,23 @@ static int nftnl_set_do_snprintf(char *buf, size_t size, const void *s, + return nftnl_set_snprintf(buf, size, s, type, flags); + } + +-int nftnl_set_fprintf(FILE *fp, const struct nftnl_set *s, uint32_t type, ++int __EXPORTED nftnl_set_fprintf(FILE *fp, const struct nftnl_set *s, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, s, NFTNL_CMD_UNSPEC, type, flags, + nftnl_set_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_set_fprintf); + +-void nftnl_set_elem_add(struct nftnl_set *s, struct nftnl_set_elem *elem) ++void __EXPORTED nftnl_set_elem_add(struct nftnl_set *s, struct nftnl_set_elem *elem) + { + list_add_tail(&elem->head, &s->element_list); + } +-EXPORT_SYMBOL(nftnl_set_elem_add); + + struct nftnl_set_list { + struct list_head list; + }; + +-struct nftnl_set_list *nftnl_set_list_alloc(void) ++struct nftnl_set_list __EXPORTED *nftnl_set_list_alloc(void) + { + struct nftnl_set_list *list; + +@@ -962,9 +941,8 @@ struct nftnl_set_list *nftnl_set_list_alloc(void) + + return list; + } +-EXPORT_SYMBOL(nftnl_set_list_alloc); + +-void nftnl_set_list_free(struct nftnl_set_list *list) ++void __EXPORTED nftnl_set_list_free(struct nftnl_set_list *list) + { + struct nftnl_set *s, *tmp; + +@@ -974,33 +952,28 @@ void nftnl_set_list_free(struct nftnl_set_list *list) + } + xfree(list); + } +-EXPORT_SYMBOL(nftnl_set_list_free); + +-int nftnl_set_list_is_empty(const struct nftnl_set_list *list) ++int __EXPORTED nftnl_set_list_is_empty(const struct nftnl_set_list *list) + { + return list_empty(&list->list); + } +-EXPORT_SYMBOL(nftnl_set_list_is_empty); + +-void nftnl_set_list_add(struct nftnl_set *s, struct nftnl_set_list *list) ++void __EXPORTED nftnl_set_list_add(struct nftnl_set *s, struct nftnl_set_list *list) + { + list_add(&s->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_set_list_add); + +-void nftnl_set_list_add_tail(struct nftnl_set *s, struct nftnl_set_list *list) ++void __EXPORTED nftnl_set_list_add_tail(struct nftnl_set *s, struct nftnl_set_list *list) + { + list_add_tail(&s->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_set_list_add_tail); + +-void nftnl_set_list_del(struct nftnl_set *s) ++void __EXPORTED nftnl_set_list_del(struct nftnl_set *s) + { + list_del(&s->head); + } +-EXPORT_SYMBOL(nftnl_set_list_del); + +-int nftnl_set_list_foreach(struct nftnl_set_list *set_list, ++int __EXPORTED nftnl_set_list_foreach(struct nftnl_set_list *set_list, + int (*cb)(struct nftnl_set *t, void *data), void *data) + { + struct nftnl_set *cur, *tmp; +@@ -1013,14 +986,13 @@ int nftnl_set_list_foreach(struct nftnl_set_list *set_list, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_set_list_foreach); + + struct nftnl_set_list_iter { + const struct nftnl_set_list *list; + struct nftnl_set *cur; + }; + +-struct nftnl_set_list_iter * ++struct nftnl_set_list_iter __EXPORTED * + nftnl_set_list_iter_create(const struct nftnl_set_list *l) + { + struct nftnl_set_list_iter *iter; +@@ -1037,16 +1009,14 @@ nftnl_set_list_iter_create(const struct nftnl_set_list *l) + + return iter; + } +-EXPORT_SYMBOL(nftnl_set_list_iter_create); + +-struct nftnl_set * ++struct nftnl_set __EXPORTED * + nftnl_set_list_iter_cur(const struct nftnl_set_list_iter *iter) + { + return iter->cur; + } +-EXPORT_SYMBOL(nftnl_set_list_iter_cur); + +-struct nftnl_set *nftnl_set_list_iter_next(struct nftnl_set_list_iter *iter) ++struct nftnl_set __EXPORTED *nftnl_set_list_iter_next(struct nftnl_set_list_iter *iter) + { + struct nftnl_set *s = iter->cur; + +@@ -1060,13 +1030,11 @@ struct nftnl_set *nftnl_set_list_iter_next(struct nftnl_set_list_iter *iter) + + return s; + } +-EXPORT_SYMBOL(nftnl_set_list_iter_next); + +-void nftnl_set_list_iter_destroy(const struct nftnl_set_list_iter *iter) ++void __EXPORTED nftnl_set_list_iter_destroy(const struct nftnl_set_list_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_set_list_iter_destroy); + + static struct nftnl_set *nftnl_set_lookup(const char *this_set_name, + struct nftnl_set_list *set_list) +diff --git a/src/set_elem.c b/src/set_elem.c +index 433b896..bd1e895 100644 +--- a/src/set_elem.c ++++ b/src/set_elem.c +@@ -27,7 +27,7 @@ + #include <libnftnl/rule.h> + #include <libnftnl/expr.h> + +-struct nftnl_set_elem *nftnl_set_elem_alloc(void) ++struct nftnl_set_elem __EXPORTED *nftnl_set_elem_alloc(void) + { + struct nftnl_set_elem *s; + +@@ -37,9 +37,8 @@ struct nftnl_set_elem *nftnl_set_elem_alloc(void) + + return s; + } +-EXPORT_SYMBOL(nftnl_set_elem_alloc); + +-void nftnl_set_elem_free(struct nftnl_set_elem *s) ++void __EXPORTED nftnl_set_elem_free(struct nftnl_set_elem *s) + { + if (s->flags & (1 << NFTNL_SET_ELEM_CHAIN)) + xfree(s->data.chain); +@@ -55,15 +54,13 @@ void nftnl_set_elem_free(struct nftnl_set_elem *s) + + xfree(s); + } +-EXPORT_SYMBOL(nftnl_set_elem_free); + +-bool nftnl_set_elem_is_set(const struct nftnl_set_elem *s, uint16_t attr) ++bool __EXPORTED nftnl_set_elem_is_set(const struct nftnl_set_elem *s, uint16_t attr) + { + return s->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_set_elem_is_set); + +-void nftnl_set_elem_unset(struct nftnl_set_elem *s, uint16_t attr) ++void __EXPORTED nftnl_set_elem_unset(struct nftnl_set_elem *s, uint16_t attr) + { + if (!(s->flags & (1 << attr))) + return; +@@ -94,9 +91,8 @@ void nftnl_set_elem_unset(struct nftnl_set_elem *s, uint16_t attr) + + s->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_set_elem_unset); + +-int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr, ++int __EXPORTED nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr, + const void *data, uint32_t data_len) + { + switch(attr) { +@@ -147,27 +143,23 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr, + s->flags |= (1 << attr); + return -1; + } +-EXPORT_SYMBOL(nftnl_set_elem_set); + +-void nftnl_set_elem_set_u32(struct nftnl_set_elem *s, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_set_elem_set_u32(struct nftnl_set_elem *s, uint16_t attr, uint32_t val) + { + nftnl_set_elem_set(s, attr, &val, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_set_elem_set_u32); + +-void nftnl_set_elem_set_u64(struct nftnl_set_elem *s, uint16_t attr, uint64_t val) ++void __EXPORTED nftnl_set_elem_set_u64(struct nftnl_set_elem *s, uint16_t attr, uint64_t val) + { + nftnl_set_elem_set(s, attr, &val, sizeof(uint64_t)); + } +-EXPORT_SYMBOL(nftnl_set_elem_set_u64); + +-int nftnl_set_elem_set_str(struct nftnl_set_elem *s, uint16_t attr, const char *str) ++int __EXPORTED nftnl_set_elem_set_str(struct nftnl_set_elem *s, uint16_t attr, const char *str) + { + return nftnl_set_elem_set(s, attr, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_set_elem_set_str); + +-const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t *data_len) ++const void __EXPORTED *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t *data_len) + { + if (!(s->flags & (1 << attr))) + return NULL; +@@ -205,31 +197,27 @@ const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_set_elem_get); + +-const char *nftnl_set_elem_get_str(struct nftnl_set_elem *s, uint16_t attr) ++const char __EXPORTED *nftnl_set_elem_get_str(struct nftnl_set_elem *s, uint16_t attr) + { + uint32_t size; + + return nftnl_set_elem_get(s, attr, &size); + } +-EXPORT_SYMBOL(nftnl_set_elem_get_str); + +-uint32_t nftnl_set_elem_get_u32(struct nftnl_set_elem *s, uint16_t attr) ++uint32_t __EXPORTED nftnl_set_elem_get_u32(struct nftnl_set_elem *s, uint16_t attr) + { + uint32_t size; + uint32_t val = *((uint32_t *)nftnl_set_elem_get(s, attr, &size)); + return val; + } +-EXPORT_SYMBOL(nftnl_set_elem_get_u32); + +-uint64_t nftnl_set_elem_get_u64(struct nftnl_set_elem *s, uint16_t attr) ++uint64_t __EXPORTED nftnl_set_elem_get_u64(struct nftnl_set_elem *s, uint16_t attr) + { + uint32_t size; + uint64_t val = *((uint64_t *)nftnl_set_elem_get(s, attr, &size)); + return val; + } +-EXPORT_SYMBOL(nftnl_set_elem_get_u64); + + struct nftnl_set_elem *nftnl_set_elem_clone(struct nftnl_set_elem *elem) + { +@@ -315,7 +303,7 @@ static struct nlattr *nftnl_set_elem_build(struct nlmsghdr *nlh, + return nest2; + } + +-void nftnl_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s) ++void __EXPORTED nftnl_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s) + { + struct nftnl_set_elem *elem; + struct nlattr *nest1; +@@ -332,7 +320,6 @@ void nftnl_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set + + mnl_attr_nest_end(nlh, nest1); + } +-EXPORT_SYMBOL(nftnl_set_elems_nlmsg_build_payload); + + static int nftnl_set_elem_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -503,7 +490,7 @@ static int nftnl_set_elems_parse(struct nftnl_set *s, const struct nlattr *nest) + return ret; + } + +-int nftnl_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) ++int __EXPORTED nftnl_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) + { + struct nlattr *tb[NFTA_SET_ELEM_LIST_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -546,7 +533,6 @@ int nftnl_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s) + + return 0; + } +-EXPORT_SYMBOL(nftnl_set_elems_nlmsg_parse); + + static int nftnl_set_elem_json_parse(struct nftnl_set_elem *e, const void *json, + struct nftnl_parse_err *err, +@@ -587,19 +573,17 @@ nftnl_set_elem_do_parse(struct nftnl_set_elem *e, enum nftnl_parse_type type, + + return ret; + } +-int nftnl_set_elem_parse(struct nftnl_set_elem *e, enum nftnl_parse_type type, ++int __EXPORTED nftnl_set_elem_parse(struct nftnl_set_elem *e, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_set_elem_do_parse(e, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_set_elem_parse); + +-int nftnl_set_elem_parse_file(struct nftnl_set_elem *e, enum nftnl_parse_type type, ++int __EXPORTED nftnl_set_elem_parse_file(struct nftnl_set_elem *e, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_set_elem_do_parse(e, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_set_elem_parse_file); + + static int nftnl_set_elem_snprintf_json(char *buf, size_t size, + const struct nftnl_set_elem *e, +@@ -719,14 +703,13 @@ static int nftnl_set_elem_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_set_elem_snprintf(char *buf, size_t size, ++int __EXPORTED nftnl_set_elem_snprintf(char *buf, size_t size, + const struct nftnl_set_elem *e, + uint32_t type, uint32_t flags) + { + return nftnl_set_elem_cmd_snprintf(buf, size, e, nftnl_flag2cmd(flags), + type, flags); + } +-EXPORT_SYMBOL(nftnl_set_elem_snprintf); + + static int nftnl_set_elem_do_snprintf(char *buf, size_t size, const void *e, + uint32_t cmd, uint32_t type, +@@ -735,15 +718,14 @@ static int nftnl_set_elem_do_snprintf(char *buf, size_t size, const void *e, + return nftnl_set_elem_snprintf(buf, size, e, type, flags); + } + +-int nftnl_set_elem_fprintf(FILE *fp, struct nftnl_set_elem *se, uint32_t type, ++int __EXPORTED nftnl_set_elem_fprintf(FILE *fp, struct nftnl_set_elem *se, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, se, NFTNL_CMD_UNSPEC, type, flags, + nftnl_set_elem_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_set_elem_fprintf); + +-int nftnl_set_elem_foreach(struct nftnl_set *s, ++int __EXPORTED nftnl_set_elem_foreach(struct nftnl_set *s, + int (*cb)(struct nftnl_set_elem *e, void *data), + void *data) + { +@@ -757,7 +739,6 @@ int nftnl_set_elem_foreach(struct nftnl_set *s, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_set_elem_foreach); + + struct nftnl_set_elems_iter { + const struct nftnl_set *set; +@@ -765,7 +746,7 @@ struct nftnl_set_elems_iter { + struct nftnl_set_elem *cur; + }; + +-struct nftnl_set_elems_iter * ++struct nftnl_set_elems_iter __EXPORTED * + nftnl_set_elems_iter_create(const struct nftnl_set *s) + { + struct nftnl_set_elems_iter *iter; +@@ -784,16 +765,14 @@ nftnl_set_elems_iter_create(const struct nftnl_set *s) + + return iter; + } +-EXPORT_SYMBOL(nftnl_set_elems_iter_create); + +-struct nftnl_set_elem * ++struct nftnl_set_elem __EXPORTED * + nftnl_set_elems_iter_cur(const struct nftnl_set_elems_iter *iter) + { + return iter->cur; + } +-EXPORT_SYMBOL(nftnl_set_elems_iter_cur); + +-struct nftnl_set_elem *nftnl_set_elems_iter_next(struct nftnl_set_elems_iter *iter) ++struct nftnl_set_elem __EXPORTED *nftnl_set_elems_iter_next(struct nftnl_set_elems_iter *iter) + { + struct nftnl_set_elem *s = iter->cur; + +@@ -806,13 +785,11 @@ struct nftnl_set_elem *nftnl_set_elems_iter_next(struct nftnl_set_elems_iter *it + + return s; + } +-EXPORT_SYMBOL(nftnl_set_elems_iter_next); + +-void nftnl_set_elems_iter_destroy(struct nftnl_set_elems_iter *iter) ++void __EXPORTED nftnl_set_elems_iter_destroy(struct nftnl_set_elems_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_set_elems_iter_destroy); + + static bool nftnl_attr_nest_overflow(struct nlmsghdr *nlh, + const struct nlattr *from, +@@ -831,7 +808,7 @@ static bool nftnl_attr_nest_overflow(struct nlmsghdr *nlh, + return false; + } + +-int nftnl_set_elems_nlmsg_build_payload_iter(struct nlmsghdr *nlh, ++int __EXPORTED nftnl_set_elems_nlmsg_build_payload_iter(struct nlmsghdr *nlh, + struct nftnl_set_elems_iter *iter) + { + struct nftnl_set_elem *elem; +@@ -861,4 +838,3 @@ int nftnl_set_elems_nlmsg_build_payload_iter(struct nlmsghdr *nlh, + + return ret; + } +-EXPORT_SYMBOL(nftnl_set_elems_nlmsg_build_payload_iter); +diff --git a/src/table.c b/src/table.c +index a7d5a8f..0e99f3c 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -36,28 +36,25 @@ struct nftnl_table { + uint32_t flags; + }; + +-struct nftnl_table *nftnl_table_alloc(void) ++struct nftnl_table __EXPORTED *nftnl_table_alloc(void) + { + return calloc(1, sizeof(struct nftnl_table)); + } +-EXPORT_SYMBOL(nftnl_table_alloc); + +-void nftnl_table_free(const struct nftnl_table *t) ++void __EXPORTED nftnl_table_free(const struct nftnl_table *t) + { + if (t->flags & (1 << NFTNL_TABLE_NAME)) + xfree(t->name); + + xfree(t); + } +-EXPORT_SYMBOL(nftnl_table_free); + +-bool nftnl_table_is_set(const struct nftnl_table *t, uint16_t attr) ++bool __EXPORTED nftnl_table_is_set(const struct nftnl_table *t, uint16_t attr) + { + return t->flags & (1 << attr); + } +-EXPORT_SYMBOL(nftnl_table_is_set); + +-void nftnl_table_unset(struct nftnl_table *t, uint16_t attr) ++void __EXPORTED nftnl_table_unset(struct nftnl_table *t, uint16_t attr) + { + if (!(t->flags & (1 << attr))) + return; +@@ -74,14 +71,13 @@ void nftnl_table_unset(struct nftnl_table *t, uint16_t attr) + } + t->flags &= ~(1 << attr); + } +-EXPORT_SYMBOL(nftnl_table_unset); + + static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = { + [NFTNL_TABLE_FLAGS] = sizeof(uint32_t), + [NFTNL_TABLE_FAMILY] = sizeof(uint32_t), + }; + +-int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr, ++int __EXPORTED nftnl_table_set_data(struct nftnl_table *t, uint16_t attr, + const void *data, uint32_t data_len) + { + nftnl_assert_attr_exists(attr, NFTNL_TABLE_MAX); +@@ -109,33 +105,28 @@ int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr, + t->flags |= (1 << attr); + return 0; + } +-EXPORT_SYMBOL(nftnl_table_set_data); + +-void nftnl_table_set(struct nftnl_table *t, uint16_t attr, const void *data) ++void __EXPORTED nftnl_table_set(struct nftnl_table *t, uint16_t attr, const void *data) + { + nftnl_table_set_data(t, attr, data, nftnl_table_validate[attr]); + } +-EXPORT_SYMBOL(nftnl_table_set); + +-void nftnl_table_set_u32(struct nftnl_table *t, uint16_t attr, uint32_t val) ++void __EXPORTED nftnl_table_set_u32(struct nftnl_table *t, uint16_t attr, uint32_t val) + { + nftnl_table_set_data(t, attr, &val, sizeof(uint32_t)); + } +-EXPORT_SYMBOL(nftnl_table_set_u32); + +-void nftnl_table_set_u8(struct nftnl_table *t, uint16_t attr, uint8_t val) ++void __EXPORTED nftnl_table_set_u8(struct nftnl_table *t, uint16_t attr, uint8_t val) + { + nftnl_table_set_data(t, attr, &val, sizeof(uint8_t)); + } +-EXPORT_SYMBOL(nftnl_table_set_u8); + +-int nftnl_table_set_str(struct nftnl_table *t, uint16_t attr, const char *str) ++int __EXPORTED nftnl_table_set_str(struct nftnl_table *t, uint16_t attr, const char *str) + { + return nftnl_table_set_data(t, attr, str, strlen(str) + 1); + } +-EXPORT_SYMBOL(nftnl_table_set_str); + +-const void *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr, ++const void __EXPORTED *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr, + uint32_t *data_len) + { + if (!(t->flags & (1 << attr))) +@@ -157,43 +148,37 @@ const void *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr, + } + return NULL; + } +-EXPORT_SYMBOL(nftnl_table_get_data); + +-const void *nftnl_table_get(const struct nftnl_table *t, uint16_t attr) ++const void __EXPORTED *nftnl_table_get(const struct nftnl_table *t, uint16_t attr) + { + uint32_t data_len; + return nftnl_table_get_data(t, attr, &data_len); + } +-EXPORT_SYMBOL(nftnl_table_get); + +-uint32_t nftnl_table_get_u32(const struct nftnl_table *t, uint16_t attr) ++uint32_t __EXPORTED nftnl_table_get_u32(const struct nftnl_table *t, uint16_t attr) + { + const void *ret = nftnl_table_get(t, attr); + return ret == NULL ? 0 : *((uint32_t *)ret); + } +-EXPORT_SYMBOL(nftnl_table_get_u32); + +-uint8_t nftnl_table_get_u8(const struct nftnl_table *t, uint16_t attr) ++uint8_t __EXPORTED nftnl_table_get_u8(const struct nftnl_table *t, uint16_t attr) + { + const void *ret = nftnl_table_get(t, attr); + return ret == NULL ? 0 : *((uint8_t *)ret); + } +-EXPORT_SYMBOL(nftnl_table_get_u8); + +-const char *nftnl_table_get_str(const struct nftnl_table *t, uint16_t attr) ++const char __EXPORTED *nftnl_table_get_str(const struct nftnl_table *t, uint16_t attr) + { + return nftnl_table_get(t, attr); + } +-EXPORT_SYMBOL(nftnl_table_get_str); + +-void nftnl_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_table *t) ++void __EXPORTED nftnl_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_table *t) + { + if (t->flags & (1 << NFTNL_TABLE_NAME)) + mnl_attr_put_strz(nlh, NFTA_TABLE_NAME, t->name); + if (t->flags & (1 << NFTNL_TABLE_FLAGS)) + mnl_attr_put_u32(nlh, NFTA_TABLE_FLAGS, htonl(t->table_flags)); + } +-EXPORT_SYMBOL(nftnl_table_nlmsg_build_payload); + + static int nftnl_table_parse_attr_cb(const struct nlattr *attr, void *data) + { +@@ -219,7 +204,7 @@ static int nftnl_table_parse_attr_cb(const struct nlattr *attr, void *data) + return MNL_CB_OK; + } + +-int nftnl_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_table *t) ++int __EXPORTED nftnl_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_table *t) + { + struct nlattr *tb[NFTA_TABLE_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); +@@ -249,7 +234,6 @@ int nftnl_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_table *t) + + return 0; + } +-EXPORT_SYMBOL(nftnl_table_nlmsg_parse); + + #ifdef JSON_PARSING + int nftnl_jansson_parse_table(struct nftnl_table *t, json_t *tree, +@@ -330,19 +314,17 @@ static int nftnl_table_do_parse(struct nftnl_table *t, enum nftnl_parse_type typ + return ret; + } + +-int nftnl_table_parse(struct nftnl_table *t, enum nftnl_parse_type type, ++int __EXPORTED nftnl_table_parse(struct nftnl_table *t, enum nftnl_parse_type type, + const char *data, struct nftnl_parse_err *err) + { + return nftnl_table_do_parse(t, type, data, err, NFTNL_PARSE_BUFFER); + } +-EXPORT_SYMBOL(nftnl_table_parse); + +-int nftnl_table_parse_file(struct nftnl_table *t, enum nftnl_parse_type type, ++int __EXPORTED nftnl_table_parse_file(struct nftnl_table *t, enum nftnl_parse_type type, + FILE *fp, struct nftnl_parse_err *err) + { + return nftnl_table_do_parse(t, type, fp, err, NFTNL_PARSE_FILE); + } +-EXPORT_SYMBOL(nftnl_table_parse_file); + + static int nftnl_table_export(char *buf, size_t size, + const struct nftnl_table *t, int type) +@@ -400,13 +382,12 @@ static int nftnl_table_cmd_snprintf(char *buf, size_t size, + return offset; + } + +-int nftnl_table_snprintf(char *buf, size_t size, const struct nftnl_table *t, ++int __EXPORTED nftnl_table_snprintf(char *buf, size_t size, const struct nftnl_table *t, + uint32_t type, uint32_t flags) + { + return nftnl_table_cmd_snprintf(buf, size, t, nftnl_flag2cmd(flags), type, + flags); + } +-EXPORT_SYMBOL(nftnl_table_snprintf); + + static int nftnl_table_do_snprintf(char *buf, size_t size, const void *t, + uint32_t cmd, uint32_t type, uint32_t flags) +@@ -414,19 +395,18 @@ static int nftnl_table_do_snprintf(char *buf, size_t size, const void *t, + return nftnl_table_snprintf(buf, size, t, type, flags); + } + +-int nftnl_table_fprintf(FILE *fp, const struct nftnl_table *t, uint32_t type, ++int __EXPORTED nftnl_table_fprintf(FILE *fp, const struct nftnl_table *t, uint32_t type, + uint32_t flags) + { + return nftnl_fprintf(fp, t, NFTNL_CMD_UNSPEC, type, flags, + nftnl_table_do_snprintf); + } +-EXPORT_SYMBOL(nftnl_table_fprintf); + + struct nftnl_table_list { + struct list_head list; + }; + +-struct nftnl_table_list *nftnl_table_list_alloc(void) ++struct nftnl_table_list __EXPORTED *nftnl_table_list_alloc(void) + { + struct nftnl_table_list *list; + +@@ -438,9 +418,8 @@ struct nftnl_table_list *nftnl_table_list_alloc(void) + + return list; + } +-EXPORT_SYMBOL(nftnl_table_list_alloc); + +-void nftnl_table_list_free(struct nftnl_table_list *list) ++void __EXPORTED nftnl_table_list_free(struct nftnl_table_list *list) + { + struct nftnl_table *r, *tmp; + +@@ -450,33 +429,28 @@ void nftnl_table_list_free(struct nftnl_table_list *list) + } + xfree(list); + } +-EXPORT_SYMBOL(nftnl_table_list_free); + +-int nftnl_table_list_is_empty(const struct nftnl_table_list *list) ++int __EXPORTED nftnl_table_list_is_empty(const struct nftnl_table_list *list) + { + return list_empty(&list->list); + } +-EXPORT_SYMBOL(nftnl_table_list_is_empty); + +-void nftnl_table_list_add(struct nftnl_table *r, struct nftnl_table_list *list) ++void __EXPORTED nftnl_table_list_add(struct nftnl_table *r, struct nftnl_table_list *list) + { + list_add(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_table_list_add); + +-void nftnl_table_list_add_tail(struct nftnl_table *r, struct nftnl_table_list *list) ++void __EXPORTED nftnl_table_list_add_tail(struct nftnl_table *r, struct nftnl_table_list *list) + { + list_add_tail(&r->head, &list->list); + } +-EXPORT_SYMBOL(nftnl_table_list_add_tail); + +-void nftnl_table_list_del(struct nftnl_table *t) ++void __EXPORTED nftnl_table_list_del(struct nftnl_table *t) + { + list_del(&t->head); + } +-EXPORT_SYMBOL(nftnl_table_list_del); + +-int nftnl_table_list_foreach(struct nftnl_table_list *table_list, ++int __EXPORTED nftnl_table_list_foreach(struct nftnl_table_list *table_list, + int (*cb)(struct nftnl_table *t, void *data), + void *data) + { +@@ -490,14 +464,13 @@ int nftnl_table_list_foreach(struct nftnl_table_list *table_list, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_table_list_foreach); + + struct nftnl_table_list_iter { + const struct nftnl_table_list *list; + struct nftnl_table *cur; + }; + +-struct nftnl_table_list_iter * ++struct nftnl_table_list_iter __EXPORTED * + nftnl_table_list_iter_create(const struct nftnl_table_list *l) + { + struct nftnl_table_list_iter *iter; +@@ -514,9 +487,8 @@ nftnl_table_list_iter_create(const struct nftnl_table_list *l) + + return iter; + } +-EXPORT_SYMBOL(nftnl_table_list_iter_create); + +-struct nftnl_table *nftnl_table_list_iter_next(struct nftnl_table_list_iter *iter) ++struct nftnl_table __EXPORTED *nftnl_table_list_iter_next(struct nftnl_table_list_iter *iter) + { + struct nftnl_table *r = iter->cur; + +@@ -530,10 +502,8 @@ struct nftnl_table *nftnl_table_list_iter_next(struct nftnl_table_list_iter *ite + + return r; + } +-EXPORT_SYMBOL(nftnl_table_list_iter_next); + +-void nftnl_table_list_iter_destroy(const struct nftnl_table_list_iter *iter) ++void __EXPORTED nftnl_table_list_iter_destroy(const struct nftnl_table_list_iter *iter) + { + xfree(iter); + } +-EXPORT_SYMBOL(nftnl_table_list_iter_destroy); +diff --git a/src/trace.c b/src/trace.c +index bd05d3c..4739ef9 100644 +--- a/src/trace.c ++++ b/src/trace.c +@@ -52,14 +52,12 @@ struct nftnl_trace { + uint32_t flags; + }; + +-EXPORT_SYMBOL(nftnl_trace_alloc); +-struct nftnl_trace *nftnl_trace_alloc(void) ++struct nftnl_trace __EXPORTED *nftnl_trace_alloc(void) + { + return calloc(1, sizeof(struct nftnl_trace)); + } + +-EXPORT_SYMBOL(nftnl_trace_free); +-void nftnl_trace_free(const struct nftnl_trace *t) ++void __EXPORTED nftnl_trace_free(const struct nftnl_trace *t) + { + xfree(t->chain); + xfree(t->table); +@@ -70,8 +68,7 @@ void nftnl_trace_free(const struct nftnl_trace *t) + xfree(t); + } + +-EXPORT_SYMBOL(nftnl_trace_is_set); +-bool nftnl_trace_is_set(const struct nftnl_trace *t, uint16_t attr) ++bool __EXPORTED nftnl_trace_is_set(const struct nftnl_trace *t, uint16_t attr) + { + return t->flags & (1 << attr); + } +@@ -130,8 +127,7 @@ static int nftnl_trace_parse_attr_cb(const struct nlattr *attr, void *data) + return MNL_CB_OK; + } + +-EXPORT_SYMBOL(nftnl_trace_get_data); +-const void *nftnl_trace_get_data(const struct nftnl_trace *trace, ++const void __EXPORTED *nftnl_trace_get_data(const struct nftnl_trace *trace, + uint16_t type, uint32_t *data_len) + { + enum nftnl_trace_attr attr = type; +@@ -201,8 +197,7 @@ const void *nftnl_trace_get_data(const struct nftnl_trace *trace, + return NULL; + } + +-EXPORT_SYMBOL(nftnl_trace_get_str); +-const char *nftnl_trace_get_str(const struct nftnl_trace *trace, uint16_t type) ++const char __EXPORTED *nftnl_trace_get_str(const struct nftnl_trace *trace, uint16_t type) + { + if (!nftnl_trace_is_set(trace, type)) + return NULL; +@@ -216,8 +211,7 @@ const char *nftnl_trace_get_str(const struct nftnl_trace *trace, uint16_t type) + return NULL; + } + +-EXPORT_SYMBOL(nftnl_trace_get_u16); +-uint16_t nftnl_trace_get_u16(const struct nftnl_trace *trace, uint16_t type) ++uint16_t __EXPORTED nftnl_trace_get_u16(const struct nftnl_trace *trace, uint16_t type) + { + const uint16_t *d; + uint32_t dlen; +@@ -229,8 +223,7 @@ uint16_t nftnl_trace_get_u16(const struct nftnl_trace *trace, uint16_t type) + return 0; + } + +-EXPORT_SYMBOL(nftnl_trace_get_u32); +-uint32_t nftnl_trace_get_u32(const struct nftnl_trace *trace, uint16_t type) ++uint32_t __EXPORTED nftnl_trace_get_u32(const struct nftnl_trace *trace, uint16_t type) + { + const uint32_t *d; + uint32_t dlen; +@@ -242,8 +235,7 @@ uint32_t nftnl_trace_get_u32(const struct nftnl_trace *trace, uint16_t type) + return 0; + } + +-EXPORT_SYMBOL(nftnl_trace_get_u64); +-uint64_t nftnl_trace_get_u64(const struct nftnl_trace *trace, uint16_t type) ++uint64_t __EXPORTED nftnl_trace_get_u64(const struct nftnl_trace *trace, uint16_t type) + { + const uint64_t *d; + uint32_t dlen; +@@ -323,9 +315,8 @@ static int nftnl_trace_parse_verdict(const struct nlattr *attr, + } + return 0; + } +-EXPORT_SYMBOL(nftnl_trace_nlmsg_parse); + +-int nftnl_trace_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_trace *t) ++int __EXPORTED nftnl_trace_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_trace *t) + { + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); + struct nlattr *tb[NFTA_TRACE_MAX+1] = {}; +diff --git a/src/udata.c b/src/udata.c +index d679dd0..7e2de0f 100644 +--- a/src/udata.c ++++ b/src/udata.c +@@ -16,7 +16,7 @@ + #include <stdint.h> + #include <string.h> + +-struct nftnl_udata_buf *nftnl_udata_buf_alloc(uint32_t data_size) ++struct nftnl_udata_buf __EXPORTED *nftnl_udata_buf_alloc(uint32_t data_size) + { + struct nftnl_udata_buf *buf; + +@@ -28,47 +28,40 @@ struct nftnl_udata_buf *nftnl_udata_buf_alloc(uint32_t data_size) + + return buf; + } +-EXPORT_SYMBOL(nftnl_udata_buf_alloc); + +-void nftnl_udata_buf_free(const struct nftnl_udata_buf *buf) ++void __EXPORTED nftnl_udata_buf_free(const struct nftnl_udata_buf *buf) + { + xfree(buf); + } +-EXPORT_SYMBOL(nftnl_udata_buf_free); + +-uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf) ++uint32_t __EXPORTED nftnl_udata_buf_len(const struct nftnl_udata_buf *buf) + { + return (uint32_t)(buf->end - buf->data); + } +-EXPORT_SYMBOL(nftnl_udata_buf_len); + +-void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf) ++void __EXPORTED *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf) + { + return (void *)buf->data; + } +-EXPORT_SYMBOL(nftnl_udata_buf_data); + +-void nftnl_udata_buf_put(struct nftnl_udata_buf *buf, const void *data, ++void __EXPORTED nftnl_udata_buf_put(struct nftnl_udata_buf *buf, const void *data, + uint32_t len) + { + memcpy(buf->data, data, len <= buf->size ? len : buf->size); + buf->end = buf->data + len; + } +-EXPORT_SYMBOL(nftnl_udata_buf_put); + +-struct nftnl_udata *nftnl_udata_start(const struct nftnl_udata_buf *buf) ++struct nftnl_udata __EXPORTED *nftnl_udata_start(const struct nftnl_udata_buf *buf) + { + return (struct nftnl_udata *)buf->data; + } +-EXPORT_SYMBOL(nftnl_udata_start); + +-struct nftnl_udata *nftnl_udata_end(const struct nftnl_udata_buf *buf) ++struct nftnl_udata __EXPORTED *nftnl_udata_end(const struct nftnl_udata_buf *buf) + { + return (struct nftnl_udata *)buf->end; + } +-EXPORT_SYMBOL(nftnl_udata_end); + +-bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len, ++bool __EXPORTED nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len, + const void *value) + { + struct nftnl_udata *attr; +@@ -85,55 +78,47 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len, + + return true; + } +-EXPORT_SYMBOL(nftnl_udata_put); + +-bool nftnl_udata_put_strz(struct nftnl_udata_buf *buf, uint8_t type, ++bool __EXPORTED nftnl_udata_put_strz(struct nftnl_udata_buf *buf, uint8_t type, + const char *strz) + { + return nftnl_udata_put(buf, type, strlen(strz) + 1, strz); + } +-EXPORT_SYMBOL(nftnl_udata_put_strz); + +-bool nftnl_udata_put_u32(struct nftnl_udata_buf *buf, uint8_t type, ++bool __EXPORTED nftnl_udata_put_u32(struct nftnl_udata_buf *buf, uint8_t type, + uint32_t data) + { + return nftnl_udata_put(buf, type, sizeof(data), &data); + } +-EXPORT_SYMBOL(nftnl_udata_put_u32); + +-uint8_t nftnl_udata_type(const struct nftnl_udata *attr) ++uint8_t __EXPORTED nftnl_udata_type(const struct nftnl_udata *attr) + { + return attr->type; + } +-EXPORT_SYMBOL(nftnl_udata_type); + +-uint8_t nftnl_udata_len(const struct nftnl_udata *attr) ++uint8_t __EXPORTED nftnl_udata_len(const struct nftnl_udata *attr) + { + return attr->len; + } +-EXPORT_SYMBOL(nftnl_udata_len); + +-void *nftnl_udata_get(const struct nftnl_udata *attr) ++void __EXPORTED *nftnl_udata_get(const struct nftnl_udata *attr) + { + return (void *)attr->value; + } +-EXPORT_SYMBOL(nftnl_udata_get); + +-uint32_t nftnl_udata_get_u32(const struct nftnl_udata *attr) ++uint32_t __EXPORTED nftnl_udata_get_u32(const struct nftnl_udata *attr) + { + uint32_t *data = (uint32_t *)attr->value; + + return *data; + } +-EXPORT_SYMBOL(nftnl_udata_get_u32); + +-struct nftnl_udata *nftnl_udata_next(const struct nftnl_udata *attr) ++struct nftnl_udata __EXPORTED *nftnl_udata_next(const struct nftnl_udata *attr) + { + return (struct nftnl_udata *)&attr->value[attr->len]; + } +-EXPORT_SYMBOL(nftnl_udata_next); + +-int nftnl_udata_parse(const void *data, uint32_t data_len, nftnl_udata_cb_t cb, ++int __EXPORTED nftnl_udata_parse(const void *data, uint32_t data_len, nftnl_udata_cb_t cb, + void *cb_data) + { + int ret = 0; +@@ -147,4 +132,3 @@ int nftnl_udata_parse(const void *data, uint32_t data_len, nftnl_udata_cb_t cb, + + return ret; + } +-EXPORT_SYMBOL(nftnl_udata_parse); +-- +2.11.0 (Apple Git-81) + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-avoid-naming-local-function-as-one-of-printf-family.patch b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-avoid-naming-local-function-as-one-of-printf-family.patch new file mode 100644 index 000000000..06e68177c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl/0001-avoid-naming-local-function-as-one-of-printf-family.patch @@ -0,0 +1,514 @@ +From f840cc0da571d98beb17855c177e9986bd096b72 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 13 Apr 2017 11:46:09 -0700 +Subject: [PATCH] avoid naming local function as one of printf family + +Fixes build issues with clang +error: no member named '__builtin___snprintf_chk' in 'struct expr_ops' + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/expr_ops.h | 2 +- + include/obj.h | 2 +- + src/buffer.c | 2 +- + src/expr.c | 4 ++-- + src/expr/bitwise.c | 2 +- + src/expr/byteorder.c | 2 +- + src/expr/cmp.c | 2 +- + src/expr/counter.c | 2 +- + src/expr/ct.c | 2 +- + src/expr/dup.c | 2 +- + src/expr/dynset.c | 2 +- + src/expr/exthdr.c | 2 +- + src/expr/fib.c | 2 +- + src/expr/fwd.c | 2 +- + src/expr/hash.c | 2 +- + src/expr/immediate.c | 2 +- + src/expr/limit.c | 2 +- + src/expr/log.c | 2 +- + src/expr/lookup.c | 2 +- + src/expr/masq.c | 2 +- + src/expr/match.c | 2 +- + src/expr/meta.c | 2 +- + src/expr/nat.c | 2 +- + src/expr/numgen.c | 2 +- + src/expr/objref.c | 2 +- + src/expr/payload.c | 2 +- + src/expr/queue.c | 2 +- + src/expr/quota.c | 2 +- + src/expr/range.c | 2 +- + src/expr/redir.c | 2 +- + src/expr/reject.c | 2 +- + src/expr/rt.c | 2 +- + src/expr/target.c | 2 +- + src/obj/counter.c | 2 +- + src/obj/ct_helper.c | 2 +- + src/obj/quota.c | 2 +- + src/object.c | 4 ++-- + 37 files changed, 39 insertions(+), 39 deletions(-) + +diff --git a/include/expr_ops.h b/include/expr_ops.h +index e639390..c4fe050 100644 +--- a/include/expr_ops.h ++++ b/include/expr_ops.h +@@ -18,7 +18,7 @@ struct expr_ops { + const void *(*get)(const struct nftnl_expr *e, uint16_t type, uint32_t *data_len); + int (*parse)(struct nftnl_expr *e, struct nlattr *attr); + void (*build)(struct nlmsghdr *nlh, const struct nftnl_expr *e); +- int (*snprintf)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_expr *e); ++ int (*snprintf_)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_expr *e); + int (*json_parse)(struct nftnl_expr *e, json_t *data, + struct nftnl_parse_err *err); + }; +diff --git a/include/obj.h b/include/obj.h +index d90919f..772caff 100644 +--- a/include/obj.h ++++ b/include/obj.h +@@ -47,7 +47,7 @@ struct obj_ops { + const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len); + int (*parse)(struct nftnl_obj *e, struct nlattr *attr); + void (*build)(struct nlmsghdr *nlh, const struct nftnl_obj *e); +- int (*snprintf)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_obj *e); ++ int (*snprintf_)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_obj *e); + int (*json_parse)(struct nftnl_obj *e, json_t *data, + struct nftnl_parse_err *err); + }; +diff --git a/src/buffer.c b/src/buffer.c +index f9d5a83..db656e2 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -206,7 +206,7 @@ int nftnl_buf_expr(struct nftnl_buf *b, int type, uint32_t flags, + case NFTNL_OUTPUT_JSON: + nftnl_buf_put(b, "{"); + nftnl_buf_str(b, type, expr->ops->name, TYPE); +- ret = expr->ops->snprintf(b->buf + b->off, b->len, type, flags, ++ ret = expr->ops->snprintf_(b->buf + b->off, b->len, type, flags, + expr); + if (ret > 0) + nftnl_buf_update(b, ret); +diff --git a/src/expr.c b/src/expr.c +index c7eb2b4..24f8f8c 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -265,10 +265,10 @@ int __EXPORTED nftnl_expr_snprintf(char *buf, size_t size, const struct nftnl_ex + int ret; + unsigned int offset = 0, len = size; + +- if (!expr->ops->snprintf) ++ if (!expr->ops->snprintf_) + return 0; + +- ret = expr->ops->snprintf(buf+offset, len, type, flags, expr); ++ ret = expr->ops->snprintf_(buf+offset, len, type, flags, expr); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + return offset; +diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c +index 0febc9d..9b48e79 100644 +--- a/src/expr/bitwise.c ++++ b/src/expr/bitwise.c +@@ -299,6 +299,6 @@ struct expr_ops expr_ops_bitwise = { + .get = nftnl_expr_bitwise_get, + .parse = nftnl_expr_bitwise_parse, + .build = nftnl_expr_bitwise_build, +- .snprintf = nftnl_expr_bitwise_snprintf, ++ .snprintf_ = nftnl_expr_bitwise_snprintf, + .json_parse = nftnl_expr_bitwise_json_parse, + }; +diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c +index 3805307..079582f 100644 +--- a/src/expr/byteorder.c ++++ b/src/expr/byteorder.c +@@ -314,6 +314,6 @@ struct expr_ops expr_ops_byteorder = { + .get = nftnl_expr_byteorder_get, + .parse = nftnl_expr_byteorder_parse, + .build = nftnl_expr_byteorder_build, +- .snprintf = nftnl_expr_byteorder_snprintf, ++ .snprintf_ = nftnl_expr_byteorder_snprintf, + .json_parse = nftnl_expr_byteorder_json_parse, + }; +diff --git a/src/expr/cmp.c b/src/expr/cmp.c +index 353e907..99b497c 100644 +--- a/src/expr/cmp.c ++++ b/src/expr/cmp.c +@@ -284,6 +284,6 @@ struct expr_ops expr_ops_cmp = { + .get = nftnl_expr_cmp_get, + .parse = nftnl_expr_cmp_parse, + .build = nftnl_expr_cmp_build, +- .snprintf = nftnl_expr_cmp_snprintf, ++ .snprintf_ = nftnl_expr_cmp_snprintf, + .json_parse = nftnl_expr_cmp_json_parse, + }; +diff --git a/src/expr/counter.c b/src/expr/counter.c +index 21901e8..9fd7655 100644 +--- a/src/expr/counter.c ++++ b/src/expr/counter.c +@@ -200,6 +200,6 @@ struct expr_ops expr_ops_counter = { + .get = nftnl_expr_counter_get, + .parse = nftnl_expr_counter_parse, + .build = nftnl_expr_counter_build, +- .snprintf = nftnl_expr_counter_snprintf, ++ .snprintf_ = nftnl_expr_counter_snprintf, + .json_parse = nftnl_expr_counter_json_parse, + }; +diff --git a/src/expr/ct.c b/src/expr/ct.c +index cdd08e9..6ce5478 100644 +--- a/src/expr/ct.c ++++ b/src/expr/ct.c +@@ -356,6 +356,6 @@ struct expr_ops expr_ops_ct = { + .get = nftnl_expr_ct_get, + .parse = nftnl_expr_ct_parse, + .build = nftnl_expr_ct_build, +- .snprintf = nftnl_expr_ct_snprintf, ++ .snprintf_ = nftnl_expr_ct_snprintf, + .json_parse = nftnl_expr_ct_json_parse, + }; +diff --git a/src/expr/dup.c b/src/expr/dup.c +index 9aa332b..2f491d8 100644 +--- a/src/expr/dup.c ++++ b/src/expr/dup.c +@@ -206,6 +206,6 @@ struct expr_ops expr_ops_dup = { + .get = nftnl_expr_dup_get, + .parse = nftnl_expr_dup_parse, + .build = nftnl_expr_dup_build, +- .snprintf = nftnl_expr_dup_snprintf, ++ .snprintf_ = nftnl_expr_dup_snprintf, + .json_parse = nftnl_expr_dup_json_parse, + }; +diff --git a/src/expr/dynset.c b/src/expr/dynset.c +index f7b99ea..758f07c 100644 +--- a/src/expr/dynset.c ++++ b/src/expr/dynset.c +@@ -368,6 +368,6 @@ struct expr_ops expr_ops_dynset = { + .get = nftnl_expr_dynset_get, + .parse = nftnl_expr_dynset_parse, + .build = nftnl_expr_dynset_build, +- .snprintf = nftnl_expr_dynset_snprintf, ++ .snprintf_ = nftnl_expr_dynset_snprintf, + .json_parse = nftnl_expr_dynset_json_parse, + }; +diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c +index d4f1665..a834782 100644 +--- a/src/expr/exthdr.c ++++ b/src/expr/exthdr.c +@@ -356,6 +356,6 @@ struct expr_ops expr_ops_exthdr = { + .get = nftnl_expr_exthdr_get, + .parse = nftnl_expr_exthdr_parse, + .build = nftnl_expr_exthdr_build, +- .snprintf = nftnl_expr_exthdr_snprintf, ++ .snprintf_ = nftnl_expr_exthdr_snprintf, + .json_parse = nftnl_expr_exthdr_json_parse, + }; +diff --git a/src/expr/fib.c b/src/expr/fib.c +index f3be081..3c353b2 100644 +--- a/src/expr/fib.c ++++ b/src/expr/fib.c +@@ -272,6 +272,6 @@ struct expr_ops expr_ops_fib = { + .get = nftnl_expr_fib_get, + .parse = nftnl_expr_fib_parse, + .build = nftnl_expr_fib_build, +- .snprintf = nftnl_expr_fib_snprintf, ++ .snprintf_ = nftnl_expr_fib_snprintf, + .json_parse = nftnl_expr_fib_json_parse, + }; +diff --git a/src/expr/fwd.c b/src/expr/fwd.c +index c30d494..f6e41f1 100644 +--- a/src/expr/fwd.c ++++ b/src/expr/fwd.c +@@ -180,6 +180,6 @@ struct expr_ops expr_ops_fwd = { + .get = nftnl_expr_fwd_get, + .parse = nftnl_expr_fwd_parse, + .build = nftnl_expr_fwd_build, +- .snprintf = nftnl_expr_fwd_snprintf, ++ .snprintf_ = nftnl_expr_fwd_snprintf, + .json_parse = nftnl_expr_fwd_json_parse, + }; +diff --git a/src/expr/hash.c b/src/expr/hash.c +index d870510..5acb66a 100644 +--- a/src/expr/hash.c ++++ b/src/expr/hash.c +@@ -332,6 +332,6 @@ struct expr_ops expr_ops_hash = { + .get = nftnl_expr_hash_get, + .parse = nftnl_expr_hash_parse, + .build = nftnl_expr_hash_build, +- .snprintf = nftnl_expr_hash_snprintf, ++ .snprintf_ = nftnl_expr_hash_snprintf, + .json_parse = nftnl_expr_hash_json_parse, + }; +diff --git a/src/expr/immediate.c b/src/expr/immediate.c +index 0b188cc..94bd6da 100644 +--- a/src/expr/immediate.c ++++ b/src/expr/immediate.c +@@ -316,6 +316,6 @@ struct expr_ops expr_ops_immediate = { + .get = nftnl_expr_immediate_get, + .parse = nftnl_expr_immediate_parse, + .build = nftnl_expr_immediate_build, +- .snprintf = nftnl_expr_immediate_snprintf, ++ .snprintf_ = nftnl_expr_immediate_snprintf, + .json_parse = nftnl_expr_immediate_json_parse, + }; +diff --git a/src/expr/limit.c b/src/expr/limit.c +index 856ab18..e71fc2f 100644 +--- a/src/expr/limit.c ++++ b/src/expr/limit.c +@@ -285,6 +285,6 @@ struct expr_ops expr_ops_limit = { + .get = nftnl_expr_limit_get, + .parse = nftnl_expr_limit_parse, + .build = nftnl_expr_limit_build, +- .snprintf = nftnl_expr_limit_snprintf, ++ .snprintf_ = nftnl_expr_limit_snprintf, + .json_parse = nftnl_expr_limit_json_parse, + }; +diff --git a/src/expr/log.c b/src/expr/log.c +index b642255..71dd83a 100644 +--- a/src/expr/log.c ++++ b/src/expr/log.c +@@ -352,6 +352,6 @@ struct expr_ops expr_ops_log = { + .get = nftnl_expr_log_get, + .parse = nftnl_expr_log_parse, + .build = nftnl_expr_log_build, +- .snprintf = nftnl_expr_log_snprintf, ++ .snprintf_ = nftnl_expr_log_snprintf, + .json_parse = nftnl_expr_log_json_parse, + }; +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index 861815f..6049913 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -293,6 +293,6 @@ struct expr_ops expr_ops_lookup = { + .get = nftnl_expr_lookup_get, + .parse = nftnl_expr_lookup_parse, + .build = nftnl_expr_lookup_build, +- .snprintf = nftnl_expr_lookup_snprintf, ++ .snprintf_ = nftnl_expr_lookup_snprintf, + .json_parse = nftnl_expr_lookup_json_parse, + }; +diff --git a/src/expr/masq.c b/src/expr/masq.c +index 7c235d3..adec325 100644 +--- a/src/expr/masq.c ++++ b/src/expr/masq.c +@@ -228,6 +228,6 @@ struct expr_ops expr_ops_masq = { + .get = nftnl_expr_masq_get, + .parse = nftnl_expr_masq_parse, + .build = nftnl_expr_masq_build, +- .snprintf = nftnl_expr_masq_snprintf, ++ .snprintf_ = nftnl_expr_masq_snprintf, + .json_parse = nftnl_expr_masq_json_parse, + }; +diff --git a/src/expr/match.c b/src/expr/match.c +index dd09e1e..f0d8868 100644 +--- a/src/expr/match.c ++++ b/src/expr/match.c +@@ -249,6 +249,6 @@ struct expr_ops expr_ops_match = { + .get = nftnl_expr_match_get, + .parse = nftnl_expr_match_parse, + .build = nftnl_expr_match_build, +- .snprintf = nftnl_expr_match_snprintf, ++ .snprintf_ = nftnl_expr_match_snprintf, + .json_parse = nftnl_expr_match_json_parse, + }; +diff --git a/src/expr/meta.c b/src/expr/meta.c +index 2c75841..907a677 100644 +--- a/src/expr/meta.c ++++ b/src/expr/meta.c +@@ -290,6 +290,6 @@ struct expr_ops expr_ops_meta = { + .get = nftnl_expr_meta_get, + .parse = nftnl_expr_meta_parse, + .build = nftnl_expr_meta_build, +- .snprintf = nftnl_expr_meta_snprintf, ++ .snprintf_ = nftnl_expr_meta_snprintf, + .json_parse = nftnl_expr_meta_json_parse, + }; +diff --git a/src/expr/nat.c b/src/expr/nat.c +index 29bc3a2..d476283 100644 +--- a/src/expr/nat.c ++++ b/src/expr/nat.c +@@ -383,6 +383,6 @@ struct expr_ops expr_ops_nat = { + .get = nftnl_expr_nat_get, + .parse = nftnl_expr_nat_parse, + .build = nftnl_expr_nat_build, +- .snprintf = nftnl_expr_nat_snprintf, ++ .snprintf_ = nftnl_expr_nat_snprintf, + .json_parse = nftnl_expr_nat_json_parse, + }; +diff --git a/src/expr/numgen.c b/src/expr/numgen.c +index a15f03a..28ef741 100644 +--- a/src/expr/numgen.c ++++ b/src/expr/numgen.c +@@ -264,6 +264,6 @@ struct expr_ops expr_ops_ng = { + .get = nftnl_expr_ng_get, + .parse = nftnl_expr_ng_parse, + .build = nftnl_expr_ng_build, +- .snprintf = nftnl_expr_ng_snprintf, ++ .snprintf_ = nftnl_expr_ng_snprintf, + .json_parse = nftnl_expr_ng_json_parse, + }; +diff --git a/src/expr/objref.c b/src/expr/objref.c +index 4cfa3cb..c394290 100644 +--- a/src/expr/objref.c ++++ b/src/expr/objref.c +@@ -278,6 +278,6 @@ struct expr_ops expr_ops_objref = { + .get = nftnl_expr_objref_get, + .parse = nftnl_expr_objref_parse, + .build = nftnl_expr_objref_build, +- .snprintf = nftnl_expr_objref_snprintf, ++ .snprintf_ = nftnl_expr_objref_snprintf, + .json_parse = nftnl_expr_objref_json_parse, + }; +diff --git a/src/expr/payload.c b/src/expr/payload.c +index 91e1587..894ac08 100644 +--- a/src/expr/payload.c ++++ b/src/expr/payload.c +@@ -348,6 +348,6 @@ struct expr_ops expr_ops_payload = { + .get = nftnl_expr_payload_get, + .parse = nftnl_expr_payload_parse, + .build = nftnl_expr_payload_build, +- .snprintf = nftnl_expr_payload_snprintf, ++ .snprintf_ = nftnl_expr_payload_snprintf, + .json_parse = nftnl_expr_payload_json_parse, + }; +diff --git a/src/expr/queue.c b/src/expr/queue.c +index 8a9deda..389af83 100644 +--- a/src/expr/queue.c ++++ b/src/expr/queue.c +@@ -276,6 +276,6 @@ struct expr_ops expr_ops_queue = { + .get = nftnl_expr_queue_get, + .parse = nftnl_expr_queue_parse, + .build = nftnl_expr_queue_build, +- .snprintf = nftnl_expr_queue_snprintf, ++ .snprintf_ = nftnl_expr_queue_snprintf, + .json_parse = nftnl_expr_queue_json_parse, + }; +diff --git a/src/expr/quota.c b/src/expr/quota.c +index 667e6e1..ff5d182 100644 +--- a/src/expr/quota.c ++++ b/src/expr/quota.c +@@ -203,6 +203,6 @@ struct expr_ops expr_ops_quota = { + .get = nftnl_expr_quota_get, + .parse = nftnl_expr_quota_parse, + .build = nftnl_expr_quota_build, +- .snprintf = nftnl_expr_quota_snprintf, ++ .snprintf_ = nftnl_expr_quota_snprintf, + .json_parse = nftnl_expr_quota_json_parse, + }; +diff --git a/src/expr/range.c b/src/expr/range.c +index 8c8ce12..34d422b 100644 +--- a/src/expr/range.c ++++ b/src/expr/range.c +@@ -283,6 +283,6 @@ struct expr_ops expr_ops_range = { + .get = nftnl_expr_range_get, + .parse = nftnl_expr_range_parse, + .build = nftnl_expr_range_build, +- .snprintf = nftnl_expr_range_snprintf, ++ .snprintf_ = nftnl_expr_range_snprintf, + .json_parse = nftnl_expr_range_json_parse, + }; +diff --git a/src/expr/redir.c b/src/expr/redir.c +index 43538d5..8a21f93 100644 +--- a/src/expr/redir.c ++++ b/src/expr/redir.c +@@ -242,6 +242,6 @@ struct expr_ops expr_ops_redir = { + .get = nftnl_expr_redir_get, + .parse = nftnl_expr_redir_parse, + .build = nftnl_expr_redir_build, +- .snprintf = nftnl_expr_redir_snprintf, ++ .snprintf_ = nftnl_expr_redir_snprintf, + .json_parse = nftnl_expr_redir_json_parse, + }; +diff --git a/src/expr/reject.c b/src/expr/reject.c +index 11d8b20..b10e729 100644 +--- a/src/expr/reject.c ++++ b/src/expr/reject.c +@@ -200,6 +200,6 @@ struct expr_ops expr_ops_reject = { + .get = nftnl_expr_reject_get, + .parse = nftnl_expr_reject_parse, + .build = nftnl_expr_reject_build, +- .snprintf = nftnl_expr_reject_snprintf, ++ .snprintf_ = nftnl_expr_reject_snprintf, + .json_parse = nftnl_expr_reject_json_parse, + }; +diff --git a/src/expr/rt.c b/src/expr/rt.c +index 5088e66..9f44b29 100644 +--- a/src/expr/rt.c ++++ b/src/expr/rt.c +@@ -238,6 +238,6 @@ struct expr_ops expr_ops_rt = { + .get = nftnl_expr_rt_get, + .parse = nftnl_expr_rt_parse, + .build = nftnl_expr_rt_build, +- .snprintf = nftnl_expr_rt_snprintf, ++ .snprintf_ = nftnl_expr_rt_snprintf, + .json_parse = nftnl_expr_rt_json_parse, + }; +diff --git a/src/expr/target.c b/src/expr/target.c +index ed4bf7d..2ef4078 100644 +--- a/src/expr/target.c ++++ b/src/expr/target.c +@@ -249,6 +249,6 @@ struct expr_ops expr_ops_target = { + .get = nftnl_expr_target_get, + .parse = nftnl_expr_target_parse, + .build = nftnl_expr_target_build, +- .snprintf = nftnl_expr_target_snprintf, ++ .snprintf_ = nftnl_expr_target_snprintf, + .json_parse = nftnl_expr_target_json_parse, + }; +diff --git a/src/obj/counter.c b/src/obj/counter.c +index beadc93..8c4cc25 100644 +--- a/src/obj/counter.c ++++ b/src/obj/counter.c +@@ -179,6 +179,6 @@ struct obj_ops obj_ops_counter = { + .get = nftnl_obj_counter_get, + .parse = nftnl_obj_counter_parse, + .build = nftnl_obj_counter_build, +- .snprintf = nftnl_obj_counter_snprintf, ++ .snprintf_ = nftnl_obj_counter_snprintf, + .json_parse = nftnl_obj_counter_json_parse, + }; +diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c +index d6d3111..4c7c88b 100644 +--- a/src/obj/ct_helper.c ++++ b/src/obj/ct_helper.c +@@ -205,6 +205,6 @@ struct obj_ops obj_ops_ct_helper = { + .get = nftnl_obj_ct_helper_get, + .parse = nftnl_obj_ct_helper_parse, + .build = nftnl_obj_ct_helper_build, +- .snprintf = nftnl_obj_ct_helper_snprintf, ++ .snprintf_ = nftnl_obj_ct_helper_snprintf, + .json_parse = nftnl_obj_quota_json_parse, + }; +diff --git a/src/obj/quota.c b/src/obj/quota.c +index d5757b2..e959ff8 100644 +--- a/src/obj/quota.c ++++ b/src/obj/quota.c +@@ -200,6 +200,6 @@ struct obj_ops obj_ops_quota = { + .get = nftnl_obj_quota_get, + .parse = nftnl_obj_quota_parse, + .build = nftnl_obj_quota_build, +- .snprintf = nftnl_obj_quota_snprintf, ++ .snprintf_ = nftnl_obj_quota_snprintf, + .json_parse = nftnl_obj_quota_json_parse, + }; +diff --git a/src/object.c b/src/object.c +index d409c6d..b938c97 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -389,7 +389,7 @@ static int nftnl_obj_export(char *buf, size_t size, + nftnl_buf_u32(&b, type, obj->use, USE); + + if (obj->ops) +- ret = obj->ops->snprintf(buf + b.len, size - b.len, type, ++ ret = obj->ops->snprintf_(buf + b.len, size - b.len, type, + flags, obj); + + b.len += ret; +@@ -410,7 +410,7 @@ static int nftnl_obj_snprintf_dflt(char *buf, size_t size, + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + if (obj->ops) { +- ret = obj->ops->snprintf(buf + offset, offset, type, flags, obj); ++ ret = obj->ops->snprintf_(buf + offset, offset, type, flags, obj); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + ret = snprintf(buf + offset, offset, "]"); +-- +2.12.2 + diff --git a/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.7.bb b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.7.bb new file mode 100644 index 000000000..ca01c0a61 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/libnftnl/libnftnl_1.0.7.bb @@ -0,0 +1,17 @@ +SUMMARY = "Library for low-level interaction with nftables Netlink's API over libmnl" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=79808397c3355f163c012616125c9e26" +SECTION = "libs" +DEPENDS = "libmnl" +PV .= "+git${SRCPV}" +SRCREV = "4b89c0cb0883f638ff1abbc2ff47c43cdc26aac5" +SRC_URI = "git://git.netfilter.org/libnftnl \ + file://0001-Declare-the-define-visivility-attribute-together.patch \ + file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \ + " +SRC_URI[md5sum] = "82183867168eb6644926c48b991b8aac" +SRC_URI[sha256sum] = "9bb66ecbc64b8508249402f0093829f44177770ad99f6042b86b3a467d963982" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig diff --git a/meta-openembedded/meta-networking/recipes-filter/nfacct/nfacct_1.0.2.bb b/meta-openembedded/meta-networking/recipes-filter/nfacct/nfacct_1.0.2.bb new file mode 100644 index 000000000..8177ebcc2 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nfacct/nfacct_1.0.2.bb @@ -0,0 +1,15 @@ +SUMMARY = "nfacct is the command line tool to create/retrieve/delete accounting objects" +HOMEPAGE = "http://netfilter.org/projects/nfacct/" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" + +SRC_URI = "ftp://ftp.netfilter.org/pub/${BPN}/${BP}.tar.bz2" + +SRC_URI[md5sum] = "94faafdaaed85ca9220c5692be8a408e" +SRC_URI[sha256sum] = "ecff2218754be318bce3c3a5d1775bab93bf4168b2c4aac465785de5655fbd69" +DEPENDS = "libnfnetlink libmnl libnetfilter-acct" + +EXTRA_OEMAKE += 'HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}"' + +inherit autotools pkgconfig + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0001-payload-explicit-network-ctx-assignment-for-icmp-icm.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0001-payload-explicit-network-ctx-assignment-for-icmp-icm.patch new file mode 100644 index 000000000..86a3d53df --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0001-payload-explicit-network-ctx-assignment-for-icmp-icm.patch @@ -0,0 +1,323 @@ +From 0011985554e269e1cc8f8e5b41eb9dcd795ebe8c Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez <arturo@debian.org> +Date: Wed, 25 Jan 2017 12:51:08 +0100 +Subject: [PATCH] payload: explicit network ctx assignment for icmp/icmp6 in + special families + +In the inet, bridge and netdev families, we can add rules like these: + +% nft add rule inet t c ip protocol icmp icmp type echo-request +% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request + +However, when we print the ruleset: + +% nft list ruleset +table inet t { + chain c { + icmpv6 type echo-request + icmp type echo-request + } +} + +These rules we obtain can't be added again: + +% nft add rule inet t c icmp type echo-request +<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp +add rule inet t c icmp type echo-request + ^^^^^^^^^ + +% nft add rule inet t c icmpv6 type echo-request +<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6 +add rule inet t c icmpv6 type echo-request + ^^^^^^^^^^^ + +Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet +carrying ICMP, if the link layer is inet, the network layer protocol context +can be safely update to 'ip' or 'ip6'. + +Moreover, nft currently generates a 'meta nfproto ipvX' depedency when +using icmp or icmp6 in the inet family, and similar in netdev and bridge +families. + +While at it, a bit of code factorization is introduced. + +Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 +Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/payload.c | 70 ++++++++++++++++--------------------- + tests/py/any/icmpX.t.netdev | 8 +++++ + tests/py/any/icmpX.t.netdev.payload | 36 +++++++++++++++++++ + tests/py/bridge/icmpX.t | 8 +++++ + tests/py/bridge/icmpX.t.payload | 36 +++++++++++++++++++ + tests/py/inet/icmpX.t | 8 +++++ + tests/py/inet/icmpX.t.payload | 36 +++++++++++++++++++ + 7 files changed, 162 insertions(+), 40 deletions(-) + create mode 100644 tests/py/any/icmpX.t.netdev + create mode 100644 tests/py/any/icmpX.t.netdev.payload + create mode 100644 tests/py/bridge/icmpX.t + create mode 100644 tests/py/bridge/icmpX.t.payload + create mode 100644 tests/py/inet/icmpX.t + create mode 100644 tests/py/inet/icmpX.t.payload + +diff --git a/src/payload.c b/src/payload.c +index af533b2..74f8254 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -223,6 +223,34 @@ static int payload_add_dependency(struct eval_ctx *ctx, + return 0; + } + ++static const struct proto_desc * ++payload_gen_special_dependency(struct eval_ctx *ctx, const struct expr *expr) ++{ ++ switch (expr->payload.base) { ++ case PROTO_BASE_LL_HDR: ++ switch (ctx->pctx.family) { ++ case NFPROTO_INET: ++ return &proto_inet; ++ case NFPROTO_BRIDGE: ++ return &proto_eth; ++ case NFPROTO_NETDEV: ++ return &proto_netdev; ++ default: ++ break; ++ } ++ break; ++ case PROTO_BASE_TRANSPORT_HDR: ++ if (expr->payload.desc == &proto_icmp) ++ return &proto_ip; ++ if (expr->payload.desc == &proto_icmp6) ++ return &proto_ip6; ++ return &proto_inet_service; ++ default: ++ break; ++ } ++ return NULL; ++} ++ + /** + * payload_gen_dependency - generate match expression on payload dependency + * +@@ -276,46 +304,8 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, + + desc = ctx->pctx.protocol[expr->payload.base - 1].desc; + /* Special case for mixed IPv4/IPv6 and bridge tables */ +- if (desc == NULL) { +- switch (ctx->pctx.family) { +- case NFPROTO_INET: +- switch (expr->payload.base) { +- case PROTO_BASE_LL_HDR: +- desc = &proto_inet; +- break; +- case PROTO_BASE_TRANSPORT_HDR: +- desc = &proto_inet_service; +- break; +- default: +- break; +- } +- break; +- case NFPROTO_BRIDGE: +- switch (expr->payload.base) { +- case PROTO_BASE_LL_HDR: +- desc = &proto_eth; +- break; +- case PROTO_BASE_TRANSPORT_HDR: +- desc = &proto_inet_service; +- break; +- default: +- break; +- } +- break; +- case NFPROTO_NETDEV: +- switch (expr->payload.base) { +- case PROTO_BASE_LL_HDR: +- desc = &proto_netdev; +- break; +- case PROTO_BASE_TRANSPORT_HDR: +- desc = &proto_inet_service; +- break; +- default: +- break; +- } +- break; +- } +- } ++ if (desc == NULL) ++ desc = payload_gen_special_dependency(ctx, expr); + + if (desc == NULL) + return expr_error(ctx->msgs, expr, +diff --git a/tests/py/any/icmpX.t.netdev b/tests/py/any/icmpX.t.netdev +new file mode 100644 +index 0000000..a327ce6 +--- /dev/null ++++ b/tests/py/any/icmpX.t.netdev +@@ -0,0 +1,8 @@ ++:ingress;type filter hook ingress device lo priority 0 ++ ++*netdev;test-netdev;ingress ++ ++ip protocol icmp icmp type echo-request;ok;icmp type echo-request ++icmp type echo-request;ok ++ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;icmpv6 type echo-request ++icmpv6 type echo-request;ok +diff --git a/tests/py/any/icmpX.t.netdev.payload b/tests/py/any/icmpX.t.netdev.payload +new file mode 100644 +index 0000000..8b8107c +--- /dev/null ++++ b/tests/py/any/icmpX.t.netdev.payload +@@ -0,0 +1,36 @@ ++# ip protocol icmp icmp type echo-request ++netdev test-netdev ingress ++ [ meta load protocol => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# icmp type echo-request ++netdev test-netdev ingress ++ [ meta load protocol => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# ip6 nexthdr icmpv6 icmpv6 type echo-request ++netdev test-netdev ingress ++ [ meta load protocol => reg 1 ] ++ [ cmp eq reg 1 0x0000dd86 ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ ++# icmpv6 type echo-request ++netdev test-netdev ingress ++ [ meta load protocol => reg 1 ] ++ [ cmp eq reg 1 0x0000dd86 ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ +diff --git a/tests/py/bridge/icmpX.t b/tests/py/bridge/icmpX.t +new file mode 100644 +index 0000000..8c0a597 +--- /dev/null ++++ b/tests/py/bridge/icmpX.t +@@ -0,0 +1,8 @@ ++:input;type filter hook input priority 0 ++ ++*bridge;test-bridge;input ++ ++ip protocol icmp icmp type echo-request;ok;icmp type echo-request ++icmp type echo-request;ok ++ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;icmpv6 type echo-request ++icmpv6 type echo-request;ok +diff --git a/tests/py/bridge/icmpX.t.payload b/tests/py/bridge/icmpX.t.payload +new file mode 100644 +index 0000000..19efdd8 +--- /dev/null ++++ b/tests/py/bridge/icmpX.t.payload +@@ -0,0 +1,36 @@ ++# ip protocol icmp icmp type echo-request ++bridge test-bridge input ++ [ payload load 2b @ link header + 12 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# icmp type echo-request ++bridge test-bridge input ++ [ payload load 2b @ link header + 12 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# ip6 nexthdr icmpv6 icmpv6 type echo-request ++bridge test-bridge input ++ [ payload load 2b @ link header + 12 => reg 1 ] ++ [ cmp eq reg 1 0x0000dd86 ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ ++# icmpv6 type echo-request ++bridge test-bridge input ++ [ payload load 2b @ link header + 12 => reg 1 ] ++ [ cmp eq reg 1 0x0000dd86 ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ +diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t +new file mode 100644 +index 0000000..1b467a1 +--- /dev/null ++++ b/tests/py/inet/icmpX.t +@@ -0,0 +1,8 @@ ++:input;type filter hook input priority 0 ++ ++*inet;test-inet;input ++ ++ip protocol icmp icmp type echo-request;ok;icmp type echo-request ++icmp type echo-request;ok ++ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;icmpv6 type echo-request ++icmpv6 type echo-request;ok +diff --git a/tests/py/inet/icmpX.t.payload b/tests/py/inet/icmpX.t.payload +new file mode 100644 +index 0000000..81ca774 +--- /dev/null ++++ b/tests/py/inet/icmpX.t.payload +@@ -0,0 +1,36 @@ ++# ip protocol icmp icmp type echo-request ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x00000002 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# icmp type echo-request ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x00000002 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x00000001 ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ ++# ip6 nexthdr icmpv6 icmpv6 type echo-request ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x0000000a ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ ++# icmpv6 type echo-request ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x0000000a ] ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000080 ] ++ +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0002-proto-Add-some-exotic-ICMPv6-types.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0002-proto-Add-some-exotic-ICMPv6-types.patch new file mode 100644 index 000000000..4d9e9d11a --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0002-proto-Add-some-exotic-ICMPv6-types.patch @@ -0,0 +1,147 @@ +From 9ade8fb75f8963375b45b3f2973b8bb7aa66ad76 Mon Sep 17 00:00:00 2001 +From: Phil Sutter <phil@nwl.cc> +Date: Thu, 16 Mar 2017 13:43:20 +0100 +Subject: [PATCH] proto: Add some exotic ICMPv6 types + +This adds support for matching on inverse ND messages as defined by +RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810. + +Note that ICMPV6_MLD2_REPORT macro is defined in linux/icmpv6.h but +including that header leads to conflicts with symbols defined in +netinet/icmp6.h. + +In addition to the above, "mld-listener-done" is introduced as an alias +for "mld-listener-reduction". + +Signed-off-by: Phil Sutter <phil@nwl.cc> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/proto.c | 8 ++++++++ + tests/py/ip6/icmpv6.t | 8 ++++++-- + tests/py/ip6/icmpv6.t.payload.ip6 | 34 +++++++++++++++++++++++++++++++++- + 3 files changed, 47 insertions(+), 3 deletions(-) + +diff --git a/src/proto.c b/src/proto.c +index fb96530..79e9dbf 100644 +--- a/src/proto.c ++++ b/src/proto.c +@@ -632,6 +632,10 @@ const struct proto_desc proto_ip = { + + #include <netinet/icmp6.h> + ++#define IND_NEIGHBOR_SOLICIT 141 ++#define IND_NEIGHBOR_ADVERT 142 ++#define ICMPV6_MLD2_REPORT 143 ++ + static const struct symbol_table icmp6_type_tbl = { + .base = BASE_DECIMAL, + .symbols = { +@@ -643,6 +647,7 @@ static const struct symbol_table icmp6_type_tbl = { + SYMBOL("echo-reply", ICMP6_ECHO_REPLY), + SYMBOL("mld-listener-query", MLD_LISTENER_QUERY), + SYMBOL("mld-listener-report", MLD_LISTENER_REPORT), ++ SYMBOL("mld-listener-done", MLD_LISTENER_REDUCTION), + SYMBOL("mld-listener-reduction", MLD_LISTENER_REDUCTION), + SYMBOL("nd-router-solicit", ND_ROUTER_SOLICIT), + SYMBOL("nd-router-advert", ND_ROUTER_ADVERT), +@@ -650,6 +655,9 @@ static const struct symbol_table icmp6_type_tbl = { + SYMBOL("nd-neighbor-advert", ND_NEIGHBOR_ADVERT), + SYMBOL("nd-redirect", ND_REDIRECT), + SYMBOL("router-renumbering", ICMP6_ROUTER_RENUMBERING), ++ SYMBOL("ind-neighbor-solicit", IND_NEIGHBOR_SOLICIT), ++ SYMBOL("ind-neighbor-advert", IND_NEIGHBOR_ADVERT), ++ SYMBOL("mld2-listener-report", ICMPV6_MLD2_REPORT), + SYMBOL_LIST_END + }, + }; +diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t +index afbd451..a898fe3 100644 +--- a/tests/py/ip6/icmpv6.t ++++ b/tests/py/ip6/icmpv6.t +@@ -11,7 +11,8 @@ icmpv6 type echo-request accept;ok + icmpv6 type echo-reply accept;ok + icmpv6 type mld-listener-query accept;ok + icmpv6 type mld-listener-report accept;ok +-icmpv6 type mld-listener-reduction accept;ok ++icmpv6 type mld-listener-done accept;ok ++icmpv6 type mld-listener-reduction accept;ok;icmpv6 type mld-listener-done accept + icmpv6 type nd-router-solicit accept;ok + icmpv6 type nd-router-advert accept;ok + icmpv6 type nd-neighbor-solicit accept;ok +@@ -19,8 +20,11 @@ icmpv6 type nd-neighbor-advert accept;ok + icmpv6 type nd-redirect accept;ok + icmpv6 type parameter-problem accept;ok + icmpv6 type router-renumbering accept;ok ++icmpv6 type ind-neighbor-solicit accept;ok ++icmpv6 type ind-neighbor-advert accept;ok ++icmpv6 type mld2-listener-report accept;ok + icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept;ok +-icmpv6 type {router-renumbering, mld-listener-reduction, time-exceeded, nd-router-solicit} accept;ok ++icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept;ok + icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok + icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok + +diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 +index 9fe2496..30f58ca 100644 +--- a/tests/py/ip6/icmpv6.t.payload.ip6 ++++ b/tests/py/ip6/icmpv6.t.payload.ip6 +@@ -54,6 +54,14 @@ ip6 test-ip6 input + [ cmp eq reg 1 0x00000083 ] + [ immediate reg 0 accept ] + ++# icmpv6 type mld-listener-done accept ++ip6 test-ip6 input ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000084 ] ++ [ immediate reg 0 accept ] ++ + # icmpv6 type mld-listener-reduction accept + ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] +@@ -118,6 +126,30 @@ ip6 test-ip6 input + [ cmp eq reg 1 0x0000008a ] + [ immediate reg 0 accept ] + ++# icmpv6 type ind-neighbor-solicit accept ++ip6 test-ip6 input ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x0000008d ] ++ [ immediate reg 0 accept ] ++ ++# icmpv6 type ind-neighbor-advert accept ++ip6 test-ip6 input ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x0000008e ] ++ [ immediate reg 0 accept ] ++ ++# icmpv6 type mld2-listener-report accept ++ip6 test-ip6 input ++ [ payload load 1b @ network header + 6 => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x0000008f ] ++ [ immediate reg 0 accept ] ++ + # icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept + __set%d test-ip6 3 + __set%d test-ip6 0 +@@ -129,7 +161,7 @@ ip6 test-ip6 input + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +-# icmpv6 type {router-renumbering, mld-listener-reduction, time-exceeded, nd-router-solicit} accept ++# icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept + __set%d test-ip6 3 + __set%d test-ip6 0 + element 0000008a : 0 [end] element 00000084 : 0 [end] element 00000003 : 0 [end] element 00000085 : 0 [end] +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0003-payload-split-ll-proto-dependency-into-helper.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0003-payload-split-ll-proto-dependency-into-helper.patch new file mode 100644 index 000000000..50cac300e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0003-payload-split-ll-proto-dependency-into-helper.patch @@ -0,0 +1,62 @@ +From 8d8cfe5ad6ca460a5262fb15fdbef3601058c784 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Thu, 18 May 2017 13:30:54 +0200 +Subject: [PATCH 1/4] payload: split ll proto dependency into helper + +will be re-used in folloup patch for icmp/icmpv6 depenency +handling. + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/payload.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 55128fe..31e5a02 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -224,21 +224,28 @@ static int payload_add_dependency(struct eval_ctx *ctx, + } + + static const struct proto_desc * ++payload_get_get_ll_hdr(const struct eval_ctx *ctx) ++{ ++ switch (ctx->pctx.family) { ++ case NFPROTO_INET: ++ return &proto_inet; ++ case NFPROTO_BRIDGE: ++ return &proto_eth; ++ case NFPROTO_NETDEV: ++ return &proto_netdev; ++ default: ++ break; ++ } ++ ++ return NULL; ++} ++ ++static const struct proto_desc * + payload_gen_special_dependency(struct eval_ctx *ctx, const struct expr *expr) + { + switch (expr->payload.base) { + case PROTO_BASE_LL_HDR: +- switch (ctx->pctx.family) { +- case NFPROTO_INET: +- return &proto_inet; +- case NFPROTO_BRIDGE: +- return &proto_eth; +- case NFPROTO_NETDEV: +- return &proto_netdev; +- default: +- break; +- } +- break; ++ return payload_get_get_ll_hdr(ctx); + case PROTO_BASE_TRANSPORT_HDR: + if (expr->payload.desc == &proto_icmp) + return &proto_ip; +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0004-src-allow-update-of-net-base-w.-meta-l4proto-icmpv6.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0004-src-allow-update-of-net-base-w.-meta-l4proto-icmpv6.patch new file mode 100644 index 000000000..180edb350 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0004-src-allow-update-of-net-base-w.-meta-l4proto-icmpv6.patch @@ -0,0 +1,65 @@ +From 9a1f2bbf3cd2417e0c10d18578e224abe2071d68 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Tue, 21 Mar 2017 19:47:22 +0100 +Subject: [PATCH 2/4] src: allow update of net base w. meta l4proto icmpv6 + +nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert +<cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6 + +add icmpv6 to nexthdr list so base gets updated correctly. + +Reported-by: Thomas Woerner <twoerner@redhat.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/proto.c | 1 + + tests/py/any/meta.t | 1 + + tests/py/any/meta.t.payload | 7 +++++++ + 3 files changed, 9 insertions(+) + +diff --git a/src/proto.c b/src/proto.c +index 79e9dbf..fcdfbe7 100644 +--- a/src/proto.c ++++ b/src/proto.c +@@ -779,6 +779,7 @@ const struct proto_desc proto_inet_service = { + PROTO_LINK(IPPROTO_TCP, &proto_tcp), + PROTO_LINK(IPPROTO_DCCP, &proto_dccp), + PROTO_LINK(IPPROTO_SCTP, &proto_sctp), ++ PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6), + }, + .templates = { + [0] = PROTO_META_TEMPLATE("l4proto", &inet_protocol_type, NFT_META_L4PROTO, 8), +diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t +index c3ac0a4..2ff942f 100644 +--- a/tests/py/any/meta.t ++++ b/tests/py/any/meta.t +@@ -38,6 +38,7 @@ meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88} + meta l4proto != { 33, 55, 67, 88};ok + meta l4proto { 33-55};ok + meta l4proto != { 33-55};ok ++meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert + + meta priority root;ok + meta priority none;ok +diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload +index e432656..871f1ad 100644 +--- a/tests/py/any/meta.t.payload ++++ b/tests/py/any/meta.t.payload +@@ -187,6 +187,13 @@ ip test-ip4 input + [ byteorder reg 1 = hton(reg 1, 2, 1) ] + [ lookup reg 1 set __set%d 0x1 ] + ++# meta l4proto ipv6-icmp icmpv6 type nd-router-advert ++ip test-ip4 input ++ [ meta load l4proto => reg 1 ] ++ [ cmp eq reg 1 0x0000003a ] ++ [ payload load 1b @ transport header + 0 => reg 1 ] ++ [ cmp eq reg 1 0x00000086 ] ++ + # meta mark 0x4 + ip test-ip4 input + [ meta load mark => reg 1 ] +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0005-src-ipv6-switch-implicit-dependencies-to-meta-l4prot.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0005-src-ipv6-switch-implicit-dependencies-to-meta-l4prot.patch new file mode 100644 index 000000000..f600ae05c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0005-src-ipv6-switch-implicit-dependencies-to-meta-l4prot.patch @@ -0,0 +1,98 @@ +From 2366ed9ffcb4f5f5341f10f0a1d1a4688d37ad87 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Wed, 22 Mar 2017 15:08:48 +0100 +Subject: [PATCH 3/4] src: ipv6: switch implicit dependencies to meta l4proto + +when using rule like + +ip6 filter input tcp dport 22 +nft generates: + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +which is: ip6 filter input ip6 nexthdr tcp dport 22 +IOW, such a rule won't match if e.g. a fragment header is in place. + +This changes ip6_proto to use 'meta l4proto' which is the protocol header +found by exthdr walk. + +A side effect is that for bridge we get a shorter dependency chain as it +no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep. + +Only problem: + +ip6 nexthdr tcp tcp dport 22 +will now inject a (useless) meta l4 dependency as ip6 nexthdr is no +longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper +that skips the unneded meta dependency in that case. + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/payload.c | 19 ++++++++++++++++++- + src/proto.c | 2 +- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 31e5a02..38db15e 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -117,6 +117,23 @@ static const struct expr_ops payload_expr_ops = { + .pctx_update = payload_expr_pctx_update, + }; + ++/* ++ * ipv6 is special case, we normally use 'meta l4proto' to fetch the last ++ * l4 header of the ipv6 extension header chain so we will also match ++ * tcp after a fragmentation header, for instance. ++ * ++ * If user specifically asks for nexthdr x, treat is as a full ++ * dependency rather than injecting another (useless) meta l4 one. ++ */ ++static bool proto_key_is_protocol(const struct proto_desc *desc, unsigned int type) ++{ ++ if (type == desc->protocol_key || ++ (desc == &proto_ip6 && type == IP6HDR_NEXTHDR)) ++ return true; ++ ++ return false; ++} ++ + struct expr *payload_expr_alloc(const struct location *loc, + const struct proto_desc *desc, + unsigned int type) +@@ -129,7 +146,7 @@ struct expr *payload_expr_alloc(const struct location *loc, + if (desc != NULL) { + tmpl = &desc->templates[type]; + base = desc->base; +- if (type == desc->protocol_key) ++ if (proto_key_is_protocol(desc, type)) + flags = EXPR_F_PROTOCOL; + } else { + tmpl = &proto_unknown_template; +diff --git a/src/proto.c b/src/proto.c +index fcdfbe7..3b20a5f 100644 +--- a/src/proto.c ++++ b/src/proto.c +@@ -707,7 +707,6 @@ const struct proto_desc proto_icmp6 = { + const struct proto_desc proto_ip6 = { + .name = "ip6", + .base = PROTO_BASE_NETWORK_HDR, +- .protocol_key = IP6HDR_NEXTHDR, + .protocols = { + PROTO_LINK(IPPROTO_ESP, &proto_esp), + PROTO_LINK(IPPROTO_AH, &proto_ah), +@@ -720,6 +719,7 @@ const struct proto_desc proto_ip6 = { + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6), + }, + .templates = { ++ [0] = PROTO_META_TEMPLATE("l4proto", &inet_protocol_type, NFT_META_L4PROTO, 8), + [IP6HDR_VERSION] = HDR_BITFIELD("version", &integer_type, 0, 4), + [IP6HDR_DSCP] = HDR_BITFIELD("dscp", &dscp_type, 4, 6), + [IP6HDR_ECN] = HDR_BITFIELD("ecn", &ecn_type, 10, 2), +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch new file mode 100644 index 000000000..00076d7ce --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch @@ -0,0 +1,84 @@ +From f21a7a4849b50c30341ec571813bd7fe37040ad3 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Thu, 18 May 2017 13:30:54 +0200 +Subject: [PATCH 4/4] payload: enforce ip/ip6 protocol depending on icmp or + icmpv6 + +After some discussion with Pablo we agreed to treat icmp/icmpv6 specially. + +in the case of a rule like 'tcp dport 22' the inet, bridge and netdev +families only care about the lower layer protocol. + +In the icmpv6 case however we'd like to also enforce an ipv6 protocol check +(and ipv4 check in icmp case). + +This extends payload_gen_special_dependency() to consider this. +With this patch: + +add rule $pf filter input meta l4proto icmpv6 +add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request +add rule $pf filter input icmpv6 type echo-request + +will work in all tables and all families. +For inet/bridge/netdev, an ipv6 protocol dependency is added; this will +not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case +of the ip family. + +Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an +explicit dependency: + +add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ... + +Implicit dependencies won't get removed at the moment, so + bridge ... icmp type echo-request +will be shown as + ether type ip meta l4proto 1 icmp type echo-request + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/payload.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 38db15e..8796ee5 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -264,10 +264,29 @@ payload_gen_special_dependency(struct eval_ctx *ctx, const struct expr *expr) + case PROTO_BASE_LL_HDR: + return payload_get_get_ll_hdr(ctx); + case PROTO_BASE_TRANSPORT_HDR: +- if (expr->payload.desc == &proto_icmp) +- return &proto_ip; +- if (expr->payload.desc == &proto_icmp6) +- return &proto_ip6; ++ if (expr->payload.desc == &proto_icmp || ++ expr->payload.desc == &proto_icmp6) { ++ const struct proto_desc *desc, *desc_upper; ++ struct stmt *nstmt; ++ ++ desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; ++ if (!desc) { ++ desc = payload_get_get_ll_hdr(ctx); ++ if (!desc) ++ break; ++ } ++ ++ desc_upper = &proto_ip6; ++ if (expr->payload.desc == &proto_icmp) ++ desc_upper = &proto_ip; ++ ++ if (payload_add_dependency(ctx, desc, desc_upper, ++ expr, &nstmt) < 0) ++ return NULL; ++ ++ list_add_tail(&nstmt->list, &ctx->stmt->list); ++ return desc_upper; ++ } + return &proto_inet_service; + default: + break; +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/0007-src-ip-switch-implicit-dependencies-to-meta-l4proto-.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0007-src-ip-switch-implicit-dependencies-to-meta-l4proto-.patch new file mode 100644 index 000000000..5b72437d2 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/0007-src-ip-switch-implicit-dependencies-to-meta-l4proto-.patch @@ -0,0 +1,86 @@ +From 0825c57d571bb7121e7048e198b9b023f7e7f358 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Sun, 7 May 2017 03:53:30 +0200 +Subject: [PATCH] src: ip: switch implicit dependencies to meta l4proto too + +after ip6 nexthdr also switch ip to meta l4proto instead of ip protocol. + +While its needed for ipv6 (due to extension headers) this isn't needed +for ip but it has the advantage that + +tcp dport 22 + +produces same expressions for ip/ip6/inet families. + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- +Upstream-Status: Backport +Signed-off-by: André Draszik <adraszik@tycoint.com> + src/payload.c | 17 +++++++++++------ + src/proto.c | 3 ++- + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 8796ee5..11b6df3 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -118,17 +118,22 @@ static const struct expr_ops payload_expr_ops = { + }; + + /* +- * ipv6 is special case, we normally use 'meta l4proto' to fetch the last +- * l4 header of the ipv6 extension header chain so we will also match ++ * We normally use 'meta l4proto' to fetch the last l4 header of the ++ * ipv6 extension header chain so we will also match + * tcp after a fragmentation header, for instance. ++ * For consistency we also use meta l4proto for ipv4. + * +- * If user specifically asks for nexthdr x, treat is as a full +- * dependency rather than injecting another (useless) meta l4 one. ++ * If user specifically asks for nexthdr x, don't add another (useless) ++ * meta dependency. + */ + static bool proto_key_is_protocol(const struct proto_desc *desc, unsigned int type) + { +- if (type == desc->protocol_key || +- (desc == &proto_ip6 && type == IP6HDR_NEXTHDR)) ++ if (type == desc->protocol_key) ++ return true; ++ ++ if (desc == &proto_ip6 && type == IP6HDR_NEXTHDR) ++ return true; ++ if (desc == &proto_ip && type == IPHDR_PROTOCOL) + return true; + + return false; +diff --git a/src/proto.c b/src/proto.c +index 3b20a5f..2afedf7 100644 +--- a/src/proto.c ++++ b/src/proto.c +@@ -587,7 +587,6 @@ const struct proto_desc proto_ip = { + .name = "ip", + .base = PROTO_BASE_NETWORK_HDR, + .checksum_key = IPHDR_CHECKSUM, +- .protocol_key = IPHDR_PROTOCOL, + .protocols = { + PROTO_LINK(IPPROTO_ICMP, &proto_icmp), + PROTO_LINK(IPPROTO_ESP, &proto_esp), +@@ -600,6 +599,7 @@ const struct proto_desc proto_ip = { + PROTO_LINK(IPPROTO_SCTP, &proto_sctp), + }, + .templates = { ++ [0] = PROTO_META_TEMPLATE("l4proto", &inet_protocol_type, NFT_META_L4PROTO, 8), + [IPHDR_VERSION] = HDR_BITFIELD("version", &integer_type, 0, 4), + [IPHDR_HDRLENGTH] = HDR_BITFIELD("hdrlength", &integer_type, 4, 4), + [IPHDR_DSCP] = HDR_BITFIELD("dscp", &dscp_type, 8, 6), +@@ -779,6 +779,7 @@ const struct proto_desc proto_inet_service = { + PROTO_LINK(IPPROTO_TCP, &proto_tcp), + PROTO_LINK(IPPROTO_DCCP, &proto_dccp), + PROTO_LINK(IPPROTO_SCTP, &proto_sctp), ++ PROTO_LINK(IPPROTO_ICMP, &proto_icmp), + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6), + }, + .templates = { +-- +2.11.0 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch b/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch new file mode 100644 index 000000000..8dce90a75 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/files/fix-to-generate-ntf.8.patch @@ -0,0 +1,26 @@ +[PATCH] disable to make ntf.8 man + +Upstream-Status: Pending + +$DB2MAN do not support the xinclude parameter whether it is +docbook2x-man or other, so disable to make ntf.8 man + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + doc/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index a92de7f..537c36b 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -1,5 +1,5 @@ + if BUILD_MAN +-man_MANS = nft.8 ++#man_MANS = nft.8 + endif + + if BUILD_PDF +-- +1.9.1 + diff --git a/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.7.bb b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.7.bb new file mode 100644 index 000000000..0ea79953b --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_0.7.bb @@ -0,0 +1,27 @@ +SUMMARY = "Netfilter Tables userspace utillites" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=d1a78fdd879a263a5e0b42d1fc565e79" +SECTION = "net" + +DEPENDS = "libmnl libnftnl readline gmp" +RRECOMMENDS_${PN} += "kernel-module-nf-tables \ + " + +SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.bz2 \ + file://fix-to-generate-ntf.8.patch \ + \ + file://0001-payload-explicit-network-ctx-assignment-for-icmp-icm.patch \ + file://0002-proto-Add-some-exotic-ICMPv6-types.patch \ + \ + file://0003-payload-split-ll-proto-dependency-into-helper.patch \ + file://0004-src-allow-update-of-net-base-w.-meta-l4proto-icmpv6.patch \ + file://0005-src-ipv6-switch-implicit-dependencies-to-meta-l4prot.patch \ + file://0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch \ + file://0007-src-ip-switch-implicit-dependencies-to-meta-l4proto-.patch \ + " +SRC_URI[md5sum] = "4c005e76a15a029afaba71d7db21d065" +SRC_URI[sha256sum] = "fe639239d801ce5890397f6f4391c58a934bfc27d8b7d5ef922692de5ec4ed43" + +ASNEEDED = "" + +inherit autotools pkgconfig |