iptables: reduce binary size
* drop unused lenient restore patch
* instead of statically linking core extensions, build shared libraries for reuse in fw3
* strip outdated match revisions and aliases to trim down library size

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45758
This commit is contained in:
parent
ecb14f4a5d
commit
1c00b6bc7f
4 changed files with 195 additions and 176 deletions
@ -392,7 +392,7 @@ define Package/libiptc
$(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libip4tc +libip6tc
DEPENDS:=+libip4tc +libip6tc +libxtables
TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
endef
@ -401,6 +401,7 @@ $(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library
DEPENDS:=+libxtables
endef
define Package/libip6tc
@ -408,6 +409,7 @@ $(call Package/iptables/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library
DEPENDS:=+libxtables
endef
define Package/libxtables
@ -425,7 +427,8 @@ TARGET_CPPFLAGS := \
TARGET_CFLAGS += \
-I$(PKG_BUILD_DIR)/include \
-I$(LINUX_DIR)/user_headers/include \
-ffunction-sections -fdata-sections
-ffunction-sections -fdata-sections \
-DNO_LEGACY
TARGET_LDFLAGS += \
-Wl,--gc-sections
@ -466,8 +469,7 @@ define Build/InstallDev
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
# XXX: needed by firewall3
$(INSTALL_DIR) $(1)/usr/lib/iptables
$(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
endef
define Package/iptables/install
@ -490,16 +492,19 @@ endef
define Package/libip4tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
endef
define Package/libip6tc/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
endef
define Package/libxtables/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
endef
define BuildPlugin
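Review bot: `-DNO_LEGACY` in the TARGET_CFLAGS hunk is hard-wired with no comment and no build option, yet it is the switch the new NO_LEGACY patch further down this page keys on to compile out older conntrack/state/multiport revisions and, as far as those hunks show, every NOTRACK target registration; a reader of this Makefile cannot tell which rulesets will stop loading. Add a comment above it, e.g. `# NO_LEGACY: compiles out old conntrack/state/multiport revisions and the NOTRACK alias to shrink libiptext; rules using them fail to load`, and consider gating it on a config symbol so the legacy revisions can be re-enabled where a kernel only offers those. The Build/InstallDev hunk also copies `libiptext*.so` straight from `$(PKG_BUILD_DIR)/extensions/` for firewall3, so fw3 inherits the same reduced extension set; presumably intended, but the `# XXX: needed by firewall3` comment would be the place to say so.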
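--- a/PLACEHOLDER_PATH_deleted_lenient_restore_patch
+++ /dev/null
@@ -1,172 +0,0 @@
---- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -14,6 +14,8 @@
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-+#include <stdarg.h>
-+#include <setjmp.h>
-#include "ip6tables.h"
-#include "xtables.h"
-#include "libiptc/libip6tc.h"
-@@ -25,6 +27,7 @@
-#define DEBUGP(x, args...)
-#endif
-
-+static jmp_buf jmp;
-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
-
-/* Keeping track of external matches and targets. */
-@@ -35,6 +38,7 @@ static const struct option options[] = {
-{.name = "test", .has_arg = false, .val = 't'},
-{.name = "help", .has_arg = false, .val = 'h'},
-{.name = "noflush", .has_arg = false, .val = 'n'},
-+ {.name = "lenient", .has_arg = false, .val = 'l'},
-{.name = "modprobe", .has_arg = true, .val = 'M'},
-{.name = "table", .has_arg = true, .val = 'T'},
-{NULL},
-@@ -51,6 +55,7 @@ static void print_usage(const char *name
-" [ --test ]\n"
-" [ --help ]\n"
-" [ --noflush ]\n"
-+ " [ --lenient ]\n"
-" [ --modprobe=<command>]\n", name);
-
-exit(1);
-@@ -114,6 +119,17 @@ static void free_argv(void) {
-free(newargv[i]);
-}
-
-+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
-+{
-+ va_list args;
-+ fprintf(stderr, "line %d: ", line);
-+ va_start(args, msg);
-+ vfprintf(stderr, msg, args);
-+ va_end(args);
-+ fprintf(stderr, "\n");
-+ longjmp(jmp, status);
-+}
-+
-static void add_param_to_argv(char *parsestart)
-{
-int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@ int ip6tables_restore_main(int argc, cha
-init_extensions6();
-#endif
-
-- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
-+ while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
-switch (c) {
-case 'b':
-binary = 1;
-@@ -225,6 +241,9 @@ int ip6tables_restore_main(int argc, cha
-case 'n':
-noflush = 1;
-break;
-+ case 'l':
-+ ip6tables_globals.exit_err = catch_exit_error;
-+ break;
-case 'M':
-xtables_modprobe_program = optarg;
-break;
-@@ -437,8 +456,11 @@ int ip6tables_restore_main(int argc, cha
-for (a = 0; a < newargc; a++)
-DEBUGP("argv[%u]: %s\n", a, newargv[a]);
-
-- ret = do_command6(newargc, newargv,
-- &newargv[2], &handle, true);
-+ if (!setjmp(jmp))
-+ ret = do_command6(newargc, newargv,
-+ &newargv[2], &handle, true);
-+ else
-+ ret = 1;
-
-free_argv();
-fflush(stdout);
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -11,6 +11,8 @@
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-+#include <stdarg.h>
-+#include <setjmp.h>
-#include "iptables.h"
-#include "xtables.h"
-#include "libiptc/libiptc.h"
-@@ -22,6 +24,7 @@
-#define DEBUGP(x, args...)
-#endif
-
-+static jmp_buf jmp;
-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
-
-/* Keeping track of external matches and targets. */
-@@ -32,6 +35,7 @@ static const struct option options[] = {
-{.name = "test", .has_arg = false, .val = 't'},
-{.name = "help", .has_arg = false, .val = 'h'},
-{.name = "noflush", .has_arg = false, .val = 'n'},
-+ {.name = "lenient", .has_arg = false, .val = 'l'},
-{.name = "modprobe", .has_arg = true, .val = 'M'},
-{.name = "table", .has_arg = true, .val = 'T'},
-{NULL},
-@@ -50,6 +54,7 @@ static void print_usage(const char *name
-" [ --test ]\n"
-" [ --help ]\n"
-" [ --noflush ]\n"
-+ " [ --lenient ]\n"
-" [ --table=<TABLE> ]\n"
-" [ --modprobe=<command>]\n", name);
-
-@@ -113,6 +118,17 @@ static void free_argv(void) {
-free(newargv[i]);
-}
-
-+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
-+{
-+ va_list args;
-+ fprintf(stderr, "line %d: ", line);
-+ va_start(args, msg);
-+ vfprintf(stderr, msg, args);
-+ va_end(args);
-+ fprintf(stderr, "\n");
-+ longjmp(jmp, status);
-+}
-+
-static void add_param_to_argv(char *parsestart)
-{
-int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@ iptables_restore_main(int argc, char *ar
-init_extensions4();
-#endif
-
-- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
-+ while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
-switch (c) {
-case 'b':
-binary = 1;
-@@ -225,6 +241,9 @@ iptables_restore_main(int argc, char *ar
-case 'n':
-noflush = 1;
-break;
-+ case 'l':
-+ iptables_globals.exit_err = catch_exit_error;
-+ break;
-case 'M':
-xtables_modprobe_program = optarg;
-break;
-@@ -437,8 +456,11 @@ iptables_restore_main(int argc, char *ar
-for (a = 0; a < newargc; a++)
-DEBUGP("argv[%u]: %s\n", a, newargv[a]);
-
-- ret = do_command4(newargc, newargv,
-- &newargv[2], &handle, true);
-+ if (!setjmp(jmp))
-+ ret = do_command4(newargc, newargv,
-+ &newargv[2], &handle, true);
-+ else
-+ ret = 1;
-
-free_argv();
-fflush(stdout);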
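--- /dev/null
+++ b/PLACEHOLDER_PATH_new_shared_extensions_patch
@@ -0,0 +1,78 @@
+Index: iptables-1.4.21/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.21.orig/extensions/GNUmakefile.in
++++ iptables-1.4.21/extensions/GNUmakefile.in
+@@ -71,7 +71,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
+#
+# Building blocks
+#
+-targets := libext.a libext4.a libext6.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+targets_install :=
+libext_objs := ${pfx_objs}
+libext4_objs := ${pf4_objs}
+@@ -96,7 +96,7 @@ clean:
+distclean: clean
+
+init%.o: init%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+-include .*.d
+
+@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+# handling code in the Makefiles.
+#
+lib%.o: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+-libext.a: initext.o ${libext_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext4.a: initext4.o ${libext4_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-libext6.a: initext6.o ${libext6_objs}
+- ${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+initext_func := $(addprefix xt_,${pfx_build_static})
+initext4_func := $(addprefix ipt_,${pf4_build_static})
+Index: iptables-1.4.21/iptables/Makefile.am
+===================================================================
+--- iptables-1.4.21.orig/iptables/Makefile.am
++++ iptables-1.4.21/iptables/Makefile.am
+@@ -5,7 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -
+
+xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
+xtables_multi_CFLAGS = ${AM_CFLAGS}
+-xtables_multi_LDADD = ../extensions/libext.a
++xtables_multi_LDADD =
++xtables_multi_LDFLAGS = -L../extensions/ -liptext
+if ENABLE_STATIC
+xtables_multi_CFLAGS += -DALL_INCLUSIVE
+endif
+@@ -13,13 +14,15 @@ if ENABLE_IPV4
+xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+iptables-standalone.c iptables.c
+xtables_multi_CFLAGS += -DENABLE_IPV4
+-xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_multi_LDADD += ../libiptc/libip4tc.la
++xtables_multi_LDFLAGS += -liptext4
+endif
+if ENABLE_IPV6
+xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+ip6tables-standalone.c ip6tables.c
+xtables_multi_CFLAGS += -DENABLE_IPV6
+-xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_multi_LDADD += ../libiptc/libip6tc.la
++xtables_multi_LDFLAGS += -liptext6
+endif
+xtables_multi_SOURCES += xshared.c
+xtables_multi_LDADD += ../libxtables/libxtables.la -lm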
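Review bot: In the three new `libiptext*.so` link rules, `${$*_LIBADD}` expands to nothing: `$*` is only set in pattern rules or when an explicit target ends in a suffix listed in `.SUFFIXES`, and `.so` is not one by default (nothing on this page adds it), so the per-extension link libraries never reach the shared object. The hunk context shows `xt_statistic_LIBADD = -lm`; if that object is among `${pfx_objs}`, `libiptext.so` is produced with undefined references that only resolve because the last line, `xtables_multi_LDADD += ../libxtables/libxtables.la -lm`, happens to pull libm into the executable, and any other consumer of the library (fw3 is the stated one) must know to add `-lm` or gets an unresolved symbol at load time. I would name the needed libraries explicitly and make the linker refuse such objects, e.g. `${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared -Wl,--no-undefined ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables -lm;` for `libiptext.so` and likewise for the 4/6 variants, so a missing dependency fails the build rather than the firewall at boot. In the Makefile.am hunk, placing `-liptext*` in `xtables_multi_LDFLAGS` rather than `LDADD` also deserves a comment or a rethink: automake emits LDFLAGS before the object files, which `--as-needed` toolchains may silently drop.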
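--- /dev/null
+++ b/PLACEHOLDER_PATH_new_no_legacy_patch
@@ -0,0 +1,108 @@
+Index: iptables-1.4.21/extensions/libxt_conntrack.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_conntrack.c
++++ iptables-1.4.21/extensions/libxt_conntrack.c
+@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+}
+
+static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+{
+.version = XTABLES_VERSION,
+.name = "conntrack",
+@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+.alias = conntrack_print_name_alias,
+.x6_options = conntrack2_mt_opts,
+},
++#endif
+{
+.version = XTABLES_VERSION,
+.name = "conntrack",
+@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
+.alias = conntrack_print_name_alias,
+.x6_options = conntrack3_mt_opts,
+},
++#ifndef NO_LEGACY
+{
+.family = NFPROTO_UNSPEC,
+.name = "state",
+@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+.x6_parse = state_ct23_parse,
+.x6_options = state_opts,
+},
++#endif
+{
+.family = NFPROTO_UNSPEC,
+.name = "state",
+@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
+.x6_parse = state_ct23_parse,
+.x6_options = state_opts,
+},
++#ifndef NO_LEGACY
+{
+.family = NFPROTO_UNSPEC,
+.name = "state",
+@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+.x6_parse = state_parse,
+.x6_options = state_opts,
+},
++#endif
+};
+
+void _init(void)
+Index: iptables-1.4.21/extensions/libxt_CT.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_CT.c
++++ iptables-1.4.21/extensions/libxt_CT.c
+@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+}
+
+static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+{
+.family = NFPROTO_UNSPEC,
+.name = "CT",
+@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+.x6_parse = ct_parse_v1,
+.x6_options = ct_opts_v1,
+},
++#endif
+{
+.family = NFPROTO_UNSPEC,
+.name = "CT",
+@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+.x6_parse = ct_parse_v1,
+.x6_options = ct_opts_v1,
+},
++#ifndef NO_LEGACY
+{
+.family = NFPROTO_UNSPEC,
+.name = "NOTRACK",
+@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+.revision = 0,
+.version = XTABLES_VERSION,
+},
++#endif
+};
+
+void _init(void)
+Index: iptables-1.4.21/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_multiport.c
++++ iptables-1.4.21/extensions/libxt_multiport.c
+@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+}
+
+static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+{
+.family = NFPROTO_IPV4,
+.name = "multiport",
+@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
+.save = multiport_save6,
+.x6_options = multiport_opts,
+},
++#endif
+{
+.family = NFPROTO_IPV4,
+.name = "multiport",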
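Review bot: The `#ifndef NO_LEGACY` opened just before the first `.name = "NOTRACK"` entry in libxt_CT.c is closed only after the last `},` preceding `};`, so as far as the hunks show no NOTRACK registration survives an OpenWrt build and `-j NOTRACK` turns from an alias into a "couldn't load target" failure at restore time; that is a user-visible removal beyond "outdated match revisions" and belongs in the commit message and in a description above the first `Index:` line of the patch. None of the three C files explains the macro, and a one-line comment at each array's first guard would spare the next maintainer a search, e.g. `/* NO_LEGACY (OpenWrt): older revisions and aliases compiled out to shrink libiptext; rulesets using them will not load */`. Helpers referenced only by guarded entries — `notrack_ct2_tg_init` in the hunk header looks like one — presumably become unused static functions under NO_LEGACY and trigger `-Wunused-function`; `-ffunction-sections`/`--gc-sections` in the package Makefile keeps them out of the binary, but wrapping them in the same guard would keep the build warning-free and make the dead code visible.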