From: Jo-Philipp Wich Date: Tue, 26 May 2015 09:16:50 +0000 (+0000) Subject: iptables: reduce binary size X-Git-Tag: reboot~2991 X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=1c00b6bc7f6e8cb56aedd1ba86e5d1c49a6538f1;p=openwrt%2Fopenwrt.git iptables: reduce binary size * drop unused lenient restore patch * instead of statically linking core extensions, build shared libraries for reuse in fw3 * strip outdated match revisions and aliases to trim down library size Signed-off-by: Jo-Philipp Wich SVN-Revision: 45758 --- diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index df88639816..626b252761 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -392,7 +392,7 @@ define Package/libiptc $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries - DEPENDS:=+libip4tc +libip6tc + DEPENDS:=+libip4tc +libip6tc +libxtables TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub) endef @@ -401,6 +401,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv4 firewall - shared libiptc library + DEPENDS:=+libxtables endef define Package/libip6tc @@ -408,6 +409,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv6 firewall - shared libiptc library + DEPENDS:=+libxtables endef define Package/libxtables @@ -425,7 +427,8 @@ TARGET_CPPFLAGS := \ TARGET_CFLAGS += \ -I$(PKG_BUILD_DIR)/include \ -I$(LINUX_DIR)/user_headers/include \ - -ffunction-sections -fdata-sections + -ffunction-sections -fdata-sections \ + -DNO_LEGACY TARGET_LDFLAGS += \ -Wl,--gc-sections @@ -466,8 +469,7 @@ define Build/InstallDev $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/ # XXX: needed by firewall3 - $(INSTALL_DIR) $(1)/usr/lib/iptables - $(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/ endef define Package/iptables/install @@ -490,16 +492,19 @@ endef define Package/libip4tc/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/ endef define Package/libip6tc/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/ endef define Package/libxtables/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ + $(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/ endef define BuildPlugin diff --git a/package/network/utils/iptables/patches/400-lenient-restore.patch b/package/network/utils/iptables/patches/400-lenient-restore.patch deleted file mode 100644 index 55ced4a872..0000000000 --- a/package/network/utils/iptables/patches/400-lenient-restore.patch +++ /dev/null @@ -1,172 +0,0 @@ ---- a/iptables/ip6tables-restore.c -+++ b/iptables/ip6tables-restore.c -@@ -14,6 +14,8 @@ - #include - #include - #include -+#include -+#include - #include "ip6tables.h" - #include "xtables.h" - #include "libiptc/libip6tc.h" -@@ -25,6 +27,7 @@ - #define DEBUGP(x, args...) - #endif - -+static jmp_buf jmp; - static int binary = 0, counters = 0, verbose = 0, noflush = 0; - - /* Keeping track of external matches and targets. */ -@@ -35,6 +38,7 @@ static const struct option options[] = { - {.name = "test", .has_arg = false, .val = 't'}, - {.name = "help", .has_arg = false, .val = 'h'}, - {.name = "noflush", .has_arg = false, .val = 'n'}, -+ {.name = "lenient", .has_arg = false, .val = 'l'}, - {.name = "modprobe", .has_arg = true, .val = 'M'}, - {.name = "table", .has_arg = true, .val = 'T'}, - {NULL}, -@@ -51,6 +55,7 @@ static void print_usage(const char *name - " [ --test ]\n" - " [ --help ]\n" - " [ --noflush ]\n" -+ " [ --lenient ]\n" - " [ --modprobe=]\n", name); - - exit(1); -@@ -114,6 +119,17 @@ static void free_argv(void) { - free(newargv[i]); - } - -+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...) -+{ -+ va_list args; -+ fprintf(stderr, "line %d: ", line); -+ va_start(args, msg); -+ vfprintf(stderr, msg, args); -+ va_end(args); -+ fprintf(stderr, "\n"); -+ longjmp(jmp, status); -+} -+ - static void add_param_to_argv(char *parsestart) - { - int quote_open = 0, escaped = 0, param_len = 0; -@@ -204,7 +220,7 @@ int ip6tables_restore_main(int argc, cha - init_extensions6(); - #endif - -- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { -+ while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) { - switch (c) { - case 'b': - binary = 1; -@@ -225,6 +241,9 @@ int ip6tables_restore_main(int argc, cha - case 'n': - noflush = 1; - break; -+ case 'l': -+ ip6tables_globals.exit_err = catch_exit_error; -+ break; - case 'M': - xtables_modprobe_program = optarg; - break; -@@ -437,8 +456,11 @@ int ip6tables_restore_main(int argc, cha - for (a = 0; a < newargc; a++) - DEBUGP("argv[%u]: %s\n", a, newargv[a]); - -- ret = do_command6(newargc, newargv, -- &newargv[2], &handle, true); -+ if (!setjmp(jmp)) -+ ret = do_command6(newargc, newargv, -+ &newargv[2], &handle, true); -+ else -+ ret = 1; - - free_argv(); - fflush(stdout); ---- a/iptables/iptables-restore.c -+++ b/iptables/iptables-restore.c -@@ -11,6 +11,8 @@ - #include - #include - #include -+#include -+#include - #include "iptables.h" - #include "xtables.h" - #include "libiptc/libiptc.h" -@@ -22,6 +24,7 @@ - #define DEBUGP(x, args...) - #endif - -+static jmp_buf jmp; - static int binary = 0, counters = 0, verbose = 0, noflush = 0; - - /* Keeping track of external matches and targets. */ -@@ -32,6 +35,7 @@ static const struct option options[] = { - {.name = "test", .has_arg = false, .val = 't'}, - {.name = "help", .has_arg = false, .val = 'h'}, - {.name = "noflush", .has_arg = false, .val = 'n'}, -+ {.name = "lenient", .has_arg = false, .val = 'l'}, - {.name = "modprobe", .has_arg = true, .val = 'M'}, - {.name = "table", .has_arg = true, .val = 'T'}, - {NULL}, -@@ -50,6 +54,7 @@ static void print_usage(const char *name - " [ --test ]\n" - " [ --help ]\n" - " [ --noflush ]\n" -+ " [ --lenient ]\n" - " [ --table= ]\n" - " [ --modprobe=]\n", name); - -@@ -113,6 +118,17 @@ static void free_argv(void) { - free(newargv[i]); - } - -+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...) -+{ -+ va_list args; -+ fprintf(stderr, "line %d: ", line); -+ va_start(args, msg); -+ vfprintf(stderr, msg, args); -+ va_end(args); -+ fprintf(stderr, "\n"); -+ longjmp(jmp, status); -+} -+ - static void add_param_to_argv(char *parsestart) - { - int quote_open = 0, escaped = 0, param_len = 0; -@@ -204,7 +220,7 @@ iptables_restore_main(int argc, char *ar - init_extensions4(); - #endif - -- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { -+ while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) { - switch (c) { - case 'b': - binary = 1; -@@ -225,6 +241,9 @@ iptables_restore_main(int argc, char *ar - case 'n': - noflush = 1; - break; -+ case 'l': -+ iptables_globals.exit_err = catch_exit_error; -+ break; - case 'M': - xtables_modprobe_program = optarg; - break; -@@ -437,8 +456,11 @@ iptables_restore_main(int argc, char *ar - for (a = 0; a < newargc; a++) - DEBUGP("argv[%u]: %s\n", a, newargv[a]); - -- ret = do_command4(newargc, newargv, -- &newargv[2], &handle, true); -+ if (!setjmp(jmp)) -+ ret = do_command4(newargc, newargv, -+ &newargv[2], &handle, true); -+ else -+ ret = 1; - - free_argv(); - fflush(stdout); diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch new file mode 100644 index 0000000000..92f5485399 --- /dev/null +++ b/package/network/utils/iptables/patches/600-shared-libext.patch @@ -0,0 +1,78 @@ +Index: iptables-1.4.21/extensions/GNUmakefile.in +=================================================================== +--- iptables-1.4.21.orig/extensions/GNUmakefile.in ++++ iptables-1.4.21/extensions/GNUmakefile.in +@@ -71,7 +71,7 @@ pf6_solibs := $(patsubst %,libip6t_%. + # + # Building blocks + # +-targets := libext.a libext4.a libext6.a matches.man targets.man ++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man + targets_install := + libext_objs := ${pfx_objs} + libext4_objs := ${pf4_objs} +@@ -96,7 +96,7 @@ clean: + distclean: clean + + init%.o: init%.c +- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<; ++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + + -include .*.d + +@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm + # handling code in the Makefiles. + # + lib%.o: ${srcdir}/lib%.c +- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<; ++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + +-libext.a: initext.o ${libext_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext.so: initext.o ${libext_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD}; + +-libext4.a: initext4.o ${libext4_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext4.so: initext4.o ${libext4_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD}; + +-libext6.a: initext6.o ${libext6_objs} +- ${AM_VERBOSE_AR} ${AR} crs $@ $^; ++libiptext6.so: initext6.o ${libext6_objs} ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD}; + + initext_func := $(addprefix xt_,${pfx_build_static}) + initext4_func := $(addprefix ipt_,${pf4_build_static}) +Index: iptables-1.4.21/iptables/Makefile.am +=================================================================== +--- iptables-1.4.21.orig/iptables/Makefile.am ++++ iptables-1.4.21/iptables/Makefile.am +@@ -5,7 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} - + + xtables_multi_SOURCES = xtables-multi.c iptables-xml.c + xtables_multi_CFLAGS = ${AM_CFLAGS} +-xtables_multi_LDADD = ../extensions/libext.a ++xtables_multi_LDADD = ++xtables_multi_LDFLAGS = -L../extensions/ -liptext + if ENABLE_STATIC + xtables_multi_CFLAGS += -DALL_INCLUSIVE + endif +@@ -13,13 +14,15 @@ if ENABLE_IPV4 + xtables_multi_SOURCES += iptables-save.c iptables-restore.c \ + iptables-standalone.c iptables.c + xtables_multi_CFLAGS += -DENABLE_IPV4 +-xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a ++xtables_multi_LDADD += ../libiptc/libip4tc.la ++xtables_multi_LDFLAGS += -liptext4 + endif + if ENABLE_IPV6 + xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \ + ip6tables-standalone.c ip6tables.c + xtables_multi_CFLAGS += -DENABLE_IPV6 +-xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a ++xtables_multi_LDADD += ../libiptc/libip6tc.la ++xtables_multi_LDFLAGS += -liptext6 + endif + xtables_multi_SOURCES += xshared.c + xtables_multi_LDADD += ../libxtables/libxtables.la -lm diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch new file mode 100644 index 0000000000..342c3b013a --- /dev/null +++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch @@ -0,0 +1,108 @@ +Index: iptables-1.4.21/extensions/libxt_conntrack.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_conntrack.c ++++ iptables-1.4.21/extensions/libxt_conntrack.c +@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c + } + + static struct xtables_match conntrack_mt_reg[] = { ++#ifndef NO_LEGACY + { + .version = XTABLES_VERSION, + .name = "conntrack", +@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt + .alias = conntrack_print_name_alias, + .x6_options = conntrack2_mt_opts, + }, ++#endif + { + .version = XTABLES_VERSION, + .name = "conntrack", +@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt + .alias = conntrack_print_name_alias, + .x6_options = conntrack3_mt_opts, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, ++#endif + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "state", +@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt + .x6_parse = state_parse, + .x6_options = state_opts, + }, ++#endif + }; + + void _init(void) +Index: iptables-1.4.21/extensions/libxt_CT.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_CT.c ++++ iptables-1.4.21/extensions/libxt_CT.c +@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x + } + + static struct xtables_target ct_target_reg[] = { ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "CT", +@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r + .x6_parse = ct_parse_v1, + .x6_options = ct_opts_v1, + }, ++#endif + { + .family = NFPROTO_UNSPEC, + .name = "CT", +@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r + .x6_parse = ct_parse_v1, + .x6_options = ct_opts_v1, + }, ++#ifndef NO_LEGACY + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", +@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r + .revision = 0, + .version = XTABLES_VERSION, + }, ++#endif + }; + + void _init(void) +Index: iptables-1.4.21/extensions/libxt_multiport.c +=================================================================== +--- iptables-1.4.21.orig/extensions/libxt_multiport.c ++++ iptables-1.4.21/extensions/libxt_multiport.c +@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi + } + + static struct xtables_match multiport_mt_reg[] = { ++#ifndef NO_LEGACY + { + .family = NFPROTO_IPV4, + .name = "multiport", +@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt + .save = multiport_save6, + .x6_options = multiport_opts, + }, ++#endif + { + .family = NFPROTO_IPV4, + .name = "multiport",