From fc80ef3613465e60257a5ddf0674debe45b09180 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Thu, 13 Dec 2018 11:48:55 -0800 Subject: [PATCH] iproute2: tc: enable and fix support for using .so plugins MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This enables using the tc module m_xt.so, which uses the act_ipt kernel module to allow tc actions based on iptables targets. e.g. tc filter add dev eth0 parent 1: prio 10 protocol ip \ u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE Make the SHARED_LIBS parameter configurable and based on tc package selection. Fix a problem using the tc m_xt.so plugin as also described in https://bugs.debian.org/868059: Sync include/xtables.h from iptables to make sure the right offset is used when accessing structure members defined in libxtables. One could get “Extension does not know id …” otherwise. (See also: #868059) Patch to sync the included xtables.h with system iptables 1.6.x. This continues to work with iptables 1.8.2. Signed-off-by: Tony Ambardar --- package/network/utils/iproute2/Makefile | 7 +- .../patches/135-sync-iptables-header.patch | 101 ++++++++++++++++++ 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 package/network/utils/iproute2/patches/135-sync-iptables-header.patch diff --git a/package/network/utils/iproute2/Makefile b/package/network/utils/iproute2/Makefile index a9bcfd40a0..6e20e34dd8 100644 --- a/package/network/utils/iproute2/Makefile +++ b/package/network/utils/iproute2/Makefile @@ -106,6 +106,7 @@ endif ifeq ($(BUILD_VARIANT),tc) HAVE_ELF:=y + SHARED_LIBS:=y endif ifdef CONFIG_PACKAGE_devlink @@ -127,7 +128,7 @@ TARGET_CPPFLAGS += -I$(STAGING_DIR)/usr/include/libnl-tiny MAKE_FLAGS += \ KERNEL_INCLUDE="$(LINUX_DIR)/user_headers/include" \ - SHARED_LIBS="" \ + SHARED_LIBS=$(SHARED_LIBS) \ IP_CONFIG_TINY=$(IP_CONFIG_TINY) \ HAVE_ELF=$(HAVE_ELF) \ HAVE_MNL=$(HAVE_MNL) \ @@ -164,6 +165,10 @@ define Package/tc/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/tc/tc $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface $(INSTALL_BIN) ./files/15-teql $(1)/etc/hotplug.d/iface/ +ifeq ($(SHARED_LIBS),y) + $(INSTALL_DIR) $(1)/usr/lib/tc + $(CP) $(PKG_BUILD_DIR)/tc/*.so $(1)/usr/lib/tc +endif endef # ensure other packages are only saved during 'tiny' builds. diff --git a/package/network/utils/iproute2/patches/135-sync-iptables-header.patch b/package/network/utils/iproute2/patches/135-sync-iptables-header.patch new file mode 100644 index 0000000000..a04d8ac742 --- /dev/null +++ b/package/network/utils/iproute2/patches/135-sync-iptables-header.patch @@ -0,0 +1,101 @@ +Description: Sync header from iptables + The current versions in several suites have the same content: + - 1.6.1-2 (unstable) +Bug: https://bugs.debian.org/868059 +Forwarded: not-needed +Author: Cyril Brulebois +Last-Update: 2017-11-22 +--- a/include/xtables.h ++++ b/include/xtables.h +@@ -205,9 +205,24 @@ enum xtables_ext_flags { + XTABLES_EXT_ALIAS = 1 << 0, + }; + ++struct xt_xlate; ++ ++struct xt_xlate_mt_params { ++ const void *ip; ++ const struct xt_entry_match *match; ++ int numeric; ++ bool escape_quotes; ++}; ++ ++struct xt_xlate_tg_params { ++ const void *ip; ++ const struct xt_entry_target *target; ++ int numeric; ++ bool escape_quotes; ++}; ++ + /* Include file for additions: new matches and targets. */ +-struct xtables_match +-{ ++struct xtables_match { + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. +@@ -269,6 +284,10 @@ struct xtables_match + void (*x6_fcheck)(struct xt_fcheck_call *); + const struct xt_option_entry *x6_options; + ++ /* Translate iptables to nft */ ++ int (*xlate)(struct xt_xlate *xl, ++ const struct xt_xlate_mt_params *params); ++ + /* Size of per-extension instance extra "global" scratch space */ + size_t udata_size; + +@@ -280,8 +299,7 @@ struct xtables_match + unsigned int loaded; /* simulate loading so options are merged properly */ + }; + +-struct xtables_target +-{ ++struct xtables_target { + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. +@@ -346,6 +364,10 @@ struct xtables_target + void (*x6_fcheck)(struct xt_fcheck_call *); + const struct xt_option_entry *x6_options; + ++ /* Translate iptables to nft */ ++ int (*xlate)(struct xt_xlate *xl, ++ const struct xt_xlate_tg_params *params); ++ + size_t udata_size; + + /* Ignore these men behind the curtain: */ +@@ -406,6 +428,17 @@ struct xtables_globals + + #define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} + ++/* ++ * enum op- ++ * ++ * For writing clean nftables translations code ++ */ ++enum xt_op { ++ XT_OP_EQ, ++ XT_OP_NEQ, ++ XT_OP_MAX, ++}; ++ + #ifdef __cplusplus + extern "C" { + #endif +@@ -548,6 +581,14 @@ extern void xtables_lmap_free(struct xta + extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *); + extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int); + ++/* xlate infrastructure */ ++struct xt_xlate *xt_xlate_alloc(int size); ++void xt_xlate_free(struct xt_xlate *xl); ++void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...); ++void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment); ++const char *xt_xlate_get_comment(struct xt_xlate *xl); ++const char *xt_xlate_get(struct xt_xlate *xl); ++ + #ifdef XTABLES_INTERNAL + + /* Shipped modules rely on this... */ -- 2.30.2