From 1c00b6bc7f6e8cb56aedd1ba86e5d1c49a6538f1 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jow@openwrt.org>
Date: Tue, 26 May 2015 09:16:50 +0000
Subject: [PATCH] iptables: reduce binary size

 * drop unused lenient restore patch
 * instead of statically linking core extensions, build shared libraries
   for reuse in fw3
 * strip outdated match revisions and aliases to trim down library size

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45758
---
 package/network/utils/iptables/Makefile       |  13 +-
 .../patches/400-lenient-restore.patch         | 172 ------------------
 .../iptables/patches/600-shared-libext.patch  |  78 ++++++++
 .../700-disable-legacy-revisions.patch        | 108 +++++++++++
 4 files changed, 195 insertions(+), 176 deletions(-)
 delete mode 100644 package/network/utils/iptables/patches/400-lenient-restore.patch
 create mode 100644 package/network/utils/iptables/patches/600-shared-libext.patch
 create mode 100644 package/network/utils/iptables/patches/700-disable-legacy-revisions.patch

diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
index df886398166..626b2527619 100644
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -392,7 +392,7 @@ define Package/libiptc
 $(call Package/iptables/Default)
   SECTION:=libs
   CATEGORY:=Libraries
-  DEPENDS:=+libip4tc +libip6tc
+  DEPENDS:=+libip4tc +libip6tc +libxtables
   TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
 endef
 
@@ -401,6 +401,7 @@ $(call Package/iptables/Default)
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=IPv4 firewall - shared libiptc library
+  DEPENDS:=+libxtables
 endef
 
 define Package/libip6tc
@@ -408,6 +409,7 @@ $(call Package/iptables/Default)
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=IPv6 firewall - shared libiptc library
+  DEPENDS:=+libxtables
 endef
 
 define Package/libxtables
@@ -425,7 +427,8 @@ TARGET_CPPFLAGS := \
 TARGET_CFLAGS += \
 	-I$(PKG_BUILD_DIR)/include \
 	-I$(LINUX_DIR)/user_headers/include \
-	-ffunction-sections -fdata-sections
+	-ffunction-sections -fdata-sections \
+	-DNO_LEGACY
 
 TARGET_LDFLAGS += \
 	-Wl,--gc-sections
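Review bot: `-DNO_LEGACY` is appended to TARGET_CFLAGS unconditionally and without a comment, while its effect is defined in a separate file, patches/700-disable-legacy-revisions.patch, so a reader of the Makefile cannot tell what the flag removes or why. A one-line comment above the new line, `# NO_LEGACY: drop superseded match/target revisions, see patches/700-disable-legacy-revisions.patch`, would tie the two together. Because a ruleset that needs a dropped revision fails at restore time rather than at build time, the minimum kernel version required by the revisions that remain is worth recording in the same comment once it is known.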
@@ -466,8 +469,7 @@ define Build/InstallDev
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
 
 	# XXX: needed by firewall3
-	$(INSTALL_DIR) $(1)/usr/lib/iptables
-	$(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
 endef
 
 define Package/iptables/install
@@ -490,16 +492,19 @@ endef
 define Package/libip4tc/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
 endef
 
 define Package/libip6tc/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
 endef
 
 define Package/libxtables/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
 endef
 
 define BuildPlugin
diff --git a/package/network/utils/iptables/patches/400-lenient-restore.patch b/package/network/utils/iptables/patches/400-lenient-restore.patch
deleted file mode 100644
index 55ced4a872f..00000000000
--- a/package/network/utils/iptables/patches/400-lenient-restore.patch
+++ /dev/null
@@ -1,172 +0,0 @@
---- a/iptables/ip6tables-restore.c
-+++ b/iptables/ip6tables-restore.c
-@@ -14,6 +14,8 @@
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <stdarg.h>
-+#include <setjmp.h>
- #include "ip6tables.h"
- #include "xtables.h"
- #include "libiptc/libip6tc.h"
-@@ -25,6 +27,7 @@
- #define DEBUGP(x, args...)
- #endif
- 
-+static jmp_buf jmp;
- static int binary = 0, counters = 0, verbose = 0, noflush = 0;
- 
- /* Keeping track of external matches and targets.  */
-@@ -35,6 +38,7 @@ static const struct option options[] = {
- 	{.name = "test",     .has_arg = false, .val = 't'},
- 	{.name = "help",     .has_arg = false, .val = 'h'},
- 	{.name = "noflush",  .has_arg = false, .val = 'n'},
-+	{.name = "lenient",  .has_arg = false, .val = 'l'},
- 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
- 	{.name = "table",    .has_arg = true,  .val = 'T'},
- 	{NULL},
-@@ -51,6 +55,7 @@ static void print_usage(const char *name
- 			"	   [ --test ]\n"
- 			"	   [ --help ]\n"
- 			"	   [ --noflush ]\n"
-+			"	   [ --lenient ]\n"
- 			"          [ --modprobe=<command>]\n", name);
- 
- 	exit(1);
-@@ -114,6 +119,17 @@ static void free_argv(void) {
- 		free(newargv[i]);
- }
- 
-+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
-+{
-+	va_list args;
-+	fprintf(stderr, "line %d: ", line);
-+	va_start(args, msg);
-+	vfprintf(stderr, msg, args);
-+	va_end(args);
-+	fprintf(stderr, "\n");
-+	longjmp(jmp, status);
-+}
-+
- static void add_param_to_argv(char *parsestart)
- {
- 	int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@ int ip6tables_restore_main(int argc, cha
- 	init_extensions6();
- #endif
- 
--	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
-+	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
- 		switch (c) {
- 			case 'b':
- 				binary = 1;
-@@ -225,6 +241,9 @@ int ip6tables_restore_main(int argc, cha
- 			case 'n':
- 				noflush = 1;
- 				break;
-+			case 'l':
-+				ip6tables_globals.exit_err = catch_exit_error;
-+				break;
- 			case 'M':
- 				xtables_modprobe_program = optarg;
- 				break;
-@@ -437,8 +456,11 @@ int ip6tables_restore_main(int argc, cha
- 			for (a = 0; a < newargc; a++)
- 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
- 
--			ret = do_command6(newargc, newargv,
--					 &newargv[2], &handle, true);
-+			if (!setjmp(jmp))
-+				ret = do_command6(newargc, newargv,
-+						 &newargv[2], &handle, true);
-+			else
-+				ret = 1;
- 
- 			free_argv();
- 			fflush(stdout);
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -11,6 +11,8 @@
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <stdarg.h>
-+#include <setjmp.h>
- #include "iptables.h"
- #include "xtables.h"
- #include "libiptc/libiptc.h"
-@@ -22,6 +24,7 @@
- #define DEBUGP(x, args...)
- #endif
- 
-+static jmp_buf jmp;
- static int binary = 0, counters = 0, verbose = 0, noflush = 0;
- 
- /* Keeping track of external matches and targets.  */
-@@ -32,6 +35,7 @@ static const struct option options[] = {
- 	{.name = "test",     .has_arg = false, .val = 't'},
- 	{.name = "help",     .has_arg = false, .val = 'h'},
- 	{.name = "noflush",  .has_arg = false, .val = 'n'},
-+	{.name = "lenient",  .has_arg = false, .val = 'l'},
- 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
- 	{.name = "table",    .has_arg = true,  .val = 'T'},
- 	{NULL},
-@@ -50,6 +54,7 @@ static void print_usage(const char *name
- 			"	   [ --test ]\n"
- 			"	   [ --help ]\n"
- 			"	   [ --noflush ]\n"
-+			"	   [ --lenient ]\n"
- 			"	   [ --table=<TABLE> ]\n"
- 			"          [ --modprobe=<command>]\n", name);
- 
-@@ -113,6 +118,17 @@ static void free_argv(void) {
- 		free(newargv[i]);
- }
- 
-+static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
-+{
-+	va_list args;
-+	fprintf(stderr, "line %d: ", line);
-+	va_start(args, msg);
-+	vfprintf(stderr, msg, args);
-+	va_end(args);
-+	fprintf(stderr, "\n");
-+	longjmp(jmp, status);
-+}
-+
- static void add_param_to_argv(char *parsestart)
- {
- 	int quote_open = 0, escaped = 0, param_len = 0;
-@@ -204,7 +220,7 @@ iptables_restore_main(int argc, char *ar
- 	init_extensions4();
- #endif
- 
--	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
-+	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
- 		switch (c) {
- 			case 'b':
- 				binary = 1;
-@@ -225,6 +241,9 @@ iptables_restore_main(int argc, char *ar
- 			case 'n':
- 				noflush = 1;
- 				break;
-+			case 'l':
-+				iptables_globals.exit_err = catch_exit_error;
-+				break;
- 			case 'M':
- 				xtables_modprobe_program = optarg;
- 				break;
-@@ -437,8 +456,11 @@ iptables_restore_main(int argc, char *ar
- 			for (a = 0; a < newargc; a++)
- 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
- 
--			ret = do_command4(newargc, newargv,
--					 &newargv[2], &handle, true);
-+			if (!setjmp(jmp))
-+				ret = do_command4(newargc, newargv,
-+						 &newargv[2], &handle, true);
-+			else
-+				ret = 1;
- 
- 			free_argv();
- 			fflush(stdout);
diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch
new file mode 100644
index 00000000000..92f5485399f
--- /dev/null
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -0,0 +1,78 @@
+Index: iptables-1.4.21/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.21.orig/extensions/GNUmakefile.in
++++ iptables-1.4.21/extensions/GNUmakefile.in
+@@ -71,7 +71,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+ #
+ # Building blocks
+ #
+-targets := libext.a libext4.a libext6.a matches.man targets.man
++targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
+ targets_install :=
+ libext_objs := ${pfx_objs}
+ libext4_objs := ${pf4_objs}
+@@ -96,7 +96,7 @@ clean:
+ distclean: clean
+ 
+ init%.o: init%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init  -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+ -include .*.d
+ 
+@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
+ #	handling code in the Makefiles.
+ #
+ lib%.o: ${srcdir}/lib%.c
+-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+-libext.a: initext.o ${libext_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext.so: initext.o ${libext_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+-libext4.a: initext4.o ${libext4_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext4.so: initext4.o ${libext4_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+-libext6.a: initext6.o ${libext6_objs}
+-	${AM_VERBOSE_AR} ${AR} crs $@ $^;
++libiptext6.so: initext6.o ${libext6_objs}
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+ initext_func  := $(addprefix xt_,${pfx_build_static})
+ initext4_func := $(addprefix ipt_,${pf4_build_static})
+Index: iptables-1.4.21/iptables/Makefile.am
+===================================================================
+--- iptables-1.4.21.orig/iptables/Makefile.am
++++ iptables-1.4.21/iptables/Makefile.am
+@@ -5,7 +5,8 @@ AM_CPPFLAGS      = ${regular_CPPFLAGS} -
+ 
+ xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
+ xtables_multi_CFLAGS   = ${AM_CFLAGS}
+-xtables_multi_LDADD    = ../extensions/libext.a
++xtables_multi_LDADD    =
++xtables_multi_LDFLAGS  = -L../extensions/ -liptext
+ if ENABLE_STATIC
+ xtables_multi_CFLAGS  += -DALL_INCLUSIVE
+ endif
+@@ -13,13 +14,15 @@ if ENABLE_IPV4
+ xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+                          iptables-standalone.c iptables.c
+ xtables_multi_CFLAGS  += -DENABLE_IPV4
+-xtables_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
++xtables_multi_LDADD   += ../libiptc/libip4tc.la
++xtables_multi_LDFLAGS += -liptext4
+ endif
+ if ENABLE_IPV6
+ xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+                           ip6tables-standalone.c ip6tables.c
+ xtables_multi_CFLAGS  += -DENABLE_IPV6
+-xtables_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
++xtables_multi_LDADD   += ../libiptc/libip6tc.la
++xtables_multi_LDFLAGS += -liptext6
+ endif
+ xtables_multi_SOURCES += xshared.c
+ xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
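Review bot: `${$*_LIBADD}` at the end of the three new `libiptext*.so` link rules expands to nothing: `$*` is the stem only in a pattern rule, and for an explicit target whose name does not end in a known suffix it is the empty string, so per-extension link flags such as the `xt_statistic_LIBADD = -lm` visible in the hunk context are never applied. A `-shared` link usually tolerates the resulting undefined references, but a consumer that dlopen()s `libiptext.so` without itself linking the missing library — fw3 is the consumer named in the commit message — would fail at load time; whether that bites depends on which extensions end up in `${libext_objs}`, which the hunk does not show. Collecting the variables explicitly, e.g. `$(foreach o,${libext_objs},${$(patsubst lib%.o,%,$o)_LIBADD})` (and likewise with `libext4_objs`/`libext6_objs` in the other two rules), restores the intended behaviour. Separately, moving `-liptext*` from LDADD into `xtables_multi_LDFLAGS` places the libraries before the objects on the link line, which breaks under `-Wl,--as-needed`; `xtables_multi_LDADD += -L../extensions -liptext4` would keep the original ordering.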
diff --git a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
new file mode 100644
index 00000000000..342c3b013a3
--- /dev/null
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -0,0 +1,108 @@
+Index: iptables-1.4.21/extensions/libxt_conntrack.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_conntrack.c
++++ iptables-1.4.21/extensions/libxt_conntrack.c
+@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
+ }
+ 
+ static struct xtables_match conntrack_mt_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
+ 		.alias	       = conntrack_print_name_alias,
+ 		.x6_options    = conntrack2_mt_opts,
+ 	},
++#endif
+ 	{
+ 		.version       = XTABLES_VERSION,
+ 		.name          = "conntrack",
+@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
+ 		.alias	       = conntrack_print_name_alias,
+ 		.x6_options    = conntrack3_mt_opts,
+ 	},
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_ct23_parse,
+ 		.x6_options    = state_opts,
+ 	},
++#endif
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_ct23_parse,
+ 		.x6_options    = state_opts,
+ 	},
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "state",
+@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
+ 		.x6_parse      = state_parse,
+ 		.x6_options    = state_opts,
+ 	},
++#endif
+ };
+ 
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_CT.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_CT.c
++++ iptables-1.4.21/extensions/libxt_CT.c
+@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
+ }
+ 
+ static struct xtables_target ct_target_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
+ 		.x6_parse	= ct_parse_v1,
+ 		.x6_options	= ct_opts_v1,
+ 	},
++#endif
+ 	{
+ 		.family		= NFPROTO_UNSPEC,
+ 		.name		= "CT",
+@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
+ 		.x6_parse	= ct_parse_v1,
+ 		.x6_options	= ct_opts_v1,
+ 	},
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_UNSPEC,
+ 		.name          = "NOTRACK",
+@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
+ 		.revision      = 0,
+ 		.version       = XTABLES_VERSION,
+ 	},
++#endif
+ };
+ 
+ void _init(void)
+Index: iptables-1.4.21/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.21.orig/extensions/libxt_multiport.c
++++ iptables-1.4.21/extensions/libxt_multiport.c
+@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
+ }
+ 
+ static struct xtables_match multiport_mt_reg[] = {
++#ifndef NO_LEGACY
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
+@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
+ 		.save          = multiport_save6,
+ 		.x6_options    = multiport_opts,
+ 	},
++#endif
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
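Review bot: The `#ifndef NO_LEGACY` guards remove the older `conntrack`, `state`, `multiport` and `CT` registrations, but neither the patch file nor the hunks record which kernel version first shipped the revisions that remain, so the runtime failure mode — `iptables-restore` aborting on a kernel that only offers a dropped revision, which can leave the firewall only partially applied — is invisible to whoever picks a kernel for a target. A header paragraph at the top of the patch, before the first `Index:` line, stating the minimum kernel version per extension and noting that the package Makefile sets `NO_LEGACY` unconditionally would make that dependency explicit. The guarded `NOTRACK` entry at the end of libxt_CT.c appears to be removed outright rather than replaced by a newer revision; if no remaining `CT` entry registers the `NOTRACK` name, rulesets using `-j NOTRACK` will stop loading, which belongs in the same header. The `multiport_mt_reg` array continues past the end of this hunk.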
-- 
GitLab