get_lib_from_bin() detects wrong path with iptables 1.8.4 on Debian Unstable
Hi,
while trying to update the Debian package to 2.5, I ran into a weird problem (see also Debian Bug #958945) with regards to installation paths:
The iptables modules are installed into /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug/. This comes from strings $IPTBIN | grep ^/.*lib.*/.*tables which indeed yields that path on my system:
$ strings /sbin/iptables | grep '^/.*lib.*/.*tables'
/usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug
It seems as if the general concept of looking for the path there is flawed, as the binary contains no path similar to the expected path (/usr/lib/x86_64-linux-gnu/xtables/ on Debian's amd64 architecture):
$ strings /sbin/iptables | grep 'usr'
/usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug
$ strings /sbin/iptables | grep 'lib'
/lib64/ld-linux-x86-64.so.2
libmnl.so.0
libnftnl.so.11
libxtables.so.12
libc.so.6
__libc_start_main
/usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug
$ strings /sbin/iptables | grep 'x86'
/lib64/ld-linux-x86-64.so.2
/usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug
The reason for falling back to that method seems to be that it could not determine the iptables source directory automatically:
Iptables binary version: 1.8.4 (nf_tables) (detected from /usr/sbin/iptables)
pkg-config for version 1.8.4 (nf_tables) exists: No (reported: 1.8.4)
Check for working gcc: Yes (gcc)
Checking for presence of xtables.h... Yes
Searching for iptables-1.8.4 (nf_tables) sources..
! Can not find iptables source directory, you may try setting it with --ipt-src=
! This is not fatal error, yet. Will be just using default include dir.
Iptables include flags: none (default)
Iptables module path: /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug (from binary)
For the Debian package I will probably use --ipt-lib, but this might need investigation nevertheless as it yields a rather broken result.
The preferred method of detecting the iptables lib dir is pkg-config --variable=xtlibdir xtables.
pkg-config for version 1.8.4 (nf_tables) exists: No (reported: 1.8.4)
This looks like a pkg-config failure. It looks like pkg-config --modversion xtables now shows 1.8.4 (nf_tables) instead of just 1.8.4, like before. Do you know why?
Maybe you installed nftables instead of iptables?
Here's the output of the two commands on the system where I ran into this:
→ pkg-config --variable=xtlibdir xtables
/usr/lib/x86_64-linux-gnu/xtables
→ pkg-config --modversion xtables
1.8.4
And here's the complete output of the configure run:
Kernel version: 5.5.13 (proc)
Kernel sources: /lib/modules/5.5.0-1-amd64/build (found)
Checking for presence of include/linux/netfilter.h... Yes
netfilter.h uses CONFIG_NF_NAT_NEEDED... No
Checking for presence of include/linux/llist.h... Yes
Checking for presence of include/linux/grsecurity.h... No
Iptables binary version: 1.8.4 (nf_tables) (detected from /sbin/iptables)
pkg-config for version 1.8.4 (nf_tables) exists: No (reported: 1.8.4)
Check for working gcc: Yes (gcc)
Checking for presence of xtables.h... Yes
Searching for iptables-1.8.4 (nf_tables) sources..
! Can not find iptables source directory, you may try setting it with --ipt-src=
! This is not fatal error, yet. Will be just using default include dir.
Iptables include flags: none (default)
Iptables module path: /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug (from binary)
Searching for net-snmp-config... No.
Searching for net-snmp agent... No.
Assuming you don't want net-snmp agent support.
Otherwise do: apt-get install snmpd libsnmp-dev
Checking for DKMS... Yes.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
BACKLIGHT_CLASS_DEVICE disabled in this kernel, not building module.
! You are already have module installed via DKMS
! it will be uninstalled on 'make install' and
! current version of module installed afterwards.
! Use --disable-dkms option if don't want this.
Creating Makefile.. done.
If you need some options enabled run ./configure --help
Now run: make all install
And here's the list of the relevant installed packages on that system:
→ dpkg -l | awk '$2 ~ /(nf|ip|x)tables|pkg-config/ {print $1" "$2" "$3}' | column -t
ii iptables 1.8.4-3
ii libnftables1:amd64 0.9.4-1
ii libxtables-dev:amd64 1.8.4-3
ii libxtables12:amd64 1.8.4-3
ii nftables 0.9.4-1
ii pkg-config 0.29.2-1
ii ruby-pkg-config 1.4.1-1
Maybe you installed nftables instead of iptables?
So actually both are installed.
I also checked that the pkg-config replacement "pkgconf" is not installed.
Hope this helps to further isolate the issue.
Ah, 1.8.4 (nf_tables) is a version string reported from iptables -V.
ii iptables 1.8.4-3
ii nftables 0.9.4-1
Does nftables replace iptables bin somehow?
Maybe you installed nftables instead of iptables?
So actually both are installed.
Does nftables replace iptables bin somehow?
Just checked, yes, you're right, the iptables binary seems to be for nftables (but not from the package nftables — which I find confusing):
→ ls -l /sbin/iptables /usr/sbin/iptables /etc/alternatives/iptables
lrwxrwxrwx 1 root root 18 Dec 4 2018 /sbin/iptables -> /usr/sbin/iptables*
lrwxrwxrwx 1 root root 26 Dec 4 2018 /usr/sbin/iptables -> /etc/alternatives/iptables*
lrwxrwxrwx 1 root root 22 Dec 4 2018 /etc/alternatives/iptables -> /usr/sbin/iptables-nft*
→ dpkg -S /usr/sbin/iptables-nft
iptables: /usr/sbin/iptables-nft
The description of Debian's iptables package says:
The iptables/xtables framework has been replaced by nftables. You should consider migrating now.
iptables is the userspace command line program used to configure the Linux packet filtering and NAT ruleset. It is targeted towards systems and networks administrators.
This package contains several different utilities, the most important ones:
iptables-nft, iptables-nft-save, iptables-nft-restore (nft-based version)
iptables-legacy, iptables-legacy-save, iptables-legacy-restore (legacy version) […]
Since iptables-nft and iptables-legacy come from the same package, I can't control via build-dependencies and build-conflicts which of them will be used…
Ah, 1.8.4 (nf_tables) is a version string reported from iptables -V.
Yes:
→ iptables -V
iptables v1.8.4 (nf_tables)
You, probably, should set via alternatives to use iptables-legacy bin as iptables.
You, probably, should set via alternatives to use iptables-legacy bin as iptables.
Yes, but that doesn't help for package builds as in package builds update-alternatives can't be used. That's what I meant with
Since iptables-nft and iptables-legacy come from the same package, I can't control via build-dependencies and build-conflicts which of them will be used…
In the package I'm currently patching configure to accept some common autoconf-style options Debian uses by default on every build as they pass the correct directory, too. Had to patch configure anyway to not bail out on unknown options due to Debian passing these options by default...
I can send you that patch as a pull request or in here for review if interested. It's also online in Debian's Gitlab instance at https://salsa.debian.org/debian/iptables-netflow/-/blob/master/debian/patches/ignore-unknown-configure-options.patch
Had to patch configure anyway to not bail out on unknown options due to Debian passing these options by default...
Looks like this with the patch in a clean chroot:
[…]
dh_auto_configure -- --disable-dkms
./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --disable-dkms
WARNING: Ignoring unknown option: --build=x86_64-linux-gnu
WARNING: Ignoring unknown option: --mandir=${prefix}/share/man
WARNING: Ignoring unknown option: --infodir=${prefix}/share/info
WARNING: Ignoring unknown option: --sysconfdir=/etc
WARNING: Ignoring unknown option: --localstatedir=/var
WARNING: Ignoring unknown option: --disable-silent-rules
WARNING: Ignoring unknown option: --runstatedir=/run
WARNING: Ignoring unknown option: --disable-maintainer-mode
WARNING: Ignoring unknown option: --disable-dependency-tracking
Iptables binary version: no iptables binary found
Xtables version: 1.8.4 (detected from /usr/bin/pkg-config)
Check for working gcc: Yes (gcc)
Checking for presence of xtables.h... Yes (using ipt-inc)
Iptables include flags: -I${prefix}/include (user specified)
Iptables module path: /usr/${prefix}/lib/x86_64-linux-gnu/xtables (user specified)
Searching for net-snmp-config... No.
Searching for net-snmp agent... No.
Assuming you don't want net-snmp agent support.
Otherwise do: apt-get install snmpd libsnmp-dev
Creating Makefile.. done.
[…]
Actually I just see that this isn't perfect yet as there's still some literal ${prefix} in there which shouldn't be. Will fix that in my patch mentioned above. :-)
So although I do have a solution and now understand what went wrong, I'd prefer if this could be handled in your configure script.
But if you don't want to handle this case (which I assume will happen more often in the future, but I might be wrong), feel free to close this issue.
I'm not against patching configure so it behaves more like autoconf's. But, these lines look certainly wrong:
Iptables include flags: -I${prefix}/include (user specified)
Iptables module path: /usr/${prefix}/lib/x86_64-linux-gnu/xtables (user specified)
I'm not against patching configure so it behaves more like autoconf's
Ok, will prepare a pull request.
But, these lines look certainly wrong
Yes, just noticed it myself. Already fixed and the patch is even more simple now. :-)
Looks like this now:
Iptables include flags: -I/usr/include (user specified)
Iptables module path: /usr/lib/x86_64-linux-gnu/xtables (user specified)
Would you send a PR?
Will do later, yes.
Hi guys! Same trouble in CentOS 8. The iptables version string contains additional data.
# iptables -V
iptables v1.8.4 (nf_tables)
Because of this, the configure-script does not work correctly.
A quick way to fix this problem is to remove the extra information from the iptables version in the configure script.
You need to modify this line in the iptables_find_version function:
IPTVER=`$IPTBIN -V 2>/dev/null | sed -n s/iptables.v//p`
to
IPTVER=`$IPTBIN -V 2>/dev/null | sed -n s/iptables.v//p | awk {'print $1'}`
After that, the build completes without problems.
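The two detections this thread is about, the strings-grep heuristic from the start of the thread and the version-string fix just above, written as an added example that is not code from ipt-netflow's configure script. The helper names are mine, and the functions take the version string, the pkg-config result and the candidate paths as arguments so they can be exercised with the values quoted in the thread without a real iptables install.

```shell
# Added example, not from ipt-netflow's configure: pure helpers that take strings.

# Version number only: "iptables v1.8.4 (nf_tables)" -> "1.8.4".
# Keeping just the first word is the fix proposed above.
ipt_version_from_string() {
    printf '%s\n' "$1" | sed -n 's/^iptables v//p' | awk '{print $1}'
}

# Backend named by the suffix that broke the original parsing.
ipt_backend_from_string() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# A path from "strings $IPTBIN | grep '^/.*lib.*/.*tables'" is only usable
# if it is not a debug-info location (e.g. /usr/lib/debug/.dwz/...) and
# actually names an xtables/iptables module directory.
ipt_libdir_is_plausible() {
    case "$1" in
        */debug/*|*.debug) return 1 ;;
        */xtables|*/xtables/|*/iptables|*/iptables/) return 0 ;;
        *) return 1 ;;
    esac
}

# Prefer the pkg-config answer ($1, empty when xtables.pc is missing);
# otherwise take the first plausible candidate from $2 (newline-separated).
ipt_pick_libdir() {
    if [ -n "$1" ] && ipt_libdir_is_plausible "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    found=$(printf '%s\n' "$2" | while IFS= read -r cand; do
        if ipt_libdir_is_plausible "$cand"; then
            printf '%s\n' "$cand"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}
# Glue for a real system; $1 is assumed to be the path of the iptables binary.
ipt_detect_libdir() {
    ipt_pick_libdir "$(pkg-config --variable=xtlibdir xtables 2>/dev/null || :)" \
        "$(strings "$1" 2>/dev/null | grep '^/.*lib.*/.*tables' || :)"
}
```

With the thread's own values, ipt_pick_libdir discards /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug and returns /usr/lib/x86_64-linux-gnu/xtables, whether that comes from pkg-config or from the candidate list.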
I encountered this now, on the latest Debian 12. This solution helped me:
update-alternatives --config iptables
ls -alh /etc/alternatives/iptables
unlink /etc/alternatives/iptables
ln -s /etc/alternatives/iptables /sbin/iptables 2>/dev/null
./configure --enable-natevents --disable-snmp-agent --enable-macaddress --enable-vlan --enable-aggregation --enable-direction
update-alternatives --config iptables
But of course, it would probably be great if the corrections were made to the master branch.