From 498d698084d258be8828010db5a8778c938046b3 Mon Sep 17 00:00:00 2001 From: Kevin Cernekee Date: Sun, 11 Sep 2016 13:54:19 -0700 Subject: Link nfct and helper modules with `-z lazy` Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding. Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso --- src/helpers/Makefile.am | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) (limited to 'src/helpers') diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am index 51f4887..05801bc 100644 --- a/src/helpers/Makefile.am +++ b/src/helpers/Makefile.am @@ -10,38 +10,41 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ ct_helper_sane.la \ ct_helper_ssdp.la +HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ +HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + ct_helper_amanda_la_SOURCES = amanda.c -ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_amanda_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_amanda_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_amanda_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_dhcpv6_la_SOURCES = dhcpv6.c -ct_helper_dhcpv6_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_dhcpv6_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_dhcpv6_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_dhcpv6_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_ftp_la_SOURCES = ftp.c -ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_ftp_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_ftp_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_mdns_la_SOURCES = mdns.c -ct_helper_mdns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_mdns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_mdns_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_rpc_la_SOURCES = rpc.c -ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_tftp_la_SOURCES = tftp.c -ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_tns_la_SOURCES = tns.c -ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_tns_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_tns_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_sane_la_SOURCES = sane.c -ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS) ct_helper_ssdp_la_SOURCES = ssdp.c -ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) -ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS) +ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS) -- cgit v1.2.3