nfct: remove lazy binding

Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.

Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.

This patch was motivated by the removal of the lazy binding.

Phil Sutter says:

"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.

In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."

Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 1 insertions, 4 deletions

diff --git a/configure.ac b/configure.ac
index b12b722..d9d351b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -77,15 +77,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
 AC_CHECK_HEADERS(arpa/inet.h)
 AC_CHECK_FUNCS(inet_pton)
 
-# Let nfct use dlopen() on helper libraries without resolving all symbols.
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
-
 if test ! -z "$libdir"; then
 	MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
 	CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
 fi
 
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
 AC_OUTPUT
 
 echo "