Package: iptables
Version: 1.6.0+snapshot20161117-5
Severity: grave
Tags: upstream
User: debian-ad...@lists.debian.org
Usertags: needed-by-DSA-Team

On 32-bit architectures the extensions/libxt_hashlimit.c file compiles with warning:

| gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DXTABLES_LIBDIR=\"/usr/lib/i386-linux-gnu/xtables\" -DXTABLES_INTERNAL -I../include -I.. -I../include -Wdate-time -D_FORTIFY_SOURCE=2 -Wp,-MMD,./.libxt_hashlimit.oo.d,-MT,libxt_hashlimit.oo -Wall -Waggregate-return -Wmissing-declarations -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe -D_INIT=libxt_hashlimit_init -DPIC -fPIC -g -O2 -fdebug-prefix-map=/«BUILDDIR»/iptables-1.6.0+snapshot20161117=. -fstack-protector-strong -Wformat -Werror=format-security -o libxt_hashlimit.oo -c libxt_hashlimit.c;
| In file included from /usr/include/math.h:26:0,
|                  from libxt_hashlimit.c:15:
| /usr/include/features.h:148:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
|  # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
|    ^~~~~~~
| libxt_hashlimit.c: In function 'parse_burst':
| libxt_hashlimit.c:263:36: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|    xtables_error(PARAMETER_PROBLEM, "bad value for option "
|                                     ^~~~~~~~~~~~~~~~~~~~~~~
| libxt_hashlimit.c: In function 'parse_bytes':
| libxt_hashlimit.c:288:42: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|        "Rate value too large \"%llu\" (max %lu)\n",
|                                          ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check_v1':
| libxt_hashlimit.c:560:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                      ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check':
| libxt_hashlimit.c:590:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                      ^
| libxt_hashlimit.c: In function 'print_rate':
| libxt_hashlimit.c:634:13: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'long long unsigned int' [-Wformat=]
|   printf(" %lu/%s", _rates[i-1].mult / period, _rates[i-1].name);
|             ^

A full build log is available there:
https://buildd.debian.org/status/fetch.php?pkg=iptables&arch=i386&ver=1.6.0%2Bsnapshot20161117-5&stamp=1485163465&raw=0

The problem is that uint64_t types are printed using an unsigned long format, which is the right type on 64-bit architectures, but not on 32-bit architectures where it is an unsigned long long type.

As a result, iptables-save fails when a rule is using hashlimit. It fails differently depending on the architecture. On i386 the value is printed as "(null)":

| -A FORWARD -m hashlimit --hashlimit-upto 1/(null) --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name nflogreject -j ACCEPT

On mips iptables-save ends up with a segfault instead. I haven't tested on arm yet.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mips (mips64)

Kernel: Linux 4.9.0-2-5kc-malta
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages iptables depends on:
ii  libc6                    2.24-9
ii  libip4tc0                1.6.0+snapshot20161117-5
ii  libip6tc0                1.6.0+snapshot20161117-5
ii  libiptc0                 1.6.0+snapshot20161117-5
ii  libnetfilter-conntrack3  1.0.6-2
ii  libnfnetlink0            1.0.1-3
ii  libxtables12             1.6.0+snapshot20161117-5

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  23-2

-- no debconf information
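Added example, not iptables code: a portable stand-in for the print_rate() formatting above, using PRIu64 instead of %lu so the conversion matches uint64_t on both 32-bit and 64-bit ABIs, plus a check for the mismatch the warnings describe. The rate table, scale and unit-selection rule are simplified assumptions, not the real libxt_hashlimit table.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed rate table in the spirit of libxt_hashlimit's _rates[] array:
 * seconds-per-unit times an assumed scale, finest unit first. Names and
 * values are assumptions, not the real table. */
#define RATE_SCALE 10000ULL
struct rate_unit { const char *name; uint64_t mult; };
static const struct rate_unit rates[] = {
    { "sec",            RATE_SCALE },
    { "min",       60 * RATE_SCALE },
    { "hour",    3600 * RATE_SCALE },
    { "day",    86400 * RATE_SCALE },
};

/* 1 when "%lu" would not match a uint64_t argument on this ABI (the 32-bit
 * case in the report: %lu consumes only half of the 64-bit value and the
 * following %s reads the other half as a char pointer), 0 on LP64 targets
 * where unsigned long is already 64 bits wide. */
int lu_mismatches_u64(void)
{
    return sizeof(unsigned long) != sizeof(uint64_t);
}

/* Writes "<count>/<unit>" for a per-packet cost `period` (in RATE_SCALE
 * units), picking the first unit that yields a count of at least 1.
 * PRIu64 expands to the correct conversion for uint64_t everywhere; the
 * equivalent cast form would be "%llu" with (unsigned long long)count.
 * Returns the number of characters written, or -1 for period == 0, a
 * buffer too small for the result, or a period coarser than one day. */
int format_rate(uint64_t period, char *buf, size_t buflen)
{
    size_t i;
    if (period == 0)
        return -1;
    for (i = 0; i < sizeof(rates) / sizeof(rates[0]); i++) {
        if (rates[i].mult >= period) {
            int n = snprintf(buf, buflen, "%" PRIu64 "/%s",
                             rates[i].mult / period, rates[i].name);
            return (n < 0 || (size_t)n >= buflen) ? -1 : n;
        }
    }
    return -1;
}
```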