Package: iptables
Version: 1.6.0+snapshot20161117-5
Severity: grave
Tags: upstream
User: debian-ad...@lists.debian.org
Usertags: needed-by-DSA-Team

On 32-bit architectures the extensions/libxt_hashlimit.c file compiles
with warning:

| gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DXTABLES_LIBDIR=\"/usr/lib/i386-linux-gnu/xtables\" -DXTABLES_INTERNAL -I../include -I.. -I../include -Wdate-time -D_FORTIFY_SOURCE=2 -Wp,-MMD,./.libxt_hashlimit.oo.d,-MT,libxt_hashlimit.oo -Wall -Waggregate-return -Wmissing-declarations -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe -D_INIT=libxt_hashlimit_init -DPIC -fPIC -g -O2 -fdebug-prefix-map=/«BUILDDIR»/iptables-1.6.0+snapshot20161117=. -fstack-protector-strong -Wformat -Werror=format-security -o libxt_hashlimit.oo -c libxt_hashlimit.c;
| In file included from /usr/include/math.h:26:0,
|                  from libxt_hashlimit.c:15:
| /usr/include/features.h:148:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
|  # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
|    ^~~~~~~
| libxt_hashlimit.c: In function 'parse_burst':
| libxt_hashlimit.c:263:36: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|    xtables_error(PARAMETER_PROBLEM, "bad value for option "
|                                     ^~~~~~~~~~~~~~~~~~~~~~~
| libxt_hashlimit.c: In function 'parse_bytes':
| libxt_hashlimit.c:288:42: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|     "Rate value too large \"%llu\" (max %lu)\n",
|                                           ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check_v1':
| libxt_hashlimit.c:560:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                       ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check':
| libxt_hashlimit.c:590:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                       ^
| libxt_hashlimit.c: In function 'print_rate':
| libxt_hashlimit.c:634:13: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'long long unsigned int' [-Wformat=]
|   printf(" %lu/%s", _rates[i-1].mult / period, _rates[i-1].name);
|             ^

A full build log is available there: 
https://buildd.debian.org/status/fetch.php?pkg=iptables&arch=i386&ver=1.6.0%2Bsnapshot20161117-5&stamp=1485163465&raw=0

The problem is that uint64_t types are printed using an unsigned long
format, which is the right type on 64-bit architectures, but not on
32-bit architectures where it is an unsigned long long type.

As a result, iptables-save fails when a rule is using hashlimit. It
fails differently depending on the architecture. On i386 the value
is printed as "(null)":

|  -A FORWARD -m hashlimit --hashlimit-upto 1/(null) --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name nflogreject -j ACCEPT

On mips iptables-save ends up with a segfault instead. I haven't
tested on arm yet.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mips (mips64)

Kernel: Linux 4.9.0-2-5kc-malta
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages iptables depends on:
ii  libc6                    2.24-9
ii  libip4tc0                1.6.0+snapshot20161117-5
ii  libip6tc0                1.6.0+snapshot20161117-5
ii  libiptc0                 1.6.0+snapshot20161117-5
ii  libnetfilter-conntrack3  1.0.6-2
ii  libnfnetlink0            1.0.1-3
ii  libxtables12             1.6.0+snapshot20161117-5

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  23-2

-- no debconf information
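The report's "(null)" output is what one expects from the mismatch it describes: on i386 variadic arguments are passed on the stack, so "%lu" consumes only the low 32 bits of the 64-bit rate value and the following "%s" then reads the (zero) high 32 bits as its char pointer, which glibc prints as "(null)"; on an ABI that aligns or registers the arguments differently the mis-read pointer is not NULL and the same bug dereferences garbage, consistent with the mips segfault. The following is an added example written for this page, not code from iptables or from the reporter: it shows the portable way to print a uint64_t (the PRIu64 macro from <inttypes.h>, or an explicit cast to the type the conversion names) in the shape of the three call sites flagged above. The rate table entry, the burst check and all sample values are constructed here and only mirror the structure of libxt_hashlimit.c.

```c
/* Portable printing of uint64_t values, modelled on the print_rate and
 * hashlimit_mt_check call sites from the build warnings. Added example,
 * not iptables code; the struct and sample values are constructed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of one rate-table entry: a multiplier and its unit name. */
struct rate_unit {
    uint64_t mult;
    const char *name;
};

/* 1 where "%lu" happens to match uint64_t (LP64: amd64, arm64, mips64),
 * 0 where it does not (ILP32: i386, armhf, mips). The reported bug is
 * latent in the first case and active in the second. */
int ulong_matches_uint64(void)
{
    return sizeof(unsigned long) == sizeof(uint64_t);
}

/* print_rate's " %lu/%s" done portably. PRIu64 expands to "lu" or "llu"
 * to match the platform's uint64_t, so the 64-bit argument is consumed
 * whole and the following "%s" receives the real pointer, not the upper
 * half of the number. Returns the number of characters written. */
int format_rate(char *buf, size_t n, const struct rate_unit *r, uint64_t period)
{
    return snprintf(buf, n, " %" PRIu64 "/%s", r->mult / period, r->name);
}

/* Equivalent fix without PRIu64: cast to the type the conversion names.
 * Correct on both 32- and 64-bit ABIs. */
int format_rate_cast(char *buf, size_t n, const struct rate_unit *r, uint64_t period)
{
    return snprintf(buf, n, " %llu/%s",
                    (unsigned long long)(r->mult / period), r->name);
}

/* The burst-vs-average check in the shape of hashlimit_mt_check, with the
 * error text formatted portably. Returns 0 on success, -1 and a message
 * in msg on error. */
int check_burst(uint64_t burst_bytes, uint64_t avg_cost_bytes,
                char *msg, size_t n)
{
    if (burst_bytes < avg_cost_bytes) {
        snprintf(msg, n, "burst cannot be smaller than %" PRIu64 "b",
                 avg_cost_bytes);
        return -1;
    }
    msg[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample data; a value above 2^32 so that a truncated
     * read would be visibly wrong. */
    const struct rate_unit big = { UINT64_C(1) << 40, "sec" };
    char buf[64];

    printf("unsigned long matches uint64_t on this build: %s\n",
           ulong_matches_uint64() ? "yes (bug latent)" : "no (bug active)");

    format_rate(buf, sizeof buf, &big, 1);
    printf("%s\n", buf);

    if (check_burst(5, 10, buf, sizeof buf) < 0)
        printf("%s\n", buf);
    return 0;
}
```

The build log already shows -Wformat diagnosing every one of these sites; since the package is built with -Werror=format-security but not -Werror=format, the 32-bit builds still succeed and the mismatch only surfaces at run time in iptables-save. Promoting -Wformat to an error on at least one 32-bit buildd would turn this class of bug into a build failure.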