Help with BLFS optional nftables package

amb85 · 04-19-2017, 03:26 AM

I know that nftables isn't officially supported in BLFS, but it is an option given in the iptables section in the security chapter. I've decided to try and install it, but get errors when trying to make the package - my LFS and initial foray into BLFS has been by following the systemd 8.0 version, kernel 4.9.9.

I get the following error:

Code:

[ /sources/nftables ]$ make
make  all-recursive
make[1]: Entering directory '/sources/nftables'
Making all in src
make[2]: Entering directory '/sources/nftables/src'
make  all-am
make[3]: Entering directory '/sources/nftables/src'
  CC       netlink.o
netlink.c: In function ‘alloc_nftnl_obj’:
netlink.c:321:26: error: ‘NFTNL_OBJ_CT_HELPER_NAME’ undeclared (first use in this function)
   nftnl_obj_set_str(nlo, NFTNL_OBJ_CT_HELPER_NAME,
                          ^~~~~~~~~~~~~~~~~~~~~~~~
netlink.c:321:26: note: each undeclared identifier is reported only once for each function it appears in
netlink.c:323:3: warning: implicit declaration of function ‘nftnl_obj_set_u8’ [-Wimplicit-function-declaration]
   nftnl_obj_set_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO,
   ^~~~~~~~~~~~~~~~
netlink.c:323:25: error: ‘NFTNL_OBJ_CT_HELPER_L4PROTO’ undeclared (first use in this function)
   nftnl_obj_set_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO,
                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~
netlink.c:326:4: warning: implicit declaration of function ‘nftnl_obj_set_u16’ [-Wimplicit-function-declaration]
    nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
    ^~~~~~~~~~~~~~~~~
netlink.c:326:27: error: ‘NFTNL_OBJ_CT_HELPER_L3PROTO’ undeclared (first use in this function)
    nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~
netlink.c: In function ‘netlink_delinearize_set’:
netlink.c:1159:5: warning: implicit declaration of function ‘nftnl_udata_get_u32’ [-Wimplicit-function-declaration]
     nftnl_udata_get_u32(ud[UDATA_SET_KEYBYTEORDER]);
     ^~~~~~~~~~~~~~~~~~~
netlink.c: In function ‘netlink_add_set_batch’:
netlink.c:1301:7: warning: implicit declaration of function ‘nftnl_udata_put_u32’ [-Wimplicit-function-declaration]
  if (!nftnl_udata_put_u32(udbuf, UDATA_SET_KEYBYTEORDER,
       ^~~~~~~~~~~~~~~~~~~
netlink.c: In function ‘netlink_delinearize_obj’:
netlink.c:1829:28: error: ‘NFTNL_OBJ_CT_HELPER_NAME’ undeclared (first use in this function)
     nftnl_obj_get_str(nlo, NFTNL_OBJ_CT_HELPER_NAME));
                            ^~~~~~~~~~~~~~~~~~~~~~~~
netlink.c:1830:21: warning: implicit declaration of function ‘nftnl_obj_get_u16’ [-Wimplicit-function-declaration]
   obj->ct.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO);
                     ^~~~~~~~~~~~~~~~~
netlink.c:1830:44: error: ‘NFTNL_OBJ_CT_HELPER_L3PROTO’ undeclared (first use in this function)
   obj->ct.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO);
                                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~
netlink.c:1831:21: warning: implicit declaration of function ‘nftnl_obj_get_u8’ [-Wimplicit-function-declaration]
   obj->ct.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
                     ^~~~~~~~~~~~~~~~
netlink.c:1831:43: error: ‘NFTNL_OBJ_CT_HELPER_L4PROTO’ undeclared (first use in this function)
   obj->ct.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
                                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~
make[3]: *** [Makefile:469: netlink.o] Error 1
make[3]: Leaving directory '/sources/nftables/src'
make[2]: *** [Makefile:345: all] Error 2
make[2]: Leaving directory '/sources/nftables/src'
make[1]: *** [Makefile:395: all-recursive] Error 1
make[1]: Leaving directory '/sources/nftables'
make: *** [Makefile:336: all] Error 2

As per the instructions, libgmp and libreadline are installed during LFS and I've installed libmnl and libnftnl, both with the configure options of --prefix=/usr and --sbindir=/sbin. I'm not aware of any other dependencies that I need to install.

After running sh autogen.sh, I configured nftables with the --prefix=/usr and --sbindir=/sbin flags.

I've recompiled the kernel with modules to support nftables and they are enabled:

Code:

lsmod | grep nf_tables
nf_tables_inet          1787  0
nf_tables_arp           1842  0
nf_tables_ipv6          2317  1 nf_tables_inet
nf_tables_ipv4          2253  1 nf_tables_inet
nf_tables              60319  4 nf_tables_arp,nf_tables_ipv6,nf_tables_ipv4,nf_tables_inet

I'm pretty stuck trying to figure out how to proceed; any help would be hugely welcome.

Edit 1:

I've noticed that there are some flags in the configure script that relate to LIBNFTNL (and others, but since the current error seems to relate to this, I'll start here).

Code:

  LIBNFTNL_CFLAGS
              C compiler flags for LIBNFTNL, overriding pkg-config
  LIBNFTNL_LIBS
              linker flags for LIBNFTNL, overriding pkg-config

Is setting these flags (if that's even possible - reached and exceeded the extent of my knowledge of make) likely to help? What should they be set to?

Keith Hedger · 04-19-2017, 06:49 AM

Those flags are only used to overide the default locations/flags etc suplied by pkg-config, usually you only need to worry about them if you have installed a package into a non-default location or you wish to muse a different version of the pkg etc.
Do you get any errors from the configure script?

amb85 · 04-19-2017, 07:02 AM

Okay, thanks. No, not that I can see:

Code:

./configure --prefix=/usr --sbindir=/sbin
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for docbook2x-man... no
checking for docbook2man... no
checking for db2x_docbook2man... no
configure: WARNING: docbookx2-man/db2x_docbook2man not found, no manpages will be built
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for LIBMNL... yes
checking for LIBNFTNL... yes
checking for __gmpz_init in -lgmp... yes
checking for readline in -lreadline... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking whether to enable assertions... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking for inttypes.h... (cached) yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking netinet/ip.h usability... yes
checking netinet/ip.h presence... yes
checking for netinet/ip.h... yes
checking netinet/ip6.h usability... yes
checking netinet/ip6.h presence... yes
checking for netinet/ip6.h... yes
checking netinet/tcp.h usability... yes
checking netinet/tcp.h presence... yes
checking for netinet/tcp.h... yes
checking netinet/udp.h usability... yes
checking netinet/udp.h presence... yes
checking for netinet/udp.h... yes
checking netinet/ip_icmp.h usability... yes
checking netinet/ip_icmp.h presence... yes
checking for netinet/ip_icmp.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for off_t... yes
checking for size_t... yes
checking for uid_t in sys/types.h... yes
checking for int8_t... yes
checking for int16_t... yes
checking for int32_t... yes
checking for int64_t... yes
checking for uint8_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for memmove... yes
checking for memset... yes
checking for strchr... yes
checking for strdup... yes
checking for strerror... yes
checking for strtoull... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating include/Makefile
config.status: creating include/linux/Makefile
config.status: creating include/linux/netfilter/Makefile
config.status: creating include/linux/netfilter_arp/Makefile
config.status: creating include/linux/netfilter_bridge/Makefile
config.status: creating include/linux/netfilter_ipv4/Makefile
config.status: creating include/linux/netfilter_ipv6/Makefile
config.status: creating doc/Makefile
config.status: creating files/Makefile
config.status: creating files/nftables/Makefile
config.status: creating config.h
config.status: executing depfiles commands

nft configuration:
  cli support:			yes
  enable debugging:		yes
  use mini-gmp:			no
  enable pdf documentation:	no
  libxtables support:		no

I have noticed that I when I recompiled the kernel, I did so without CONFIG_NF_TABLES_BRIDGE. How likely is it that this is causing the issue?

Code:

cat /boot/config-4.9.9 | grep BRIDGE
# CONFIG_NF_TABLES_BRIDGE is not set
# CONFIG_BRIDGE_NF_EBTABLES is not set
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
# CONFIG_BRIDGE_VLAN_FILTERING is not set
CONFIG_DRM_BRIDGE=y

I also wondered if it was an issue with netlink, which is provided by libnl and hadn't been installed previously. Installing this package and beginning the nftables installation process again yeilds the same outcome.