OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To
    Hans Dedecker
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Nathaniel Wesley Filardo - 13.04.2017
Last edited by Hans Dedecker - 29.12.2017

FS#711 - iptables 600-shared-libext.patch broken and incomplete

Building LEDE HEAD (but, I think, anything after 5e2d15b4a6fc979497b252c617c4b353d6c84fa2) fails with various and exciting errors if IPTABLES_NFTABLES is turned on.

For starters, 600-shared-libext.patch erroneously changes ${libext_ebt_objs} to ${libext_ebt__objs} and similarly for ${libext_arpt_objs}, resulting in missing .o files and a subsequent link failure. Fixing that, however, reveals that the xtables-compat-multi dependencies are still referring to .a files, not the .so-s that actually get built.

Closed by  Hans Dedecker
29.12.2017 17:21
Reason for closing:  Fixed
Additional comments about closing:  

Fixed in https://git.lede-;a=commit;h=0f7 2690a2df92d8701b96c55c870be22704cc7c7

Manus Freedom commented on 20.05.2017 22:27

I confirm, I am unable to compile with IPTABLES_NFTABLES, linked to commit 98e43b13a7f0f747d4625ba0209ba37ae22f3b48.
And now rules with "-m state –state NEW" does not work.

Edit: Sorry "-m state –state NEW" is now "-m conntrack –ctstate NEW"

Jo-Philipp Wich commented on 22.05.2017 07:19

"-m state –state NEW" must be replaced with "-m conntrack –ctstate NEW"

Manus Freedom commented on 22.05.2017 19:11

Yes like I added in my edit.
But the initial problem persist, we are unable to compile with IPTABLES_NFTABLES.

Xorkle commented on 14.06.2017 09:35


Exact same issue here. :(

David commented on 10.07.2017 19:35

Hi, I happen exactly the same, even reversing the commit 5e2d15b4a6fc979497b252c617c4b353d6c84fa2 fails to compile.

Alexander Lochmann commented on 14.07.2017 11:06

Hi Folks,

I've been able to fix that issue. At least for my scenario.
Due to some reasons, the LEDE iptables maintainer decided to turn various auxiliary libraries, e.g., libext, into shared libraries (instead of a static one). To do so, they've written a patch to modify the appropriate file. Those changes can be found in ./package/network/utils/iptables/patches/600-shared-libext.patch.
However, the iptables maintainter more or less recently added another target called xtables_compat_multi. Guess what, that target relies on static libraries instead of shared libraries as the origin iptables project used to do.
To overcome that issue, I've added the following lines to the aforementioned patch file:
# nftables compatibility layer
BUILT_SOURCES += xtables-config-parser.h
xtables_compat_multi_SOURCES = xtables-compat-multi.c iptables-xml.c
xtables_compat_multi_CFLAGS = ${AM_CFLAGS}
-xtables_compat_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
+xtables_compat_multi_LDADD =
+xtables_compat_multi_LDFLAGS = -L../extensions/ -liptext -liptext_ebt

Et voilá, the issue is fixed.
Can one of the maintainers please confirm my fix?


David commented on 17.07.2017 01:01

Hi Alex, I have modified the patch 600-shared-libext.patch with your modifications, but I still have the same compilation error. Could you upload your 600-shared-libext.patch file with your modifications?

David commented on 17.07.2017 01:03

In my case the error that throws me when compiling is the following one: " *** No rule to make target '../extensions/libext.a', needed by 'xtables-compat-multi'. "

Fedor Konstantinov commented on 19.09.2017 10:40

Hi, All.

Please see attached patch. It helps in my case.


Available keyboard shortcuts


Task Details

Task Editing