does ipset conflict with ipsec SuSE kernel patch?

All of lore.kernel.org
 help / color / mirror / Atom feed

* does ipset conflict with ipsec SuSE kernel patch?
@ 2006-07-06 21:05 Hung Lin
  2006-07-07 13:38 ` Amin Azez
  2006-07-09 15:34 ` Jozsef Kadlecsik
  0 siblings, 2 replies; 4+ messages in thread
From: Hung Lin @ 2006-07-06 21:05 UTC (permalink / raw)
  To: netfilter-devel

Hi,

I tried to install ipsets (http://ipset.netfilter.org/install.html) on
my SuSE 10.0 OS.  I could apply the kernel patches and rebuild the
kernel (Step 1 to 4 on ipsets installation webpage.)  But when I tried
to build iptables (Step 5,) it showed the error message:

/usr/src/linux/include/linux/ipv6.h:19: error: redefinition of `struct
in6_pktinfo'

In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:11,

                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,

                 from include/libiptc/libiptc.h:6,

                 from include/iptables.h:5,

                 from extensions/libipt_ah.c:8:

/usr/src/linux/include/net/protocol.h:38: warning: `struct sk_buff'
declared inside parameter list

/usr/src/linux/include/net/protocol.h:38: warning: its scope is only
this definition or declaration, which is probably not what you want

/usr/src/linux/include/net/protocol.h:39: error: syntax error before
"u32"

/usr/src/linux/include/net/protocol.h:39: warning: `struct sk_buff'
declared inside parameter list

/usr/src/linux/include/net/protocol.h:47: warning: `struct sk_buff'
declared inside parameter list

/usr/src/linux/include/net/protocol.h:52: warning: `struct
inet6_skb_parm' declared inside parameter list

/usr/src/linux/include/net/protocol.h:52: warning: `struct sk_buff'
declared inside parameter list

/usr/src/linux/include/net/protocol.h:62: error: field `list' has
incomplete type

make: *** [extensions/libipt_ah_sh.o] Error 1

Since I could build ipsets on the kernel of kernel.org, I checked SuSE
kernel patches.  There's a set of SuSE kernel patches (for IPsec) that
conflicts with ipset patches:

(from series.conf in SuSE kernel source)

        # These patches are from the netfilter team, and
        # are required to tag IPsec packets for packet
        # filtering purposes.

-       patches.suse/netfilter-02-output-hooks
-       patches.suse/netfilter-03-input-hooks
-       patches.suse/netfilter-04-policy-lookup
-       patches.suse/netfilter-05-policy-checks
-       patches.suse/netfilter-06-policy-match

I removed the above patches and tried to build ipset again, it worked.

Does this mean IPsec conflicts with ipsets?  The comment of SuSE kernel
patch said the patches are from netfilter team, and the ipsets are also
from netfilter.org.  Since they are both belong to netfilter team, is
there any way to resolve the conflict?

Please let me know if you need more information.  Thanks for your time.

P.S.  Please CC to hlin@nextone.com because I didn't subscribe to the
mailing list.

Best

Hung Lin

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: does ipset conflict with ipsec SuSE kernel patch?
  2006-07-06 21:05 does ipset conflict with ipsec SuSE kernel patch? Hung Lin
@ 2006-07-07 13:38 ` Amin Azez
  2006-07-08  3:06   ` Patrick McHardy
  2006-07-09 15:34 ` Jozsef Kadlecsik
  1 sibling, 1 reply; 4+ messages in thread
From: Amin Azez @ 2006-07-07 13:38 UTC (permalink / raw)
  To: netfilter-devel

Hung Lin wrote:
...

> 
> I removed the above patches and tried to build ipset again, it worked.
> 
> Does this mean IPsec conflicts with ipsets?  The comment of SuSE kernel
> patch said the patches are from netfilter team, and the ipsets are also
> from netfilter.org.  Since they are both belong to netfilter team, is
> there any way to resolve the conflict?
> 
> Please let me know if you need more information.  Thanks for your time.
> 
> P.S.  Please CC to hlin@nextone.com because I didn't subscribe to the
> mailing list.

You need to manually compare the contents of those patches that you
removed with your ipset patch and locate the conflict.

You have to see what the patches are trying to achieve and what the real
nature of the conflict is.

Here it appears that a struct is defined twice, so you have to see if
this struct is defined the same way each time; your question is:
 what is it that suse needs?
 what is it that ipset needs?

You will then merge the struct definition into one that combines both needs.

You will probably then diff this new definition against the one that
suse patched to, to produce a new ipset patch which will apply cleanly
against the standard suse-patched kernel.

There is no magic spell here, but it won't be as hard as you might think.

If you just want a quick-fix, then edit the file with the two
definitions to merge them to something sensible and leave it at that.

Sam

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: does ipset conflict with ipsec SuSE kernel patch?
  2006-07-07 13:38 ` Amin Azez
@ 2006-07-08  3:06   ` Patrick McHardy
  0 siblings, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2006-07-08  3:06 UTC (permalink / raw)
  To: Amin Azez; +Cc: netfilter-devel

Amin Azez wrote:
>>Does this mean IPsec conflicts with ipsets?  The comment of SuSE kernel
>>patch said the patches are from netfilter team, and the ipsets are also
>>from netfilter.org.  Since they are both belong to netfilter team, is
>>there any way to resolve the conflict?
>>
>>Please let me know if you need more information.  Thanks for your time.

As far as I know SuSE chose to use an extremly beta (and horribly outdated
and incompatible to what we have today) version of my IPsec patches.
They have lots of known bugs, and SuSE certainly made a poor decision
(after buggering me for weeks) here. Please take it on with their
support or use the vanilla kernel.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: does ipset conflict with ipsec SuSE kernel patch?
  2006-07-06 21:05 does ipset conflict with ipsec SuSE kernel patch? Hung Lin
  2006-07-07 13:38 ` Amin Azez
@ 2006-07-09 15:34 ` Jozsef Kadlecsik
  1 sibling, 0 replies; 4+ messages in thread
From: Jozsef Kadlecsik @ 2006-07-09 15:34 UTC (permalink / raw)
  To: Hung Lin; +Cc: netfilter-devel

On Thu, 6 Jul 2006, Hung Lin wrote:

> I tried to install ipsets (http://ipset.netfilter.org/install.html) on
> my SuSE 10.0 OS.  I could apply the kernel patches and rebuild the
> kernel (Step 1 to 4 on ipsets installation webpage.)  But when I tried
> to build iptables (Step 5,) it showed the error message:

None of the error messages you included were generated due to ipset.

> Does this mean IPsec conflicts with ipsets?  The comment of SuSE kernel
> patch said the patches are from netfilter team, and the ipsets are also
> from netfilter.org.  Since they are both belong to netfilter team, is
> there any way to resolve the conflict?

ipset is absolutely isolated from any other part of netfilter or the
kernel subsystems (set/SET match and target do not count here): at compile
time it cannot clash with any subsystem, patch, extension, whatsoever.

At running time the only known clash can happen when you want to combine
the set and recent matches in one iptables command because both have got
the '--set' argument - that'll be fixed in the next release.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2006-07-09 15:34 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-07-06 21:05 does ipset conflict with ipsec SuSE kernel patch? Hung Lin
2006-07-07 13:38 ` Amin Azez
2006-07-08  3:06   ` Patrick McHardy
2006-07-09 15:34 ` Jozsef Kadlecsik

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.