From: Patrick McHardy <kaber@trash.net>
To: KOVACS Krisztian <hidden@balabit.hu>
Cc: David Miller <davem@davemloft.net>,
rostedt@goodmis.org, linux-kernel@vger.kernel.org,
akpm@linux-foundation.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: Fix build failure when ipv6 but xt_tproxy is built in
Date: Tue, 05 Apr 2011 16:49:22 +0200
Message-ID: <4D9B2BF2.2010606@trash.net>
In-Reply-To: <1302014626.67568.1.camel@nienna.balabit>

On 05.04.2011 16:43, KOVACS Krisztian wrote:
> Hi,
>
> On Mon, 2011-04-04 at 15:54 +0200, Patrick McHardy wrote:
>>>> net/built-in.o: In function `tproxy_tg6_v1':
>>>> /home/rostedt/work/autotest/nobackup/linux-test.git/net/netfilter/xt_TPROXY.c:288: undefined reference to `ipv6_find_hdr'
>>>>
>>>> This happened because the xt_TPROXY code was compiled into the kernel
>>>> proper, but the ipv6 netfilter was compiled as a module. The fix is to
>>>> only enter the code that calls ipv6_find_hdr if ipv6 netfilter is
>>>> compiled into the kernel, or if it is a module, so is the xt_TPROXY
>>>> code.
>>
>> I don't think this is a good fix for the problem since it may lead to
>> the confusing situation that both TPROXY and ip6tables are enabled,
>> but TPROXY has no IPv6 support.
>>
>> I think we should solve this by either adding a Kconfig dependency
>> on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) or using ipv6_skip_exthdr()
>> instead of ipv6_find_hdr().
>>
>> Krisztian, what do you think?
>
> I'd definitely prefer using ipv6_skip_exthdr() instead of playing
> various tricks with the config preprocessor macros.
>
> What about something like this?
>
> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
> index dcfd57e..1ef0e56 100644
> --- a/net/netfilter/xt_TPROXY.c
> +++ b/net/netfilter/xt_TPROXY.c
> @@ -283,10 +283,10 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
> const struct in6_addr *laddr;
> __be16 lport;
> int thoff;
> - int tproto;
> + u8 tproto = iph->nexthdr;
>
> - tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
> - if (tproto < 0) {
> + thoff = ipv6_skip_exthdr(skb, sizeof(*iph), &tproto);
> + if (thoff < 0) {
> pr_debug("unable to find transport header in IPv6 packet, dropping\n");
> return NF_DROP;
> }
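
Review bot: At `thoff = ipv6_skip_exthdr(skb, sizeof(*iph), &tproto);` the start offset is counted from skb->data, and the initial `tproto = iph->nexthdr` is only correct if `iph` points at the IPv6 header sitting at that same position. The hunk does not show where `iph` is assigned, so please confirm it is initialised in the declarations above `tproto` and say so in the changelog. Note also that the error test has moved from the returned protocol (`tproto < 0`) to the returned offset (`thoff < 0`), with `tproto` now an in/out argument. A one-line comment to that effect would help, and the commit message should state that the code after this block still receives the transport protocol it expects for packets where the extension header walk stops early.
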
Looks good to me. Please formally submit this including a Signed-off-by:
line and I'll push it upstream.
Thread overview: 7+ messages
2011-03-30 2:13 [PATCH] netfilter: Fix build failure when ipv6 but xt_tproxy is built in Steven Rostedt
2011-03-30 5:35 ` David Miller
2011-03-30 10:18 ` Steven Rostedt
2011-04-04 13:54 ` Patrick McHardy
2011-04-05 14:43 ` KOVACS Krisztian
2011-04-05 14:49 ` Patrick McHardy [this message]
2011-04-06 12:08 ` KOVACS Krisztian