nf_conntrack_ipv4 must be loaded explicitly

nf_conntrack_ipv4 must be loaded explicitly

[Jan Engelhardt]

Hi,


in recent git kernels, I experience the following "regression" that no 
packets traverse the nat table (esp. the POSTROUTING counters just stand 
still) - and hence things like ping+SNAT do not work. Bisect nailed it 
down to:

ff09b7493c8f433d3ffd6a31ad58d190f82ef0c5 is first bad commit
commit ff09b7493c8f433d3ffd6a31ad58d190f82ef0c5
Author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Date:   Sat Jul 7 22:25:28 2007 -0700

    [NETFILTER]: nf_nat: remove unused nf_nat_module_is_loaded

    Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

:040000 040000 177886eca60385293ac736c8e4861a2d4910d90a 32e63b6a9399e1ea65dc6cd0b357ca811e4dc835 M      include
:040000 040000 e1c20c3db28c927af62df067b2a20f8604a5fe06 84a277d1f81e3be9ce37ce6040c6d814ca20b3b0 M      net


The diff from ff09b7^...ff09b7 made me think...

End result:

After loading nf_conntrack_ipv4.ko, everything works again (also with 
the "bad" ff09b7). But I have to load it explicitly, and I think that 
unfortunately breaks a lot of setups (such as mine) which assume ipv4 
connection tracking is always there.

Comments?


	Jan
-- 

Re: nf_conntrack_ipv4 must be loaded explicitly

[Patrick McHardy]

Jan Engelhardt wrote
> in recent git kernels, I experience the following "regression" that no 
> packets traverse the nat table (esp. the POSTROUTING counters just stand 
> still) - and hence things like ping+SNAT do not work. Bisect nailed it 
> down to:
>
> ff09b7493c8f433d3ffd6a31ad58d190f82ef0c5 is first bad commit
> commit ff09b7493c8f433d3ffd6a31ad58d190f82ef0c5
> Author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Date:   Sat Jul 7 22:25:28 2007 -0700
>
>     [NETFILTER]: nf_nat: remove unused nf_nat_module_is_loaded
>
>     Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>
> :040000 040000 177886eca60385293ac736c8e4861a2d4910d90a 32e63b6a9399e1ea65dc6cd0b357ca811e4dc835 M      include
> :040000 040000 e1c20c3db28c927af62df067b2a20f8604a5fe06 84a277d1f81e3be9ce37ce6040c6d814ca20b3b0 M      net
>
>
> The diff from ff09b7^...ff09b7 made me think...
>
> End result:
>
> After loading nf_conntrack_ipv4.ko, everything works again (also with 
> the "bad" ff09b7). But I have to load it explicitly, and I think that 
> unfortunately breaks a lot of setups (such as mine) which assume ipv4 
> connection tracking is always there.
>   

I already have a patch for this queued. I'll push it upstream once
I get a new power supply for the box I keep that tree on, hopefully
tommorrow.

Re: nf_conntrack_ipv4 must be loaded explicitly

[Jan Engelhardt]

On Aug 2 2007 20:33, Patrick McHardy wrote:
>> End result:
>>
>> After loading nf_conntrack_ipv4.ko, everything works again (also with the
>> "bad" ff09b7). But I have to load it explicitly, and I think that
>> unfortunately breaks a lot of setups (such as mine) which assume ipv4
>> connection tracking is always there.
>
> I already have a patch for this queued. I'll push it upstream once
> I get a new power supply for the box I keep that tree on, hopefully
> tommorrow.

What's that patch looking like?



thanks,
	Jan
-- 

Re: nf_conntrack_ipv4 must be loaded explicitly

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 597 bytes --]

Jan Engelhardt wrote:
> On Aug 2 2007 20:33, Patrick McHardy wrote:
> 
>>>End result:
>>>
>>>After loading nf_conntrack_ipv4.ko, everything works again (also with the
>>>"bad" ff09b7). But I have to load it explicitly, and I think that
>>>unfortunately breaks a lot of setups (such as mine) which assume ipv4
>>>connection tracking is always there.
>>
>>I already have a patch for this queued. I'll push it upstream once
>>I get a new power supply for the box I keep that tree on, hopefully
>>tommorrow.
> 
> 
> What's that patch looking like?


Upstream commit 591e6206. Doesn't it work for you?

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2193 bytes --]

[NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack

Loading nf_nat causes the conntrack core to be loaded, but we need IPv4 as
well.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
commit 591e620693e71e24fb3450a4084217e44b7a60b6
tree e651e7beaca45a99b89bd63d33419c5b97477a28
parent ff4ca8273eafbba875a86d333e059e78f292107f
author Patrick McHardy <kaber@trash.net> Tue, 07 Aug 2007 18:12:01 -0700
committer David S. Miller <davem@davemloft.net> Tue, 07 Aug 2007 18:12:01 -0700

 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |    2 ++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    6 ++++++
 net/ipv4/netfilter/nf_nat_standalone.c         |    2 +-
 3 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 7a67160..9bf0598 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -21,4 +21,6 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
 extern int nf_conntrack_ipv4_compat_init(void);
 extern void nf_conntrack_ipv4_compat_fini(void);
 
+extern void need_ipv4_conntrack(void);
+
 #endif /*_NF_CONNTRACK_IPV4_H*/
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 64552af..d9b5177 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -509,3 +509,9 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 
 module_init(nf_conntrack_l3proto_ipv4_init);
 module_exit(nf_conntrack_l3proto_ipv4_fini);
+
+void need_ipv4_conntrack(void)
+{
+	return;
+}
+EXPORT_SYMBOL_GPL(need_ipv4_conntrack);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 332814d..46cc99d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -328,7 +328,7 @@ static int __init nf_nat_standalone_init(void)
 {
 	int ret = 0;
 
-	need_conntrack();
+	need_ipv4_conntrack();
 
 #ifdef CONFIG_XFRM
 	BUG_ON(ip_nat_decode_session != NULL);

Re: nf_conntrack_ipv4 must be loaded explicitly

[Jan Engelhardt]

On Aug 23 2007 16:53, Patrick McHardy wrote:
>>>>After loading nf_conntrack_ipv4.ko, everything works again (also with the
>>>>"bad" ff09b7). But I have to load it explicitly, and I think that
>>>>unfortunately breaks a lot of setups (such as mine) which assume ipv4
>>>>connection tracking is always there.
>>>
>>>I already have a patch for this queued. I'll push it upstream once
>>>I get a new power supply for the box I keep that tree on, hopefully
>>>tommorrow.
>> 
>> 
>> What's that patch looking like?
>
>Upstream commit 591e6206. Doesn't it work for you?

I am sure it does, I just did not track the pulls or the log that
closely. Thanks for pointing out.


	Jan
--