[HELP] netfilter Kconfig dependency nightmare

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [HELP] netfilter Kconfig dependency nightmare
       [not found]     ` <20050917012315.GA29841@mandriva.com>
@ 2005-09-17  8:07       ` Harald Welte
  2005-09-17 11:08         ` Roman Zippel
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2005-09-17  8:07 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo
  Cc: Linux Netdev List, Netfilter Development Mailinglist,
	Linux Kernel Mailinglist

[-- Attachment #1: Type: text/plain, Size: 2529 bytes --]

On Fri, Sep 16, 2005 at 10:23:15PM -0300, Arnaldo Carvalho de Melo wrote:
> After applying this patch I still get a loop:
> 
> [acme@toy net-2.6]$ make O=OUTPUT/oops/ oldconfig | grep Warning
> Warning! Found recursive dependency: IP_NF_CONNTRACK_NETLINK NETFILTER_NETLINK IP_NF_CONNTRACK_NETLINK
> Warning! Found recursive dependency: NETFILTER_NETLINK IP_NF_CONNTRACK_NETLINK NETFILTER_NETLINK NETFILTER_NETLINK_QUEUE
> 
> This is using latest Dave tree, the one just before master.kernel.org
> was switched off for moving to Oregon, is there any other patch I should
> apply?

This f!*#$%!#$%ing kconfig dependency is killing me.   We have this
incredible inter-dependency between various options, and with every new
feature it's getting more complex.  The main reason being to avoid some
bits of dead code in case it's not really needed by some other module.

I'm starting to wonder whether it's really worth saving those few bytes
in some configurations at the expense of this complexity.

Maybe some Kconfig freak can help out. This is the intended dependency
rules:

ip_conntrack == CONFIG_IP_NF_CONNTRACK
nfnetlink == CONFIG_NETFILTER_NETLINK
ip_conntrack_netlink == CONFIG_IP_NF_CONNTRACK_NETLINK

If nfnetlink == N, ip_conntrack can be N or M or Y
If nfnetlink == M, ip_conntrack can be N or M
If nfnetlink == Y, ip_conntrack can be Y or M

If ip_conntrack == N && nfnetlink == N, ip_conntrack_netlink must be N
If ip_conntrack == N && nfnetlink == M, ip_conntrack_netlink must be N
If ip_conntrack == N && nfnetlink == Y, ip_conntrack_netlink must be N

If ip_conntrack == M && nfnetlink == N, ip_conntrack_netlink must be N 
If ip_conntrack == M && nfnetlink == M, ip_conntrack_netlink can N or M
If ip_conntrack == M && nfnetlink == Y, ip_conntrack_netlink can N or M

if ip_conntrack == Y && nfnetlink == N, ip_conntrack_netlink must be N
if ip_conntrack == Y && nfnetlink == M, ip_conntrack_netlink can N or M
if ip_conntrack == Y && nfnetlink == Y, ip_conntrack_netlink can N, M or Y

NETfILTER_NETLINK_QUEUE and NETFILTER_NETLINK_LOG only depend on
NETFILER_NETLINK and nothing else.

Cheers,

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [HELP] netfilter Kconfig dependency nightmare
  2005-09-17  8:07       ` [HELP] netfilter Kconfig dependency nightmare Harald Welte
@ 2005-09-17 11:08         ` Roman Zippel
  2005-09-17 11:29           ` Harald Welte
  0 siblings, 1 reply; 6+ messages in thread
From: Roman Zippel @ 2005-09-17 11:08 UTC (permalink / raw)
  To: Harald Welte
  Cc: Arnaldo Carvalho de Melo, Netfilter Development Mailinglist,
	Linux Netdev List, Linux Kernel Mailinglist

Hi,

On Sat, 17 Sep 2005, Harald Welte wrote:

> ip_conntrack == CONFIG_IP_NF_CONNTRACK
> nfnetlink == CONFIG_NETFILTER_NETLINK
> ip_conntrack_netlink == CONFIG_IP_NF_CONNTRACK_NETLINK
> 
> If nfnetlink == N, ip_conntrack can be N or M or Y
> If nfnetlink == M, ip_conntrack can be N or M
> If nfnetlink == Y, ip_conntrack can be Y or M

Where is the requirement for the last one coming from?

> If ip_conntrack == N && nfnetlink == N, ip_conntrack_netlink must be N
> If ip_conntrack == N && nfnetlink == M, ip_conntrack_netlink must be N
> If ip_conntrack == N && nfnetlink == Y, ip_conntrack_netlink must be N
> 
> If ip_conntrack == M && nfnetlink == N, ip_conntrack_netlink must be N 
> If ip_conntrack == M && nfnetlink == M, ip_conntrack_netlink can N or M
> If ip_conntrack == M && nfnetlink == Y, ip_conntrack_netlink can N or M
> 
> if ip_conntrack == Y && nfnetlink == N, ip_conntrack_netlink must be N
> if ip_conntrack == Y && nfnetlink == M, ip_conntrack_netlink can N or M
> if ip_conntrack == Y && nfnetlink == Y, ip_conntrack_netlink can N, M or Y

That looks like a normal ip_conntrack && nfnetlink.

bye, Roman

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [HELP] netfilter Kconfig dependency nightmare
  2005-09-17 11:08         ` Roman Zippel
@ 2005-09-17 11:29           ` Harald Welte
  2005-09-17 12:18             ` Roman Zippel
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2005-09-17 11:29 UTC (permalink / raw)
  To: Roman Zippel
  Cc: Linux Netdev List, Netfilter Development Mailinglist,
	Linux Kernel Mailinglist, Arnaldo Carvalho de Melo

[-- Attachment #1: Type: text/plain, Size: 1958 bytes --]

On Sat, Sep 17, 2005 at 01:08:58PM +0200, Roman Zippel wrote:
> Hi,

Hi Roman, thanks for your reply.

> On Sat, 17 Sep 2005, Harald Welte wrote:
> 
> > ip_conntrack == CONFIG_IP_NF_CONNTRACK
> > nfnetlink == CONFIG_NETFILTER_NETLINK
> > ip_conntrack_netlink == CONFIG_IP_NF_CONNTRACK_NETLINK
> > 
> > If nfnetlink == N, ip_conntrack can be N or M or Y
> > If nfnetlink == M, ip_conntrack can be N or M
> > If nfnetlink == Y, ip_conntrack can be Y or M
> 
> Where is the requirement for the last one coming from?

sorry.  The last one should be N,M or Y.

The fundamental underlying problem is:

If CONFIG_IP_NF_CONNTRACK_NETLINK is selected (M or Y), then
CONFIG_IP_NF_CONNTRACK conditionally adds some code that references
symbols from nfnetlink.ko (CONFIG_NETFILTER_NETLINK)

So basically, enabling CONFIG_IP_NF_CONNTRACK_NETLINK creates a dependency
from CONFIG_IP_NF_CONNTRACK to CONFIG_NETFILTER_NETLINK.  AFAIK, the syntax
doesn't allow somthing like 

tristate IP_NF_CONNTRACK
	depends on NETFILTER_NETLINK if IP_NF_CONNTRACK_NETLINK!=n

So, if ip_conntrack_netlink == M (or Y), and ip_conntrack == Y, then
nfnetlink has to be set to Y (but cannot be a module).

Is there something that resembles 

And no, I do not see any chance to solve the problem in the code,
without either
1) adding yet another new module that only contains some 1kB of code and
   that requires additional EXPORT_SYMBOLS() on private data from
   ip_conntrack
or
2) adding dead code to ip_conntrack.ko that isn't used in many common
   configurations

:(

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [HELP] netfilter Kconfig dependency nightmare
  2005-09-17 11:29           ` Harald Welte
@ 2005-09-17 12:18             ` Roman Zippel
  2005-09-17 15:29               ` Harald Welte
  0 siblings, 1 reply; 6+ messages in thread
From: Roman Zippel @ 2005-09-17 12:18 UTC (permalink / raw)
  To: Harald Welte
  Cc: Arnaldo Carvalho de Melo, Netfilter Development Mailinglist,
	Linux Netdev List, Linux Kernel Mailinglist

Hi,

On Sat, 17 Sep 2005, Harald Welte wrote:

> If CONFIG_IP_NF_CONNTRACK_NETLINK is selected (M or Y), then
> CONFIG_IP_NF_CONNTRACK conditionally adds some code that references
> symbols from nfnetlink.ko (CONFIG_NETFILTER_NETLINK)
> 
> So basically, enabling CONFIG_IP_NF_CONNTRACK_NETLINK creates a dependency
> from CONFIG_IP_NF_CONNTRACK to CONFIG_NETFILTER_NETLINK.  AFAIK, the syntax
> doesn't allow somthing like 
> 
> tristate IP_NF_CONNTRACK
> 	depends on NETFILTER_NETLINK if IP_NF_CONNTRACK_NETLINK!=n

Since IP_NF_CONNTRACK_NETLINK is the one creating the dependency, 
something like this should work:

config IP_NF_CONNTRACK_NETLINK
	depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
	depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m

IOW ct_nl depends on (ct && nl) unless (ct=y && nl=m).

bye, Roman

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [HELP] netfilter Kconfig dependency nightmare
  2005-09-17 12:18             ` Roman Zippel
@ 2005-09-17 15:29               ` Harald Welte
  2005-09-17 15:32                 ` Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2005-09-17 15:29 UTC (permalink / raw)
  To: Roman Zippel
  Cc: Linux Netdev List, Netfilter Development Mailinglist,
	Linux Kernel Mailinglist, Arnaldo Carvalho de Melo

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

On Sat, Sep 17, 2005 at 02:18:28PM +0200, Roman Zippel wrote:
> Since IP_NF_CONNTRACK_NETLINK is the one creating the dependency, 
> something like this should work:

yes, I agree.  Looking at the behaviour of "menuconfig", I think your
suggestion solves the problem.  I didn't try to compile all the
combinations, though.

I'll submit a patch via DaveM soon.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [HELP] netfilter Kconfig dependency nightmare
  2005-09-17 15:29               ` Harald Welte
@ 2005-09-17 15:32                 ` Arnaldo Carvalho de Melo
  0 siblings, 0 replies; 6+ messages in thread
From: Arnaldo Carvalho de Melo @ 2005-09-17 15:32 UTC (permalink / raw)
  To: Harald Welte, Roman Zippel, Arnaldo Carvalho de Melo,
	Netfilter Development Mailinglist, Linux Netdev List,
	Linux Kernel Mailinglist

On 9/17/05, Harald Welte <laforge@netfilter.org> wrote:
> On Sat, Sep 17, 2005 at 02:18:28PM +0200, Roman Zippel wrote:
> > Since IP_NF_CONNTRACK_NETLINK is the one creating the dependency,
> > something like this should work:
> 
> yes, I agree.  Looking at the behaviour of "menuconfig", I think your
> suggestion solves the problem.  I didn't try to compile all the
> combinations, though.
> 
> I'll submit a patch via DaveM soon.

OK, I'll test it as soon as it appears here :-)

- Arnaldo

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2005-09-17 15:32 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20050916021451.3012196c.akpm@osdl.org>
     [not found] ` <20050916191959.GN8413@sunbeam.de.gnumonks.org>
     [not found]   ` <39e6f6c705091617514457eded@mail.gmail.com>
     [not found]     ` <20050917012315.GA29841@mandriva.com>
2005-09-17  8:07       ` [HELP] netfilter Kconfig dependency nightmare Harald Welte
2005-09-17 11:08         ` Roman Zippel
2005-09-17 11:29           ` Harald Welte
2005-09-17 12:18             ` Roman Zippel
2005-09-17 15:29               ` Harald Welte
2005-09-17 15:32                 ` Arnaldo Carvalho de Melo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).