Some netfilter compile errors when CONFIG_IPV6=m

Some netfilter compile errors when CONFIG_IPV6=m

[Cong Wang]

Hi, all

I got the following compile errors when I compile IPv6 as a module and
most of the rest are built into core kernel. David Miller insists we
should fix this kind of error and not by adding Kconfig tricks.

net/built-in.o: In function `nf_tproxy_get_sock_v6':
/home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
undefined reference to `udp6_lib_lookup'
/home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
undefined reference to `udp6_lib_lookup'
net/built-in.o: In function `tproxy_tg_init':
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
net/built-in.o: In function `socket_mt_init':
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'

My .config is:

CONFIG_NET_IPGRE=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_NF_NAT_IPV6=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m
CONFIG_BRIDGE_EBT_NFLOG=m
CONFIG_IP_SCTP=m
CONFIG_BRIDGE=m
CONFIG_BONDING=m

all the rest are either =y or =n.


Thanks.

Re: Some netfilter compile errors when CONFIG_IPV6=m

[Cong Wang]

On Tue, 2013-05-14 at 10:45 +0800, Cong Wang wrote:
> net/built-in.o: In function `tproxy_tg_init':
> /home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
> to `nf_defrag_ipv6_enable'
> net/built-in.o: In function `socket_mt_init':
> /home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
> to `nf_defrag_ipv6_enable'

I don't know why we keep an empty definition for
nf_defrag_ipv6_enable(), so I make a patch to remove it, not sure if it
makes sense.


diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
deleted file mode 100644
index 6b00ea3..0000000
--- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _NF_DEFRAG_IPV4_H
-#define _NF_DEFRAG_IPV4_H
-
-extern void nf_defrag_ipv4_enable(void);
-
-#endif /* _NF_DEFRAG_IPV4_H */
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index fd79c9a..7ba91bb 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -1,8 +1,6 @@
 #ifndef _NF_DEFRAG_IPV6_H
 #define _NF_DEFRAG_IPV6_H
 
-extern void nf_defrag_ipv6_enable(void);
-
 extern int nf_ct_frag6_init(void);
 extern void nf_ct_frag6_cleanup(void);
 extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32
user);
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 567d841..7344253 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -27,7 +27,6 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/nf_nat_helper.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 #include <net/netfilter/nf_log.h>
 
 static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int
nhoff,
@@ -464,7 +463,6 @@ static int __init
nf_conntrack_l3proto_ipv4_init(void)
 	int ret = 0;
 
 	need_conntrack();
-	nf_defrag_ipv4_enable();
 
 	ret = nf_register_sockopt(&so_getorigdst);
 	if (ret < 0) {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c
b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 7428155..b2ec6f1 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -16,7 +16,6 @@
 
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #include <net/netfilter/nf_conntrack.h>
 #endif
@@ -117,11 +116,6 @@ static void __exit nf_defrag_fini(void)
 	nf_unregister_hooks(ipv4_defrag_ops, ARRAY_SIZE(ipv4_defrag_ops));
 }
 
-void nf_defrag_ipv4_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(nf_defrag_ipv4_enable);
-
 module_init(nf_defrag_init);
 module_exit(nf_defrag_fini);
 
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2b..3fc4d53 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -460,7 +460,6 @@ static int __init
nf_conntrack_l3proto_ipv6_init(void)
 	int ret = 0;
 
 	need_conntrack();
-	nf_defrag_ipv6_enable();
 
 	ret = nf_register_sockopt(&so_getorigdst6);
 	if (ret < 0) {
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index aacd121..97c876f 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -125,12 +125,6 @@ static void __exit nf_defrag_fini(void)
 	nf_unregister_hooks(ipv6_defrag_ops, ARRAY_SIZE(ipv6_defrag_ops));
 	nf_ct_frag6_cleanup();
 }
-
-void nf_defrag_ipv6_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(nf_defrag_ipv6_enable);
-
 module_init(nf_defrag_init);
 module_exit(nf_defrag_fini);
 
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index d7f1953..fc7384d 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -20,8 +20,6 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
-
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 #define XT_TPROXY_HAVE_IPV6 1
 #include <net/if_inet6.h>
@@ -410,11 +408,6 @@ static struct xt_target tproxy_tg_reg[]
__read_mostly = {
 
 static int __init tproxy_tg_init(void)
 {
-	nf_defrag_ipv4_enable();
-#ifdef XT_TPROXY_HAVE_IPV6
-	nf_defrag_ipv6_enable();
-#endif
-
 	return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 }
 
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 63b2bdb..c588d68 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -20,7 +20,6 @@
 #include <net/sock.h>
 #include <net/inet_sock.h>
 #include <net/netfilter/nf_tproxy_core.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 #define XT_SOCKET_HAVE_IPV6 1
@@ -361,11 +360,6 @@ static struct xt_match socket_mt_reg[]
__read_mostly = {
 
 static int __init socket_mt_init(void)
 {
-	nf_defrag_ipv4_enable();
-#ifdef XT_SOCKET_HAVE_IPV6
-	nf_defrag_ipv6_enable();
-#endif
-
 	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }

Re: Some netfilter compile errors when CONFIG_IPV6=m

[Pablo Neira Ayuso]

On Tue, May 14, 2013 at 10:48:22AM +0800, Cong Wang wrote:
> On Tue, 2013-05-14 at 10:45 +0800, Cong Wang wrote:
> > net/built-in.o: In function `tproxy_tg_init':
> > /home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
> > to `nf_defrag_ipv6_enable'
> > net/built-in.o: In function `socket_mt_init':
> > /home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
> > to `nf_defrag_ipv6_enable'
> 
> I don't know why we keep an empty definition for
> nf_defrag_ipv6_enable(), so I make a patch to remove it, not sure if it
> makes sense.

It's there to enforce the dependency between nf_conntrack and
nf_defrag. We cannot run nf_conntrack without it.

Re: Some netfilter compile errors when CONFIG_IPV6=m

[Cong Wang]

Cc'ing Bjørn who cares IPV6=m compile errors very much. :)

BTW, this is what I found while testing my vxlan patches with IPV6=m.

On Tue, 2013-05-14 at 10:45 +0800, Cong Wang wrote:
> Hi, all
> 
> I got the following compile errors when I compile IPv6 as a module and
> most of the rest are built into core kernel. David Miller insists we
> should fix this kind of error and not by adding Kconfig tricks.
> 
> net/built-in.o: In function `nf_tproxy_get_sock_v6':
> /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> undefined reference to `udp6_lib_lookup'
> /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> undefined reference to `udp6_lib_lookup'
> net/built-in.o: In function `tproxy_tg_init':
> /home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
> to `nf_defrag_ipv6_enable'
> net/built-in.o: In function `socket_mt_init':
> /home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
> to `nf_defrag_ipv6_enable'
> 
> My .config is:
> 
> CONFIG_NET_IPGRE=m
> CONFIG_IPV6=m
> CONFIG_INET6_AH=m
> CONFIG_INET6_ESP=m
> CONFIG_INET6_IPCOMP=m
> CONFIG_IPV6_MIP6=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
> CONFIG_IPV6_SIT=m
> CONFIG_IPV6_TUNNEL=m
> CONFIG_IPV6_GRE=m
> CONFIG_NF_CONNTRACK_H323=m
> CONFIG_NETFILTER_XT_TARGET_TEE=m
> CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
> CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
> CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
> CONFIG_NF_NAT_H323=m
> CONFIG_NF_DEFRAG_IPV6=m
> CONFIG_NF_CONNTRACK_IPV6=m
> CONFIG_IP6_NF_IPTABLES=m
> CONFIG_IP6_NF_MATCH_AH=m
> CONFIG_IP6_NF_MATCH_EUI64=m
> CONFIG_IP6_NF_MATCH_FRAG=m
> CONFIG_IP6_NF_MATCH_OPTS=m
> CONFIG_IP6_NF_MATCH_HL=m
> CONFIG_IP6_NF_MATCH_IPV6HEADER=m
> CONFIG_IP6_NF_MATCH_MH=m
> CONFIG_IP6_NF_MATCH_RT=m
> CONFIG_IP6_NF_TARGET_HL=m
> CONFIG_IP6_NF_FILTER=m
> CONFIG_IP6_NF_TARGET_REJECT=m
> CONFIG_IP6_NF_MANGLE=m
> CONFIG_IP6_NF_RAW=m
> CONFIG_IP6_NF_SECURITY=m
> CONFIG_NF_NAT_IPV6=m
> CONFIG_IP6_NF_TARGET_MASQUERADE=m
> CONFIG_BRIDGE_NF_EBTABLES=m
> CONFIG_BRIDGE_EBT_BROUTE=m
> CONFIG_BRIDGE_EBT_T_FILTER=m
> CONFIG_BRIDGE_EBT_T_NAT=m
> CONFIG_BRIDGE_EBT_802_3=m
> CONFIG_BRIDGE_EBT_AMONG=m
> CONFIG_BRIDGE_EBT_ARP=m
> CONFIG_BRIDGE_EBT_IP=m
> CONFIG_BRIDGE_EBT_IP6=m
> CONFIG_BRIDGE_EBT_LIMIT=m
> CONFIG_BRIDGE_EBT_MARK=m
> CONFIG_BRIDGE_EBT_PKTTYPE=m
> CONFIG_BRIDGE_EBT_STP=m
> CONFIG_BRIDGE_EBT_VLAN=m
> CONFIG_BRIDGE_EBT_ARPREPLY=m
> CONFIG_BRIDGE_EBT_DNAT=m
> CONFIG_BRIDGE_EBT_MARK_T=m
> CONFIG_BRIDGE_EBT_REDIRECT=m
> CONFIG_BRIDGE_EBT_SNAT=m
> CONFIG_BRIDGE_EBT_LOG=m
> CONFIG_BRIDGE_EBT_ULOG=m
> CONFIG_BRIDGE_EBT_NFLOG=m
> CONFIG_IP_SCTP=m
> CONFIG_BRIDGE=m
> CONFIG_BONDING=m
> 
> all the rest are either =y or =n.
> 
> 
> Thanks.



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Some netfilter compile errors when CONFIG_IPV6=m

[Pablo Neira Ayuso]

On Tue, May 14, 2013 at 10:45:52AM +0800, Cong Wang wrote:
> Hi, all
> 
> I got the following compile errors when I compile IPv6 as a module and
> most of the rest are built into core kernel. David Miller insists we
> should fix this kind of error and not by adding Kconfig tricks.
> 
> net/built-in.o: In function `nf_tproxy_get_sock_v6':
> /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> undefined reference to `udp6_lib_lookup'
> /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> undefined reference to `udp6_lib_lookup'
> net/built-in.o: In function `tproxy_tg_init':
> /home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
> to `nf_defrag_ipv6_enable'
> net/built-in.o: In function `socket_mt_init':
> /home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
> to `nf_defrag_ipv6_enable'

Looking at your incomplete .config, I don't see how you set xt_TPROXY
and xt_socket but I bet they are =y.

For the udp6_lib_lookup dependency, you can use the ipv6 hooks added
here:

commit 2a7851bffb008ff4882eee673da74718997b4265
Author: Florian Westphal <fw@strlen.de>
Date:   Fri May 17 03:56:10 2013 +0000

    netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6

Already in the nf tree, to resolve it. It would be fairly easy to make
a patch for it.

For the nf_defrag_ipv6_enable, as I already mentioned, that's an
artificial function to enforce the dependency between those two
modules. We can add runtime checks in socket and TPROXY to skip
further processing is nf_defrag_ipv6 is not loaded. But that's a
problem because users will assume that their socket/TPROXY rule got
loaded but it will not actually work since defrag is not loaded.  I
think that really needs some Kconfig tricks for that specific case.

Regards.

Re: Some netfilter compile errors when CONFIG_IPV6=m

[Cong Wang]

On Mon, 2013-05-27 at 14:33 +0200, Pablo Neira Ayuso wrote:
> On Tue, May 14, 2013 at 10:45:52AM +0800, Cong Wang wrote:
> > Hi, all
> > 
> > I got the following compile errors when I compile IPv6 as a module and
> > most of the rest are built into core kernel. David Miller insists we
> > should fix this kind of error and not by adding Kconfig tricks.
> > 
> > net/built-in.o: In function `nf_tproxy_get_sock_v6':
> > /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> > undefined reference to `udp6_lib_lookup'
> > /home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
> > undefined reference to `udp6_lib_lookup'
> > net/built-in.o: In function `tproxy_tg_init':
> > /home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
> > to `nf_defrag_ipv6_enable'
> > net/built-in.o: In function `socket_mt_init':
> > /home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
> > to `nf_defrag_ipv6_enable'
> 
> Looking at your incomplete .config, I don't see how you set xt_TPROXY
> and xt_socket but I bet they are =y.
> 
> For the udp6_lib_lookup dependency, you can use the ipv6 hooks added
> here:
> 
> commit 2a7851bffb008ff4882eee673da74718997b4265
> Author: Florian Westphal <fw@strlen.de>
> Date:   Fri May 17 03:56:10 2013 +0000
> 
>     netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6
> 
> Already in the nf tree, to resolve it. It would be fairly easy to make
> a patch for it.

Next time please Cc me, the reporter, when you submit a fix, otherwise I
don't know if it is fixed, since I don't subscribe nf mailing list.

> 
> For the nf_defrag_ipv6_enable, as I already mentioned, that's an
> artificial function to enforce the dependency between those two
> modules. We can add runtime checks in socket and TPROXY to skip
> further processing is nf_defrag_ipv6 is not loaded. But that's a
> problem because users will assume that their socket/TPROXY rule got
> loaded but it will not actually work since defrag is not loaded.  I
> think that really needs some Kconfig tricks for that specific case.
> 

Yeah, please send a fix? I can test it (together with my vxlan patches)
if you need. I have no cycles to work on it even if it is simple. :)

Thanks!