* [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables @ 2015-05-03 9:50 Liu Hua 2015-05-03 11:07 ` Florian Westphal 0 siblings, 1 reply; 5+ messages in thread From: Liu Hua @ 2015-05-03 9:50 UTC (permalink / raw) To: davem, kadlec, kaber, pablo Cc: sdu.liu, netfilter-devel, coreteam, netdev, linux-kernel, liusdu commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with "net/built-in.o: In function `tproxy_tg_init': net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' " So this patch change the Kconfig as ipv4 does. Signed-off-by: Liu Hua <sdu.liu@huawei.com> --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index f70e34a..34f54a8 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY depends on (IPV6 || IPV6=n) depends on IP_NF_MANGLE select NF_DEFRAG_IPV4 - select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES + select NF_DEFRAG_IPV6 help This option adds a `TPROXY' target, which is somewhat similar to REDIRECT. It can only be used in the mangle table and is useful -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
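Review bot: the unconditional `select NF_DEFRAG_IPV6` in NETFILTER_XT_TARGET_TPROXY sits directly under `depends on (IPV6 || IPV6=n)`, so it would also force IPv6 defragmentation on in kernels configured with IPV6=n or without ip6tables, because `select` sets a symbol without regard to that symbol's own dependencies. The changelog also does not give the y/m/n values of NETFILTER_XT_TARGET_TPROXY, IP6_NF_IPTABLES and NF_DEFRAG_IPV6 that reproduce the undefined reference to `nf_defrag_ipv6_enable`. Suggest keeping the `if IP6_NF_IPTABLES` condition, stating the failing combination in the commit message, and constraining the tristate values with a `depends on` line rather than widening the select.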
* Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables 2015-05-03 9:50 [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables Liu Hua @ 2015-05-03 11:07 ` Florian Westphal 2015-05-03 14:18 ` liusdu 0 siblings, 1 reply; 5+ messages in thread From: Florian Westphal @ 2015-05-03 11:07 UTC (permalink / raw) To: Liu Hua Cc: davem, kadlec, kaber, pablo, netfilter-devel, netdev, linux-kernel, liusdu Liu Hua <sdu.liu@huawei.com> wrote: > commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue > when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and > NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with > "net/built-in.o: In function `tproxy_tg_init': > net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' > " > So this patch change the Kconfig as ipv4 does. > --- a/net/netfilter/Kconfig > +++ b/net/netfilter/Kconfig > @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY > depends on (IPV6 || IPV6=n) > depends on IP_NF_MANGLE > select NF_DEFRAG_IPV4 > - select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > + select NF_DEFRAG_IPV6 If IP6_NF_IPTABLES is not set, why would we have to pick up IPV6 defragmentation? Without ip6tables, TPROXY cannot be used for ipv6; in fact; xt_TPROXY should be built without ipv6 support in this case. My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that might warrant a better fix (xt_socket seems to have same issue). ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables 2015-05-03 11:07 ` Florian Westphal @ 2015-05-03 14:18 ` liusdu 2015-05-03 20:09 ` Florian Westphal 0 siblings, 1 reply; 5+ messages in thread From: liusdu @ 2015-05-03 14:18 UTC (permalink / raw) To: Florian Westphal, Liu Hua Cc: davem, kadlec, kaber, pablo, netfilter-devel, netdev, linux-kernel On 2015年05月03日 19:07, Florian Westphal wrote: > Liu Hua <sdu.liu@huawei.com> wrote: >> commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue >> when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and >> NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with >> "net/built-in.o: In function `tproxy_tg_init': >> net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' >> " >> So this patch change the Kconfig as ipv4 does. >> --- a/net/netfilter/Kconfig >> +++ b/net/netfilter/Kconfig >> @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY >> depends on (IPV6 || IPV6=n) >> depends on IP_NF_MANGLE >> select NF_DEFRAG_IPV4 >> - select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES >> + select NF_DEFRAG_IPV6 > IP6_NF_IPTABLES > If IP6_NF_IPTABLES is not set, why would we have to pick > up IPV6 defragmentation? > > Without ip6tables, TPROXY cannot be used for ipv6; in fact; > xt_TPROXY should be built without ipv6 support in this case. > > My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that > might warrant a better fix (xt_socket seems to have same issue). Hi Florian, Yes, It was exactly what I did. Actually there is a macro to determine whether we compile nf_defrag_ipv6_enable or not, called XT_TPROXY_HAVE_IPV6, which will be set to 1 while IP6_NF_IPTABLES=y or m. With the patch below we can make the compiling pass. But I am not sure it is good enough or not. diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index cca96ce..abbda64 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c 
@@ -24,7 +24,7 @@ #include <net/netfilter/ipv4/nf_defrag_ipv4.h> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) #define XT_TPROXY_HAVE_IPV6 1 #include <net/if_inet6.h> #include <net/addrconf.h> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index e092cb0..239fccf 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c @@ -21,7 +21,7 @@ #include <net/inet_sock.h> #include <net/netfilter/ipv4/nf_defrag_ipv4.h> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) #define XT_SOCKET_HAVE_IPV6 1 #include <linux/netfilter_ipv6/ip6_tables.h> #include <net/inet6_hashtables.h> ^ permalink raw reply related [flat|nested] 5+ messages in thread
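Review bot: switching both guards to `#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES)` means XT_TPROXY_HAVE_IPV6 and XT_SOCKET_HAVE_IPV6 are no longer defined when ip6tables is built as a module, so xt_TPROXY.c and xt_socket.c drop their IPv6 code on IP6_NF_IPTABLES=m kernels with nothing at build time to say so. Kconfig would still carry `select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES`, so the source guard and the Kconfig condition would no longer agree. Suggest leaving `IS_ENABLED` in both files and expressing the y/m constraint in net/netfilter/Kconfig; if restricting IPv6 support to built-in ip6tables is intended, it needs to be stated in the changelog and in the help text of both options.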
* Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables 2015-05-03 14:18 ` liusdu @ 2015-05-03 20:09 ` Florian Westphal 2015-05-04 15:56 ` liusdu 0 siblings, 1 reply; 5+ messages in thread From: Florian Westphal @ 2015-05-03 20:09 UTC (permalink / raw) To: liusdu Cc: Florian Westphal, Liu Hua, davem, kadlec, kaber, pablo, netfilter-devel, netdev, linux-kernel liusdu <liusdu@126.com> wrote: > On 2015年05月03日 19:07, Florian Westphal wrote: > >Liu Hua <sdu.liu@huawei.com> wrote: > >>commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue > >>when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and > >>NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with > >>"net/built-in.o: In function `tproxy_tg_init': > >>net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' > >>" > >>So this patch change the Kconfig as ipv4 does. > >>--- a/net/netfilter/Kconfig > >>+++ b/net/netfilter/Kconfig > >>@@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY > >> depends on (IPV6 || IPV6=n) > >> depends on IP_NF_MANGLE > >> select NF_DEFRAG_IPV4 > >>- select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > >>+ select NF_DEFRAG_IPV6 > >IP6_NF_IPTABLES > >If IP6_NF_IPTABLES is not set, why would we have to pick > >up IPV6 defragmentation? > > > >Without ip6tables, TPROXY cannot be used for ipv6; in fact; > >xt_TPROXY should be built without ipv6 support in this case. > > > >My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that > >might warrant a better fix (xt_socket seems to have same issue). > Hi Florian, > > Yes, It was exactly what I did. Actually there is a macro to > determine whether we compile nf_defrag_ipv6_enable or not, > called XT_TPROXY_HAVE_IPV6, which will be set to 1 while > IP6_NF_IPTABLES=y or m. With the patch below we can > make the compiling pass. But I am not sure it is good enough > or not. 
> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c > index cca96ce..abbda64 100644 > --- a/net/netfilter/xt_TPROXY.c > +++ b/net/netfilter/xt_TPROXY.c > @@ -24,7 +24,7 @@ > > #include <net/netfilter/ipv4/nf_defrag_ipv4.h> > > -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) > +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) This means you need to set IP6_NF_IPTABLES=y, else TPROXY doesn't work with ipv6. I suggest to try and get Kconfig to force the needed dependency (DEFRAG=y if TPROXY=y && DEFRAG=m if TPROXY=m). Maybe this is enough (untested) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED depends on (IPV6 || IPV6=n) + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) depends on IP_NF_MANGLE select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES @@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET depends on NETFILTER_ADVANCED depends on !NF_CONNTRACK || NF_CONNTRACK depends on (IPV6 || IPV6=n) + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES help -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
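Review bot: the added `depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)` lines in NETFILTER_XT_TARGET_TPROXY and NETFILTER_XT_MATCH_SOCKET have no explanation, and the expression reads like a tautology to anyone who does not know that it caps the option at m when IP6_NF_IPTABLES=m. The patch is marked untested and has no changelog. Suggest a changelog that names the failing combination (TPROXY=y with DEFRAG_IPV6=m) and quotes the link error, plus a build test of xt_TPROXY and xt_socket with IP6_NF_IPTABLES set to n, m and y in turn.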
* Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables 2015-05-03 20:09 ` Florian Westphal @ 2015-05-04 15:56 ` liusdu 0 siblings, 0 replies; 5+ messages in thread From: liusdu @ 2015-05-04 15:56 UTC (permalink / raw) To: Florian Westphal Cc: Liu Hua, davem, kadlec, kaber, pablo, netfilter-devel, netdev, linux-kernel On 2015年05月04日 04:09, Florian Westphal wrote: > liusdu <liusdu@126.com> wrote: >> On 2015年05月03日 19:07, Florian Westphal wrote: >>> Liu Hua <sdu.liu@huawei.com> wrote: >>>> commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue >>>> when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and >>>> NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with >>>> "net/built-in.o: In function `tproxy_tg_init': >>>> net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' >>>> " >>>> So this patch change the Kconfig as ipv4 does. >>>> --- a/net/netfilter/Kconfig >>>> +++ b/net/netfilter/Kconfig >>>> @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY >>>> depends on (IPV6 || IPV6=n) >>>> depends on IP_NF_MANGLE >>>> select NF_DEFRAG_IPV4 >>>> - select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES >>>> + select NF_DEFRAG_IPV6 >>> IP6_NF_IPTABLES >>> If IP6_NF_IPTABLES is not set, why would we have to pick >>> up IPV6 defragmentation? >>> >>> Without ip6tables, TPROXY cannot be used for ipv6; in fact; >>> xt_TPROXY should be built without ipv6 support in this case. >>> >>> My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that >>> might warrant a better fix (xt_socket seems to have same issue). >> Hi Florian, >> >> Yes, It was exactly what I did. Actually there is a macro to >> determine whether we compile nf_defrag_ipv6_enable or not, >> called XT_TPROXY_HAVE_IPV6, which will be set to 1 while >> IP6_NF_IPTABLES=y or m. With the patch below we can >> make the compiling pass. But I am not sure it is good enough >> or not. 
>> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c >> index cca96ce..abbda64 100644 >> --- a/net/netfilter/xt_TPROXY.c >> +++ b/net/netfilter/xt_TPROXY.c >> @@ -24,7 +24,7 @@ >> >> #include <net/netfilter/ipv4/nf_defrag_ipv4.h> >> >> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) >> +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) > This means you need to set IP6_NF_IPTABLES=y, else TPROXY doesn't work > with ipv6. I suggest to try and get Kconfig to force the needed > dependency (DEFRAG=y if TPROXY=y && DEFRAG=m if TPROXY=m). > > Maybe this is enough (untested) > > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig > --- a/net/netfilter/Kconfig > +++ b/net/netfilter/Kconfig > @@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY > depends on NETFILTER_XTABLES > depends on NETFILTER_ADVANCED > depends on (IPV6 || IPV6=n) > + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) > depends on IP_NF_MANGLE > select NF_DEFRAG_IPV4 > select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > @@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET > depends on NETFILTER_ADVANCED > depends on !NF_CONNTRACK || NF_CONNTRACK > depends on (IPV6 || IPV6=n) > + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) > select NF_DEFRAG_IPV4 > select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > help It works for me. With it DEFRAG, TPROXY and IP6_NF_IPTABLES are always compiled as the same type. A better way to solve such dependency problem. Since I only report this, and you solve it. So could you give a formal patch for this. I am a beginner of linux network system and very glad to do the test for you. ^ permalink raw reply [flat|nested] 5+ messages in thread
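The dependency argument in this thread, worked through as an added example (not code from the thread or from the kernel tree): a simplified Python model of Kconfig tristate evaluation that enumerates which (TPROXY, IP6_NF_IPTABLES, NF_DEFRAG_IPV6) combinations fail to link before and after the `depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)` line. The function names are hypothetical, and the model assumes no other dependency constrains these three symbols.

```python
# Simplified model of Kconfig tristate rules; an illustration, not kernel tooling.
from itertools import product

N, M, Y = 0, 1, 2            # tristate values, ordered n < m < y
NAMES = "nmy"

def dep_or_eq_n(x):
    """Value of the Kconfig expression (X || X=n): y unless X is m."""
    return max(x, Y if x == N else N)

def tproxy_limit(ip6tables, with_fix):
    """Highest value TPROXY may take under the modelled 'depends on' lines."""
    return dep_or_eq_n(ip6tables) if with_fix else Y

def defrag_floor(tproxy, ip6tables):
    """Minimum forced by 'select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES'."""
    return min(tproxy, ip6tables)

def link_breaks(tproxy, ip6tables, defrag):
    """Built-in xt_TPROXY references nf_defrag_ipv6_enable whenever
    IS_ENABLED(CONFIG_IP6_NF_IPTABLES) holds; a modular or absent
    NF_DEFRAG_IPV6 cannot resolve that symbol at link time."""
    return tproxy == Y and ip6tables != N and defrag < Y

def broken_configs(with_fix):
    """Reachable (TPROXY, IP6_NF_IPTABLES, NF_DEFRAG_IPV6) triples that fail to link."""
    bad = []
    for tproxy, ip6, defrag in product((N, M, Y), repeat=3):
        if tproxy > tproxy_limit(ip6, with_fix):
            continue          # combination rejected by 'depends on'
        if defrag < defrag_floor(tproxy, ip6):
            continue          # 'select' forces a higher value
        if link_breaks(tproxy, ip6, defrag):
            bad.append("".join(NAMES[v] for v in (tproxy, ip6, defrag)))
    return bad

if __name__ == "__main__":
    print("before:", broken_configs(with_fix=False))
    print("after: ", broken_configs(with_fix=True))
```

The only failing triple before the change is TPROXY=y, IP6_NF_IPTABLES=m, NF_DEFRAG_IPV6=m, which is the configuration guessed in the first reply; with the extra `depends on` line that triple is no longer reachable.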