Re: linux-next: Tree for March 27 (netfilter build error)

Re: linux-next: Tree for March 27 (netfilter build error)

[David Miller]

From: Randy Dunlap <randy.dunlap@oracle.com>
Date: Fri, 27 Mar 2009 09:48:40 -0700

> Stephen Rothwell wrote:
> > Hi all,
> > 
> > Changes since 20090326:
> 
> 
> with CONFIG_IPV6=n:
> 
> ERROR: "__ipv6_addr_type" [net/netfilter/xt_cluster.ko] undefined!
> 
> config attached.

Patrick and netfilter folks, please have a look, thanks!

Re: linux-next: Tree for March 27 (netfilter build error)

[Cyrill Gorcunov]

[David Miller - Fri, Mar 27, 2009 at 04:01:07PM -0700]
| From: Randy Dunlap <randy.dunlap@oracle.com>
| Date: Fri, 27 Mar 2009 09:48:40 -0700
| 
| > Stephen Rothwell wrote:
| > > Hi all,
| > > 
| > > Changes since 20090326:
| > 
| > 
| > with CONFIG_IPV6=n:
| > 
| > ERROR: "__ipv6_addr_type" [net/netfilter/xt_cluster.ko] undefined!
| > 
| > config attached.
| 
| Patrick and netfilter folks, please have a look, thanks!
| 

Pablo, seems like something as inlined below is
missed? (except I doubt about CONFIG_IPV6_MODULE
here)

        Cyrill
---
 net/netfilter/xt_cluster.c |    2 ++
 1 file changed, 2 insertions(+)

Index: linux-2.6.git/net/netfilter/xt_cluster.c
===================================================================
--- linux-2.6.git.orig/net/netfilter/xt_cluster.c
+++ linux-2.6.git/net/netfilter/xt_cluster.c
@@ -67,8 +67,10 @@ xt_cluster_is_multicast_addr(const struc
 		is_multicast = ipv4_is_multicast(ip_hdr(skb)->daddr);
 		break;
 	case NFPROTO_IPV6:
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 		is_multicast = ipv6_addr_type(&ipv6_hdr(skb)->daddr) &
 						IPV6_ADDR_MULTICAST;
+#endif
 		break;
 	default:
 		WARN_ON(1);

Re: linux-next: Tree for March 27 (netfilter build error)

[Randy Dunlap]

Cyrill Gorcunov wrote:
> [David Miller - Fri, Mar 27, 2009 at 04:01:07PM -0700]
> | From: Randy Dunlap <randy.dunlap@oracle.com>
> | Date: Fri, 27 Mar 2009 09:48:40 -0700
> | 
> | > Stephen Rothwell wrote:
> | > > Hi all,
> | > > 
> | > > Changes since 20090326:
> | > 
> | > 
> | > with CONFIG_IPV6=n:
> | > 
> | > ERROR: "__ipv6_addr_type" [net/netfilter/xt_cluster.ko] undefined!
> | > 
> | > config attached.
> | 
> | Patrick and netfilter folks, please have a look, thanks!
> | 
> 
> Pablo, seems like something as inlined below is
> missed? (except I doubt about CONFIG_IPV6_MODULE
> here)
> 
>         Cyrill

works_for_me.  Thanks.
but missing S-O-B.

Acked-by: Randy Dunlap <randy.dunlap@oracle.com>


> ---
>  net/netfilter/xt_cluster.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> Index: linux-2.6.git/net/netfilter/xt_cluster.c
> ===================================================================
> --- linux-2.6.git.orig/net/netfilter/xt_cluster.c
> +++ linux-2.6.git/net/netfilter/xt_cluster.c
> @@ -67,8 +67,10 @@ xt_cluster_is_multicast_addr(const struc
>  		is_multicast = ipv4_is_multicast(ip_hdr(skb)->daddr);
>  		break;
>  	case NFPROTO_IPV6:
> +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
>  		is_multicast = ipv6_addr_type(&ipv6_hdr(skb)->daddr) &
>  						IPV6_ADDR_MULTICAST;
> +#endif
>  		break;
>  	default:
>  		WARN_ON(1);


-- 
~Randy

Re: linux-next: Tree for March 27 (netfilter build error)

[Cyrill Gorcunov]

[Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
... 
| works_for_me.  Thanks.
| but missing S-O-B.
| 
| Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
...

Thanks for testing Randy. So if nobody will complain
here is a solid version of the patch. Though I would like
if Pablo or Patrick confirm its correctness. Thanks!

       Cyrill
---
From: Cyrill Gorcunov <gorcunov@openvz.org>
Subject: netfilter: xtables - build issue fix

Randy Dunlap reported:
| with CONFIG_IPV6=n:
|
| ERROR: "__ipv6_addr_type" [net/netfilter/xt_cluster.ko] undefined!

ipv6_addr_type does depend on IPv6 being tuned on.
Guard it with CONFIG_IPV6/_MODULE.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
---
 net/netfilter/xt_cluster.c |    2 ++
 1 file changed, 2 insertions(+)

Index: linux-2.6.git/net/netfilter/xt_cluster.c
===================================================================
--- linux-2.6.git.orig/net/netfilter/xt_cluster.c
+++ linux-2.6.git/net/netfilter/xt_cluster.c
@@ -67,8 +67,10 @@ xt_cluster_is_multicast_addr(const struc
 		is_multicast = ipv4_is_multicast(ip_hdr(skb)->daddr);
 		break;
 	case NFPROTO_IPV6:
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 		is_multicast = ipv6_addr_type(&ipv6_hdr(skb)->daddr) &
 						IPV6_ADDR_MULTICAST;
+#endif
 		break;
 	default:
 		WARN_ON(1);

Re: linux-next: Tree for March 27 (netfilter build error)

[David Miller]

From: Cyrill Gorcunov <gorcunov@gmail.com>
Date: Sun, 29 Mar 2009 10:47:04 +0400

> [Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
> ... 
> | works_for_me.  Thanks.
> | but missing S-O-B.
> | 
> | Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
> ...
> 
> Thanks for testing Randy. So if nobody will complain
> here is a solid version of the patch. Though I would like
> if Pablo or Patrick confirm its correctness. Thanks!

I'll apply this once Patrick or Pablo have a look at it.

Thanks.

Re: linux-next: Tree for March 27 (netfilter build error)

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1710 bytes --]

Hi Dave,

On Sat, Mar 28, 2009 at 11:47:39PM -0700, David Miller wrote:
> From: Cyrill Gorcunov <gorcunov@gmail.com>
> Date: Sun, 29 Mar 2009 10:47:04 +0400
> 
> > [Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
> > ... 
> > | works_for_me.  Thanks.
> > | but missing S-O-B.
> > | 
> > | Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
> > ...
> > 
> > Thanks for testing Randy. So if nobody will complain
> > here is a solid version of the patch. Though I would like
> > if Pablo or Patrick confirm its correctness. Thanks!
> 
> I'll apply this once Patrick or Pablo have a look at it.

I'm neither of them but I strongly believe the patch is correct.   

The only question that Patrick raised during the discussion of this patch some
days ago is whether the __ipv6_addr_type() call would cause a runtime
dependency to thei ipv6 module.  This would be bad since loading the
xt_cluster.ko module should not pull in the IPv6 protocol module.

I have just verified that __ipv6_addr_type is provided by
net/ipv6/addrconf_core.c, which specifically states it contains functions
"needed by static components when full IPv6 support is not configured or
static".   This is confirmed by the makefile, which addes addrconf_core.o to
obj-y.

So from my point of view, I cannot see any problems.

Regards.
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: linux-next: Tree for March 27 (netfilter build error)

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 751 bytes --]

David Miller wrote:
> From: Cyrill Gorcunov <gorcunov@gmail.com>
> Date: Sun, 29 Mar 2009 10:47:04 +0400
> 
>> [Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
>> ... 
>> | works_for_me.  Thanks.
>> | but missing S-O-B.
>> | 
>> | Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
>> ...
>>
>> Thanks for testing Randy. So if nobody will complain
>> here is a solid version of the patch. Though I would like
>> if Pablo or Patrick confirm its correctness. Thanks!
> 
> I'll apply this once Patrick or Pablo have a look at it.

I think that the patch attached is better since it removes the overhead
of the IPv6 dependency, which is indeed too much for the use of one
function. Thanks.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 1678 bytes --]

netfilter: xtables: fix IPv6 dependency in the cluster match

This patch fixes a dependency with IPv6:

ERROR: "__ipv6_addr_type" [net/netfilter/xt_cluster.ko] undefined!

This patch adds a function that checks if the higher bits of the
address is 0xFF to identify a multicast address, instead of adding a
dependency due to __ipv6_addr_type(). I came up with this idea after
Patrick McHardy pointed possible problems with runtime module
dependencies.

Reported-by: Steven Noonan <steven@uplinklabs.net>
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Reported-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/xt_cluster.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)


diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index ad5bd89..f2d2482 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -58,6 +58,13 @@ xt_cluster_hash(const struct nf_conn *ct,
 }
 
 static inline bool
+xt_cluster_ipv6_is_multicast(const struct in6_addr *addr)
+{
+	__be32 st = addr->s6_addr32[0];
+	return ((st & htonl(0xFF000000)) == htonl(0xFF000000)); 
+}
+
+static inline bool
 xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
 {
 	bool is_multicast = false;
@@ -67,8 +74,8 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
 		is_multicast = ipv4_is_multicast(ip_hdr(skb)->daddr);
 		break;
 	case NFPROTO_IPV6:
-		is_multicast = ipv6_addr_type(&ipv6_hdr(skb)->daddr) &
-						IPV6_ADDR_MULTICAST;
+		is_multicast =
+			xt_cluster_ipv6_is_multicast(&ipv6_hdr(skb)->daddr);
 		break;
 	default:
 		WARN_ON(1);

Re: linux-next: Tree for March 27 (netfilter build error)

[Cyrill Gorcunov]

[Pablo Neira Ayuso - Sun, Mar 29, 2009 at 01:59:30PM +0200]
... 
| I think that the patch attached is better since it removes the overhead
| of the IPv6 dependency, which is indeed too much for the use of one
| function. Thanks.
| 
...

It's definitely better! Thanks Pablo.

        Cyrill

Re: linux-next: Tree for March 27 (netfilter build error)

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 29 Mar 2009 13:59:30 +0200

> David Miller wrote:
> > From: Cyrill Gorcunov <gorcunov@gmail.com>
> > Date: Sun, 29 Mar 2009 10:47:04 +0400
> > 
> >> [Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
> >> ... 
> >> | works_for_me.  Thanks.
> >> | but missing S-O-B.
> >> | 
> >> | Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
> >> ...
> >>
> >> Thanks for testing Randy. So if nobody will complain
> >> here is a solid version of the patch. Though I would like
> >> if Pablo or Patrick confirm its correctness. Thanks!
> > 
> > I'll apply this once Patrick or Pablo have a look at it.
> 
> I think that the patch attached is better since it removes the overhead
> of the IPv6 dependency, which is indeed too much for the use of one
> function. Thanks.

I think it's a lot better too, applied, thanks!

Re: linux-next: Tree for March 27 (netfilter build error)

[Patrick McHardy]

David Miller wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Sun, 29 Mar 2009 13:59:30 +0200
> 
>> David Miller wrote:
>>> From: Cyrill Gorcunov <gorcunov@gmail.com>
>>> Date: Sun, 29 Mar 2009 10:47:04 +0400
>>>
>>>> [Randy Dunlap - Sat, Mar 28, 2009 at 09:26:42PM -0700]
>>>> ... 
>>>> | works_for_me.  Thanks.
>>>> | but missing S-O-B.
>>>> | 
>>>> | Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
>>>> ...
>>>>
>>>> Thanks for testing Randy. So if nobody will complain
>>>> here is a solid version of the patch. Though I would like
>>>> if Pablo or Patrick confirm its correctness. Thanks!
>>> I'll apply this once Patrick or Pablo have a look at it.
>> I think that the patch attached is better since it removes the overhead
>> of the IPv6 dependency, which is indeed too much for the use of one
>> function. Thanks.
> 
> I think it's a lot better too, applied, thanks!

No objections from my side, thanks :)