* netfilter: ipset: fix linking with CONFIG_IPV6=n @ 2011-02-02 8:40 Patrick McHardy 2011-02-02 19:52 ` Jozsef Kadlecsik 0 siblings, 1 reply; 4+ messages in thread From: Patrick McHardy @ 2011-02-02 8:40 UTC (permalink / raw) To: Jozsef Kadlecsik; +Cc: 'netfilter@vger.kernel.org' [-- Attachment #1: Type: text/plain, Size: 336 bytes --] Add some #ifdefs to unconditionally return false in ip_set_get_ip6_port() when CONFIG_IPV6=n and convert to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module when loading ipset. A slightly more code-saving alternative would be to add a dummy inline function or ifdef the callsites. Please let me know which way you prefer. [-- Attachment #2: 05.diff --] [-- Type: text/x-patch, Size: 1126 bytes --] diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c index 4dd2785..5ea0736 100644 --- a/net/netfilter/ipset/ip_set_getport.c +++ b/net/netfilter/ipset/ip_set_getport.c @@ -13,6 +13,7 @@ #include <linux/icmpv6.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <net/ip.h> +#include <net/ipv6.h> #include <linux/netfilter/ipset/ip_set_getport.h> @@ -97,15 +98,19 @@ bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, __be16 *port, u8 *proto) { - unsigned int protooff = 0; - int protocol; - unsigned short fragoff; +#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) + int protoff; + u8 nexthdr; - protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff); - if (protocol <= 0 || fragoff) + nexthdr = ipv6_hdr(skb)->nexthdr; + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr); + if (protoff < 0) return false; - return get_port(skb, protocol, protooff, src, port, proto); + return get_port(skb, nexthdr, protoff, src, port, proto); +#else + return false; +#endif } EXPORT_SYMBOL_GPL(ip_set_get_ip6_port); ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: netfilter: ipset: fix linking with CONFIG_IPV6=n 2011-02-02 8:40 netfilter: ipset: fix linking with CONFIG_IPV6=n Patrick McHardy @ 2011-02-02 19:52 ` Jozsef Kadlecsik 2011-02-02 22:49 ` Patrick McHardy 0 siblings, 1 reply; 4+ messages in thread From: Jozsef Kadlecsik @ 2011-02-02 19:52 UTC (permalink / raw) To: Patrick McHardy; +Cc: 'netfilter@vger.kernel.org' Hi Patrick, On Wed, 2 Feb 2011, Patrick McHardy wrote: > Add some #ifdefs to unconditionally return false in > ip_set_get_ip6_port() when CONFIG_IPV6=n and convert > to ipv6_skip_exthdr() to avoid pulling in the ip6_tables > module when loading ipset. You left out checking fragmented packets. Is it intentional? > A slightly more code-saving alternative would be to add > a dummy inline function or ifdef the callsites. Please > let me know which way you prefer. A dummy inline looks nicer to me, because that way the IPv6 and non-IPv6 cases were clearly separated. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: netfilter: ipset: fix linking with CONFIG_IPV6=n 2011-02-02 19:52 ` Jozsef Kadlecsik @ 2011-02-02 22:49 ` Patrick McHardy 2011-02-03 9:29 ` Jozsef Kadlecsik 0 siblings, 1 reply; 4+ messages in thread From: Patrick McHardy @ 2011-02-02 22:49 UTC (permalink / raw) To: Jozsef Kadlecsik; +Cc: 'netfilter@vger.kernel.org' [-- Attachment #1: Type: text/plain, Size: 851 bytes --] Am 02.02.2011 20:52, schrieb Jozsef Kadlecsik: > Hi Patrick, > > On Wed, 2 Feb 2011, Patrick McHardy wrote: > >> Add some #ifdefs to unconditionally return false in >> ip_set_get_ip6_port() when CONFIG_IPV6=n and convert >> to ipv6_skip_exthdr() to avoid pulling in the ip6_tables >> module when loading ipset. > > You left out checking fragmented packets. Is it intentional? Yes, ipv6_skip_exthdr() returns an error for non-first fragments. For the first fragment skb_header_pointer() checks that enough data for the port numbers is present. >> A slightly more code-saving alternative would be to add >> a dummy inline function or ifdef the callsites. Please >> let me know which way you prefer. > > A dummy inline looks nicer to me, because that way the IPv6 and non-IPv6 > cases were clearly separated. OK, I'm going to commit this patch. [-- Attachment #2: 05.diff --] [-- Type: text/plain, Size: 2089 bytes --] diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h index 694c433..3882a81 100644 --- a/include/linux/netfilter/ipset/ip_set_getport.h +++ b/include/linux/netfilter/ipset/ip_set_getport.h @@ -3,8 +3,18 @@ extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src, __be16 *port, u8 *proto); + +#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, __be16 *port, u8 *proto); +#else +static inline bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, + __be16 *port, u8 *proto) +{ + return false; +} +#endif + extern bool ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port); diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c index 4dd2785..8d52272 100644 --- a/net/netfilter/ipset/ip_set_getport.c +++ b/net/netfilter/ipset/ip_set_getport.c @@ -13,6 +13,7 @@ #include <linux/icmpv6.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <net/ip.h> +#include <net/ipv6.h> #include <linux/netfilter/ipset/ip_set_getport.h> @@ -93,21 +94,23 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src, } EXPORT_SYMBOL_GPL(ip_set_get_ip4_port); +#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, __be16 *port, u8 *proto) { - unsigned int protooff = 0; - int protocol; - unsigned short fragoff; + int protoff; + u8 nexthdr; - protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff); - if (protocol <= 0 || fragoff) + nexthdr = ipv6_hdr(skb)->nexthdr; + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr); + if (protoff < 0) return false; - return get_port(skb, protocol, protooff, src, port, proto); + return get_port(skb, nexthdr, protoff, src, port, proto); } EXPORT_SYMBOL_GPL(ip_set_get_ip6_port); +#endif bool ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port) ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: netfilter: ipset: fix linking with CONFIG_IPV6=n 2011-02-02 22:49 ` Patrick McHardy @ 2011-02-03 9:29 ` Jozsef Kadlecsik 0 siblings, 0 replies; 4+ messages in thread From: Jozsef Kadlecsik @ 2011-02-03 9:29 UTC (permalink / raw) To: Patrick McHardy; +Cc: 'netfilter@vger.kernel.org' On Wed, 2 Feb 2011, Patrick McHardy wrote: > Am 02.02.2011 20:52, schrieb Jozsef Kadlecsik: > > Hi Patrick, > > > > On Wed, 2 Feb 2011, Patrick McHardy wrote: > > > >> Add some #ifdefs to unconditionally return false in > >> ip_set_get_ip6_port() when CONFIG_IPV6=n and convert > >> to ipv6_skip_exthdr() to avoid pulling in the ip6_tables > >> module when loading ipset. > > > > You left out checking fragmented packets. Is it intentional? > > Yes, ipv6_skip_exthdr() returns an error for non-first fragments. > For the first fragment skb_header_pointer() checks that enough > data for the port numbers is present. > > >> A slightly more code-saving alternative would be to add > >> a dummy inline function or ifdef the callsites. Please > >> let me know which way you prefer. > > > > A dummy inline looks nicer to me, because that way the IPv6 and non-IPv6 > > cases were clearly separated. > > OK, I'm going to commit this patch. I committed it in my tree too. Thanks! Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-02-03 9:29 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-02-02 8:40 netfilter: ipset: fix linking with CONFIG_IPV6=n Patrick McHardy 2011-02-02 19:52 ` Jozsef Kadlecsik 2011-02-02 22:49 ` Patrick McHardy 2011-02-03 9:29 ` Jozsef Kadlecsik
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox