From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <ffmancera@riseup.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v3 2/4] netfilter: synproxy: remove module dependency on IPv6 SYNPROXY
Date: Mon, 27 May 2019 23:26:09 +0200
Message-ID: <20190527212609.sigjj636awmagfww@breakpoint.cc>
In-Reply-To: <20190524170106.2686-3-ffmancera@riseup.net>

Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> This is a prerequisite for the new infrastructure module NF_SYNPROXY. The new
> module is needed to avoid duplicated code for the SYNPROXY nftables support.
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> ---
>  include/linux/netfilter_ipv6.h | 17 +++++++++++++++++
>  net/ipv6/netfilter.c           |  1 +
>  2 files changed, 18 insertions(+)
> 
> diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
> index 12113e502656..549a5df39cf9 100644
> --- a/include/linux/netfilter_ipv6.h
> +++ b/include/linux/netfilter_ipv6.h
> @@ -8,6 +8,7 @@
>  #define __LINUX_IP6_NETFILTER_H
>  
>  #include <uapi/linux/netfilter_ipv6.h>
> +#include <net/tcp.h>
>  
>  /* Extra routing may needed on local out, as the QUEUE target never returns
>   * control to the table.
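
Review bot: the added `#include <net/tcp.h>` at the top of include/linux/netfilter_ipv6.h makes every user of this header pull in the full TCP header. The declarations visible in this patch only use `const struct tcphdr *` and `const struct ipv6hdr *` as pointer types, for which forward declarations are enough; if the include is there for a prototype the inline helper calls, a short comment naming it would make that clear.
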
> @@ -34,6 +35,8 @@ struct nf_ipv6_ops {
>  		       struct in6_addr *saddr);
>  	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
>  		     bool strict);
> +	u32 (*cookie_init_sequence)(const struct ipv6hdr *iph,
> +				    const struct tcphdr *th, u16 *mssp);

This is good, but not enough:

/tmp/foo/./lib/modules/5.2.0-rc1+/kernel/net/netfilter/nf_synproxy.ko needs "__cookie_v6_check": /tmp/foo/./lib/modules/5.2.0-rc1+/kernel/net/ipv6/ipv6.ko

IOW, you need to also add the same trick for __cookie_v6_check.

Otherwise, an ipv4 only rule involving synproxy will pull in ipv6.ko
module.

> +static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph,
> +					       const struct tcphdr *th,
> +					       u16 *mssp)
> +{
> +#if IS_MODULE(CONFIG_IPV6)
> +	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
> +
> +	if (v6_ops)
> +		return v6_ops->cookie_init_sequence(iph, th, mssp);
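
Review bot: in the `#if IS_MODULE(CONFIG_IPV6)` branch of nf_ipv6_cookie_init_sequence(), the `if (v6_ops)` test has no fall-through path in the lines shown, so when nf_get_ipv6_ops() returns NULL nothing is returned and `*mssp` is never written. Add an explicit return after the `if`, and put a comment above the helper saying what callers may assume about `*mssp` in that case.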

This triggers a compiler warning for me, because return value is
undefined in !v6ops case.

I think you can just return 0 here for the !v6ops case.
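
The two review points above (route every IPv6 cookie helper through the ops table so the caller holds no direct symbol reference, and return a defined value when no table is registered), as an added userspace model that is not code from the patch or the kernel. All names are hypothetical stand-ins; the signature of the check hook and the sample cookie and MSS values are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; every name here is a hypothetical stand-in. */
struct v6_ops_model {
	uint32_t (*cookie_init_sequence)(const void *iph, const void *th, uint16_t *mssp);
	int (*cookie_check)(const void *iph, const void *th, uint32_t cookie);
};
/* NULL until the stand-in for the IPv6 module registers its table. */
static const struct v6_ops_model *registered_v6_ops;
static uint16_t scratch_mss;	/* out-parameter storage for the demo */

/* Callers reference only these wrappers, never the IPv6 functions. */
static uint32_t model_cookie_init_sequence(const void *iph, const void *th, uint16_t *mssp)
{
	const struct v6_ops_model *ops = registered_v6_ops;
	if (ops && ops->cookie_init_sequence)
		return ops->cookie_init_sequence(iph, th, mssp);
	return 0;	/* defined result on the no-ops path; *mssp untouched */
}

static int model_cookie_check(const void *iph, const void *th, uint32_t cookie)
{
	const struct v6_ops_model *ops = registered_v6_ops;
	if (ops && ops->cookie_check)
		return ops->cookie_check(iph, th, cookie);
	return 0;
}

/* Constructed implementations playing the role of the IPv6 module. */
static uint32_t fake_v6_init(const void *iph, const void *th, uint16_t *mssp)
{
	(void)iph; (void)th;
	*mssp = 1440;		/* constructed sample MSS */
	return 0x1234abcdu;	/* constructed sample cookie */
}
static int fake_v6_check(const void *iph, const void *th, uint32_t cookie)
{
	(void)iph; (void)th;
	return cookie == 0x1234abcdu ? 1440 : 0;
}
static const struct v6_ops_model fake_ops = { fake_v6_init, fake_v6_check };

int main(void)
{
	printf("unloaded: %u\n", (unsigned)model_cookie_init_sequence(NULL, NULL, &scratch_mss));
	registered_v6_ops = &fake_ops;	/* stand-in for module load */
	printf("loaded: %#x\n", (unsigned)model_cookie_init_sequence(NULL, NULL, &scratch_mss));
	printf("check: %d\n", model_cookie_check(NULL, NULL, 0x1234abcdu));
	return 0;
}
```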