* [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error @ 2018-04-09 10:53 Arnd Bergmann 2018-04-09 14:37 ` Pablo Neira Ayuso 0 siblings, 1 reply; 7+ messages in thread From: Arnd Bergmann @ 2018-04-09 10:53 UTC (permalink / raw) To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, David S. Miller Cc: Arnd Bergmann, netfilter-devel, coreteam, netdev, linux-kernel We get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m after larger parts of the nftables modules are linked together: net/netfilter/nft_reject_inet.o: In function `nft_reject_inet_eval': nft_reject_inet.c:(.text+0x17c): undefined reference to `nf_send_unreach6' nft_reject_inet.c:(.text+0x190): undefined reference to `nf_send_reset6' The problem is that with NF_TABLES_INET set, we implicitly try to use the ipv6 version as well for NFT_REJECT, but when CONFIG_IPV6 is set to a loadable module, it's impossible to reach that. The best workaround I found is to express the above as a Kconfig dependency, forcing NFT_REJECT itself to be 'm' in that particular configuration. Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- net/netfilter/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 704b3832dbad..44d8a55e9721 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -594,6 +594,7 @@ config NFT_QUOTA config NFT_REJECT default m if NETFILTER_ADVANCED=n tristate "Netfilter nf_tables reject support" + depends on !NF_TABLES_INET || (IPV6!=m || m) help This option adds the "reject" expression that you can use to explicitly deny and notify via TCP reset/ICMP informational errors -- 2.9.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error 2018-04-09 10:53 [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error Arnd Bergmann @ 2018-04-09 14:37 ` Pablo Neira Ayuso 2018-04-09 14:43 ` Arnd Bergmann 0 siblings, 1 reply; 7+ messages in thread From: Pablo Neira Ayuso @ 2018-04-09 14:37 UTC (permalink / raw) To: Arnd Bergmann Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, netdev, linux-kernel [-- Attachment #1: Type: text/plain, Size: 549 bytes --] Hi Arnd, On Mon, Apr 09, 2018 at 12:53:12PM +0200, Arnd Bergmann wrote: > We get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m I think we can update NFT_REJECT_INET so it depends on NFT_REJECT_IPV4 and NFT_REJECT_IPV6. This doesn't allow here CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m. I mean, just like we do with NFT_FIB_INET. BTW, I think this problem has been is not related to the recent patch, but something older that kbuild robot has triggered more easily for some reason? Thanks for your patch! [-- Attachment #2: x.patch --] [-- Type: text/x-diff, Size: 358 bytes --] diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index d3220b43c832..b48c57bb9aaf 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -601,7 +601,8 @@ config NFT_REJECT config NFT_REJECT_INET depends on NF_TABLES_INET - default NFT_REJECT + depends on NFT_REJECT_IPV4 + depends on NFT_REJECT_IPV6 tristate config NFT_COMPAT ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error 2018-04-09 14:37 ` Pablo Neira Ayuso @ 2018-04-09 14:43 ` Arnd Bergmann 2018-04-13 13:15 ` Pablo Neira Ayuso 0 siblings, 1 reply; 7+ messages in thread From: Arnd Bergmann @ 2018-04-09 14:43 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, Networking, Linux Kernel Mailing List On Mon, Apr 9, 2018 at 4:37 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > Hi Arnd, > > On Mon, Apr 09, 2018 at 12:53:12PM +0200, Arnd Bergmann wrote: >> We get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m > > I think we can update NFT_REJECT_INET so it depends on NFT_REJECT_IPV4 > and NFT_REJECT_IPV6. This doesn't allow here CONFIG_NFT_REJECT_INET=y > and CONFIG_NF_REJECT_IPV6=m. > > I mean, just like we do with NFT_FIB_INET. That can only work if NFT_REJECT_INET can be made a 'tristate' symbol again, so that code gets built as a loadable module if CONFIG_NF_REJECT_IPV6=m. > BTW, I think this problem has been is not related to the recent patch, > but something older that kbuild robot has triggered more easily for > some reason? 02c7b25e5f54 is the one that turned NF_TABLES_INET into a 'bool' symbol. NFT_REJECT depends on NF_TABLES_INET, so it used to restricted to a loadable module with IPV6=m, but can now be built-in, which causes that link error. Arnd ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error 2018-04-09 14:43 ` Arnd Bergmann @ 2018-04-13 13:15 ` Pablo Neira Ayuso 2018-04-13 14:52 ` Arnd Bergmann ` (2 more replies) 0 siblings, 3 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2018-04-13 13:15 UTC (permalink / raw) To: Arnd Bergmann Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, Networking, Linux Kernel Mailing List [-- Attachment #1: Type: text/plain, Size: 1289 bytes --] On Mon, Apr 09, 2018 at 04:43:40PM +0200, Arnd Bergmann wrote: > On Mon, Apr 9, 2018 at 4:37 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > Hi Arnd, > > > > On Mon, Apr 09, 2018 at 12:53:12PM +0200, Arnd Bergmann wrote: > >> We get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m > > > > I think we can update NFT_REJECT_INET so it depends on NFT_REJECT_IPV4 > > and NFT_REJECT_IPV6. This doesn't allow here CONFIG_NFT_REJECT_INET=y > > and CONFIG_NF_REJECT_IPV6=m. > > > > I mean, just like we do with NFT_FIB_INET. > > That can only work if NFT_REJECT_INET can be made a 'tristate' symbol > again, so that code gets built as a loadable module if > CONFIG_NF_REJECT_IPV6=m. > > > BTW, I think this problem has been is not related to the recent patch, > > but something older that kbuild robot has triggered more easily for > > some reason? > > 02c7b25e5f54 is the one that turned NF_TABLES_INET into a 'bool' > symbol. NFT_REJECT depends on NF_TABLES_INET, so it used to > restricted to a loadable module with IPV6=m, but can now be > built-in, which causes that link error. Still one more spin on this, I would like to see if we have a way to fix this by simplifing things a bit. Would this one I'm attaching would work? Thanks for you patience. [-- Attachment #2: 0001-netfilter-CONFIG_NF_REJECT_IPV-4-6-becomes-bool-togg.patch --] [-- Type: text/x-diff, Size: 2586 bytes --] >From af07bc7ff5d34ce54e7913233912c058e6699e3c Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri, 13 Apr 2018 10:48:40 +0200 Subject: [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle Arnd reports that we get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m after larger parts of the nftables modules are linked together: net/netfilter/nft_reject_inet.o: In function `nft_reject_inet_eval': nft_reject_inet.c:(.text+0x17c): undefined reference to `nf_send_unreach6' nft_reject_inet.c:(.text+0x190): undefined reference to `nf_send_reset6' The problem is that with NF_TABLES_INET set, we implicitly try to use the ipv6 version as well for NFT_REJECT, but when CONFIG_IPV6 is set to a loadable module, it's impossible to reach that. This patch fixes this problem by building-in nf_reject_ipv{4,6}.c, IPv6 symbol dependencies for the IPv6 reject infrastructure are located in exthdrs_core.c, ip6_checksum.c and ip6_icmp.c which are also built-in, so let's do the same to simplify this. Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") Reported-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/ipv4/netfilter/Kconfig | 3 +-- net/ipv6/netfilter/Kconfig | 3 +-- net/netfilter/Kconfig | 2 ++ 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 280048e1e395..3e4e0ae2a9a1 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -104,8 +104,7 @@ config NF_LOG_IPV4 select NF_LOG_COMMON config NF_REJECT_IPV4 - tristate "IPv4 packet rejection" - default m if NETFILTER_ADVANCED=n + bool "IPv4 packet rejection" config NF_NAT_IPV4 tristate "IPv4 NAT" diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index ccbfa83e4bb0..1e5d040a60b8 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -87,8 +87,7 @@ config NF_DUP_IPV6 packet to be rerouted to another destination. config NF_REJECT_IPV6 - tristate "IPv6 packet rejection" - default m if NETFILTER_ADVANCED=n + bool "IPv6 packet rejection" config NF_LOG_IPV6 tristate "IPv6 packet logging" diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 4189f574f5ec..d7b3272fe821 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -609,6 +609,8 @@ config NFT_REJECT config NFT_REJECT_INET depends on NF_TABLES_INET + select NF_REJECT_IPV4 + select NF_REJECT_IPV6 default NFT_REJECT tristate -- 2.11.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error 2018-04-13 13:15 ` Pablo Neira Ayuso @ 2018-04-13 14:52 ` Arnd Bergmann 2018-04-14 6:54 ` [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle kbuild test robot 2018-04-14 9:45 ` kbuild test robot 2 siblings, 0 replies; 7+ messages in thread From: Arnd Bergmann @ 2018-04-13 14:52 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, Networking, Linux Kernel Mailing List On Fri, Apr 13, 2018 at 3:15 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Mon, Apr 09, 2018 at 04:43:40PM +0200, Arnd Bergmann wrote: >> On Mon, Apr 9, 2018 at 4:37 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: >> > Hi Arnd, >> > >> > On Mon, Apr 09, 2018 at 12:53:12PM +0200, Arnd Bergmann wrote: >> >> We get a new link error with CONFIG_NFT_REJECT_INET=y and CONFIG_NF_REJECT_IPV6=m >> > >> > I think we can update NFT_REJECT_INET so it depends on NFT_REJECT_IPV4 >> > and NFT_REJECT_IPV6. This doesn't allow here CONFIG_NFT_REJECT_INET=y >> > and CONFIG_NF_REJECT_IPV6=m. >> > >> > I mean, just like we do with NFT_FIB_INET. >> >> That can only work if NFT_REJECT_INET can be made a 'tristate' symbol >> again, so that code gets built as a loadable module if >> CONFIG_NF_REJECT_IPV6=m. >> >> > BTW, I think this problem has been is not related to the recent patch, >> > but something older that kbuild robot has triggered more easily for >> > some reason? >> >> 02c7b25e5f54 is the one that turned NF_TABLES_INET into a 'bool' >> symbol. NFT_REJECT depends on NF_TABLES_INET, so it used to >> restricted to a loadable module with IPV6=m, but can now be >> built-in, which causes that link error. > > Still one more spin on this, I would like to see if we have a way to > fix this by simplifing things a bit. > > Would this one I'm attaching would work? One disadvantage is that it makes the vmlinux bigger since NF_REJECT_IPV{4,6} can no longer be a module at all now. I suspect you also stil get a link error with IPV6=m, this time because the nf_reject_ipv6.o file fails to link against the ipv6 code, e.g. ipv6_skip_exthdr() and icmpv6_send() appear to be unreachable here. I haven't tried that though, so I might be missing something. Arnd ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle 2018-04-13 13:15 ` Pablo Neira Ayuso 2018-04-13 14:52 ` Arnd Bergmann @ 2018-04-14 6:54 ` kbuild test robot 2018-04-14 9:45 ` kbuild test robot 2 siblings, 0 replies; 7+ messages in thread From: kbuild test robot @ 2018-04-14 6:54 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: kbuild-all, Arnd Bergmann, Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, Networking, Linux Kernel Mailing List [-- Attachment #1: Type: text/plain, Size: 1446 bytes --] Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] [also build test ERROR on v4.16 next-20180413] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-CONFIG_NF_REJECT_IPV-4-6-becomes-bool-toggle/20180414-101337 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: ia64-allmodconfig (attached as .config) compiler: ia64-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=ia64 All errors (new ones prefixed by >>): net/ipv6/netfilter/nf_reject_ipv6.o: In function `nf_reject_ip6_tcphdr_get': >> nf_reject_ipv6.c:(.text+0x342): undefined reference to `nf_ip6_checksum' net/ipv6/netfilter/nf_reject_ipv6.o: In function `nf_send_reset6': >> nf_reject_ipv6.c:(.text+0xcc2): undefined reference to `ip6_route_output_flags' net/ipv6/netfilter/nf_reject_ipv6.o: In function `nf_send_unreach6': nf_reject_ipv6.c:(.text+0x12b2): undefined reference to `nf_ip6_checksum' --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 50033 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle 2018-04-13 13:15 ` Pablo Neira Ayuso 2018-04-13 14:52 ` Arnd Bergmann 2018-04-14 6:54 ` [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle kbuild test robot @ 2018-04-14 9:45 ` kbuild test robot 2 siblings, 0 replies; 7+ messages in thread From: kbuild test robot @ 2018-04-14 9:45 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: kbuild-all, Arnd Bergmann, Jozsef Kadlecsik, Florian Westphal, David S. Miller, netfilter-devel, coreteam, Networking, Linux Kernel Mailing List [-- Attachment #1: Type: text/plain, Size: 1559 bytes --] Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] [also build test ERROR on v4.16 next-20180413] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-CONFIG_NF_REJECT_IPV-4-6-becomes-bool-toggle/20180414-101337 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: powerpc64-allmodconfig (attached as .config) compiler: powerpc64-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=powerpc64 All error/warnings (new ones prefixed by >>): powerpc64-linux-gnu-ld: warning: orphan section `.gnu.hash' from `linker stubs' being placed in section `.gnu.hash'. net/ipv6/netfilter/nf_reject_ipv6.o: In function `.nf_reject_ip6_tcphdr_get': >> (.text+0x1f0): undefined reference to `.nf_ip6_checksum' net/ipv6/netfilter/nf_reject_ipv6.o: In function `.nf_send_reset6': >> (.text+0x794): undefined reference to `.ip6_route_output_flags' net/ipv6/netfilter/nf_reject_ipv6.o: In function `.nf_send_unreach6': (.text+0xab8): undefined reference to `.nf_ip6_checksum' --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 56409 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-04-14 9:46 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-04-09 10:53 [PATCH] netfilter: fix CONFIG_NF_REJECT_IPV6=m link error Arnd Bergmann 2018-04-09 14:37 ` Pablo Neira Ayuso 2018-04-09 14:43 ` Arnd Bergmann 2018-04-13 13:15 ` Pablo Neira Ayuso 2018-04-13 14:52 ` Arnd Bergmann 2018-04-14 6:54 ` [PATCH] netfilter: CONFIG_NF_REJECT_IPV{4,6} becomes bool toggle kbuild test robot 2018-04-14 9:45 ` kbuild test robot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).