* [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
@ 2018-07-06 12:37 Arnd Bergmann
2018-07-06 12:45 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Arnd Bergmann @ 2018-07-06 12:37 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, David S. Miller
Cc: Arnd Bergmann, Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
netdev, linux-kernel
With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
error when referencing the NF_DUP_IPV6 module:
net/netfilter/xt_TEE.o: In function `tee_tg6':
xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
that forces NF_DUP_IPV6 to be =m as well rather than setting it
to =y as was intended here. Adding a soft dependency on
IP6_NF_IPTABLES avoids that broken configuration.
Fixes: 35bf1ccecaaa ("netfilter: Kconfig: Change IPv6 select dependencies")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
net/netfilter/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 8aa4883c176a..e42c38c99741 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -985,7 +985,8 @@ config NETFILTER_XT_TARGET_TEE
tristate '"TEE" - packet cloning to alternate destination'
depends on NETFILTER_ADVANCED
depends on IPV6 || IPV6=n
- depends on !NF_CONNTRACK || NF_CONNTRACK
+ depends on NF_CONNTRACK || !NF_CONNTRACK
+ depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
select NF_DUP_IPV4
select NF_DUP_IPV6 if IP6_NF_IPTABLES
---help---
--
2.9.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
2018-07-06 12:37 [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies Arnd Bergmann
@ 2018-07-06 12:45 ` Pablo Neira Ayuso
2018-07-06 12:48 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2018-07-06 12:45 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
netdev, linux-kernel
On Fri, Jul 06, 2018 at 02:37:58PM +0200, Arnd Bergmann wrote:
> With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
> error when referencing the NF_DUP_IPV6 module:
>
> net/netfilter/xt_TEE.o: In function `tee_tg6':
> xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
>
> The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
> that forces NF_DUP_IPV6 to be =m as well rather than setting it
> to =y as was intended here. Adding a soft dependency on
> IP6_NF_IPTABLES avoids that broken configuration.
Applied to nf.git, thanks Arnd.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
2018-07-06 12:45 ` Pablo Neira Ayuso
@ 2018-07-06 12:48 ` Pablo Neira Ayuso
2018-07-06 13:05 ` Arnd Bergmann
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2018-07-06 12:48 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
netdev, linux-kernel
On Fri, Jul 06, 2018 at 02:45:42PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 06, 2018 at 02:37:58PM +0200, Arnd Bergmann wrote:
> > With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
> > error when referencing the NF_DUP_IPV6 module:
> >
> > net/netfilter/xt_TEE.o: In function `tee_tg6':
> > xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
> >
> > The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
> > that forces NF_DUP_IPV6 to be =m as well rather than setting it
> > to =y as was intended here. Adding a soft dependency on
> > IP6_NF_IPTABLES avoids that broken configuration.
>
> Applied to nf.git, thanks Arnd.
Sorry, let me reconsider.
We many need similar patches to other spots in 35bf1ccecaaa ?
If so, it would be good to fix in the one go.
Thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
2018-07-06 12:48 ` Pablo Neira Ayuso
@ 2018-07-06 13:05 ` Arnd Bergmann
2018-07-06 15:54 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Arnd Bergmann @ 2018-07-06 13:05 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
Networking, Linux Kernel Mailing List
On Fri, Jul 6, 2018 at 2:48 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Jul 06, 2018 at 02:45:42PM +0200, Pablo Neira Ayuso wrote:
>> On Fri, Jul 06, 2018 at 02:37:58PM +0200, Arnd Bergmann wrote:
>> > With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
>> > error when referencing the NF_DUP_IPV6 module:
>> >
>> > net/netfilter/xt_TEE.o: In function `tee_tg6':
>> > xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
>> >
>> > The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
>> > that forces NF_DUP_IPV6 to be =m as well rather than setting it
>> > to =y as was intended here. Adding a soft dependency on
>> > IP6_NF_IPTABLES avoids that broken configuration.
>>
>> Applied to nf.git, thanks Arnd.
>
> Sorry, let me reconsider.
>
> We many need similar patches to other spots in 35bf1ccecaaa ?
>
> If so, it would be good to fix in the one go.
I'm fairly sure that NETFILTER_XT_TARGET_LOG is safe, since
NF_LOG_IPV6 already depends on IP6_NF_IPTABLES.
NF_SOCKET_IPV6 like NF_DUP_IPV6 does not depend on
IP6_NF_IPTABLES, so we may have a similar problem there, though
I have not come across that. I have done only a few hundred randconfig
builds since I started yesterday, so I may have missed something,
but I think this is safe because CONFIG_NF_SOCKET_IPV6 is
used like a 'bool' symbol these days, we don't actually control building
a module with it, only a small portion in the nft_socket file.
Arnd
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
2018-07-06 13:05 ` Arnd Bergmann
@ 2018-07-06 15:54 ` Pablo Neira Ayuso
2018-07-09 15:27 ` Arnd Bergmann
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2018-07-06 15:54 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
Networking, Linux Kernel Mailing List
On Fri, Jul 06, 2018 at 03:05:13PM +0200, Arnd Bergmann wrote:
> On Fri, Jul 6, 2018 at 2:48 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Jul 06, 2018 at 02:45:42PM +0200, Pablo Neira Ayuso wrote:
> >> On Fri, Jul 06, 2018 at 02:37:58PM +0200, Arnd Bergmann wrote:
> >> > With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
> >> > error when referencing the NF_DUP_IPV6 module:
> >> >
> >> > net/netfilter/xt_TEE.o: In function `tee_tg6':
> >> > xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
> >> >
> >> > The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
> >> > that forces NF_DUP_IPV6 to be =m as well rather than setting it
> >> > to =y as was intended here. Adding a soft dependency on
> >> > IP6_NF_IPTABLES avoids that broken configuration.
> >>
> >> Applied to nf.git, thanks Arnd.
> >
> > Sorry, let me reconsider.
> >
> > We many need similar patches to other spots in 35bf1ccecaaa ?
> >
> > If so, it would be good to fix in the one go.
>
> I'm fairly sure that NETFILTER_XT_TARGET_LOG is safe, since
> NF_LOG_IPV6 already depends on IP6_NF_IPTABLES.
>
> NF_SOCKET_IPV6 like NF_DUP_IPV6 does not depend on
> IP6_NF_IPTABLES, so we may have a similar problem there, though
> I have not come across that. I have done only a few hundred randconfig
> builds since I started yesterday, so I may have missed something,
> but I think this is safe because CONFIG_NF_SOCKET_IPV6 is
> used like a 'bool' symbol these days, we don't actually control building
> a module with it, only a small portion in the nft_socket file.
Thanks for explaining.
Applied, thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
2018-07-06 15:54 ` Pablo Neira Ayuso
@ 2018-07-09 15:27 ` Arnd Bergmann
0 siblings, 0 replies; 6+ messages in thread
From: Arnd Bergmann @ 2018-07-09 15:27 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
Máté Eckl, Fernando Fernandez Mancera,
Pablo M. Bermudo Garay, Felix Fietkau, netfilter-devel, coreteam,
Networking, Linux Kernel Mailing List
On Fri, Jul 6, 2018 at 5:54 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Jul 06, 2018 at 03:05:13PM +0200, Arnd Bergmann wrote:
>> On Fri, Jul 6, 2018 at 2:48 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Fri, Jul 06, 2018 at 02:45:42PM +0200, Pablo Neira Ayuso wrote:
>> >> On Fri, Jul 06, 2018 at 02:37:58PM +0200, Arnd Bergmann wrote:
>> >> > With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
>> >> > error when referencing the NF_DUP_IPV6 module:
>> >> >
>> >> > net/netfilter/xt_TEE.o: In function `tee_tg6':
>> >> > xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
>> >> >
>> >> > The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
>> >> > that forces NF_DUP_IPV6 to be =m as well rather than setting it
>> >> > to =y as was intended here. Adding a soft dependency on
>> >> > IP6_NF_IPTABLES avoids that broken configuration.
>> >>
>> >> Applied to nf.git, thanks Arnd.
>> >
>> > Sorry, let me reconsider.
>> >
>> > We many need similar patches to other spots in 35bf1ccecaaa ?
>> >
>> > If so, it would be good to fix in the one go.
>>
>> I'm fairly sure that NETFILTER_XT_TARGET_LOG is safe, since
>> NF_LOG_IPV6 already depends on IP6_NF_IPTABLES.
>>
>> NF_SOCKET_IPV6 like NF_DUP_IPV6 does not depend on
>> IP6_NF_IPTABLES, so we may have a similar problem there, though
>> I have not come across that. I have done only a few hundred randconfig
>> builds since I started yesterday, so I may have missed something,
>> but I think this is safe because CONFIG_NF_SOCKET_IPV6 is
>> used like a 'bool' symbol these days, we don't actually control building
>> a module with it, only a small portion in the nft_socket file.
>
> Thanks for explaining.
Unfortunately I came across a related build error that my patch failed
to address. I've sent another patch for that one. Feel free to fold it
into my first patch in case you rebased before you forward the patches
to net-next.
Arnd
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-07-09 15:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-06 12:37 [PATCH net-next] netfilter: fix NETFILTER_XT_TARGET_TEE dependencies Arnd Bergmann
2018-07-06 12:45 ` Pablo Neira Ayuso
2018-07-06 12:48 ` Pablo Neira Ayuso
2018-07-06 13:05 ` Arnd Bergmann
2018-07-06 15:54 ` Pablo Neira Ayuso
2018-07-09 15:27 ` Arnd Bergmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).