lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Feb 2016 19:14:36 +0100 From: Pablo Neira Ayuso <pablo@...filter.org> To: Arnd Bergmann <arnd@...db.de> Cc: linux-arm-kernel@...ts.infradead.org, Patrick McHardy <kaber@...sh.net>, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, "David S. Miller" <davem@...emloft.net>, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] netfilter: tee: select NF_DUP_IPV6 unconditionally On Fri, Feb 05, 2016 at 10:20:21AM +0100, Arnd Bergmann wrote: > The NETFILTER_XT_TARGET_TEE option selects NF_DUP_IPV6 whenever > IP6_NF_IPTABLES is enabled, and it ensures that it cannot be > builtin itself if NF_CONNTRACK is a loadable module, as that > is a dependency for NF_DUP_IPV6. > > However, NF_DUP_IPV6 can be enabled even if IP6_NF_IPTABLES is > turned off, and it only really depends on IPV6. With the current > check in tee_tg6, we call nf_dup_ipv6() whenever NF_DUP_IPV6 > is enabled. This can however be a loadable module which is > unreachable from a built-in xt_TEE: > > net/built-in.o: In function `tee_tg6': > :(.text+0x67728): undefined reference to `nf_dup_ipv6' > > The bug was originally introduced in the split of the xt_TEE module > into separate modules for ipv4 and ipv6, and two patches tried > to fix it unsuccessfully afterwards. > > This is a revert of the the first incorrect attempt to fix it, > going back to depending on IPV6 as the dependency, and we > adapt the 'select' condition accordingly. Applied, thanks Arnd.
Powered by blists - more mailing lists