Date: Sun, 03 May 2015 22:18:26 +0800 From: liusdu <liusdu@....com> To: Florian Westphal <fw@...len.de>, Liu Hua <sdu.liu@...wei.com> CC: davem@...emloft.net, kadlec@...ckhole.kfki.hu, kaber@...sh.net, pablo@...filter.org, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation and ip6tables On 2015年05月03日 19:07, Florian Westphal wrote: > Liu Hua <sdu.liu@...wei.com> wrote: >> commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue >> when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and >> NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with >> "net/built-in.o: In function `tproxy_tg_init': >> net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable' >> " >> So this patch change the Kconfig as ipv4 does. >> --- a/net/netfilter/Kconfig >> +++ b/net/netfilter/Kconfig >> @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY >> depends on (IPV6 || IPV6=n) >> depends on IP_NF_MANGLE >> select NF_DEFRAG_IPV4 >> - select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES >> + select NF_DEFRAG_IPV6 > IP6_NF_IPTABLES > If IP6_NF_IPTABLES is not set, why would we have to pick > up IPV6 defragmentation? > > Without ip6tables, TPROXY cannot be used for ipv6; in fact; > xt_TPROXY should be built without ipv6 support in this case. > > My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that > might warrant a better fix (xt_socket seems to have same issue). Hi Florian, Yes, It was exactly what I did. Actually there is a macro to determine whether we compile nf_defrag_ipv6_enable or not, called XT_TPROXY_HAVE_IPV6, which will be set to 1 while IP6_NF_IPTABLES=y or m. With the patch below we can make the compiling pass. But I am not sure it is good enough or not. diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index cca96ce..abbda64 100644 --- a/net/netfilter/xt_TPROXY.c 
+++ b/net/netfilter/xt_TPROXY.c @@ -24,7 +24,7 @@ #include <net/netfilter/ipv4/nf_defrag_ipv4.h> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) #define XT_TPROXY_HAVE_IPV6 1 #include <net/if_inet6.h> #include <net/addrconf.h> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index e092cb0..239fccf 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c @@ -21,7 +21,7 @@ #include <net/inet_sock.h> #include <net/netfilter/ipv4/nf_defrag_ipv4.h> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES) #define XT_SOCKET_HAVE_IPV6 1 #include <linux/netfilter_ipv6/ip6_tables.h> #include <net/inet6_hashtables.h> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
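Review bot: In the net/netfilter/Kconfig hunk, making `select NF_DEFRAG_IPV6` unconditional does not match the failure the changelog describes. The guard visible in xt_TPROXY.c is `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)`, and the reply says XT_TPROXY_HAVE_IPV6 decides whether nf_defrag_ipv6_enable is compiled in, so with IP6_NF_IPTABLES disabled the reference should not exist at all; the configuration confirmed in the thread is TPROXY=y with IPv6 defragmentation modular. Please put the failing .config values in the changelog. Also, `select` forces a symbol on regardless of that symbol's own dependencies, and the context line `depends on (IPV6 || IPV6=n)` allows IPV6=n, so check that an unconditional select cannot enable IPv6 defragmentation in a kernel built without IPv6.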
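Review bot: In the xt_TPROXY.c hunk, `#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES)` is true only for IP6_NF_IPTABLES=y, so XT_TPROXY_HAVE_IPV6 is no longer defined when ip6tables is a module, and that includes builds where xt_TPROXY is itself a module, which is not the reported failing combination (TPROXY=y). The missing symbol in the report is nf_defrag_ipv6_enable, so the condition should follow how NF_DEFRAG_IPV6 is built relative to xt_TPROXY rather than whether IP6_NF_IPTABLES is built in; resolving this in Kconfig so that the built-in/modular mismatch cannot be configured would keep IPv6 TPROXY available for modular builds. If the preprocessor guard stays, add a comment above it explaining why =m is excluded.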
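Review bot: In the xt_socket.c hunk, the same `IS_ENABLED` to `IS_BUILTIN` switch is applied to XT_SOCKET_HAVE_IPV6, but the message quotes a link error only for tproxy_tg_init in xt_TPROXY.c. State which configuration fails for xt_socket and the error it produces, or split this change into its own patch. The switch also drops IPv6 socket matching whenever IP6_NF_IPTABLES=m, so say so in the changelog if that is intended.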