lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 03 May 2015 22:18:26 +0800
From:	liusdu <liusdu@....com>
To:	Florian Westphal <fw@...len.de>, Liu Hua <sdu.liu@...wei.com>
CC:	davem@...emloft.net, kadlec@...ckhole.kfki.hu, kaber@...sh.net,
	pablo@...filter.org, netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfilter: fix dependency issues between IPv6 defragmentation
 and ip6tables


On 2015年05月03日 19:07, Florian Westphal wrote:
> Liu Hua <sdu.liu@...wei.com> wrote:
>> commit f6318e558806c925029dc101f14874be9f9fa78f fix some related issue
>> when ip6tables is enabled. But when IP6_NF_IPTABLES is disabled and
>> NETFILTER_XT_TARGET_TPROXY is enabled. We will meet build failure with
>> "net/built-in.o: In function `tproxy_tg_init':
>> net/netfilter/xt_TPROXY.c:588: undefined reference to `nf_defrag_ipv6_enable'
>> "
>> So this patch change the Kconfig as ipv4 does.
>> --- a/net/netfilter/Kconfig
>> +++ b/net/netfilter/Kconfig
>> @@ -865,7 +865,7 @@ config NETFILTER_XT_TARGET_TPROXY
>>   	depends on (IPV6 || IPV6=n)
>>   	depends on IP_NF_MANGLE
>>   	select NF_DEFRAG_IPV4
>> -	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
>> +	select NF_DEFRAG_IPV6
> IP6_NF_IPTABLES
> If IP6_NF_IPTABLES is not set, why would we have to pick
> up IPV6 defragmentation?
>
> Without ip6tables, TPROXY cannot be used for ipv6; in fact;
> xt_TPROXY should be built without ipv6 support in this case.
>
> My guess is that you have TPROXY=y but DEFRAG_IPV6=m, but that
> might warrant a better fix (xt_socket seems to have same issue).
Hi Florian,

Yes, It was exactly what I did.  Actually there is a macro to
determine whether we compile nf_defrag_ipv6_enable or not,
called XT_TPROXY_HAVE_IPV6, which will be set to 1 while
IP6_NF_IPTABLES=y or m.  With the patch below  we can
make the compiling pass. But I am not sure it is good enough
or not.

diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index cca96ce..abbda64 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -24,7 +24,7 @@

  #include <net/netfilter/ipv4/nf_defrag_ipv4.h>

-#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES)
  #define XT_TPROXY_HAVE_IPV6 1
  #include <net/if_inet6.h>
  #include <net/addrconf.h>
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index e092cb0..239fccf 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -21,7 +21,7 @@
  #include <net/inet_sock.h>
  #include <net/netfilter/ipv4/nf_defrag_ipv4.h>

-#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+#if IS_BUILTIN(CONFIG_IP6_NF_IPTABLES)
  #define XT_SOCKET_HAVE_IPV6 1
  #include <linux/netfilter_ipv6/ip6_tables.h>
  #include <net/inet6_hashtables.h>


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists