Date:   Fri, 6 Jul 2018 16:50:45 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     Florian Westphal <fw@...len.de>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
        "David S. Miller" <davem@...emloft.net>,
        Máté Eckl <ecklm94@...il.com>,
        Fernando Fernandez Mancera <ffmancera@...eup.net>,
        "Pablo M. Bermudo Garay" <pablombg@...il.com>,
        Felix Fietkau <nbd@....name>, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, Networking <netdev@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] netfilter: conntrack: add weak IPV6 dependency

On Fri, Jul 6, 2018 at 3:55 PM, Florian Westphal <fw@...len.de> wrote:
> Arnd Bergmann <arnd@...db.de> wrote:
>> Now that the conntrack module contains code for ipv6, we can no longer
>> have it built-in while IPv6 itself is a loadable module:
>>
>> net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
>> nf_conntrack_proto.c:(.text+0x88c): undefined reference to `nf_defrag_ipv6_enable'
>
> AFAICS this is caused by
>
> CONFIG_NF_CONNTRACK=y
> CONFIG_IPV6=m
> CONFIG_NF_DEFRAG_IPV6=m
>
> This is exported via nf_defrag_ipv6.ko.
>
> nf_defrag_ipv6 has an ipv6 dependency, but I think it might be avoidable
> so this would work:
>
> CONFIG_NF_CONNTRACK=y
> CONFIG_NF_DEFRAG_IPV6=y
> CONFIG_IPV6=m

I've tried it like this now:

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 07516d5c2f80..18b9f8f37c97 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -5,10 +5,6 @@
 menu "IPv6: Netfilter Configuration"
        depends on INET && IPV6 && NETFILTER

-config NF_DEFRAG_IPV6
-       tristate
-       default n
-
 config NF_SOCKET_IPV6
        tristate "IPv6 socket lookup support"
        help
@@ -352,3 +348,6 @@ endif # IP6_NF_IPTABLES

 endmenu

+config NF_DEFRAG_IPV6
+       tristate
+       default n
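
Review bot: The `config NF_DEFRAG_IPV6` entry added after `endmenu` no longer inherits the menu's `depends on INET && IPV6 && NETFILTER`, so nothing in this file limits it to `m` when IPV6 is a module. Add a comment above the entry saying why it has to sit outside the menu, and say in the changelog which of the three menu dependencies the symbol is meant to lose.
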
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e42c38c99741..51be519a3802 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -49,9 +49,8 @@ config NETFILTER_NETLINK_LOG
 config NF_CONNTRACK
        tristate "Netfilter connection tracking support"
        default m if NETFILTER_ADVANCED=n
-       depends on IPV6 || !IPV6
        select NF_DEFRAG_IPV4
-       select NF_DEFRAG_IPV6 if IPV6
+       select NF_DEFRAG_IPV6 if IPV6 != n
        help
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are related
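
Review bot: Removing `depends on IPV6 || !IPV6` from NF_CONNTRACK takes away the only line in this entry that stops NF_CONNTRACK=y while IPV6=m, and `select NF_DEFRAG_IPV6 if IPV6 != n` then forces NF_DEFRAG_IPV6 to `y` in that configuration, because the comparison evaluates to `y` rather than `m`. Keep the `depends on` line together with the original `select NF_DEFRAG_IPV6 if IPV6`, or explain in the changelog why a built-in NF_DEFRAG_IPV6 is expected to link against a modular IPv6.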

and that resulted in a new build failure:

net/netfilter/nf_conntrack_proto.o:(.rodata+0x788): undefined
reference to `nf_conntrack_l4proto_icmpv6'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_expire':
nf_conntrack_reasm.c:(.text+0x2320): undefined reference to
`ip6_expire_frag_queue'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_init':
nf_conntrack_reasm.c:(.text+0x2384): undefined reference to `ip6_frag_init'
nf_conntrack_reasm.c:(.text+0x2394): undefined reference to `ip6_frag_init'
nf_conntrack_reasm.c:(.text+0x2398): undefined reference to `ip6_rhash_params'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_expire':
nf_conntrack_reasm.c:(.text+0x10bc): undefined reference to
`ip6_expire_frag_queue'

I don't think we can get CONFIG_NF_DEFRAG_IPV6=y to work with IPV6=m.

      Arnd
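
The three configurations discussed in this message can be checked with a small model of Kconfig's tristate rules. This is an added example, not part of the original message and not the kernel's own Kconfig code; the function names are hypothetical, and the `links` flag assumes only what the two linker logs above show (built-in code cannot reference symbols that live in a module).

```python
# Kconfig tristate values are ordered n < m < y.
N, M, Y = 0, 1, 2
NAME = {N: "n", M: "m", Y: "y"}

def t_not(a):
    return Y - a                      # !n is y, !m is m, !y is n

def weak_dep_limit(ipv6):
    # "depends on IPV6 || !IPV6": OR is max(); the result caps the symbol.
    return max(ipv6, t_not(ipv6))

def select_floor(selector, ipv6, cond):
    # "select X if <cond>" raises X to at least min(selector, cond).
    # A comparison such as "IPV6 != n" can only evaluate to y or n.
    guard = ipv6 if cond == "IPV6" else (Y if ipv6 != N else N)
    return min(selector, guard)

def resolve(ipv6, weak_dep, cond, want=Y):
    """Return (NF_CONNTRACK, NF_DEFRAG_IPV6, links) for a requested value."""
    conntrack = min(want, weak_dep_limit(ipv6)) if weak_dep else want
    # NF_DEFRAG_IPV6 has no prompt and "default n", so select alone sets it.
    defrag = select_floor(conntrack, ipv6, cond)
    # Built-in conntrack needs built-in defrag; built-in defrag needs
    # built-in IPv6 (the two undefined-reference logs in the message).
    links = not (conntrack == Y and defrag == M) and not (defrag == Y and ipv6 == M)
    return NAME[conntrack], NAME[defrag], links

if __name__ == "__main__":
    cases = [
        ("no weak dep, select ... if IPV6     ", (M, False, "IPV6")),
        ("weak dep,    select ... if IPV6     ", (M, True, "IPV6")),
        ("no weak dep, select ... if IPV6 != n", (M, False, "IPV6 != n")),
    ]
    for label, args in cases:
        print(label, "->", resolve(*args))
```

With IPV6=m, only the variant that keeps `depends on IPV6 || !IPV6` resolves to a linkable configuration, by capping NF_CONNTRACK at `m`.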
