Re: [PATCH] netfilter: conntrack: add weak IPV6 dependency

From: Arnd Bergmann
Date: Fri Jul 06 2018 - 10:50:53 EST


On Fri, Jul 6, 2018 at 3:55 PM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Arnd Bergmann <arnd@xxxxxxxx> wrote:
>> Now that the conntrack module contains code for ipv6, we can no longer
>> have it built-in while IPv6 itself is a loadable module:
>>
>> net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
>> nf_conntrack_proto.c:(.text+0x88c): undefined reference to `nf_defrag_ipv6_enable'
>
> AFAICS this is caused by
>
> CONFIG_NF_CONNTRACK=y
> CONFIG_IPV6=m
> CONFIG_NF_DEFRAG_IPV6=m
>
> This is exported via nf_defrag_ipv6.ko.
>
> nf_defrag_ipv6 has an ipv6 dependency, but I think it might be avoidable
> so this would work:
>
> CONFIG_NF_CONNTRACK=y
> CONFIG_NF_DEFRAG_IPV6=y
> CONFIG_IPV6=m

I've tried it like this now:

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 07516d5c2f80..18b9f8f37c97 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -5,10 +5,6 @@
menu "IPv6: Netfilter Configuration"
depends on INET && IPV6 && NETFILTER

-config NF_DEFRAG_IPV6
- tristate
- default n
-
config NF_SOCKET_IPV6
tristate "IPv6 socket lookup support"
help
@@ -352,3 +348,6 @@ endif # IP6_NF_IPTABLES

endmenu

+config NF_DEFRAG_IPV6
+ tristate
+ default n
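Review bot: The NF_DEFRAG_IPV6 entry re-added after `endmenu` no longer inherits the menu's `depends on INET && IPV6 && NETFILTER`, so it carries no dependency of its own and a `select` can set it to y while IPV6=m. The link errors quoted later in this message show nf_conntrack_reasm.o referencing ip6_expire_frag_queue, ip6_frag_init and ip6_rhash_params, so the symbol still needs something that keeps it from being built in when IPV6 is modular, for example staying inside the menu or gaining an explicit `depends on IPV6`. If it has to live outside the menu, a comment saying why would help the next reader.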
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e42c38c99741..51be519a3802 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -49,9 +49,8 @@ config NETFILTER_NETLINK_LOG
config NF_CONNTRACK
tristate "Netfilter connection tracking support"
default m if NETFILTER_ADVANCED=n
- depends on IPV6 || !IPV6
select NF_DEFRAG_IPV4
- select NF_DEFRAG_IPV6 if IPV6
+ select NF_DEFRAG_IPV6 if IPV6 != n
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
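Review bot: Dropping `depends on IPV6 || !IPV6` from NF_CONNTRACK removes the only line in this hunk that keeps NF_CONNTRACK=y from being combined with IPV6=m, and changing the condition to `if IPV6 != n` makes the select force NF_DEFRAG_IPV6 to y in that combination, where the previous `if IPV6` condition limited the selected value to m. Since nf_conntrack_proto.o is reported in this thread as referencing nf_defrag_ipv6_enable and nf_conntrack_l4proto_icmpv6, I would keep the `depends on` line and the original select condition rather than relax both.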

and that resulted in a new build failure:

net/netfilter/nf_conntrack_proto.o:(.rodata+0x788): undefined reference to `nf_conntrack_l4proto_icmpv6'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_expire':
nf_conntrack_reasm.c:(.text+0x2320): undefined reference to `ip6_expire_frag_queue'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_init':
nf_conntrack_reasm.c:(.text+0x2384): undefined reference to `ip6_frag_init'
nf_conntrack_reasm.c:(.text+0x2394): undefined reference to `ip6_frag_init'
nf_conntrack_reasm.c:(.text+0x2398): undefined reference to `ip6_rhash_params'
net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_expire':
nf_conntrack_reasm.c:(.text+0x10bc): undefined reference to `ip6_expire_frag_queue'

I don't think we can get CONFIG_NF_DEFRAG_IPV6=y to work with IPV6=m.

Arnd