Message ID | 1395529169-26819-1-git-send-email-fw@strlen.de |
---|---|
State | Deferred |
On Sat, Mar 22, 2014 at 11:59:29PM +0100, Florian Westphal wrote:
> xt_socket.c:(.init.text+0x13d2): undefined reference to `nf_defrag_ipv6_enable'
> xt_TPROXY.c:(.init.text+0x19b5): undefined reference to `nf_defrag_ipv6_enable'
>
> If DEFRAG_IPV6=m we cannot have SOCKET/TPROXY=y.
>
> Reported-by: kbuild test robot <fengguang.wu@intel.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  Technically this patch is bogus, but I couldn't figure out
>  how to express the dependencies in kconfig.
>
>  both already have
>
>  select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
>
>  But it's not enough; it's possible to have
>  CONFIG_NF_DEFRAG_IPV6=m
>  CONFIG_IP6_NF_IPTABLES=m
>  CONFIG_NETFILTER_XT_TARGET_TPROXY=y
>  CONFIG_NETFILTER_XT_MATCH_SOCKET=y
>
>  Which doesn't work as socket/tproxy references symbols
>  from ipv6 defrag.
>
>  cannot add
>  depends on (NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6=n)
>  since that's a recursive dependency.
>
>  Adding a dependency to have m/y depend on IP6_NF_IPTABLES
>  status appears to do the right thing but it's not correct
>  because it also disallows DEFRAG=y, TPROXY=m (which is fine).
>
>  AFAICS this dependency issue has always existed since ipv6
>  support was added to tproxy.

Not your fault, these Kconfig games that we already have to resolve the
IPv6 dependencies are a mess. We should consider splitting this in two
ipt_/ip6t_ modules, but that's a large change just to resolve this.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >  both already have
> >
> >  select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
> >
> >  But it's not enough; it's possible to have
> >  CONFIG_NF_DEFRAG_IPV6=m
> >  CONFIG_IP6_NF_IPTABLES=m
> >  CONFIG_NETFILTER_XT_TARGET_TPROXY=y
> >  CONFIG_NETFILTER_XT_MATCH_SOCKET=y
> >
> >  Which doesn't work as socket/tproxy references symbols
> >  from ipv6 defrag.
> >
> >  cannot add
> >  depends on (NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6=n)
> >  since that's a recursive dependency.
> >
> >  Adding a dependency to have m/y depend on IP6_NF_IPTABLES
> >  status appears to do the right thing but it's not correct
> >  because it also disallows DEFRAG=y, TPROXY=m (which is fine).
> >
> >  AFAICS this dependency issue has always existed since ipv6
> >  support was added to tproxy.
>
> Not your fault, these Kconfig games that we already have to resolve the
> IPv6 dependencies are a mess. We should consider splitting this in two
> ipt_/ip6t_ modules, but that's a large change just to resolve this.

I'll look into a better way to fix it for -next.
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index e9410d1..faca831 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -834,6 +834,7 @@ config NETFILTER_XT_TARGET_TPROXY depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED depends on IP_NF_MANGLE + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES help @@ -1325,6 +1326,7 @@ config NETFILTER_XT_MATCH_SOCKET depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED depends on !NF_CONNTRACK || NF_CONNTRACK + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) depends on (IPV6 || IPV6=n) select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
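Review bot: in the NETFILTER_XT_TARGET_TPROXY hunk, the added "depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)" keys on IP6_NF_IPTABLES, while the undefined symbol in the report comes from NF_DEFRAG_IPV6. With IP6_NF_IPTABLES=m the expression evaluates to m, so TPROXY is capped at m even when NF_DEFRAG_IPV6=y, a combination that would link. If the line goes in as a stopgap, put a "#" comment above it saying it stands in for the NF_DEFRAG_IPV6 linkage, so a later Kconfig cleanup does not drop it as redundant.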
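Review bot: in the NETFILTER_XT_MATCH_SOCKET hunk, the new line sits directly above the existing "depends on (IPV6 || IPV6=n)" and has the same shape, but nothing in the entry says that one guards the IPv6 core and the other is a workaround for the conditional "select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES". The same workaround line is also duplicated verbatim in the TPROXY entry. Add a short "#" comment to both copies that names the nf_defrag_ipv6_enable link failure, so the two stay in sync and can be removed together once the dependency is expressed properly.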
xt_socket.c:(.init.text+0x13d2): undefined reference to `nf_defrag_ipv6_enable'
xt_TPROXY.c:(.init.text+0x19b5): undefined reference to `nf_defrag_ipv6_enable'

If DEFRAG_IPV6=m we cannot have SOCKET/TPROXY=y.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Technically this patch is bogus, but I couldn't figure out
 how to express the dependencies in kconfig.

 both already have

 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES

 But it's not enough; it's possible to have
 CONFIG_NF_DEFRAG_IPV6=m
 CONFIG_IP6_NF_IPTABLES=m
 CONFIG_NETFILTER_XT_TARGET_TPROXY=y
 CONFIG_NETFILTER_XT_MATCH_SOCKET=y

 Which doesn't work as socket/tproxy references symbols
 from ipv6 defrag.

 cannot add
 depends on (NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6=n)
 since that's a recursive dependency.

 Adding a dependency to have m/y depend on IP6_NF_IPTABLES
 status appears to do the right thing but it's not correct
 because it also disallows DEFRAG=y, TPROXY=m (which is fine).

 AFAICS this dependency issue has always existed since ipv6
 support was added to tproxy.
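The tristate reasoning in the commit message above can be checked by enumerating every combination under Kconfig's rules (n < m < y, "||" is max, "select ... if" is a lower bound). This is an added example, not code from the patch or the kernel tree; the function names, the "XT" label standing for TPROXY or SOCKET, and the linking assumption marked in the comments are illustrative.

```python
from itertools import product

N, M, Y = 0, 1, 2  # Kconfig tristate values, ordered n < m < y

def eq_n(x):
    # Kconfig "X=n": y when X is n, otherwise n
    return Y if x == N else N

def xt_limit(ip6t, patched):
    # Added line: depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n); "||" is max
    return max(ip6t, eq_n(ip6t)) if patched else Y

def defrag_value(user_defrag, xt, ip6t):
    # "select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES" forces DEFRAG >= min(xt, ip6t)
    return max(user_defrag, min(xt, ip6t))

def label(ip6t, defrag, xt):
    names = tuple("nmy"[v] for v in (ip6t, defrag, xt))
    return "IP6_NF_IPTABLES=%s NF_DEFRAG_IPV6=%s XT=%s" % names

def survey(patched):
    """Return (broken, lost): selectable configs that fail to link, and
    configs that would link but can no longer be selected."""
    broken, lost = set(), set()
    for ip6t, user_defrag, xt in product((N, M, Y), repeat=3):
        if xt == N:
            continue  # TPROXY/SOCKET disabled, nothing to link
        defrag = defrag_value(user_defrag, xt, ip6t)
        # Assumption (not stated on the page): the xt code only references
        # nf_defrag_ipv6_enable when IP6_NF_IPTABLES is enabled.
        links = not (xt == Y and ip6t != N and defrag == M)
        selectable = xt <= xt_limit(ip6t, patched)
        if selectable and not links:
            broken.add(label(ip6t, defrag, xt))
        if not selectable and links:
            lost.add(label(ip6t, defrag, xt))
    return sorted(broken), sorted(lost)

if __name__ == "__main__":
    for patched in (False, True):
        broken, lost = survey(patched)
        print("patched" if patched else "unpatched", "broken:", broken, "lost:", lost)
```

Under that assumption the model reports one unlinkable configuration before the added line and none after it, at the cost of one linkable configuration that can no longer be selected.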