From patchwork Sat Mar 22 22:59:29 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 332847
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 5704D2C0081 for ; Sun, 23 Mar 2014 10:03:55 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751424AbaCVXDy (ORCPT ); Sat, 22 Mar 2014 19:03:54 -0400
Received: from Chamillionaire.breakpoint.cc ([80.244.247.6]:49229 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750866AbaCVXDy (ORCPT ); Sat, 22 Mar 2014 19:03:54 -0400
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.80) (envelope-from ) id 1WRUxE-0001Eq-KM; Sun, 23 Mar 2014 00:03:52 +0100
From: Florian Westphal
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [PATCH] netfilter: disallow builtin socket/tproxy with modular ipv6 defrag
Date: Sat, 22 Mar 2014 23:59:29 +0100
Message-Id: <1395529169-26819-1-git-send-email-fw@strlen.de>
X-Mailer: git-send-email 1.8.1.5
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

xt_socket.c:(.init.text+0x13d2): undefined reference to `nf_defrag_ipv6_enable'
xt_TPROXY.c:(.init.text+0x19b5): undefined reference to `nf_defrag_ipv6_enable'

If DEFRAG_IPV6=m we cannot have SOCKET/TPROXY=y.

Reported-by: kbuild test robot 
Signed-off-by: Florian Westphal
---
Technically this patch is bogus, but I couldn't figure out how to express the dependencies in kconfig.

Both already have

  select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES

But it's not enough; it's possible to have

  CONFIG_NF_DEFRAG_IPV6=m
  CONFIG_IP6_NF_IPTABLES=m
  CONFIG_NETFILTER_XT_TARGET_TPROXY=y
  CONFIG_NETFILTER_XT_MATCH_SOCKET=y

Which doesn't work as socket/tproxy references symbols from ipv6 defrag.

Cannot add

  depends on (NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6=n)

since that's a recursive dependency.

Adding a dependency to have m/y depend on IP6_NF_IPTABLES status appears to do the right thing but it's not correct because it also disallows DEFRAG=y, TPROXY=m (which is fine).

AFAICS this dependency issue has always existed since ipv6 support was added to tproxy.

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index e9410d1..faca831 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -834,6 +834,7 @@ config NETFILTER_XT_TARGET_TPROXY depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED depends on IP_NF_MANGLE + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES help @@ -1325,6 +1326,7 @@ config NETFILTER_XT_MATCH_SOCKET depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED depends on !NF_CONNTRACK || NF_CONNTRACK + depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) depends on (IPV6 || IPV6=n) select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
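
Review bot: In the NETFILTER_XT_TARGET_TPROXY hunk, the new "depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)" constrains the wrong symbol and the rationale for accepting that is not recorded anywhere that survives the commit. The unresolved reference in the commit message is nf_defrag_ipv6_enable, which belongs to NF_DEFRAG_IPV6, yet the added line caps TPROXY at "m" whenever IP6_NF_IPTABLES=m, regardless of how NF_DEFRAG_IPV6 itself is set. The explanation of why a direct dependency on NF_DEFRAG_IPV6 is not possible (recursive dependency with the existing "select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES") sits below the "---" and is dropped when the patch is applied. Please move that reasoning, including the known over-restriction, into the commit message above the sign-off.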
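
Review bot: In the NETFILTER_XT_MATCH_SOCKET hunk, the added "depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)" lands directly above "depends on (IPV6 || IPV6=n)" with nothing to say why both are needed. The two lines use the same idiom, and the new one also looks redundant next to "select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES" two lines further down, so a later cleanup could remove it and bring back the link failure on nf_defrag_ipv6_enable. A one-line Kconfig comment above the new dependency, stating that it prevents a built-in xt_socket when the IPv6 defrag code is modular, would make the intent clear. The same comment would fit the TPROXY entry.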