Easy network (config) breakage with 3.17-rc1: NETFILTER_XT_TARGET_LOG

Message ID: 20140824132801.GA11927@salvia
State: RFC
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso Aug. 24, 2014, 1:28 p.m. UTC
On Fri, Aug 22, 2014 at 08:01:12PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Aug 21, 2014 at 12:49:33PM +0200, Rafał Miłecki wrote:
> > A few days ago I updated my 3.16 to 3.17-rc1 (both self compiled) and I
> > was using it until I noticed my machine doesn't respond to pings. I
> > rebooted to 3.16 and it was working again.
> > 
> > I bisected between 3.16 and 3.17-rc1 but it has failed. After all I
> > got 3.16 not working anymore as well.
> > 
> > It took me a few hours to find the one to blame:
> > CONFIG_NETFILTER_XT_TARGET_LOG. After moving my config from 3.16 to
> > 3.17-rc1 CONFIG_NETFILTER_XT_TARGET_LOG got disabled because of two
> > new dependencies: NF_LOG_IPV4 && NF_LOG_IPV6.
> > 
> > It would be nice if you could try to use "select" instead of "depends
> > on" in such cases in the future. I bet fixing my problem would be trivial
> > since the beginning, but end-users may spend hours or days tracking
> > such things :(
> 
> Sorry for that Kconfig problem. Please, have a look at the attached
> patch and confirm that it fixes the problem. At quick glance I think
> it's safe to use select in this case.

I'm just looking at this again.

We cannot select NF_LOG_IPV6. This is going to break if IPV6 is not
enabled.

I can just relax this to avoid the dependency with NF_LOG_IPV4 and
NF_LOG_IPV6 so CONFIG_NETFILTER_XT_TARGET_LOG will still be selected
if no NF_LOG_IP* is set (see patch attached).

However, those new modules are really required to get this working, if
they are not present, iptables ... -j LOG will fail with -ENOENT since
the protocol logger won't be available.

Comments

Rafał Miłecki Aug. 29, 2014, 7:04 a.m. UTC | #1
On 24 August 2014 15:28, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Aug 22, 2014 at 08:01:12PM +0200, Pablo Neira Ayuso wrote:
>> On Thu, Aug 21, 2014 at 12:49:33PM +0200, Rafał Miłecki wrote:
>> > A few days ago I updated my 3.16 to 3.17-rc1 (both self compiled) and I
>> > was using it until I noticed my machine doesn't respond to pings. I
>> > rebooted to 3.16 and it was working again.
>> >
>> > I bisected between 3.16 and 3.17-rc1 but it has failed. After all I
>> > got 3.16 not working anymore as well.
>> >
>> > It took me a few hours to find the one to blame:
>> > CONFIG_NETFILTER_XT_TARGET_LOG. After moving my config from 3.16 to
>> > 3.17-rc1 CONFIG_NETFILTER_XT_TARGET_LOG got disabled because of two
>> > new dependencies: NF_LOG_IPV4 && NF_LOG_IPV6.
>> >
>> > It would be nice if you could try to use "select" instead of "depends
>> > on" in such cases in the future. I bet fixing my problem would be trivial
>> > since the beginning, but end-users may spend hours or days tracking
>> > such things :(
>>
>> Sorry for that Kconfig problem. Please, have a look at the attached
>> patch and confirm that it fixes the problem. At quick glance I think
>> it's safe to use select in this case.
>
> I'm just looking at this again.
>
> We cannot select NF_LOG_IPV6. This is going to break if IPV6 is not
> enabled.
>
> I can just relax this to avoid the dependency with NF_LOG_IPV4 and
> NF_LOG_IPV6 so CONFIG_NETFILTER_XT_TARGET_LOG will still be selected
> if no NF_LOG_IP* is set (see patch attached).
>
> However, those new modules are really required to get this working, if
> they are not present, iptables ... -j LOG will fail with -ENOENT since
> the protocol logger won't be available.

Well, with the attached patch, after moving from 3.16 to 3.17-rc1+ I get:
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NF_LOG_IPV4 is not set

I've just noticed there used to be "select"s, but they were removed in
c1878869c0c8e0def3df5397155f369442ce4e06
netfilter: fix several Kconfig problems in NF_LOG_*

Could this be solved with some conditional selects? Something like:
	select NF_LOG
	select NF_LOG_IPV4
	select NF_LOG_IPV6 if IPV6
maybe?
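
As an added example (not part of the thread or the kernel tree), a check to run after carrying a .config forward to a new kernel: it lists symbols that were silently dropped and reports a LOG target built without the protocol loggers that the thread says `-j LOG` needs. The sample configs are constructed, and requiring NF_LOG_IPV6 only when IPV6 is enabled is an assumption taken from the conditional select suggested in the reply above.

```python
import re

# Constructed samples (not from the thread): a config carried over from an older
# kernel, and the result on a kernel where the LOG target has no loggers enabled.
OLD_CONFIG = "CONFIG_IPV6=y\nCONFIG_NETFILTER_XT_TARGET_LOG=m\n"
NEW_CONFIG = (
    "CONFIG_IPV6=y\n"
    "CONFIG_NETFILTER_XT_TARGET_LOG=m\n"
    "# CONFIG_NF_LOG_IPV4 is not set\n"
    "# CONFIG_NF_LOG_IPV6 is not set\n"
)

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines are recorded as 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def enabled(cfg, sym):
    """True if the symbol is built in (y) or built as a module (m)."""
    return cfg.get(sym, "n") in ("y", "m")

def missing_log_backends(cfg):
    """Protocol loggers the LOG target needs but this config does not build."""
    if not enabled(cfg, "NETFILTER_XT_TARGET_LOG"):
        return []
    needed = ["NF_LOG_IPV4"]
    if enabled(cfg, "IPV6"):  # assumption: IPv6 logger only matters with IPV6
        needed.append("NF_LOG_IPV6")
    return [s for s in needed if not enabled(cfg, s)]

def dropped_symbols(old, new):
    """Symbols enabled in the old config that are off or absent in the new one."""
    return sorted(s for s in old if enabled(old, s) and not enabled(new, s))

if __name__ == "__main__":
    new = parse_config(NEW_CONFIG)
    print("dropped:", dropped_symbols(parse_config(OLD_CONFIG), new))
    print("LOG target lacks:", missing_log_backends(new))
```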
Patch

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 05eb177..9b57bc0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -747,7 +747,6 @@  config NETFILTER_XT_TARGET_LED
 
 config NETFILTER_XT_TARGET_LOG
 	tristate "LOG target support"
-	depends on NF_LOG_IPV4 && NF_LOG_IPV6
 	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `LOG' target, which allows you to create rules in
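
Review bot: Removing `depends on NF_LOG_IPV4 && NF_LOG_IPV6` from NETFILTER_XT_TARGET_LOG with nothing in its place lets the target build without any protocol logger, and `default m if NETFILTER_ADVANCED=n` still turns the target on while nothing in this entry turns the loggers on. Per the commit message, a `-j LOG` rule then fails with -ENOENT, so a ruleset that depends on LOG for its audit trail breaks at load time instead of at config time. Suggest expressing the requirement instead of dropping it, e.g. `select NF_LOG_IPV4` and `select NF_LOG_IPV6 if IPV6` as proposed in the reply, or at minimum say in the help text that NF_LOG_IPV4/NF_LOG_IPV6 must be enabled for the target to work.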