From patchwork Fri Jan 19 19:10:23 2018
X-Patchwork-Id: 125214
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 14/32] netfilter: improve flow table Kconfig dependencies
Date: Fri, 19 Jan 2018 20:10:23 +0100
Message-Id: <20180119191041.25804-15-pablo@netfilter.org>

From: Arnd Bergmann

The newly added NF_FLOW_TABLE options cause some build failures in
randconfig kernels:

- when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but
  NF_FLOW_TABLE is built-in:

  In file included from net/netfilter/nf_flow_table.c:8:0:
  include/net/netfilter/nf_conntrack.h:59:22: error: field 'ct_general' has incomplete type
    struct nf_conntrack ct_general;
  include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
  include/net/netfilter/nf_conntrack.h:148:15: error: 'const struct sk_buff' has no member named '_nfct'
  include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
  include/net/netfilter/nf_conntrack.h:157:2: error: implicit declaration of function 'nf_conntrack_put'; did you mean 'nf_ct_put'? [-Werror=implicit-function-declaration]
  net/netfilter/nf_flow_table.o: In function `nf_flow_offload_work_gc':
  (.text+0x1540): undefined reference to `nf_ct_delete'

- when CONFIG_NF_TABLES is disabled:

  In file included from net/ipv6/netfilter/nf_flow_table_ipv6.c:13:0:
  include/net/netfilter/nf_tables.h: In function 'nft_gencursor_next':
  include/net/netfilter/nf_tables.h:1189:14: error: 'const struct net' has no member named 'nft'; did you mean 'nf'?

- when CONFIG_NF_FLOW_TABLE_INET is enabled, but NF_FLOW_TABLE_IPV4
  or NF_FLOW_TABLE_IPV6 are not, or are loadable modules

  net/netfilter/nf_flow_table_inet.o: In function `nf_flow_offload_inet_hook':
  nf_flow_table_inet.c:(.text+0x94): undefined reference to `nf_flow_offload_ipv6_hook'
  nf_flow_table_inet.c:(.text+0x40): undefined reference to `nf_flow_offload_ip_hook'

- when CONFIG_NF_FLOW_TABLES is disabled, but the other options are
  enabled:

  net/netfilter/nf_flow_table_inet.o: In function `nf_flow_offload_inet_hook':
  nf_flow_table_inet.c:(.text+0x6c): undefined reference to `nf_flow_offload_ipv6_hook'
  net/netfilter/nf_flow_table_inet.o: In function `nf_flow_inet_module_exit':
  nf_flow_table_inet.c:(.exit.text+0x8): undefined reference to `nft_unregister_flowtable_type'
  net/netfilter/nf_flow_table_inet.o: In function `nf_flow_inet_module_init':
  nf_flow_table_inet.c:(.init.text+0x8): undefined reference to `nft_register_flowtable_type'
  net/ipv4/netfilter/nf_flow_table_ipv4.o: In function `nf_flow_ipv4_module_exit':
  nf_flow_table_ipv4.c:(.exit.text+0x8): undefined reference to `nft_unregister_flowtable_type'
  net/ipv4/netfilter/nf_flow_table_ipv4.o: In function `nf_flow_ipv4_module_init':
  nf_flow_table_ipv4.c:(.init.text+0x8): undefined reference to `nft_register_flowtable_type'

This adds additional Kconfig dependencies to ensure that NF_CONNTRACK and
NF_TABLES are always visible from NF_FLOW_TABLE, and that the internal
dependencies between the four new modules are met.

Fixes: 7c23b629a808 ("netfilter: flow table support for the mixed IPv4/IPv6 family")
Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso
---
 net/ipv4/netfilter/Kconfig | 3 ++-
 net/ipv6/netfilter/Kconfig | 3 ++-
 net/netfilter/Kconfig      | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

--
2.11.0

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 7d5d444964aa..3ad46a90b0fc 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -79,8 +79,9 @@ config NF_TABLES_ARP endif # NF_TABLES config NF_FLOW_TABLE_IPV4 - select NF_FLOW_TABLE tristate "Netfilter flow table IPv4 module" + depends on NF_CONNTRACK && NF_TABLES + select NF_FLOW_TABLE help This option adds the flow table IPv4 support. diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index b6f5edf926d2..4a634b7a2c80 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -72,8 +72,9 @@ endif # NF_TABLES_IPV6 endif # NF_TABLES config NF_FLOW_TABLE_IPV6 - select NF_FLOW_TABLE tristate "Netfilter flow table IPv6 module" + depends on NF_CONNTRACK && NF_TABLES + select NF_FLOW_TABLE help This option adds the flow table IPv6 support. diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 0ee0fcf3abbf..ea447826e127 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -665,8 +665,9 @@ endif # NF_TABLES_NETDEV endif # NF_TABLES config NF_FLOW_TABLE_INET - select NF_FLOW_TABLE tristate "Netfilter flow table mixed IPv4/IPv6 module" + depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6 + select NF_FLOW_TABLE help This option adds the flow table mixed IPv4/IPv6 support. 
@@ -674,6 +675,7 @@ config NF_FLOW_TABLE_INET config NF_FLOW_TABLE tristate "Netfilter flow table module" + depends on NF_CONNTRACK && NF_TABLES help This option adds the flow table core infrastructure.
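
Review bot: in the NF_FLOW_TABLE_IPV4 and NF_FLOW_TABLE_IPV6 hunks the new "depends on NF_CONNTRACK && NF_TABLES" repeats the expression that the last hunk adds to NF_FLOW_TABLE itself, which is needed because "select NF_FLOW_TABLE" forces the symbol on without evaluating its own dependencies. That leaves three copies of the same expression to keep in sync. Either say so in a comment next to each select, or replace the selects with "depends on NF_FLOW_TABLE" so the list lives in one place.
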
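
Review bot: in the NF_FLOW_TABLE_INET hunk, "select NF_FLOW_TABLE" becomes redundant once the entry depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6, because both of those entries already select NF_FLOW_TABLE. Dropping it would leave one fewer select to audit. The commit message could also state that, with all of these symbols being tristate, the new dependency limits NF_FLOW_TABLE_INET to the lower of the two values, which is what covers the "or are loadable modules" case.
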
From patchwork Fri Jan 19 19:10:26 2018
X-Patchwork-Id: 125213
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 17/32] netfilter: nf_tables: flow_offload depends on flow_table
Date: Fri, 19 Jan 2018 20:10:26 +0100
Message-Id: <20180119191041.25804-18-pablo@netfilter.org>

From: Arnd Bergmann

Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces
a link error:

net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'
net/netfilter/nft_flow_offload.o: In function `flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0x160): undefined reference to `flow_offload_dead'
net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_eval':
nft_flow_offload.c:(.text+0xc4c): undefined reference to `flow_offload_alloc'
nft_flow_offload.c:(.text+0xc64): undefined reference to `flow_offload_add'
nft_flow_offload.c:(.text+0xc94): undefined reference to `flow_offload_free'

This adds a Kconfig dependency for it.

Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.11.0

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ea447826e127..9019fa98003d 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -506,7 +506,7 @@ config NFT_CT connection tracking information such as the flow state. config NFT_FLOW_OFFLOAD - depends on NF_CONNTRACK + depends on NF_CONNTRACK && NF_FLOW_TABLE tristate "Netfilter nf_tables hardware flow offload module" help This option adds the "flow_offload" expression that you can use to
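
Review bot: in the NFT_FLOW_OFFLOAD entry the "depends on" line still sits above the "tristate" prompt, while patch 14 of this series reordered the flow table entries so that "tristate" comes first; moving the dependency below the prompt here would keep the file consistent. Since patch 14 also makes NF_FLOW_TABLE depend on NF_CONNTRACK && NF_TABLES, "depends on NF_FLOW_TABLE" alone would express the same requirement.
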
From patchwork Fri Jan 19 19:10:29 2018
X-Patchwork-Id: 125212
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 20/32] netfilter: nf_defrag: mark xt_table structures 'const' again
Date: Fri, 19 Jan 2018 20:10:29 +0100
Message-Id: <20180119191041.25804-21-pablo@netfilter.org>

From: Arnd Bergmann

As a side-effect of adding the module option, we now get a section
mismatch warning:

WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init()
The variable packet_raw references
the function __init iptable_raw_table_init()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console

Apparently it's ok to link to a __net_init function from .rodata but not
from .data. We can address this by rearranging the logic so that the
structure is read-only again. Instead of writing to the .priority field
later, we have extra copies of the structure with that flag. An added
advantage is that we don't have writable function pointers with this
approach.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/iptable_raw.c | 24 +++++++++++++++++++----- net/ipv6/netfilter/ip6table_raw.c | 24 +++++++++++++++++++----- 2 files changed, 38 insertions(+), 10 deletions(-) -- 2.11.0 diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index 29b64d3024e0..960625aabf04 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c @@ -17,7 +17,7 @@ static bool raw_before_defrag __read_mostly; MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag"); module_param(raw_before_defrag, bool, 0000); -static struct xt_table packet_raw = { +static const struct xt_table packet_raw = { .name = "raw", .valid_hooks = RAW_VALID_HOOKS, .me = THIS_MODULE, @@ -26,6 +26,15 @@ static struct xt_table packet_raw = { .table_init = iptable_raw_table_init, }; +static const struct xt_table packet_raw_before_defrag = { + .name = "raw", + .valid_hooks = RAW_VALID_HOOKS, + .me = THIS_MODULE, + .af = NFPROTO_IPV4, + .priority = NF_IP_PRI_RAW_BEFORE_DEFRAG, + .table_init = iptable_raw_table_init, +}; + /* The work comes in here from netfilter.c. */ static unsigned int iptable_raw_hook(void *priv, struct sk_buff *skb, @@ -39,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly; static int __net_init iptable_raw_table_init(struct net *net) { struct ipt_replace *repl; + const struct xt_table *table = &packet_raw; int ret; + if (raw_before_defrag) + table = &packet_raw_before_defrag; + if (net->ipv4.iptable_raw) return 0; - repl = ipt_alloc_initial_table(&packet_raw); + repl = ipt_alloc_initial_table(table); if (repl == NULL) return -ENOMEM; - ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops, + ret = ipt_register_table(net, table, repl, rawtable_ops, &net->ipv4.iptable_raw); kfree(repl); return ret; 
@@ -68,14 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = { static int __init iptable_raw_init(void) { int ret; + const struct xt_table *table = &packet_raw; if (raw_before_defrag) { - packet_raw.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG; + table = &packet_raw_before_defrag; pr_info("Enabling raw table before defrag\n"); } - rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook); + rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook); if (IS_ERR(rawtable_ops)) return PTR_ERR(rawtable_ops); diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 3df7383f96d0..710fa0806c37 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c @@ -16,7 +16,7 @@ static bool raw_before_defrag __read_mostly; MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag"); module_param(raw_before_defrag, bool, 0000); -static struct xt_table packet_raw = { +static const struct xt_table packet_raw = { .name = "raw", .valid_hooks = RAW_VALID_HOOKS, .me = THIS_MODULE, @@ -25,6 +25,15 @@ static struct xt_table packet_raw = { .table_init = ip6table_raw_table_init, }; +static const struct xt_table packet_raw_before_defrag = { + .name = "raw", + .valid_hooks = RAW_VALID_HOOKS, + .me = THIS_MODULE, + .af = NFPROTO_IPV6, + .priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG, + .table_init = ip6table_raw_table_init, +}; + /* The work comes in here from netfilter.c. */ static unsigned int ip6table_raw_hook(void *priv, struct sk_buff *skb, 
@@ -38,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly; static int __net_init ip6table_raw_table_init(struct net *net) { struct ip6t_replace *repl; + const struct xt_table *table = &packet_raw; int ret; + if (raw_before_defrag) + table = &packet_raw_before_defrag; + if (net->ipv6.ip6table_raw) return 0; - repl = ip6t_alloc_initial_table(&packet_raw); + repl = ip6t_alloc_initial_table(table); if (repl == NULL) return -ENOMEM; - ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops, + ret = ip6t_register_table(net, table, repl, rawtable_ops, &net->ipv6.ip6table_raw); kfree(repl); return ret; 
@@ -67,15 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = { static int __init ip6table_raw_init(void) { int ret; + const struct xt_table *table = &packet_raw; if (raw_before_defrag) { - packet_raw.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG; + table = &packet_raw_before_defrag; pr_info("Enabling raw table before defrag\n"); } /* Register hooks */ - rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook); + rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook); if (IS_ERR(rawtable_ops)) return PTR_ERR(rawtable_ops);
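
Review bot: packet_raw_before_defrag, added in both iptable_raw.c and ip6table_raw.c, repeats every initializer of packet_raw except .priority, so a later change to one table can silently miss the other. A comment tying the two definitions together, or a small initializer macro that takes the priority as its argument, would keep them in step while preserving the const qualifier that takes the .table_init pointer out of writable data.
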
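
Review bot: the raw_before_defrag test is now made twice in each file, once in iptable_raw_init() before xt_hook_ops_alloc() and again in iptable_raw_table_init() before ipt_alloc_initial_table() and ipt_register_table(), and likewise in the ip6table functions. The hook ops and the registered table have to come from the same structure, so a single helper that returns the const struct xt_table pointer, called from both places, would remove the chance of the two selections diverging. The module_param permission of 0000 is what keeps the value stable between the two calls, and that deserves a one-line comment.
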
From patchwork Fri Jan 19 19:10:30 2018
X-Patchwork-Id: 125211
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 21/32] netfilter: nf_defrag: move NF_CONNTRACK bits into #ifdef
Date: Fri, 19 Jan 2018 20:10:30 +0100
Message-Id: <20180119191041.25804-22-pablo@netfilter.org>

From: Arnd Bergmann

We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
disabled:

net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c: In function 'ipv6_defrag':
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'

Both functions already have an #ifdef for this, so let's move the check
in there.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso
---
 net/ipv4/netfilter/nf_defrag_ipv4.c       | 4 +++-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

--
2.11.0

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index cbd987f6b1f8..a0d3ad60a411 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -78,9 +78,11 @@ static unsigned int ipv4_conntrack_defrag(void *priv, if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb))) return NF_ACCEPT; #endif + if (skb->_nfct == IP_CT_UNTRACKED) + return NF_ACCEPT; #endif /* Gather fragments. */ - if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb))) { + if (ip_is_fragment(ip_hdr(skb))) { enum ip_defrag_users user = nf_ct_defrag_user(state->hook, skb); diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c index 87b503a8f5ef..c87b48359e8f 100644 --- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c @@ -63,10 +63,10 @@ static unsigned int ipv6_defrag(void *priv, /* Previously seen (loopback)? */ if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb))) return NF_ACCEPT; -#endif if (skb->_nfct == IP_CT_UNTRACKED) return NF_ACCEPT; +#endif err = nf_ct_frag6_gather(state->net, skb, nf_ct6_defrag_user(state->hook, skb));
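
Review bot: in ipv4_conntrack_defrag() the new check lands between two bare "#endif" lines, so it is only correct if the outer block is the CONFIG_NF_CONNTRACK guard, and the hunk context does not show which condition each one closes. Annotating both with a trailing comment naming the condition would make that visible. The hunk also turns the untracked case into an early "return NF_ACCEPT" where the old code only skipped the fragment gather; the commit message should say that the two are meant to be equivalent.
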
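
Review bot: in ipv6_defrag() the check that now moves inside the guard reads skb->_nfct directly, while the test just above it goes through skb_nfct(skb); a one-line comment saying why the raw field is compared with IP_CT_UNTRACKED would help the next reader. With the "#endif" now further from the condition it closes, a trailing comment naming that condition would help here too.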