From patchwork Fri Feb 5 09:20:21 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 102845 Delivered-To: patch@linaro.org Received: by 10.112.43.199 with SMTP id y7csp968690lbl; Fri, 5 Feb 2016 01:22:25 -0800 (PST) X-Received: by 10.98.0.84 with SMTP id 81mr8614608pfa.67.1454664145027; Fri, 05 Feb 2016 01:22:25 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v4si22759719pfi.237.2016.02.05.01.22.24; Fri, 05 Feb 2016 01:22:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752523AbcBEJWV (ORCPT + 30 others); Fri, 5 Feb 2016 04:22:21 -0500 Received: from mout.kundenserver.de ([212.227.17.24]:62570 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752089AbcBEJWQ (ORCPT ); Fri, 5 Feb 2016 04:22:16 -0500 Received: from wuerfel.lan. ([78.42.132.4]) by mrelayeu.kundenserver.de (mreue103) with ESMTPA (Nemesis) id 0LjLuJ-1ZuU0j2L9T-00dTE9; Fri, 05 Feb 2016 10:20:58 +0100 From: Arnd Bergmann To: Pablo Neira Ayuso Cc: linux-arm-kernel@lists.infradead.org, Arnd Bergmann , Patrick McHardy , Jozsef Kadlecsik , "David S. Miller" , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] netfilter: tee: select NF_DUP_IPV6 unconditionally Date: Fri, 5 Feb 2016 10:20:21 +0100 Message-Id: <1454664040-1344109-1-git-send-email-arnd@arndb.de> X-Mailer: git-send-email 2.7.0 X-Provags-ID: V03:K0:wJ93jz/fb2UXUE8WFhtwOQeXZW6uttu6s7il1TQxSLKeWYDFQ5b pv/d0tqMmpKbvwwDc3C3HoKVCPDE6kmWNLOTYirVfnLP8yFS5LEWoojpH6Hoo/LMgX8z4KR vlTNUF01B7G1ZYKVyHEYjQYOeUPiHvWdlJuoRJTkAFX4jvfvfhbV/M/6f6e7al+w3wunPm3 akeS5KFGUchIARqP2sR+A== X-UI-Out-Filterresults: notjunk:1; V01:K0:69m4UGddKjs=:ANwGuyNf8Gc5XLK+IapScx lkWucLzv9a7fqv0Jpwyd1PrJEOKcUCjIDpyd2x7GUwRqokE3iO8tn3wqL3f8XNzMksBbQI/dJ yoFdve6jU30ZsiIHwOTHY5MZvi2rati7lwhk2olu8NLtrZqUnJk3ymRB4mSW2i15tHbJaAjs1 pTI9LxmRnLeVr17uB3raUeLr+dOxMR0AA4k0nkEF5OEs6OrScbAZRjLMXzzhB3xVUpAA9S/lr ttiVHkS/iUhg/3LVF2EdFwZuCPJk5cVI50iOS9oMDka5llU0F4BbwUYwFcKh0bFgGOOJN0ZLU JagzIMrtEPLA1WX751tKM0onptiwXnHWVyePxZD4fCkE1Qf3otgJheeBMC1bDR0sqD4MrsxYu +Y1i2HJfJv2taXDC3JxrzhAI4ja2vRaMFBRboqYaKNwfS79BcF0NP1o/dVl47iKyNyy8te68O sM5fkHPyXy95qiItu1Po4goQnaZJJVGEGolL9WLJUchf4L4OL1yCOVPkTmKF/x4F75eNSTc4t TQCE/GHHdFhaenpFJkiXG/a/DSTN79aGmftu1x0HZuwemLTH5ewSBjSxMV2nt2/xu8Rl2Yjcc euaJOcgP+/tTnZXRAaZGilDP1CPJM1BLNHgJDZrA8crcwG/SSCIvOUNkWZAtPcZHfsz3+L7Wv wyq22+STlc3SmJm9Ni/tMJqfPyljnOUtl94qV4i/COp1bwiI0aRy43vwgs9hEYvgbdfc= Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The NETFILTER_XT_TARGET_TEE option selects NF_DUP_IPV6 whenever IP6_NF_IPTABLES is enabled, and it ensures that it cannot be builtin itself if NF_CONNTRACK is a loadable module, as that is a dependency for NF_DUP_IPV6. However, NF_DUP_IPV6 can be enabled even if IP6_NF_IPTABLES is turned off, and it only really depends on IPV6. With the current check in tee_tg6, we call nf_dup_ipv6() whenever NF_DUP_IPV6 is enabled. This can however be a loadable module which is unreachable from a built-in xt_TEE: net/built-in.o: In function `tee_tg6': :(.text+0x67728): undefined reference to `nf_dup_ipv6' The bug was originally introduced in the split of the xt_TEE module into separate modules for ipv4 and ipv6, and two patches tried to fix it unsuccessfully afterwards. This is a revert of the the first incorrect attempt to fix it, going back to depending on IPV6 as the dependency, and we adapt the 'select' condition accordingly. Signed-off-by: Arnd Bergmann Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6") Fixes: 116984a316c3 ("netfilter: xt_TEE: use IS_ENABLED(CONFIG_NF_DUP_IPV6)") Fixes: 74ec4d55c4d2 ("netfilter: fix xt_TEE and xt_TPROXY dependencies") --- net/netfilter/Kconfig | 2 +- net/netfilter/xt_TEE.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) -- 2.7.0 diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 8c067e6663a1..95e757c377f9 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -891,7 +891,7 @@ config NETFILTER_XT_TARGET_TEE depends on IPV6 || IPV6=n depends on !NF_CONNTRACK || NF_CONNTRACK select NF_DUP_IPV4 - select NF_DUP_IPV6 if IP6_NF_IPTABLES != n + select NF_DUP_IPV6 if IPV6 ---help--- This option adds a "TEE" target with which a packet can be cloned and this clone be rerouted to another nexthop. diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c index 3eff7b67cdf2..6e57a3966dc5 100644 --- a/net/netfilter/xt_TEE.c +++ b/net/netfilter/xt_TEE.c @@ -38,7 +38,7 @@ tee_tg4(struct sk_buff *skb, const struct xt_action_param *par) return XT_CONTINUE; } -#if IS_ENABLED(CONFIG_NF_DUP_IPV6) +#if IS_ENABLED(CONFIG_IPV6) static unsigned int tee_tg6(struct sk_buff *skb, const struct xt_action_param *par) { @@ -131,7 +131,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = { .destroy = tee_tg_destroy, .me = THIS_MODULE, }, -#if IS_ENABLED(CONFIG_NF_DUP_IPV6) +#if IS_ENABLED(CONFIG_IPV6) { .name = "TEE", .revision = 1,