From: Arnd Bergmann
Date: Tue, 10 Jul 2018 11:10:40 +0200
Subject: Re: [PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6
To: Máté Eckl
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Flavio Leitner, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, Networking, Linux Kernel Mailing List

On Tue, Jul 10, 2018 at 10:05 AM, Máté Eckl wrote:
> On Tue, Jul 10, 2018 at 10:02:27AM +0200, Máté Eckl wrote:
>> On Mon, Jul 09, 2018 at 11:35:09PM +0200, Arnd Bergmann wrote:
>> > It is now possible to build the nft_socket module as built-in when
>> > NF_TABLES_IPV6 is disabled, and have NF_SOCKET_IPV6=m set manually.
>> >
>> > In this case, the NF_SOCKET_IPV6 functionality will be useless according
>> > to the explanation in commit 35bf1ccecaaa ("netfilter: Kconfig: Change
>> > IPv6 select dependencies"), but on top of that it also causes a link
>> > error:
>> >
>> > net/netfilter/nft_socket.o: In function `nft_socket_eval':
>> > nft_socket.c:(.text+0x162): undefined reference to `nf_sk_lookup_slow_v6'
>> >
>> > This changes the compile-time check so we don't attempt to use
>> > the NF_SOCKET_IPV6 code when it cannot be used, and make it all
>> > compile again. That may lead to unexpected behavior when a user
>> > enables NF_SOCKET_IPV6 but cannot use it, but seems to be the
>> > logical conclusion of the 35bf1ccecaaa change.
>> >
>> > Fixes: 35bf1ccecaaa ("netfilter: Kconfig: Change IPv6 select dependencies")
>> > Signed-off-by: Arnd Bergmann
>>
>> I think this should be fixed in the Kconfig rather than inside the module(s).

Should we revert your patch then, or do you have a better idea?

>> I did some investigation and it turns out that you missed a circumstance. This
>> link error occurs only if NFT_SOCKET=y && NF_SOCKET_IPV6=m && NF_TABLES_IPV6=y
>> (cannot be m here if NFT_SOCKET is y).

No, if NF_TABLES_IPV6=y the problem cannot happen, since NFT_SOCKET
then selects NF_SOCKET_IPV6=y as well. Before your patch, it would always select
NF_SOCKET_IPV6 when it could, so it worked in all configurations.

>> And probably the same with
>> iptables-related modules. Probably this possibility should be eliminated.
>
> NF_TPROXY_IPV6 might be in the same situation.

I tried coming up with a combination that is broken for NF_TPROXY_IPV6=m
but could not.
From what I can see with

config NETFILTER_XT_TARGET_TPROXY
        tristate '"TPROXY" target transparent proxying support'
        depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
        select NF_TPROXY_IPV6 if IP6_NF_IPTABLES

and

#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)

inside of net/netfilter/xt_TPROXY.c, there is no way we can end up with
xt_TPROXY calling into the nf_tproxy_ipv6 loadable module from a built-in
context.

This is the same approach I used in my patch, just with IP6_NF_IPTABLES
instead of NF_SOCKET_IPV6, in both the Kconfig dependency and the module.

      Arnd
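
The configuration reasoning in this thread can be checked by brute force. The following is an added example, not part of the original mail or of the kernel tree: a simplified Python model of Kconfig tristate `select ... if` and `depends on X || X=n` that lists the combinations in which a built-in caller references a symbol living in a module. Assumptions: the names `caller`, `cond` and `helper` are hypothetical stand-ins (NFT_SOCKET / NF_TABLES_IPV6 / NF_SOCKET_IPV6, or NETFILTER_XT_TARGET_TPROXY / IP6_NF_IPTABLES / NF_TPROXY_IPV6), the `#if` guards are inferred from the discussion, NF_TABLES_IPV6 is modelled as n/y only, and the helper's own dependencies are ignored.

```python
from itertools import product

N, M, Y = 0, 1, 2          # Kconfig tristate values, ordered n < m < y
NAME = "nmy"

def final_helper(caller, cond, user_helper):
    # 'select HELPER if COND' forces HELPER >= min(caller, cond);
    # the user's own choice can only raise the value further.
    return max(user_helper, min(caller, cond))

def allowed(caller, cond, depends_idiom):
    # 'depends on COND || COND=n' caps the caller at COND unless COND is n,
    # so a built-in caller can never coexist with COND=m.
    return not depends_idiom or cond == N or caller <= cond

def broken_configs(cond_values, guard, depends_idiom=False):
    """Return configs where built-in code calls into a loadable module.

    guard: "helper" -> #if IS_ENABLED(CONFIG_<helper>)
           "cond"   -> #if IS_ENABLED(CONFIG_<cond>)
    """
    found = []
    for caller, cond, user in product((M, Y), cond_values, (N, M, Y)):
        if not allowed(caller, cond, depends_idiom):
            continue
        helper = final_helper(caller, cond, user)
        guarded = helper if guard == "helper" else cond
        # IS_ENABLED() is true for both m and y, so the call is compiled in
        # whenever the guarded symbol is not n.
        if caller == Y and guarded != N and helper == M:
            desc = f"caller={NAME[caller]} cond={NAME[cond]} helper={NAME[helper]}"
            if desc not in found:
                found.append(desc)
    return found

if __name__ == "__main__":
    # nft_socket guarded on the helper symbol: the reported link error
    print("guard on helper:", broken_configs((N, Y), "helper"))
    # nft_socket guarded on the select condition, as the patch proposes
    print("guard on cond:  ", broken_configs((N, Y), "cond"))
    # xt_TPROXY layout quoted in the mail: depends idiom plus guard on cond
    print("xt_TPROXY:      ", broken_configs((N, M, Y), "cond", True))
    # same layout without the depends idiom, to show what that line prevents
    print("no depends:     ", broken_configs((N, M, Y), "cond", False))
```
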