Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1496068imm; Tue, 10 Jul 2018 02:52:27 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdzyKHCxYnx0MC70aS41ar7yPoVfv9sxynhv/bskKmg2RRIJd3gpNc8uYJVkPwPWmZ67zON X-Received: by 2002:a17:902:8207:: with SMTP id x7-v6mr23579929pln.57.1531216347244; Tue, 10 Jul 2018 02:52:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531216347; cv=none; d=google.com; s=arc-20160816; b=pG3cZMiJMBbEWomOYlB6Cwymi6gQLk1ULbVNG+qMA4ZMEHh0sdsm2oOc5pO1lWHV/H i3XMV5rXfl1Fz8itJcViU5UFtr65n4B9A6d5j2luRSJKO74piwmTymh8eMSIue3dPmdc 40Sk0f3wcyvQjNf8Ny+YX9pIuRCrH27eIHWHBqkdPpZ4DMaWYR/hHHVR3t62R8F4fDOv aUbG0GhoViPBAgKLkmTP/fwTM2q7hUsWzPoGXPFJiZFGsjy5un7sAtCuWa4oLXPTePMN nXuntZwHFAfXqfRkZgjXDWAFHcn1/KmLvQA2hjIMzthrXK6q/9dAlfGTQQcedjtu+oE/ 0mgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=b/vodOVOuj9BFSNcHe+4ZmrPe7Gxn6XhuXMLpIBFxSI=; b=aa6vYDmY2zH54czr0xvwp2jwVtjU6YAK5WqrVunMeyH9GNdGWRI131UEQ5UzsNu+UC D1HEpm0xHEBRjz4HnvtBSW9VbIsWARMLWpXX3Bib0jW37aC9ebFcQjkTYwoMN3Ud66QN dubyma3WGAGjrI3GaRZ5Kr4SA2irr4FzsYFndoXMI7lu4Ump/TmmRK22z+FP1wubfPqG jFMdDaGeQfJHq+BJb6IK2PlURam5FPE21GVo7jpcM3xSXGtob/OLHha1WHNHI73FVnGv lCD82Dhq9qs7xGX4Won7M8yBvQCRvLgbwpEvPuXapNGBfbLDfzPSYoPRP6+Sezc2YZbh p0qA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=YUTUhOyv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y65-v6si16940475pfi.195.2018.07.10.02.52.12; Tue, 10 Jul 2018 02:52:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=YUTUhOyv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933115AbeGJJv2 (ORCPT + 99 others); Tue, 10 Jul 2018 05:51:28 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:52801 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751194AbeGJJv0 (ORCPT ); Tue, 10 Jul 2018 05:51:26 -0400 Received: by mail-wm0-f68.google.com with SMTP id w16-v6so23859259wmc.2; Tue, 10 Jul 2018 02:51:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=b/vodOVOuj9BFSNcHe+4ZmrPe7Gxn6XhuXMLpIBFxSI=; b=YUTUhOyvPzfbsjsAfVKvHc/3LQ1E2Nujp+pNj15M0DVKrgA2sIUNcGrGkCe49Nc+rs En/aw4aMH4OZWe16gFmIGDfQjHX3OolNbsAsdaQ7++yDnRSlMChhAG06h/te3f3UwRvb FcU+ggN5tSxmGkf/H6be6YE6PL0f7/lnoJyoGHbzpCh0IsVUcLSjcTz2wbhB3MrseelF SnvAEhL3EMkrwPiEXzy9Y7zHEH4N7RIb7ybKvQeU6KSVl758CBbxc7LPY6m/9IU3WyH+ BFHcGDWTwzAFgsVPWz5/GghSF4aBKwgXGN75wRmEIL86YCSWQYc1g4rHNiMXywCN5YaD 44Qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=b/vodOVOuj9BFSNcHe+4ZmrPe7Gxn6XhuXMLpIBFxSI=; b=fKSmeNokDLTrPtnSPC7OY9aYJlnDzqNlxAPyT6IBDzCfcWTWna1rJk9y7LKgDVfDd8 NWLKNXzcIKXP6KsWiZ99slLQrU4k6ffL2qGFlI7t/IUpqAmxpFjFvNlyL5/dB+GGtbsI Zksa311bele1LM9vioXkaBevRdvky0W95eCKElvzkAHlrys7DoJyeppttJEazRUTG0ns ReDlqi6i/MrHi3b6WNLhhh17vUaX9e1PeqULrZMKrCnqclmagXj6amQ0jK9sapSBeNqo DJe0ZwWyBB508osN2tx77pTaiJW2k2ggieobsbXqUYJbVzxSZkH9KVlPq1Unze6kY+lG cIxw== X-Gm-Message-State: APt69E17oJhWy/jiQv8H8jfQwV9dajXgihgwqZAXy6pY7KhdH2ZuwroM O0pEQUp85bCgk/cyt/BmCNo= X-Received: by 2002:a1c:8f0e:: with SMTP id r14-v6mr15498571wmd.79.1531216284444; Tue, 10 Jul 2018 02:51:24 -0700 (PDT) Received: from sch.bme.hu (ecklm-pi.sch.bme.hu. [152.66.179.182]) by smtp.gmail.com with ESMTPSA id v1-v6sm582444wrs.28.2018.07.10.02.51.22 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 10 Jul 2018 02:51:23 -0700 (PDT) Date: Tue, 10 Jul 2018 11:51:22 +0200 From: =?utf-8?B?TcOhdMOp?= Eckl To: Arnd Bergmann Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Flavio Leitner , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, Networking , Linux Kernel Mailing List Subject: Re: [PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6 Message-ID: <20180710095122.6ee4wxfg4sabhcvw@sch.bme.hu> References: <20180709213537.2748896-1-arnd@arndb.de> <20180710080227.qwh53ahq26j6phhd@sch.bme.hu> <20180710080538.d7xqpjdvpksfrx6o@sch.bme.hu> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: NeoMutt/20180622 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 10, 2018 at 11:10:40AM +0200, Arnd Bergmann wrote: > On Tue, Jul 10, 2018 at 10:05 AM, M?t? Eckl wrote: > > On Tue, Jul 10, 2018 at 10:02:27AM +0200, M?t? Eckl wrote: > >> On Mon, Jul 09, 2018 at 11:35:09PM +0200, Arnd Bergmann wrote: > >> > It is now possible to build the nft_socket module as built-in when > >> > NF_TABLES_IPV6 is disabled, and have NF_SOCKET_IPV6=m set manually. > >> > > >> > In this case, the NF_SOCKET_IPV6 functionality will be useless according > >> > to the explanation in commit 35bf1ccecaaa ("netfilter: Kconfig: Change > >> > IPv6 select dependencies"), but on top of that it also causes a link > >> > error: > >> > > >> > net/netfilter/nft_socket.o: In function `nft_socket_eval': > >> > nft_socket.c:(.text+0x162): undefined reference to `nf_sk_lookup_slow_v6' > >> > > >> > This changes the compile-time check so we don't attempt to use > >> > the NF_SOCKET_IPV6 code when it cannot be used, and make it all > >> > compile again. That may lead to unexpected behavior when a user > >> > enables NF_SOCKET_IPV6 but cannot use it, but seems to be the > >> > logical conclusion of the 35bf1ccecaaa change. > >> > > >> > Fixes: 35bf1ccecaaa ("netfilter: Kconfig: Change IPv6 select dependencies") > >> > Signed-off-by: Arnd Bergmann > >> > >> I think this should be fixed in the Kconfig rather than inside the module(s). > > Should we revert your patch then, or do you have a better idea? > > >> I did some investigation and it turns out that you missed a circumstance. This > >> link error occures only if NFT_SOCKET=y && NF_SOCKET_IPV6=m && NF_TABLES_IPV6=y > >> (cannot be m here if NFT_SOCKET is y). > > No, if NF_TABLES_IPV6=y the problem cannot happen, since NFT_SOCKET then > selects NF_SOCKET_IPV6=y as well. Before your patch, it would always select > NF_SOCKET_IPV6 when it could, so it worked in all configurations. Sorry I wanted to write NF_TABLES_IPV6=n... So: NFT_SOCKET=y && NF_SOCKET_IPV6=m && NF_TABLES_IPV6=n causes linkage error. NFT_SOCKET=m && NF_SOCKET_IPV6=m && NF_TABLES_IPV6=n compiles fine. > >> And probably the same with > >> iptables-related modules. Probably this possibility should be eliminated. > > > > NF_TPROXY_IPV6 might be in the same situation. > > I tried coming up with a combination that is broken for NF_TPROXY_IPV6=m > but could not. From what I can see with > > config NETFILTER_XT_TARGET_TPROXY > tristate '"TPROXY" target transparent proxying support' > depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n > select NF_TPROXY_IPV6 if IP6_NF_IPTABLES > > and > > #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) > > inside of net/netfilter/xt_TPROXY.c, there is no way we can end up with > xt_TPROXY calling into the nf_tproxy_ipv6 loadable module from > a built-in context. This is the same approach I used in my patch, > just with IP6_NF_IPTABLES instead of NF_SOCKET_IPV6, in both > the Kconfig dependency and the module. Right, I see your point. I have an alternative solution which seems more robust to me, but I might be overthinking this situation. So Accepted-by: M?t? Eckl > Arnd