There's 52d1aa8b8249 in v6.1-rc7:

* netfilter: conntrack: Fix data-races around ct mark

It triggers an error:

#19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c: In
function '__ctnetlink_glue_build':
#19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c:2674:13:
error: unused variable 'mark' [-Werror=unused-variable]
#19 355.8 2674 | u32 mark;
#19 355.8 | ^~~~
#19 355.8 cc1: all warnings being treated as errors

If CONFIG_NF_CONNTRACK_MARK is not enabled, as mark is declared
unconditionally, but used under ifdef:

#ifdef CONFIG_NF_CONNTRACK_MARK
- if ((events & (1 << IPCT_MARK) || ct->mark)
- && ctnetlink_dump_mark(skb, ct) < 0)
+ mark = READ_ONCE(ct->mark);
+ if ((events & (1 << IPCT_MARK) || mark) &&
+ ctnetlink_dump_mark(skb, mark) < 0)
goto nla_put_failure;
#endif
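
Review bot: at the added `mark = READ_ONCE(ct->mark);` line, `mark` is assigned and read only inside the `#ifdef CONFIG_NF_CONNTRACK_MARK` block, while the compiler output above shows its declaration (`u32 mark;` at line 2674) sitting outside the guard, so a build without that option fails under -Werror=unused-variable. Put the declaration under the same `#ifdef`, or annotate it `__maybe_unused`, so that both configurations compile.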

To have NF_CONNTRACK_MARK one needs NETFILTER_ADVANCED:

config NF_CONNTRACK_MARK
        bool 'Connection mark tracking support'
        depends on NETFILTER_ADVANCED

It's supposed to be enabled by default:

config NETFILTER_ADVANCED
        bool "Advanced netfilter configuration"
        depends on NETFILTER
        default y

But it's not in defconfig (it's missing from arm64 completely):

$ rg NETFILTER_ADVANCED arch/x86/configs/x86_64_defconfig
93:# CONFIG_NETFILTER_ADVANCED is not set

I think the solution is to enclose mark definition into ifdef as well
and I'm happy to send a patch if you agree and would like me to.
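
The approach suggested in the report above, as an added userspace sketch (not the kernel source and not the patch linked later in the thread): the snapshot variable is declared under the same `#ifdef` as its only use, so the file compiles with the option on or off, and the check and the dump work from one read of the field. `struct conn`, `struct msg`, `dump_mark`, `glue_build`, the `READ_ONCE` stand-in and the `IPCT_MARK` value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Delete this line to build the variant without mark support; the file
 * must still compile cleanly with -Wall -Werror=unused-variable. */
#define CONFIG_NF_CONNTRACK_MARK 1

/* Userspace stand-in for the kernel's READ_ONCE(), u32 only: one volatile load. */
#define READ_ONCE(x) (*(const volatile uint32_t *)&(x))
#define IPCT_MARK 7  /* event bit number, constructed for this sketch */

struct conn { uint32_t id, mark; };                /* stand-in for struct nf_conn */
struct msg  { uint32_t id, mark; int has_mark; };  /* stand-in for the skb */

#ifdef CONFIG_NF_CONNTRACK_MARK
/* Receives the snapshot, not the connection, so it cannot read ct->mark again. */
static int dump_mark(struct msg *m, uint32_t mark)
{
    m->mark = mark;
    m->has_mark = 1;
    return 0;
}
#endif

int glue_build(struct msg *m, struct conn *ct, unsigned int events)
{
#ifdef CONFIG_NF_CONNTRACK_MARK
    uint32_t mark;  /* declared under the same guard as its only use */
#endif

    m->id = ct->id;  /* unconditional attribute, present in every config */
    m->has_mark = 0;
#ifdef CONFIG_NF_CONNTRACK_MARK
    mark = READ_ONCE(ct->mark);  /* test and dump share this one value */
    if (((events & (1u << IPCT_MARK)) || mark) && dump_mark(m, mark) < 0)
        return -1;
#else
    (void)events;  /* only the mark path looks at the event mask here */
#endif
    return 0;
}

int main(void)
{
    struct conn ct = { .id = 1, .mark = 0x2a };
    struct msg m = { 0 };
    int rc = glue_build(&m, &ct, 0);

    printf("rc=%d has_mark=%d mark=0x%x\n", rc, m.has_mark, (unsigned)m.mark);
    return 0;
}
```
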

Hi,

On Sun, Nov 27, 2022 at 05:30:47PM -0800, Ivan Babrou wrote:
> There's 52d1aa8b8249 in v6.1-rc7:
>
> * netfilter: conntrack: Fix data-races around ct mark
>
> It triggers an error:
>
> #19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c: In
> function '__ctnetlink_glue_build':
> #19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c:2674:13:
> error: unused variable 'mark' [-Werror=unused-variable]
> #19 355.8 2674 | u32 mark;
> #19 355.8 | ^~~~
> #19 355.8 cc1: all warnings being treated as errors
>
> If CONFIG_NF_CONNTRACK_MARK is not enabled, as mark is declared
> unconditionally, but used under ifdef:
>
> #ifdef CONFIG_NF_CONNTRACK_MARK
> - if ((events & (1 << IPCT_MARK) || ct->mark)
> - && ctnetlink_dump_mark(skb, ct) < 0)
> + mark = READ_ONCE(ct->mark);
> + if ((events & (1 << IPCT_MARK) || mark) &&
> + ctnetlink_dump_mark(skb, mark) < 0)
> goto nla_put_failure;
> #endif
>
> To have NF_CONNTRACK_MARK one needs NETFILTER_ADVANCED:
>
> config NF_CONNTRACK_MARK
> bool 'Connection mark tracking support'
> depends on NETFILTER_ADVANCED
>
> It's supposed to be enabled by default:
>
> config NETFILTER_ADVANCED
> bool "Advanced netfilter configuration"
> depends on NETFILTER
> default y
>
> But it's not in defconfig (it's missing from arm64 completely):
>
> $ rg NETFILTER_ADVANCED arch/x86/configs/x86_64_defconfig
> 93:# CONFIG_NETFILTER_ADVANCED is not set
>
> I think the solution is to enclose mark definition into ifdef as well
> and I'm happy to send a patch if you agree and would like me to.

Thanks for reporting and offering a patch:

Could you give a try to this one? I'll be glad to get a Tested-by:
tag if this is correct to you.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/

Thanks.

On Mon, Nov 28, 2022 at 2:00 AM Pablo Neira Ayuso <[email protected]> wrote:
>
> Hi,
>
> On Sun, Nov 27, 2022 at 05:30:47PM -0800, Ivan Babrou wrote:
> > There's 52d1aa8b8249 in v6.1-rc7:
> >
> > * netfilter: conntrack: Fix data-races around ct mark
> >
> > It triggers an error:
> >
> > #19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c: In
> > function '__ctnetlink_glue_build':
> > #19 355.8 /build/linux-source/net/netfilter/nf_conntrack_netlink.c:2674:13:
> > error: unused variable 'mark' [-Werror=unused-variable]
> > #19 355.8 2674 | u32 mark;
> > #19 355.8 | ^~~~
> > #19 355.8 cc1: all warnings being treated as errors
> >
> > If CONFIG_NF_CONNTRACK_MARK is not enabled, as mark is declared
> > unconditionally, but used under ifdef:
> >
> > #ifdef CONFIG_NF_CONNTRACK_MARK
> > - if ((events & (1 << IPCT_MARK) || ct->mark)
> > - && ctnetlink_dump_mark(skb, ct) < 0)
> > + mark = READ_ONCE(ct->mark);
> > + if ((events & (1 << IPCT_MARK) || mark) &&
> > + ctnetlink_dump_mark(skb, mark) < 0)
> > goto nla_put_failure;
> > #endif
> >
> > To have NF_CONNTRACK_MARK one needs NETFILTER_ADVANCED:
> >
> > config NF_CONNTRACK_MARK
> > bool 'Connection mark tracking support'
> > depends on NETFILTER_ADVANCED
> >
> > It's supposed to be enabled by default:
> >
> > config NETFILTER_ADVANCED
> > bool "Advanced netfilter configuration"
> > depends on NETFILTER
> > default y
> >
> > But it's not in defconfig (it's missing from arm64 completely):
> >
> > $ rg NETFILTER_ADVANCED arch/x86/configs/x86_64_defconfig
> > 93:# CONFIG_NETFILTER_ADVANCED is not set
> >
> > I think the solution is to enclose mark definition into ifdef as well
> > and I'm happy to send a patch if you agree and would like me to.
>
> Thanks for reporting and offering a patch:
>
> Could you give a try to this one? I'll be glad to get a Tested-by:
> tag if this is correct to you.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/
>
> Thanks.

LGTM, it builds.

Tested-by: Ivan Babrou <[email protected]>