Discussion:
Some netfilter compile errors when CONFIG_IPV6=m
(too old to reply)
Cong Wang
2013-05-14 02:45:52 UTC
Permalink
Hi, all

I got the following compile errors when I compile IPv6 as a module and
most of the rest are built into core kernel. David Miller insists we
should fix this kind of error and not by adding Kconfig tricks.

net/built-in.o: In function `nf_tproxy_get_sock_v6':
/home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
undefined reference to `udp6_lib_lookup'
/home/wangcong/linux/include/net/netfilter/nf_tproxy_core.h:177:
undefined reference to `udp6_lib_lookup'
net/built-in.o: In function `tproxy_tg_init':
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
net/built-in.o: In function `socket_mt_init':
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'

My .config is:

CONFIG_NET_IPGRE=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_NF_NAT_IPV6=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m
CONFIG_BRIDGE_EBT_NFLOG=m
CONFIG_IP_SCTP=m
CONFIG_BRIDGE=m
CONFIG_BONDING=m

all the rest are either =y or =n.


Thanks.
Cong Wang
2013-05-14 02:48:22 UTC
Permalink
Post by Cong Wang
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'
I don't know why we keep an empty definition for
nf_defrag_ipv6_enable(), so I make a patch to remove it, not sure if it
makes sense.


diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
deleted file mode 100644
index 6b00ea3..0000000
--- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _NF_DEFRAG_IPV4_H
-#define _NF_DEFRAG_IPV4_H
-
-extern void nf_defrag_ipv4_enable(void);
-
-#endif /* _NF_DEFRAG_IPV4_H */
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index fd79c9a..7ba91bb 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -1,8 +1,6 @@
#ifndef _NF_DEFRAG_IPV6_H
#define _NF_DEFRAG_IPV6_H

-extern void nf_defrag_ipv6_enable(void);
-
extern int nf_ct_frag6_init(void);
extern void nf_ct_frag6_cleanup(void);
extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32
user);
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 567d841..7344253 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -27,7 +27,6 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
#include <net/netfilter/nf_nat_helper.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#include <net/netfilter/nf_log.h>

static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int
nhoff,
@@ -464,7 +463,6 @@ static int __init
nf_conntrack_l3proto_ipv4_init(void)
int ret = 0;

need_conntrack();
- nf_defrag_ipv4_enable();

ret = nf_register_sockopt(&so_getorigdst);
if (ret < 0) {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c
b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 7428155..b2ec6f1 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -16,7 +16,6 @@

#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netfilter/nf_conntrack.h>
#endif
@@ -117,11 +116,6 @@ static void __exit nf_defrag_fini(void)
nf_unregister_hooks(ipv4_defrag_ops, ARRAY_SIZE(ipv4_defrag_ops));
}

-void nf_defrag_ipv4_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(nf_defrag_ipv4_enable);
-
module_init(nf_defrag_init);
module_exit(nf_defrag_fini);

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2b..3fc4d53 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -460,7 +460,6 @@ static int __init
nf_conntrack_l3proto_ipv6_init(void)
int ret = 0;

need_conntrack();
- nf_defrag_ipv6_enable();

ret = nf_register_sockopt(&so_getorigdst6);
if (ret < 0) {
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index aacd121..97c876f 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -125,12 +125,6 @@ static void __exit nf_defrag_fini(void)
nf_unregister_hooks(ipv6_defrag_ops, ARRAY_SIZE(ipv6_defrag_ops));
nf_ct_frag6_cleanup();
}
-
-void nf_defrag_ipv6_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(nf_defrag_ipv6_enable);
-
module_init(nf_defrag_init);
module_exit(nf_defrag_fini);

diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index d7f1953..fc7384d 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -20,8 +20,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>

-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
-
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
#define XT_TPROXY_HAVE_IPV6 1
#include <net/if_inet6.h>
@@ -410,11 +408,6 @@ static struct xt_target tproxy_tg_reg[]
__read_mostly = {

static int __init tproxy_tg_init(void)
{
- nf_defrag_ipv4_enable();
-#ifdef XT_TPROXY_HAVE_IPV6
- nf_defrag_ipv6_enable();
-#endif
-
return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
}

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 63b2bdb..c588d68 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -20,7 +20,6 @@
#include <net/sock.h>
#include <net/inet_sock.h>
#include <net/netfilter/nf_tproxy_core.h>
-#include <net/netfilter/ipv4/nf_defrag_ipv4.h>

#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
#define XT_SOCKET_HAVE_IPV6 1
@@ -361,11 +360,6 @@ static struct xt_match socket_mt_reg[]
__read_mostly = {

static int __init socket_mt_init(void)
{
- nf_defrag_ipv4_enable();
-#ifdef XT_SOCKET_HAVE_IPV6
- nf_defrag_ipv6_enable();
-#endif
-
return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso
2013-05-14 03:10:18 UTC
Permalink
Post by Cong Wang
Post by Cong Wang
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'
I don't know why we keep an empty definition for
nf_defrag_ipv6_enable(), so I make a patch to remove it, not sure if it
makes sense.
It's there to enforce the dependency between nf_conntrack and
nf_defrag. We cannot run nf_conntrack without it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Cong Wang
2013-05-27 10:56:57 UTC
Permalink
Cc'ing Bj=C3=B8rn who cares IPV6=3Dm compile errors very much. :)

BTW, this is what I found while testing my vxlan patches with IPV6=3Dm.
Post by Cong Wang
Hi, all
=20
I got the following compile errors when I compile IPv6 as a module an=
d
Post by Cong Wang
most of the rest are built into core kernel. David Miller insists we
should fix this kind of error and not by adding Kconfig tricks.
=20
undefined reference to `udp6_lib_lookup'
undefined reference to `udp6_lib_lookup'
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined referen=
ce
Post by Cong Wang
to `nf_defrag_ipv6_enable'
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined referen=
ce
Post by Cong Wang
to `nf_defrag_ipv6_enable'
=20
=20
CONFIG_NET_IPGRE=3Dm
CONFIG_IPV6=3Dm
CONFIG_INET6_AH=3Dm
CONFIG_INET6_ESP=3Dm
CONFIG_INET6_IPCOMP=3Dm
CONFIG_IPV6_MIP6=3Dm
CONFIG_INET6_XFRM_TUNNEL=3Dm
CONFIG_INET6_TUNNEL=3Dm
CONFIG_INET6_XFRM_MODE_TRANSPORT=3Dm
CONFIG_INET6_XFRM_MODE_TUNNEL=3Dm
CONFIG_INET6_XFRM_MODE_BEET=3Dm
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=3Dm
CONFIG_IPV6_SIT=3Dm
CONFIG_IPV6_TUNNEL=3Dm
CONFIG_IPV6_GRE=3Dm
CONFIG_NF_CONNTRACK_H323=3Dm
CONFIG_NETFILTER_XT_TARGET_TEE=3Dm
CONFIG_NETFILTER_XT_TARGET_TCPMSS=3Dm
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=3Dm
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=3Dm
CONFIG_NF_NAT_H323=3Dm
CONFIG_NF_DEFRAG_IPV6=3Dm
CONFIG_NF_CONNTRACK_IPV6=3Dm
CONFIG_IP6_NF_IPTABLES=3Dm
CONFIG_IP6_NF_MATCH_AH=3Dm
CONFIG_IP6_NF_MATCH_EUI64=3Dm
CONFIG_IP6_NF_MATCH_FRAG=3Dm
CONFIG_IP6_NF_MATCH_OPTS=3Dm
CONFIG_IP6_NF_MATCH_HL=3Dm
CONFIG_IP6_NF_MATCH_IPV6HEADER=3Dm
CONFIG_IP6_NF_MATCH_MH=3Dm
CONFIG_IP6_NF_MATCH_RT=3Dm
CONFIG_IP6_NF_TARGET_HL=3Dm
CONFIG_IP6_NF_FILTER=3Dm
CONFIG_IP6_NF_TARGET_REJECT=3Dm
CONFIG_IP6_NF_MANGLE=3Dm
CONFIG_IP6_NF_RAW=3Dm
CONFIG_IP6_NF_SECURITY=3Dm
CONFIG_NF_NAT_IPV6=3Dm
CONFIG_IP6_NF_TARGET_MASQUERADE=3Dm
CONFIG_BRIDGE_NF_EBTABLES=3Dm
CONFIG_BRIDGE_EBT_BROUTE=3Dm
CONFIG_BRIDGE_EBT_T_FILTER=3Dm
CONFIG_BRIDGE_EBT_T_NAT=3Dm
CONFIG_BRIDGE_EBT_802_3=3Dm
CONFIG_BRIDGE_EBT_AMONG=3Dm
CONFIG_BRIDGE_EBT_ARP=3Dm
CONFIG_BRIDGE_EBT_IP=3Dm
CONFIG_BRIDGE_EBT_IP6=3Dm
CONFIG_BRIDGE_EBT_LIMIT=3Dm
CONFIG_BRIDGE_EBT_MARK=3Dm
CONFIG_BRIDGE_EBT_PKTTYPE=3Dm
CONFIG_BRIDGE_EBT_STP=3Dm
CONFIG_BRIDGE_EBT_VLAN=3Dm
CONFIG_BRIDGE_EBT_ARPREPLY=3Dm
CONFIG_BRIDGE_EBT_DNAT=3Dm
CONFIG_BRIDGE_EBT_MARK_T=3Dm
CONFIG_BRIDGE_EBT_REDIRECT=3Dm
CONFIG_BRIDGE_EBT_SNAT=3Dm
CONFIG_BRIDGE_EBT_LOG=3Dm
CONFIG_BRIDGE_EBT_ULOG=3Dm
CONFIG_BRIDGE_EBT_NFLOG=3Dm
CONFIG_IP_SCTP=3Dm
CONFIG_BRIDGE=3Dm
CONFIG_BONDING=3Dm
=20
all the rest are either =3Dy or =3Dn.
=20
=20
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-dev=
el" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso
2013-05-27 12:33:39 UTC
Permalink
Post by Cong Wang
Hi, all
I got the following compile errors when I compile IPv6 as a module and
most of the rest are built into core kernel. David Miller insists we
should fix this kind of error and not by adding Kconfig tricks.
undefined reference to `udp6_lib_lookup'
undefined reference to `udp6_lib_lookup'
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'
Looking at your incomplete .config, I don't see how you set xt_TPROXY
and xt_socket but I bet they are =y.

For the udp6_lib_lookup dependency, you can use the ipv6 hooks added
here:

commit 2a7851bffb008ff4882eee673da74718997b4265
Author: Florian Westphal <***@strlen.de>
Date: Fri May 17 03:56:10 2013 +0000

netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6

Already in the nf tree, to resolve it. It would be fairly easy to make
a patch for it.

For the nf_defrag_ipv6_enable, as I already mentioned, that's an
artificial function to enforce the dependency between those two
modules. We can add runtime checks in socket and TPROXY to skip
further processing is nf_defrag_ipv6 is not loaded. But that's a
problem because users will assume that their socket/TPROXY rule got
loaded but it will not actually work since defrag is not loaded. I
think that really needs some Kconfig tricks for that specific case.

Regards.
Cong Wang
2013-05-28 02:47:55 UTC
Permalink
Post by Pablo Neira Ayuso
Post by Cong Wang
Hi, all
I got the following compile errors when I compile IPv6 as a module and
most of the rest are built into core kernel. David Miller insists we
should fix this kind of error and not by adding Kconfig tricks.
undefined reference to `udp6_lib_lookup'
undefined reference to `udp6_lib_lookup'
/home/wangcong/linux/net/netfilter/xt_TPROXY.c:415: undefined reference
to `nf_defrag_ipv6_enable'
/home/wangcong/linux/net/netfilter/xt_socket.c:366: undefined reference
to `nf_defrag_ipv6_enable'
Looking at your incomplete .config, I don't see how you set xt_TPROXY
and xt_socket but I bet they are =y.
For the udp6_lib_lookup dependency, you can use the ipv6 hooks added
commit 2a7851bffb008ff4882eee673da74718997b4265
Date: Fri May 17 03:56:10 2013 +0000
netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6
Already in the nf tree, to resolve it. It would be fairly easy to make
a patch for it.
Next time please Cc me, the reporter, when you submit a fix, otherwise I
don't know if it is fixed, since I don't subscribe nf mailing list.
Post by Pablo Neira Ayuso
For the nf_defrag_ipv6_enable, as I already mentioned, that's an
artificial function to enforce the dependency between those two
modules. We can add runtime checks in socket and TPROXY to skip
further processing is nf_defrag_ipv6 is not loaded. But that's a
problem because users will assume that their socket/TPROXY rule got
loaded but it will not actually work since defrag is not loaded. I
think that really needs some Kconfig tricks for that specific case.
Yeah, please send a fix? I can test it (together with my vxlan patches)
if you need. I have no cycles to work on it even if it is simple. :)

Thanks!

Continue reading on narkive:
Loading...