mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-09 23:39:18 +00:00
netfilter: fix module dependency issues with IPv6 defragmentation, ip6tables and xt_TPROXY
One of the previous tproxy related patches split IPv6 defragmentation and connection tracking, but did not correctly add Kconfig stanzas to handle the new dependencies correctly. This patch fixes that by making the config options mirror the setup we have for IPv4: a distinct config option for defragmentation that is automatically selected by both connection tracking and xt_TPROXY/xt_socket. The patch also changes the #ifdefs enclosing IPv6 specific code in xt_socket and xt_TPROXY: we only compile these in case we have ip6tables support enabled. Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
6f0bcf1525
commit
f6318e5588
@ -5,10 +5,15 @@
|
|||||||
menu "IPv6: Netfilter Configuration"
|
menu "IPv6: Netfilter Configuration"
|
||||||
depends on INET && IPV6 && NETFILTER
|
depends on INET && IPV6 && NETFILTER
|
||||||
|
|
||||||
|
config NF_DEFRAG_IPV6
|
||||||
|
tristate
|
||||||
|
default n
|
||||||
|
|
||||||
config NF_CONNTRACK_IPV6
|
config NF_CONNTRACK_IPV6
|
||||||
tristate "IPv6 connection tracking support"
|
tristate "IPv6 connection tracking support"
|
||||||
depends on INET && IPV6 && NF_CONNTRACK
|
depends on INET && IPV6 && NF_CONNTRACK
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select NF_DEFRAG_IPV6
|
||||||
---help---
|
---help---
|
||||||
Connection tracking keeps a record of what packets have passed
|
Connection tracking keeps a record of what packets have passed
|
||||||
through your machine, in order to figure out how they are related
|
through your machine, in order to figure out how they are related
|
||||||
|
@ -12,11 +12,14 @@ obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
|
|||||||
|
|
||||||
# objects for l3 independent conntrack
|
# objects for l3 independent conntrack
|
||||||
nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
|
nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
|
||||||
nf_defrag_ipv6-objs := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
|
|
||||||
|
|
||||||
# l3 independent conntrack
|
# l3 independent conntrack
|
||||||
obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o nf_defrag_ipv6.o
|
obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o nf_defrag_ipv6.o
|
||||||
|
|
||||||
|
# defrag
|
||||||
|
nf_defrag_ipv6-objs := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
|
||||||
|
obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
|
||||||
|
|
||||||
# matches
|
# matches
|
||||||
obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
|
obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
|
||||||
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
|
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
|
||||||
|
@ -525,6 +525,7 @@ config NETFILTER_XT_TARGET_TPROXY
|
|||||||
depends on NETFILTER_XTABLES
|
depends on NETFILTER_XTABLES
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
select NF_DEFRAG_IPV4
|
select NF_DEFRAG_IPV4
|
||||||
|
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
|
||||||
help
|
help
|
||||||
This option adds a `TPROXY' target, which is somewhat similar to
|
This option adds a `TPROXY' target, which is somewhat similar to
|
||||||
REDIRECT. It can only be used in the mangle table and is useful
|
REDIRECT. It can only be used in the mangle table and is useful
|
||||||
@ -927,6 +928,7 @@ config NETFILTER_XT_MATCH_SOCKET
|
|||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
depends on !NF_CONNTRACK || NF_CONNTRACK
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
||||||
select NF_DEFRAG_IPV4
|
select NF_DEFRAG_IPV4
|
||||||
|
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
|
||||||
help
|
help
|
||||||
This option adds a `socket' match, which can be used to match
|
This option adds a `socket' match, which can be used to match
|
||||||
packets for which a TCP or UDP socket lookup finds a valid socket.
|
packets for which a TCP or UDP socket lookup finds a valid socket.
|
||||||
|
@ -21,7 +21,9 @@
|
|||||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||||
|
|
||||||
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
|
||||||
|
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
|
||||||
|
#define XT_TPROXY_HAVE_IPV6 1
|
||||||
#include <net/if_inet6.h>
|
#include <net/if_inet6.h>
|
||||||
#include <net/addrconf.h>
|
#include <net/addrconf.h>
|
||||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||||
@ -172,7 +174,7 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
|||||||
return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
|
return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_TPROXY_HAVE_IPV6
|
||||||
|
|
||||||
static inline const struct in6_addr *
|
static inline const struct in6_addr *
|
||||||
tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
|
tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
|
||||||
@ -372,7 +374,7 @@ static struct xt_target tproxy_tg_reg[] __read_mostly = {
|
|||||||
.hooks = 1 << NF_INET_PRE_ROUTING,
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
},
|
},
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_TPROXY_HAVE_IPV6
|
||||||
{
|
{
|
||||||
.name = "TPROXY",
|
.name = "TPROXY",
|
||||||
.family = NFPROTO_IPV6,
|
.family = NFPROTO_IPV6,
|
||||||
@ -391,7 +393,7 @@ static struct xt_target tproxy_tg_reg[] __read_mostly = {
|
|||||||
static int __init tproxy_tg_init(void)
|
static int __init tproxy_tg_init(void)
|
||||||
{
|
{
|
||||||
nf_defrag_ipv4_enable();
|
nf_defrag_ipv4_enable();
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_TPROXY_HAVE_IPV6
|
||||||
nf_defrag_ipv6_enable();
|
nf_defrag_ipv6_enable();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -14,7 +14,6 @@
|
|||||||
#include <linux/skbuff.h>
|
#include <linux/skbuff.h>
|
||||||
#include <linux/netfilter/x_tables.h>
|
#include <linux/netfilter/x_tables.h>
|
||||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
||||||
#include <net/tcp.h>
|
#include <net/tcp.h>
|
||||||
#include <net/udp.h>
|
#include <net/udp.h>
|
||||||
#include <net/icmp.h>
|
#include <net/icmp.h>
|
||||||
@ -22,7 +21,12 @@
|
|||||||
#include <net/inet_sock.h>
|
#include <net/inet_sock.h>
|
||||||
#include <net/netfilter/nf_tproxy_core.h>
|
#include <net/netfilter/nf_tproxy_core.h>
|
||||||
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
||||||
|
|
||||||
|
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
|
||||||
|
#define XT_SOCKET_HAVE_IPV6 1
|
||||||
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||||
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
|
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <linux/netfilter/xt_socket.h>
|
#include <linux/netfilter/xt_socket.h>
|
||||||
|
|
||||||
@ -186,7 +190,7 @@ socket_mt4_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
|||||||
return socket_match(skb, par, par->matchinfo);
|
return socket_match(skb, par, par->matchinfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_SOCKET_HAVE_IPV6
|
||||||
|
|
||||||
static int
|
static int
|
||||||
extract_icmp6_fields(const struct sk_buff *skb,
|
extract_icmp6_fields(const struct sk_buff *skb,
|
||||||
@ -331,7 +335,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
|
|||||||
(1 << NF_INET_LOCAL_IN),
|
(1 << NF_INET_LOCAL_IN),
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
},
|
},
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_SOCKET_HAVE_IPV6
|
||||||
{
|
{
|
||||||
.name = "socket",
|
.name = "socket",
|
||||||
.revision = 1,
|
.revision = 1,
|
||||||
@ -348,7 +352,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
|
|||||||
static int __init socket_mt_init(void)
|
static int __init socket_mt_init(void)
|
||||||
{
|
{
|
||||||
nf_defrag_ipv4_enable();
|
nf_defrag_ipv4_enable();
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#ifdef XT_SOCKET_HAVE_IPV6
|
||||||
nf_defrag_ipv6_enable();
|
nf_defrag_ipv6_enable();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user