Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: fix compilation when conntrack is disabled but tproxy is enabled

The IPv6 tproxy patches split IPv6 defragmentation off of conntrack, but
failed to update the #ifdef stanzas guarding the defragmentation related
fields and code in skbuff and conntrack related code in nf_defrag_ipv6.c.

This patch adds the required #ifdefs so that IPv6 tproxy can truly be used
without connection tracking.

Original report:
http://marc.info/?l=linux-netdev&m=129010118516341&w=2

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

KOVACS Krisztian and committed by
Pablo Neira Ayuso
2fc72c7b 2f46e079

+34 -11
+15
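--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -255,6 +255,11 @@
 typedef unsigned char *sk_buff_data_t;
 #endif
 
+#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \
+defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)
+#define NET_SKBUFF_NF_DEFRAG_NEEDED 1
+#endif
+
 /**
 * struct sk_buff - socket buffer
 * @next: Next buffer in list
@@ -362,6 +367,8 @@
 void (*destructor)(struct sk_buff *skb);
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 struct nf_conntrack *nfct;
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 struct sk_buff *nfct_reasm;
 #endif
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -2057,6 +2064,8 @@
 if (nfct)
 atomic_inc(&nfct->use);
 }
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 static inline void nf_conntrack_get_reasm(struct sk_buff *skb)
 {
 if (skb)
@@ -2085,6 +2094,8 @@
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 nf_conntrack_put(skb->nfct);
 skb->nfct = NULL;
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 nf_conntrack_put_reasm(skb->nfct_reasm);
 skb->nfct_reasm = NULL;
 #endif
@@ -2101,6 +2112,8 @@
 dst->nfct = src->nfct;
 nf_conntrack_get(src->nfct);
 dst->nfctinfo = src->nfctinfo;
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 dst->nfct_reasm = src->nfct_reasm;
 nf_conntrack_get_reasm(src->nfct_reasm);
 #endif
@@ -2114,6 +2127,8 @@
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 nf_conntrack_put(dst->nfct);
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 nf_conntrack_put_reasm(dst->nfct_reasm);
 #endif
 #ifdef CONFIG_BRIDGE_NETFILTER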
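Review bot: `NET_SKBUFF_NF_DEFRAG_NEEDED` is introduced without a comment, and from this change on `nfct_reasm` exists only when one of the four defrag options is set, no longer whenever conntrack is built. Code outside these hunks that still reads `skb->nfct_reasm` or calls `nf_conntrack_get_reasm()`/`nf_conntrack_put_reasm()` under the plain `CONFIG_NF_CONNTRACK` test would stop compiling with conntrack on and defrag off. A get/put site left under a different guard than the field would also unbalance the reference held on the reassembled skb. The sites visible here use the new guard consistently, but the rest of the tree is not shown, so a grep for remaining users is worth doing before merge. I would add above the macro `/* nfct_reasm and its get/put helpers are needed by IPv4/IPv6 defrag, with or without conntrack */`.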
-10
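--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -7,16 +7,6 @@
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
 
-extern int nf_ct_frag6_init(void);
-extern void nf_ct_frag6_cleanup(void);
-extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
-extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
-struct net_device *in,
-struct net_device *out,
-int (*okfn)(struct sk_buff *));
-
-struct inet_frags_ctl;
-
 #include <linux/sysctl.h>
 extern struct ctl_table nf_ct_ipv6_sysctl_table[];
 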
+10
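--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -3,4 +3,14 @@
 
 extern void nf_defrag_ipv6_enable(void);
 
+extern int nf_ct_frag6_init(void);
+extern void nf_ct_frag6_cleanup(void);
+extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
+extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
+struct net_device *in,
+struct net_device *out,
+int (*okfn)(struct sk_buff *));
+
+struct inet_frags_ctl;
+
 #endif /* _NF_DEFRAG_IPV6_H */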
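Review bot: The moved prototypes use `struct sk_buff`, `struct net_device` and `u32`, but the visible part of nf_defrag_ipv6.h includes nothing, so the header appears to build only when the includer has already pulled in the right headers (lines 1-2 are outside the hunk and presumably hold just the include guard). `struct net_device` would first appear inside a parameter list, which gives it prototype scope and a compiler warning when no earlier declaration exists. I would add `#include <linux/types.h>` and the forward declarations `struct sk_buff;` and `struct net_device;` ahead of the prototypes. Any file that reached `nf_ct_frag6_gather()` only through nf_conntrack_ipv6.h now needs this header too; nf_defrag_ipv6_hooks.c is the only includer shown in this commit.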
+2
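--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -380,6 +380,8 @@
 }
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 nf_conntrack_put(skb->nfct);
+#endif
+#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
 nf_conntrack_put_reasm(skb->nfct_reasm);
 #endif
 #ifdef CONFIG_BRIDGE_NETFILTER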
+7 -1
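--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -19,13 +19,15 @@
 
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter_bridge.h>
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
-#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
+#endif
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 
 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
@@ -33,8 +35,10 @@
 {
 u16 zone = NF_CT_DEFAULT_ZONE;
 
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 if (skb->nfct)
 zone = nf_ct_zone((struct nf_conn *)skb->nfct);
+#endif
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 if (skb->nf_bridge &&
@@ -56,9 +60,11 @@
 {
 struct sk_buff *reasm;
 
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 /* Previously seen (loopback)? */
 if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
 return NF_ACCEPT;
+#endif
 
 reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
 /* queued */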
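Review bot: `#include <net/netfilter/nf_conntrack_zones.h>` is moved outside the conntrack guard so that `NF_CT_DEFAULT_ZONE` stays defined, which only works if that header itself builds without conntrack. Its contents are not shown here, so this needs confirming with a CONFIG_NF_CONNTRACK=n, tproxy-enabled build. The two `#if` blocks added inside `nf_ct6_defrag_user()` and `ipv6_defrag()` are a style concern as well: a pair of small static inline helpers near the includes, with no-conntrack stubs returning `NF_CT_DEFAULT_ZONE` and false, would keep the preprocessor out of the function bodies. Both functions continue outside the hunks. A one-line comment at the second block, such as `/* without conntrack there is no nfct to mark an already-seen skb, so every packet goes to nf_ct_frag6_gather() */`, would record the behaviour difference.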