
netfilter: nf_conntrack: make nf_ct_zone_dflt built-in

Fengguang reported that some randconfig generated the following linker
issue involving the nf_ct_zone_dflt object:

[...]
CC init/version.o
LD init/built-in.o
net/built-in.o: In function `ipv4_conntrack_defrag':
nf_defrag_ipv4.c:(.text+0x93e95): undefined reference to `nf_ct_zone_dflt'
net/built-in.o: In function `ipv6_defrag':
nf_defrag_ipv6_hooks.c:(.text+0xe3ffe): undefined reference to `nf_ct_zone_dflt'
make: *** [vmlinux] Error 1

Given that configurations exist where we have a built-in part, which is
accessing nf_ct_zone_dflt such as the two handlers nf_ct_defrag_user()
and nf_ct6_defrag_user(), and a part that configures nf_conntrack as a
module, we must move nf_ct_zone_dflt into a fixed, guaranteed built-in
area when netfilter is configured in general.

Therefore, split the more generic parts into a common header under
include/linux/netfilter/ and move nf_ct_zone_dflt into the built-in
section that already holds parts related to CONFIG_NF_CONNTRACK in the
netfilter core. This fixes the issue on my side.

Fixes: 308ac9143ee2 ("netfilter: nf_conntrack: push zone object into functions")
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Daniel Borkmann and committed by
David S. Miller
62da9865 a82b0e63

+32 -25
+2
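--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -368,6 +368,8 @@
 #endif /*CONFIG_NETFILTER*/
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#include <linux/netfilter/nf_conntrack_zones_common.h>
+
 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
 void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
 extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;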
+23
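--- a/include/linux/netfilter/nf_conntrack_zones_common.h
+++ b/include/linux/netfilter/nf_conntrack_zones_common.h
@@ -0,0 +1,23 @@
+#ifndef _NF_CONNTRACK_ZONES_COMMON_H
+#define _NF_CONNTRACK_ZONES_COMMON_H
+
+#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_CT_DEFAULT_ZONE_ID 0
+
+#define NF_CT_ZONE_DIR_ORIG (1 << IP_CT_DIR_ORIGINAL)
+#define NF_CT_ZONE_DIR_REPL (1 << IP_CT_DIR_REPLY)
+
+#define NF_CT_DEFAULT_ZONE_DIR (NF_CT_ZONE_DIR_ORIG | NF_CT_ZONE_DIR_REPL)
+
+#define NF_CT_FLAG_MARK 1
+
+struct nf_conntrack_zone {
+u16 id;
+u8 flags;
+u8 dir;
+};
+
+extern const struct nf_conntrack_zone nf_ct_zone_dflt;
+
+#endif /* _NF_CONNTRACK_ZONES_COMMON_H */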
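Review bot: `struct nf_conntrack_zone` uses `u16` and `u8`, but the only include in this new header is the uapi tuple header, so it appears to depend on the including file having already pulled in the kernel integer types. Because `include/linux/netfilter.h` now includes this header in every conntrack-enabled build, adding `#include <linux/types.h>` above the existing include would make it self-contained, unless the uapi header already provides those types. The struct would also benefit from a field comment such as `/* dir: bitmask of NF_CT_ZONE_DIR_ORIG | NF_CT_ZONE_DIR_REPL */`, since `dir` takes `NF_CT_DEFAULT_ZONE_DIR` in the default zone. The meaning of `NF_CT_FLAG_MARK` is not stated anywhere in the visible lines and deserves a one-line comment too.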
+1 -18
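--- a/include/net/netfilter/nf_conntrack_zones.h
+++ b/include/net/netfilter/nf_conntrack_zones.h
@@ -1,24 +1,7 @@
 #ifndef _NF_CONNTRACK_ZONES_H
 #define _NF_CONNTRACK_ZONES_H
 
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-#define NF_CT_DEFAULT_ZONE_ID 0
-
-#define NF_CT_ZONE_DIR_ORIG (1 << IP_CT_DIR_ORIGINAL)
-#define NF_CT_ZONE_DIR_REPL (1 << IP_CT_DIR_REPLY)
-
-#define NF_CT_DEFAULT_ZONE_DIR (NF_CT_ZONE_DIR_ORIG | NF_CT_ZONE_DIR_REPL)
-
-#define NF_CT_FLAG_MARK 1
-
-struct nf_conntrack_zone {
-u16 id;
-u8 flags;
-u8 dir;
-};
-
-extern const struct nf_conntrack_zone nf_ct_zone_dflt;
+#include <linux/netfilter/nf_conntrack_zones_common.h>
 
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
 #include <net/netfilter/nf_conntrack_extend.h>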
+6
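--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -388,6 +388,12 @@
 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
 EXPORT_SYMBOL_GPL(nfq_ct_hook);
 
+/* Built-in default zone used e.g. by modules. */
+const struct nf_conntrack_zone nf_ct_zone_dflt = {
+.id = NF_CT_DEFAULT_ZONE_ID,
+.dir = NF_CT_DEFAULT_ZONE_DIR,
+};
+EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
 #endif /* CONFIG_NF_CONNTRACK */
 
 #ifdef CONFIG_NF_NAT_NEEDED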
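Review bot: The definition of `nf_ct_zone_dflt` sits just before `#endif /* CONFIG_NF_CONNTRACK */`, and the opening of that guard is outside the hunk, so it is not visible whether the guard also covers the modular case. The declaration in include/linux/netfilter.h is exposed under `defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)`. If the guard here were a plain `#ifdef CONFIG_NF_CONNTRACK`, an `=m` configuration would still hit the undefined reference this commit sets out to fix, so it should be `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` or an equivalent. The comment could also record why the object lives in this file, for example `/* Defined in the built-in netfilter core: built-in defrag hooks reference it even when nf_conntrack is a module. */`.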
-7
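--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1286,13 +1286,6 @@
 }
 EXPORT_SYMBOL_GPL(__nf_ct_kill_acct);
 
-/* Built-in default zone used e.g. by modules. */
-const struct nf_conntrack_zone nf_ct_zone_dflt = {
-.id = NF_CT_DEFAULT_ZONE_ID,
-.dir = NF_CT_DEFAULT_ZONE_DIR,
-};
-EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
-
 #ifdef CONFIG_NF_CONNTRACK_ZONES
 static struct nf_ct_ext_type nf_ct_zone_extend __read_mostly = {
 .len = sizeof(struct nf_conntrack_zone),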