Commit 2fc72c7b84002ffb3c66918e2a7b0ee607d8b5aa
Committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
1 parent
2f46e07995
Exists in
master
and in
7 other branches
netfilter: fix compilation when conntrack is disabled but tproxy is enabled
The IPv6 tproxy patches split IPv6 defragmentation off of conntrack, but failed to update the #ifdef stanzas guarding the defragmentation related fields and code in skbuff and conntrack related code in nf_defrag_ipv6.c. This patch adds the required #ifdefs so that IPv6 tproxy can truly be used without connection tracking. Original report: http://marc.info/?l=linux-netdev&m=129010118516341&w=2 Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 5 changed files with 34 additions and 11 deletions Side-by-side Diff
include/linux/skbuff.h
| ... | ... | @@ -255,6 +255,11 @@ |
| 255 | 255 | typedef unsigned char *sk_buff_data_t; |
| 256 | 256 | #endif |
| 257 | 257 | |
| 258 | +#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \ | |
| 259 | + defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) | |
| 260 | +#define NET_SKBUFF_NF_DEFRAG_NEEDED 1 | |
| 261 | +#endif | |
| 262 | + | |
| 258 | 263 | /** |
| 259 | 264 | * struct sk_buff - socket buffer |
| 260 | 265 | * @next: Next buffer in list |
| ... | ... | @@ -362,6 +367,8 @@ |
| 362 | 367 | void (*destructor)(struct sk_buff *skb); |
| 363 | 368 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
| 364 | 369 | struct nf_conntrack *nfct; |
| 370 | +#endif | |
| 371 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 365 | 372 | struct sk_buff *nfct_reasm; |
| 366 | 373 | #endif |
| 367 | 374 | #ifdef CONFIG_BRIDGE_NETFILTER |
| ... | ... | @@ -2057,6 +2064,8 @@ |
| 2057 | 2064 | if (nfct) |
| 2058 | 2065 | atomic_inc(&nfct->use); |
| 2059 | 2066 | } |
| 2067 | +#endif | |
| 2068 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 2060 | 2069 | static inline void nf_conntrack_get_reasm(struct sk_buff *skb) |
| 2061 | 2070 | { |
| 2062 | 2071 | if (skb) |
| ... | ... | @@ -2085,6 +2094,8 @@ |
| 2085 | 2094 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
| 2086 | 2095 | nf_conntrack_put(skb->nfct); |
| 2087 | 2096 | skb->nfct = NULL; |
| 2097 | +#endif | |
| 2098 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 2088 | 2099 | nf_conntrack_put_reasm(skb->nfct_reasm); |
| 2089 | 2100 | skb->nfct_reasm = NULL; |
| 2090 | 2101 | #endif |
| ... | ... | @@ -2101,6 +2112,8 @@ |
| 2101 | 2112 | dst->nfct = src->nfct; |
| 2102 | 2113 | nf_conntrack_get(src->nfct); |
| 2103 | 2114 | dst->nfctinfo = src->nfctinfo; |
| 2115 | +#endif | |
| 2116 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 2104 | 2117 | dst->nfct_reasm = src->nfct_reasm; |
| 2105 | 2118 | nf_conntrack_get_reasm(src->nfct_reasm); |
| 2106 | 2119 | #endif |
| ... | ... | @@ -2114,6 +2127,8 @@ |
| 2114 | 2127 | { |
| 2115 | 2128 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
| 2116 | 2129 | nf_conntrack_put(dst->nfct); |
| 2130 | +#endif | |
| 2131 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 2117 | 2132 | nf_conntrack_put_reasm(dst->nfct_reasm); |
| 2118 | 2133 | #endif |
| 2119 | 2134 | #ifdef CONFIG_BRIDGE_NETFILTER |
include/net/netfilter/ipv6/nf_conntrack_ipv6.h
| ... | ... | @@ -7,16 +7,6 @@ |
| 7 | 7 | extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6; |
| 8 | 8 | extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6; |
| 9 | 9 | |
| 10 | -extern int nf_ct_frag6_init(void); | |
| 11 | -extern void nf_ct_frag6_cleanup(void); | |
| 12 | -extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); | |
| 13 | -extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, | |
| 14 | - struct net_device *in, | |
| 15 | - struct net_device *out, | |
| 16 | - int (*okfn)(struct sk_buff *)); | |
| 17 | - | |
| 18 | -struct inet_frags_ctl; | |
| 19 | - | |
| 20 | 10 | #include <linux/sysctl.h> |
| 21 | 11 | extern struct ctl_table nf_ct_ipv6_sysctl_table[]; |
| 22 | 12 |
include/net/netfilter/ipv6/nf_defrag_ipv6.h
| ... | ... | @@ -3,5 +3,15 @@ |
| 3 | 3 | |
| 4 | 4 | extern void nf_defrag_ipv6_enable(void); |
| 5 | 5 | |
| 6 | +extern int nf_ct_frag6_init(void); | |
| 7 | +extern void nf_ct_frag6_cleanup(void); | |
| 8 | +extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); | |
| 9 | +extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, | |
| 10 | + struct net_device *in, | |
| 11 | + struct net_device *out, | |
| 12 | + int (*okfn)(struct sk_buff *)); | |
| 13 | + | |
| 14 | +struct inet_frags_ctl; | |
| 15 | + | |
| 6 | 16 | #endif /* _NF_DEFRAG_IPV6_H */ |
net/core/skbuff.c
| ... | ... | @@ -380,6 +380,8 @@ |
| 380 | 380 | } |
| 381 | 381 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
| 382 | 382 | nf_conntrack_put(skb->nfct); |
| 383 | +#endif | |
| 384 | +#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED | |
| 383 | 385 | nf_conntrack_put_reasm(skb->nfct_reasm); |
| 384 | 386 | #endif |
| 385 | 387 | #ifdef CONFIG_BRIDGE_NETFILTER |
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
| ... | ... | @@ -19,13 +19,15 @@ |
| 19 | 19 | |
| 20 | 20 | #include <linux/netfilter_ipv6.h> |
| 21 | 21 | #include <linux/netfilter_bridge.h> |
| 22 | +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | |
| 22 | 23 | #include <net/netfilter/nf_conntrack.h> |
| 23 | 24 | #include <net/netfilter/nf_conntrack_helper.h> |
| 24 | 25 | #include <net/netfilter/nf_conntrack_l4proto.h> |
| 25 | 26 | #include <net/netfilter/nf_conntrack_l3proto.h> |
| 26 | 27 | #include <net/netfilter/nf_conntrack_core.h> |
| 27 | -#include <net/netfilter/nf_conntrack_zones.h> | |
| 28 | 28 | #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> |
| 29 | +#endif | |
| 30 | +#include <net/netfilter/nf_conntrack_zones.h> | |
| 29 | 31 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> |
| 30 | 32 | |
| 31 | 33 | static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum, |
| 32 | 34 | |
| ... | ... | @@ -33,8 +35,10 @@ |
| 33 | 35 | { |
| 34 | 36 | u16 zone = NF_CT_DEFAULT_ZONE; |
| 35 | 37 | |
| 38 | +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | |
| 36 | 39 | if (skb->nfct) |
| 37 | 40 | zone = nf_ct_zone((struct nf_conn *)skb->nfct); |
| 41 | +#endif | |
| 38 | 42 | |
| 39 | 43 | #ifdef CONFIG_BRIDGE_NETFILTER |
| 40 | 44 | if (skb->nf_bridge && |
| 41 | 45 | |
| ... | ... | @@ -56,9 +60,11 @@ |
| 56 | 60 | { |
| 57 | 61 | struct sk_buff *reasm; |
| 58 | 62 | |
| 63 | +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | |
| 59 | 64 | /* Previously seen (loopback)? */ |
| 60 | 65 | if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct)) |
| 61 | 66 | return NF_ACCEPT; |
| 67 | +#endif | |
| 62 | 68 | |
| 63 | 69 | reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); |
| 64 | 70 | /* queued */ |