
netfilter: fix xt_TEE and xt_TPROXY dependencies

Kconfig is too smart for its own good: a Kconfig line that states

	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES

means that if IP6_NF_IPTABLES is set to 'm', then NF_DEFRAG_IPV6 will
also be set to 'm', regardless of the state of the symbol from which
it is selected. When the xt_TEE driver is built-in and nothing else
forces NF_DEFRAG_IPV6 to be built-in, this causes a link-time error:

net/built-in.o: In function `tee_tg6':
net/netfilter/xt_TEE.c:46: undefined reference to `nf_dup_ipv6'

This works around that behavior by changing the dependency to
'if IP6_NF_IPTABLES != n', which is interpreted as a boolean expression
rather than a tristate and causes the NF_DEFRAG_IPV6 symbol to
be built-in as well.

The bug only occurs once in thousands of 'randconfig' builds and
does not really impact real users. From inspecting the other
surrounding Kconfig symbols, I am guessing that NETFILTER_XT_TARGET_TPROXY
and NETFILTER_XT_MATCH_SOCKET have the same issue. If not, this
change should still be harmless.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arnd Bergmann 10 years ago
parent
commit
74ec4d55c4
1 changed files with 3 additions and 3 deletions

net/netfilter/Kconfig

@@ -869,7 +869,7 @@ config NETFILTER_XT_TARGET_TEE
 	depends on IPV6 || IPV6=n
 	depends on IPV6 || IPV6=n
 	depends on !NF_CONNTRACK || NF_CONNTRACK
 	depends on !NF_CONNTRACK || NF_CONNTRACK
 	select NF_DUP_IPV4
 	select NF_DUP_IPV4
-	select NF_DUP_IPV6 if IP6_NF_IPTABLES
+	select NF_DUP_IPV6 if IP6_NF_IPTABLES != n
 	---help---
 	---help---
 	This option adds a "TEE" target with which a packet can be cloned and
 	This option adds a "TEE" target with which a packet can be cloned and
 	this clone be rerouted to another nexthop.
 	this clone be rerouted to another nexthop.
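Review bot: The changelog says this makes NF_DEFRAG_IPV6 built-in for xt_TEE, but the select changed in this hunk is 'select NF_DUP_IPV6', which is also what the quoted link error (undefined reference to nf_dup_ipv6) points at; please correct the symbol name in the commit message so the description matches the fix. This is the one entry of the three where the failing combination is reachable from the visible lines: NETFILTER_XT_TARGET_TEE depends only on 'IPV6 || IPV6=n', so it can be 'y' while IP6_NF_IPTABLES is 'm', and the old tristate condition then capped the selected symbol at 'm'. A one-line '#' comment above the select explaining why '!= n' is used would keep a later cleanup from simplifying it back.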
@@ -882,7 +882,7 @@ config NETFILTER_XT_TARGET_TPROXY
 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 	depends on IP_NF_MANGLE
 	depends on IP_NF_MANGLE
 	select NF_DEFRAG_IPV4
 	select NF_DEFRAG_IPV4
-	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
+	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
 	help
 	help
 	  This option adds a `TPROXY' target, which is somewhat similar to
 	  This option adds a `TPROXY' target, which is somewhat similar to
 	  REDIRECT.  It can only be used in the mangle table and is useful
 	  REDIRECT.  It can only be used in the mangle table and is useful
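Review bot: The new condition on 'select NF_DEFRAG_IPV6' looks like a no-op for this entry, because the existing 'depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n' already limits NETFILTER_XT_TARGET_TPROXY to 'm' whenever IP6_NF_IPTABLES is 'm'. The select value is the selecting symbol's value AND'ed with the condition, so with that dependency in place the old and new forms give the same result in every reachable configuration. The changelog only guesses that TPROXY is affected; either drop this hunk or state in the commit message that it is for consistency with the TEE change and has no functional effect.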
@@ -1375,7 +1375,7 @@ config NETFILTER_XT_MATCH_SOCKET
 	depends on IPV6 || IPV6=n
 	depends on IPV6 || IPV6=n
 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 	select NF_DEFRAG_IPV4
 	select NF_DEFRAG_IPV4
-	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
+	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
 	help
 	help
 	  This option adds a `socket' match, which can be used to match
 	  This option adds a `socket' match, which can be used to match
 	  packets for which a TCP or UDP socket lookup finds a valid socket.
 	  packets for which a TCP or UDP socket lookup finds a valid socket.
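Review bot: No failing configuration is given for NETFILTER_XT_MATCH_SOCKET, and the 'depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n' line in this hunk already rules out the built-in match with modular ip6tables, so the case the '!= n' condition is meant to cover cannot be selected here. If the hunk stays for uniformity, attach the randconfig .config that was used to check the three entries, so the claim that the change is harmless can be verified rather than assumed.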