From patchwork Mon Jan 15 15:49:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 124534
Delivered-To: patch@linaro.org
Received: by 10.46.64.148 with SMTP id r20csp711049lje;
 Mon, 15 Jan 2018 07:49:58 -0800 (PST)
X-Google-Smtp-Source: ACJfBostRjuIh16l1iPA99WXpUhuX0gP0r3e2qUIMyfmSdYl4j2UzOFr3QtD5cXLyc8jknrPl024
X-Received: by 10.98.55.3 with SMTP id e3mr132851pfa.119.1516031398025;
 Mon, 15 Jan 2018 07:49:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516031398; cv=none;
 d=google.com; s=arc-20160816;
 b=Q3eyEEmld7kTh19uKqr7kzcdytndz3J+WEl1CAD3DIiVXkvoaLguqtpdFtbE33iqZR
 Q6PJeAEGqW8vsMncb7ott3p+FpSK4WeCNzm+f7c32yXqEE5vmSMfpSPt1blZ3BwaAf+0
 wf/Z7QC3eMO2mk/EtXKrXnnxun7MWSkPLCTpj1rj60h1juLrpoB0M9jzNbpfs3G3ypQl
 7X7KwMeaD/QEwYWXvmSof9u/Vh1iS48EQ/qwSpD9Nxwc6kgUJgvDECaT8hFPG3LnCgRh
 eM+Uz0cSjKaIkMKmDuAuPnEg9/oVlMAQEmf+PzKvWOs92OBginVPw1pXKMZIgKpcImba
 muPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:message-id:date:subject:cc:to:from
 :arc-authentication-results;
 bh=qsqGameFE/6tgH1l3YnS0TRQBmeXPsufqjQAX3cpqVo=;
 b=sczL3F/M48ZP8pEFvOkouLTCYq6Kr9JyWAP3uRvQCC3uPXNDW16uNNxlbLyU/FiDMO
 Eaib7uVuRjNpK+g1dhM6NWS8Y7JxbIGIJFsHiPzS+48lw1hCKE7LVqb86b6W3FpEhFPI
 OS7n4saFQlNlngPWVZ3im0XcLjIaGKVm52JiE6NW1A1VjxPuvmu27UeK0BE9dfPddml8
 62G3lON5JQkEy5gIT5OY/gkDKKCRuuD5/gt1FPIoAPLvvsS23E9voNXnQiuouoAzz40B
 L3oRNHH94SUzZwP2FAzhT3b4++ySI4g/baci7otWzW4KX0S0hRJc/SlnTELVtJ5XcQhi
 vY7g==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 t70si15582506pgd.13.2018.01.15.07.49.57; 
 Mon, 15 Jan 2018 07:49:58 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S934839AbeAOPtx (ORCPT <rfc822;dan.rue@linaro.org> + 28 others);
 Mon, 15 Jan 2018 10:49:53 -0500
Received: from mout.kundenserver.de ([217.72.192.73]:56238 "EHLO
 mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S933346AbeAOPtv (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Mon, 15 Jan 2018 10:49:51 -0500
Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de
 (mreue104 [212.227.15.145]) with ESMTPA (Nemesis) id
 0Lc873-1fIAwD1tFl-00jdMa; Mon, 15 Jan 2018 16:49:24 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>,
 Pablo Neira Ayuso <pablo@netfilter.org>,
 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
 Florian Westphal <fw@strlen.de>, "David S. Miller" <davem@davemloft.net>,
 Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
 Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Arnd Bergmann <arnd@arndb.de>, netfilter-devel@vger.kernel.org,
 coreteam@netfilter.org, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH net-next 1/2] netfilter: nf_defrag: mark xt_table structures
 'const' again
Date: Mon, 15 Jan 2018 16:49:05 +0100
Message-Id: <20180115154918.4176669-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Provags-ID: V03:K0:Zkn75YWNiud7KpYsn1Fseik51gLkyLS8xETn7YyE7o3UaPx0VW2
 fsjWmwrvGzpbdlRn0aK4Yr8oKMqNxDyZz5Q9F/qbzlibffjqumgs5byKLwW5uopzdYg0OmX
 gdwywGM20J+88d/utHcMyXHFG4UM6Dbv2TBQFK+K++Shb2kTJUy+6n8+2upvIUro0+iDFWP
 ceAKVs7QuIOI7ANfo/CZw==
X-UI-Out-Filterresults: notjunk:1; V01:K0:7VY2CFU7DpY=:bTKLSYzHJGlWYXcNooK2fl
 LWsEwbgjDk5N7nNSewNb2kKvtiT1pxWyURJtd8N0bPS9bd3u4MDa7V54QRvLoU5LxCtvEeaw3
 m0P0HEltQhPacCdzx0iSHJtTIGMNcesKuDWNU7pfgQTH1fHtZJIcPxr/2OqUCspsxvuANi98Z
 jyEJSiATOX8ybre23zQG9SI5EKY0l9eEyxJoeHyZ0oP7VC6DYUiObf/9D2cbeE3WTadKsftid
 7mqq+RL3QyZY38m/74bDcv8nkjTx7Lk+rNC8cLQg3QwSquyun2gKhDpCdToDn2jIiBOrez6Sr
 LjDsJKriX24AQE1fWuPeUOuv47NeBnqfeZAuqqmIPo4bciK0gRgjKCABv9UO1b1eoM9h+yrLw
 tlsnCBwF9RY8Wd89wfri40olA+gN5ujAUeUuaT5xGIJ0qvxC8Yy9mmXNHbLWhxgwRBJQVC6k7
 Zv1y9M4//TUckrQSoaJXQY0Gk1rPqizIoDp2+sqZj2arrXV0HoyQ5AXH8OO4M2z5FZCwZwZPh
 XBn72mveqysFLXFuoInSXCSQp+hZKSGTMYAMmDa4jsBXsoW8u4wVmEJ+iAbhrPF6bADFvzArK
 UzQDGPcZoKMmxddjkhOAD7FP+EHmh4Amu2ZalcZjfn/nDB0vs8Uw0KPQJtki91HitQlp3Bex2
 7qjf7wNWJ5flUMPYO6WVCH7Wi6mO+xJq5H51UDGT4nyzLM2UlC/duzWbvltzHFHFQHe1N9nEd
 3UmQBG4cY4w0vXFNzjJ3fimAXhWKgwebMEnBSQ==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

As a side-effect of adding the module option, we now get a section
mismatch warning:

WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init()
The variable packet_raw references
the function __init iptable_raw_table_init()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console

Apparently it's ok to link to a __net_init function from .rodata but not
from .data. We can address this by rearranging the logic so that the
structure is read-only again. Instead of writing to the .priority field
later, we have an extra copies of the structure with that flag. An added
advantage is that that we don't have writable function pointers with this
approach.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
This might not be the best fix for the issue, please have a look if you
can come up with something nicer, or just apply this version.
---
 net/ipv4/netfilter/iptable_raw.c  | 24 +++++++++++++++++++-----
 net/ipv6/netfilter/ip6table_raw.c | 24 +++++++++++++++++++-----
 2 files changed, 38 insertions(+), 10 deletions(-)

-- 
2.9.0

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 29b64d3024e0..960625aabf04 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -17,7 +17,7 @@ static bool raw_before_defrag __read_mostly;
 MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
 module_param(raw_before_defrag, bool, 0000);
 
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
 	.name = "raw",
 	.valid_hooks =  RAW_VALID_HOOKS,
 	.me = THIS_MODULE,
@@ -26,6 +26,15 @@ static struct xt_table packet_raw = {
 	.table_init = iptable_raw_table_init,
 };
 
+static const struct xt_table packet_raw_before_defrag = {
+	.name = "raw",
+	.valid_hooks =  RAW_VALID_HOOKS,
+	.me = THIS_MODULE,
+	.af = NFPROTO_IPV4,
+	.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG,
+	.table_init = iptable_raw_table_init,
+};
+
 /* The work comes in here from netfilter.c. */
 static unsigned int
 iptable_raw_hook(void *priv, struct sk_buff *skb,
@@ -39,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
 static int __net_init iptable_raw_table_init(struct net *net)
 {
 	struct ipt_replace *repl;
+	const struct xt_table *table = &packet_raw;
 	int ret;
 
+	if (raw_before_defrag)
+		table = &packet_raw_before_defrag;
+
 	if (net->ipv4.iptable_raw)
 		return 0;
 
-	repl = ipt_alloc_initial_table(&packet_raw);
+	repl = ipt_alloc_initial_table(table);
 	if (repl == NULL)
 		return -ENOMEM;
-	ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops,
+	ret = ipt_register_table(net, table, repl, rawtable_ops,
 				 &net->ipv4.iptable_raw);
 	kfree(repl);
 	return ret;
@@ -68,14 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = {
 static int __init iptable_raw_init(void)
 {
 	int ret;
+	const struct xt_table *table = &packet_raw;
 
 	if (raw_before_defrag) {
-		packet_raw.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG;
+		table = &packet_raw_before_defrag;
 
 		pr_info("Enabling raw table before defrag\n");
 	}
 
-	rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook);
+	rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook);
 	if (IS_ERR(rawtable_ops))
 		return PTR_ERR(rawtable_ops);
 
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 3df7383f96d0..710fa0806c37 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -16,7 +16,7 @@ static bool raw_before_defrag __read_mostly;
 MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
 module_param(raw_before_defrag, bool, 0000);
 
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
 	.name = "raw",
 	.valid_hooks = RAW_VALID_HOOKS,
 	.me = THIS_MODULE,
@@ -25,6 +25,15 @@ static struct xt_table packet_raw = {
 	.table_init = ip6table_raw_table_init,
 };
 
+static const struct xt_table packet_raw_before_defrag = {
+	.name = "raw",
+	.valid_hooks = RAW_VALID_HOOKS,
+	.me = THIS_MODULE,
+	.af = NFPROTO_IPV6,
+	.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG,
+	.table_init = ip6table_raw_table_init,
+};
+
 /* The work comes in here from netfilter.c. */
 static unsigned int
 ip6table_raw_hook(void *priv, struct sk_buff *skb,
@@ -38,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
 static int __net_init ip6table_raw_table_init(struct net *net)
 {
 	struct ip6t_replace *repl;
+	const struct xt_table *table = &packet_raw;
 	int ret;
 
+	if (raw_before_defrag)
+		table = &packet_raw_before_defrag;
+
 	if (net->ipv6.ip6table_raw)
 		return 0;
 
-	repl = ip6t_alloc_initial_table(&packet_raw);
+	repl = ip6t_alloc_initial_table(table);
 	if (repl == NULL)
 		return -ENOMEM;
-	ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops,
+	ret = ip6t_register_table(net, table, repl, rawtable_ops,
 				  &net->ipv6.ip6table_raw);
 	kfree(repl);
 	return ret;
@@ -67,15 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = {
 static int __init ip6table_raw_init(void)
 {
 	int ret;
+	const struct xt_table *table = &packet_raw;
 
 	if (raw_before_defrag) {
-		packet_raw.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG;
+		table = &packet_raw_before_defrag;
 
 		pr_info("Enabling raw table before defrag\n");
 	}
 
 	/* Register hooks */
-	rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook);
+	rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook);
 	if (IS_ERR(rawtable_ops))
 		return PTR_ERR(rawtable_ops);
 

From patchwork Mon Jan 15 15:49:06 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 124535
Delivered-To: patch@linaro.org
Received: by 10.46.64.148 with SMTP id r20csp711102lje;
 Mon, 15 Jan 2018 07:50:07 -0800 (PST)
X-Google-Smtp-Source: ACJfBotv5DsZ1fGCf+QjoyrQ0S4CGwtZvhAVr5W3ELOg+W7YRmr0IuT7ubuIvPjJppXWMP4kqRk5
X-Received: by 10.98.93.65 with SMTP id r62mr22792405pfb.55.1516031406856;
 Mon, 15 Jan 2018 07:50:06 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516031406; cv=none;
 d=google.com; s=arc-20160816;
 b=bpKrzu53iVHJ7CKxxy78Nmkosrdz9JqXVyH3O2kD5PaB0zb687NH3gtZlgkzXNq/f1
 f5i1eTRnGvcAaqurBa5+w593lEkSBB8T98BvFkDoCWedVWwzS3UKdaecndM7um9KjBJC
 zlbR7qXVivN99B5diTm9kPsTD1UuS4dPA91d+jsVIYui8pPkpXPqToU4HrgAKLzFr0p9
 W9jwWJiU3RFlq71CFGZ3uqDuo/3oHdn3IklWZYzpkF1v0FI6hn+okej2JcgYB/IIzESx
 JSsWBaWg3JliQkdjjQUDRO0aftm6H8T5+FDEWKjZz51h99bAAwn0NmuWkPTuS47QWdTT
 i7YQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:arc-authentication-results;
 bh=979S9Wtm0QxrmTSEU17/2UZVkxHeTxpGZnrgu2C6Iuk=;
 b=Aks2CpR5FT+Xqd0lYs+bObteqsDfyqNsBEhEQHOiBLaqiPa6jgEftkR6NtOs2QOY6Y
 kDj7ROAJJBzoHhSYCWovgPlgpMWfSdMbyC5o3DtODfpkib7N5Vi5tsb0SxKmu4eyIAed
 JdhcI7bcp2HhVJ+LfXdNBXtsNKBdm+6C2cnr4mH8Q3tn3V9Vji6ONg+GAI/FTSXT/Iog
 hUnghrb8fByHeBk4L4lk0IWPFSPB5jhGlV+HJuOP10ILkV4B8+dgt0M4OiU+O5Yd9AK+
 RoJUXmRzdiAmFqUTTiBTRR8C5sQob8Ena6DEN9lrOsCYsPwbL0351yM03KSNbhRNSskS
 teFA==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 t70si15582506pgd.13.2018.01.15.07.50.06; 
 Mon, 15 Jan 2018 07:50:06 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S966493AbeAOPuE (ORCPT <rfc822;dan.rue@linaro.org> + 28 others);
 Mon, 15 Jan 2018 10:50:04 -0500
Received: from mout.kundenserver.de ([212.227.17.10]:54898 "EHLO
 mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S934920AbeAOPt6 (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Mon, 15 Jan 2018 10:49:58 -0500
Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de
 (mreue104 [212.227.15.145]) with ESMTPA (Nemesis) id
 0Lm4GH-1fARhR43VJ-00ZhCC; Mon, 15 Jan 2018 16:49:37 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>,
 Pablo Neira Ayuso <pablo@netfilter.org>,
 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
 Florian Westphal <fw@strlen.de>, "David S. Miller" <davem@davemloft.net>,
 Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
 Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Arnd Bergmann <arnd@arndb.de>, netfilter-devel@vger.kernel.org,
 coreteam@netfilter.org, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH net-next 2/2] netfilter: nf_defrag: move NF_CONNTRACK bits
 into #ifdef
Date: Mon, 15 Jan 2018 16:49:06 +0100
Message-Id: <20180115154918.4176669-2-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20180115154918.4176669-1-arnd@arndb.de>
References: <20180115154918.4176669-1-arnd@arndb.de>
X-Provags-ID: V03:K0:QAXX7GnLdrScys7zsROL816K4N+D7ePLK24bZjBorIwPBGI3YN9
 wnmIVpFvQOgdhY9LNpH6QrlQIHiCu9lG62po1IVZNPx8UVosk1JgxM+EANizARW/O7d2TYS
 8n8QaXZCNu4IW72SNbwg7W7FbQZeS+nDQSUlVMXJMQ0GymCRGX62vq7ogDiPGXmJMb10Ub3
 ZC+PPLFHdCOvXsxkh7+8g==
X-UI-Out-Filterresults: notjunk:1; V01:K0:uH0vtpYUeME=:k/iEJcn7ZaNXSYkJNFQwzC
 LfoZmNxs7ne+jRsDuSrvBGePQq8NGGE7Jnl8ThSGZolq4tJSwFkVipw27BYJApv92jH5zpGh+
 sQvh+dxaqCauyhR6e6oMpWwtPr3xuSHId+jFWGd02a+7ZEMeXHhE2XoLP6dNB/59k0//KwNHj
 lf0rhTOIuRCGtU4ZudqxQBP3zx+TdLGxVx+Gw3NefsUAq+VSbaj2Bo8PrtMPYG1WYW6SebGwc
 OfOzx7hbK65I9kKsvP9OYgviyF9hiBZYv4w2a3Y+KrXT7rsqPWWw5IGq8CllG1YoED7mhgERZ
 nDnxlC8YCc+JI1JJyKw6nk0RikC+dX1iZAwXPqgOvCIBiYVjFkTxqQFQpQ8MwTOIyugW/vIS6
 bQNEnwUsjWSvILFVkDBKjiWmCkXvlsWcd6a/W0uAQXsOpmb9d/FT2WsTc4TLY6KQvnRjXWD4x
 JODY89Z+FUHb9ilSyQHbInDO1f19piWTch+aQL3WAFliFYPxdI1H/j937sJWS5t1wh1xDwbDr
 h0ifoCCCC3mXyNrShHt6Tks95oweHCDGnLLSb8OC/gUPBcfw58MO1MEZdHUi7sJuiJIUi/81f
 L/L6OxbiT23L0fWmF5P/OeRrDjDndpKIy2POZVoixKVF6WcfJhfzRAoVjfHzM8xqNbioHRNGX
 9lmbmhj9TcMDLs5du0nz5TD2nFsIFx7ZIPVqmydTHwzy3eNLcvdf3jvg4rTAs56MVB2xHtOjJ
 0f1h9Sv4S4gP0TWe1pB1/87S+kWRkFl7aQioDg==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
disabled:

net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c: In function 'ipv6_defrag':
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'

Both functions already have an #ifdef for this, so let's move the
check in there.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
Please double-check what the right behavior for !CONFIG_NF_CONNTRACK
should be, I was only guessing here.
---
 net/ipv4/netfilter/nf_defrag_ipv4.c       | 4 +++-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
2.9.0

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index cbd987f6b1f8..a0d3ad60a411 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -78,9 +78,11 @@ static unsigned int ipv4_conntrack_defrag(void *priv,
 	if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
 		return NF_ACCEPT;
 #endif
+	if (skb->_nfct == IP_CT_UNTRACKED)
+		return NF_ACCEPT;
 #endif
 	/* Gather fragments. */
-	if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb))) {
+	if (ip_is_fragment(ip_hdr(skb))) {
 		enum ip_defrag_users user =
 			nf_ct_defrag_user(state->hook, skb);
 
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index 87b503a8f5ef..c87b48359e8f 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -63,10 +63,10 @@ static unsigned int ipv6_defrag(void *priv,
 	/* Previously seen (loopback)?	*/
 	if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
 		return NF_ACCEPT;
-#endif
 
 	if (skb->_nfct == IP_CT_UNTRACKED)
 		return NF_ACCEPT;
+#endif
 
 	err = nf_ct_frag6_gather(state->net, skb,
 				 nf_ct6_defrag_user(state->hook, skb));