[OpenWrt-Devel] [RFC 26/27] kernel: netfilter: Adapt merge ipv4/ipv6 masquerade code

Hauke Mehrtens hauke at hauke-m.de
Sun Dec 2 17:02:22 EST 2018


On 11/30/18 3:15 AM, Yousong Zhou wrote:
> On Fri, 30 Nov 2018 at 06:26, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>
>> On 11/28/18 6:53 AM, Yousong Zhou wrote:
>>> On Wed, 28 Nov 2018 at 07:21, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>>>
>>>> In kernel commit 0168e8b361 ("netfilter: nat: merge ipv4/ipv6 masquerade
>>>> code into main nat module") the CONFIG_NF_NAT_MASQUERADE_IPV4 and
>>>> CONFIG_NF_NAT_MASQUERADE_IPV6 kernel configuration options were changed
>>>> to bool and the code will not be compiled as its own module any more, but
>>>> it will be integrated into nf_nat_ipv4.ko or nf_nat_ipv6.ko to save some
>>>> memory.
>>>>
>>>> Activate these options as bool in the generic kernel 4.19 configuration
>>>> only, to always build them into the nf_nat_ipv*.ko modules. The kmod
>>>> file will still try to select them as module, but the generic
>>>> configuration will not be overwritten.
>>>>
>>>> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
>>>> ---
>>>>  include/netfilter.mk             | 4 ++--
>>>>  target/linux/generic/config-4.19 | 4 ++--
>>>>  2 files changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/include/netfilter.mk b/include/netfilter.mk
>>>> index 2d232b5f5c..4b9cc20622 100644
>>>> --- a/include/netfilter.mk
>>>> +++ b/include/netfilter.mk
>>>> @@ -187,10 +187,10 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt))
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT, $(P_XT)nf_nat),))
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect, ge 3.19.0),))
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, $(P_V4)nf_nat_ipv4),))
>>>> -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_MASQUERADE_IPV4, $(P_V4)nf_nat_masquerade_ipv4),))
>>>> +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_MASQUERADE_IPV4, $(P_V4)nf_nat_masquerade_ipv4, lt 4.18),))
>>>>
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6),))
>>>> -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_MASQUERADE_IPV6, $(P_V6)nf_nat_masquerade_ipv6),))
>>>> +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_MASQUERADE_IPV6, $(P_V6)nf_nat_masquerade_ipv6, lt 4.18),))
>>>>
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_NAT, $(P_XT)xt_nat),))
>>>>  $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, $(P_V4)iptable_nat),))
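
Review bot: the version condition on the two added nf_nat_masquerade lines is `lt 4.18`, while the commit message only talks about the 4.19 configuration and never says which kernel release first carries the merged masquerade code. Please name that release in the commit message so the cut-off can be checked against it, and consider writing the condition as `lt 4.18.0` to match the three-part form of the existing `ge 3.19.0` condition on the nf_nat_redirect line.
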
>>>> diff --git a/target/linux/generic/config-4.19 b/target/linux/generic/config-4.19
>>>> index c197f58464..5dec53c0f3 100644
>>>> --- a/target/linux/generic/config-4.19
>>>> +++ b/target/linux/generic/config-4.19
>>>> @@ -3352,8 +3352,8 @@ CONFIG_NF_CONNTRACK_PROCFS=y
>>>>  # CONFIG_NF_NAT_H323 is not set
>>>>  # CONFIG_NF_NAT_IPV6 is not set
>>>>  # CONFIG_NF_NAT_IRC is not set
>>>> -# CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
>>>> -# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set
>>>> +CONFIG_NF_NAT_MASQUERADE_IPV4=y
>>>> +CONFIG_NF_NAT_MASQUERADE_IPV6=y
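
Review bot: both symbols are switched to `=y` unconditionally in the generic 4.19 config, and CONFIG_NF_NAT_MASQUERADE_IPV6 now sits directly below `# CONFIG_NF_NAT_IPV6 is not set`, so the outcome relies on Kconfig dropping the option when its dependencies are off. Please confirm with a build that has IPv6 disabled that the option does not survive into the final config, and say in the commit message what happens to these `=y` lines when nf_nat_ipv4, nf_nat_ipv6 or IPv6 itself is not enabled.
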
>>>
>>> The ipv6 config option should be placed into config/Config-kernel.in,
>>> so that it can depend on the state of CONFIG_KERNEL_IPV6 option.
>>
>> Hi yousong,
>>
>> The IPV6 version is only available if CONFIG_IPV6 is selected otherwise
>> it is not possible to select it:
>> kernel 4.19:
>> https://elixir.bootlin.com/linux/v4.19.5/source/net/ipv6/netfilter/Kconfig#L121
>> kernel 4.9:
>> https://elixir.bootlin.com/linux/v4.9.141/source/net/ipv6/netfilter/Kconfig#L97
>>
>> This depends on the kernel version; on kernel < 4.18 this should be built
>> as a module.
>>
>> Would it be better to add some KConfig options which depend on kernel
>> 4.19 near CONFIG_KERNEL_IPV6 ?
> 
> If this is a trend in the mainline to transform ipv6 options from
> tristate to bool, then annotating them each in the build system will
> become unwieldy sooner or later.

In the netfilter part some kernel modules were merged together, to save
some memory. In this change the nf_nat_masquerade_ipv6.ko kernel module
will be built into the nf_nat_ipv6.ko kernel module, IPv4 and IPv6 will
still be separated.
https://git.kernel.org/linus/0168e8b36145a7db353055bdd2673096165c8a3a

The only new part where an IPv4 netfilter module depends on an IPv6 module
is related to the IPv6 IP defrag module which is now needed by the core
netfilter code in case the kernel is compiled with IPv6 support, for the
other cases the IPv4 and IPv6 part still stays separate as before.
https://git.kernel.org/linus/a0ae2562c6c4b2721d9fddba63b7286c13517d9f


> Thinking it again, the main concern seems to be that we can still
> tweak out ipv6 from the build by disabling it with
> CONFIG_KERNEL_IPV6=n.  If this is still achievable with IPV6 options
> in the kernel config presets, then I think it's fine to include them
> there.

I hope this still works, but I will definitely try this before merging
the code.

> There are already several targets with IPV6 options explicitly
> enabled.  It's a bit odd and inconsistent.
> 
> ➜  ~/git-repo/openwrt/openwrt git:(master) find target/linux -name
> 'config-*' | xargs ag -s IPV6 | grep =
> target/linux/layerscape/armv8_64b/config-4.9:690:CONFIG_IPV6=y
> target/linux/layerscape/armv8_64b/config-4.9:691:CONFIG_IPV6_SIT=y
> target/linux/layerscape/armv8_32b/config-4.9:643:CONFIG_IPV6=y
> target/linux/layerscape/armv8_32b/config-4.9:644:CONFIG_IPV6_MULTIPLE_TABLES=y
> target/linux/layerscape/armv8_32b/config-4.9:645:CONFIG_IPV6_OPTIMISTIC_DAD=y
> target/linux/layerscape/armv8_32b/config-4.9:646:CONFIG_IPV6_ROUTER_PREF=y
> target/linux/layerscape/armv8_32b/config-4.9:647:CONFIG_IPV6_SIT=y
> target/linux/cns3xxx/config-4.14:192:CONFIG_IPV6=y
> target/linux/cns3xxx/config-4.14:193:CONFIG_IPV6_MROUTE=y
> target/linux/cns3xxx/config-4.14:194:CONFIG_IPV6_MULTIPLE_TABLES=y
> target/linux/cns3xxx/config-4.14:196:CONFIG_IPV6_SUBTREES=y
> target/linux/cns3xxx/config-4.14:259:CONFIG_NF_CONNTRACK_IPV6=m
> target/linux/cns3xxx/config-4.14:262:CONFIG_NF_DEFRAG_IPV6=m
> target/linux/cns3xxx/config-4.14:265:CONFIG_NF_LOG_IPV6=m
> target/linux/cns3xxx/config-4.14:272:CONFIG_NF_REJECT_IPV6=m
> target/linux/generic/config-4.14:2049:CONFIG_IPV6_NDISC_NODETYPE=y
> target/linux/generic/config-4.9:1915:CONFIG_IPV6_NDISC_NODETYPE=y
> target/linux/generic/config-3.18:1609:CONFIG_IPV6_NDISC_NODETYPE=y

These are the targets which have anyway too many options activated. ;-)
We should clean these configurations up.

Hauke
