[Devel] [PATCH RHEL7 COMMIT] netfilter: core: Fix compilation with NFT disabled

Konstantin Khorenko khorenko at virtuozzo.com
Fri Mar 10 17:07:45 MSK 2023


The commit is pushed to "branch-rh7-3.10.0-1160.88.1.vz7.195.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.88.1.el7
------>
commit 4e0a0fd01d32cc6baeb19175962da8f5617d10b5
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Mar 10 17:04:44 2023 +0300

    netfilter: core: Fix compilation with NFT disabled
    
    (struct net)->nft is available only in case
      defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
    
    So nf_tables_allow_nat_conflict() has to be placed under the same ifdef.
    
    Fixes: 1818f06a5eaa ("netfilter: core: fix NAT hooks collision check")
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/netfilter/core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 6628d73ec5b8..fc27a0e20d4f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -91,6 +91,7 @@ static DEFINE_MUTEX(nf_hook_mutex);
  * https://github.com/torvalds/linux/commit/ae6153b50f9bf75a4952050f32fe168f68cdd657
  * ("netfilter: nf_tables: permit second nat hook if colliding hook is going away")
  */
+#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
 static bool nf_tables_allow_nat_conflict(const struct net *net,
 					 const struct nft_base_chain *basechain)
 {
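Review bot: The guard added above `nf_tables_allow_nat_conflict()` spells out both `defined()` tests by hand, where `#if IS_ENABLED(CONFIG_NF_TABLES)` is the kernel idiom for "built-in or module" and evaluates to the same condition. The same applies to the second guard added inside `nf_register_hook()`. If the long form was chosen on purpose to mirror the guard around the `nft` member of `struct net` that the commit message refers to, a one-line comment would record that, e.g. `/* must match the guard around (struct net)->nft */`. The function body continues outside this hunk.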
@@ -126,6 +127,7 @@ static bool nf_tables_allow_nat_conflict(const struct net *net,
 
 	return ret;
 }
+#endif
 
 int nf_register_hook(struct nf_hook_ops *reg)
 {
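Review bot: The `#endif` that closes the helper is bare, although going by the hunk headers more than thirty lines separate it from its `#if`. Kernel coding style asks for the condition to be repeated on non-trivial blocks, e.g. `#endif /* CONFIG_NF_TABLES || CONFIG_NF_TABLES_MODULE */`. The `#endif` added inside the loop of `nf_register_hook()` should carry the same comment. `nf_register_hook()` begins at the end of this hunk and continues outside it.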
@@ -135,6 +137,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
 	list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
 		if (reg->priority < elem->priority)
 			break;
+#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
 		else if ((reg->priority == elem->priority) && reg->is_nft_ops) {
 			const struct nft_chain *c;
 			struct nft_base_chain *basechain;
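Review bot: The new `#if` sits between `break;` and the `else if`, so the if/else chain changes shape with the configuration, which is easy to break in a later edit. Kernel style prefers compiling out whole functions: the equal-priority branch could move into a static helper defined inside the existing `#if` block next to `nf_tables_allow_nat_conflict()`, with an `#else` stub that returns 0, leaving the loop free of preprocessor lines. If the guard stays inline, a comment such as `/* NAT hook collision check needs net->nft: nf_tables builds only */` would record that builds without nf_tables skip this check and never return -EBUSY from this branch. The branch body and its closing `#endif` lie outside this hunk.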
@@ -163,6 +166,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
 				return -EBUSY;
 			}
 		}
+#endif
 	}
 	list_add_rcu(&reg->list, elem->list.prev);
 	mutex_unlock(&nf_hook_mutex);

