On Mon, Mar 25, 2024 at 09:15:52PM -0700, Kuniyuki Iwashima wrote:
> syzkaller started to report a warning below [0] after consuming the
> commit 4654467dc7e1 ("netfilter: arptables: allow xtables-nft only
> builds").
>
> The change accidentally removed the dependency on NETFILTER_FAMILY_ARP
> from IP_NF_ARPTABLES.
>
> If NF_TABLES_ARP is not enabled on Kconfig, NETFILTER_FAMILY_ARP will
> be removed and some code necessary for arptables will not be compiled.
>
> $ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
> CONFIG_NETFILTER_FAMILY_ARP=y
> # CONFIG_NF_TABLES_ARP is not set
> CONFIG_IP_NF_ARPTABLES=y
>
> $ make olddefconfig
>
> $ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
> # CONFIG_NF_TABLES_ARP is not set
> CONFIG_IP_NF_ARPTABLES=y
>
> So, when nf_register_net_hooks() is called for arptables, it will
> trigger the splat below.
>
> Now IP_NF_ARPTABLES is only enabled by IP_NF_ARPFILTER, so let's
> restore the dependency on NETFILTER_FAMILY_ARP in IP_NF_ARPFILTER.

...

> Fixes: 4654467dc7e1 ("netfilter: arptables: allow xtables-nft only builds")
> Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>

...