From patchwork Fri Mar 18 13:33:45 2016
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 102548
From: Arnd Bergmann
To: Pravin Shelar, "David S. Miller"
Cc: Arnd Bergmann, Thomas Graf, Joe Stringer, Paolo Abeni, Jarno Rajahalme, Pablo Neira Ayuso, "Eric W. Biederman", Florian Westphal, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] openvswitch: call only into reachable nf-nat code
Date: Fri, 18 Mar 2016 14:33:45 +0100
Message-Id: <1458308044-246105-1-git-send-email-arnd@arndb.de>

The openvswitch code has gained support for calling into the
nf-nat-ipv4/ipv6 modules, however those can be loadable modules
in a configuration in which openvswitch is built-in, leading
to link errors:

net/built-in.o: In function `__ovs_ct_lookup':
:(.text+0x2cc2c8): undefined reference to `nf_nat_icmp_reply_translation'
:(.text+0x2cc66c): undefined reference to `nf_nat_icmpv6_reply_translation'

The dependency on (!NF_NAT || NF_NAT) prevents similar issues,
but NF_NAT is set to 'y' if any of the symbols selecting
it are built-in, but the link error happens when any of them
are modular.

A second issue is that even if CONFIG_NF_NAT_IPV6 is built-in,
CONFIG_NF_NAT_IPV4 might be completely disabled. This is unlikely
to be useful in practice, but the driver currently only handles
IPv6 being optional.

This patch improves the Kconfig dependency so that openvswitch
cannot be built-in if either of the two other symbols are set
to 'm', and it replaces the incorrect #ifdef in ovs_ct_nat_execute()
with two "if (IS_ENABLED())" checks that should catch all corner
cases and also make the code more readable.

The same #ifdef exists in ovs_ct_nat_to_attr(), where it does not
cause a link error, but for consistency I'm changing it the same
way.

Signed-off-by: Arnd Bergmann
Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
Acked-by: Joe Stringer
---
v2: leave (!NF_NAT || NF_NAT) dependency in there, we also need that

 net/openvswitch/Kconfig     |  4 +++-
 net/openvswitch/conntrack.c | 16 ++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

--
2.7.0

diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig index 234a73344c6e..ce947292ae77 100644 --- a/net/openvswitch/Kconfig +++ b/net/openvswitch/Kconfig @@ -7,7 +7,9 @@ config OPENVSWITCH depends on INET depends on !NF_CONNTRACK || \ (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \ - (!NF_NAT || NF_NAT))) + (!NF_NAT || NF_NAT) && \ + (!NF_NAT_IPV4 || NF_NAT_IPV4) && \ + (!NF_NAT_IPV6 || NF_NAT_IPV6))) select LIBCRC32C select MPLS select NET_MPLS_GSO diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index dc5eb29fe7d6..ff04b5db04b3 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c 
@@ -535,14 +535,15 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, switch (ctinfo) { case IP_CT_RELATED: case IP_CT_RELATED_REPLY: - if (skb->protocol == htons(ETH_P_IP) && + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + skb->protocol == htons(ETH_P_IP) && ip_hdr(skb)->protocol == IPPROTO_ICMP) { if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, hooknum)) err = NF_DROP; goto push; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (skb->protocol == htons(ETH_P_IPV6)) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + skb->protocol == htons(ETH_P_IPV6)) { __be16 frag_off; u8 nexthdr = ipv6_hdr(skb)->nexthdr; int hdrlen = ipv6_skip_exthdr(skb, @@ -557,7 +558,6 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, err = NF_DROP; goto push; } -#endif } /* Non-ICMP, fall thru to initialize if needed. */ case IP_CT_NEW: @@ -1238,7 +1238,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, } if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { - if (info->family == NFPROTO_IPV4) { + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + info->family == NFPROTO_IPV4) { if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, info->range.min_addr.ip) || (info->range.max_addr.ip @@ -1246,8 +1247,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, info->range.max_addr.ip)))) return false; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (info->family == NFPROTO_IPV6) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + info->family == NFPROTO_IPV6) { if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, &info->range.min_addr.in6) || (memcmp(&info->range.max_addr.in6, @@ -1256,7 +1257,6 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, &info->range.max_addr.in6)))) return false; -#endif } else { return false; }
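
Review bot: In the net/openvswitch/Kconfig hunk, the added terms `(!NF_NAT_IPV4 || NF_NAT_IPV4)` and `(!NF_NAT_IPV6 || NF_NAT_IPV6)` read as tautologies to anyone who does not have Kconfig tristate rules in mind, so a comment above the `depends on` would help. Under tristate evaluation each term is `m` when its symbol is `m` and `y` otherwise, which is what keeps OPENVSWITCH from being `y` next to a modular NAT helper. The commit message explains this, but the Kconfig file will not, and the continued expression now carries four terms of this shape.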
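
Review bot: In the ovs_ct_nat_execute() hunks at -535 and -557, once `IS_ENABLED(CONFIG_NF_NAT_IPV4)` is false an IPv4 ICMP packet in the IP_CT_RELATED or IP_CT_RELATED_REPLY case skips both branches and reaches the `/* Non-ICMP, fall thru to initialize if needed. */` path, so that comment no longer describes every packet that gets there. Either update the comment or say in the commit message that this fall-through is the intended handling on a kernel without IPv4 NAT. Also, with the `#if` replaced by a C-level `IS_ENABLED()` both branches are always compiled and the calls are only dropped by dead-code elimination, so everything they reference (for example nf_nat_icmp_reply_translation() and ipv6_skip_exthdr()) must still be declared when the options are off; a test build with CONFIG_NF_NAT_IPV4=n and another with CONFIG_NF_NAT_IPV6=n would confirm that.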
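
Review bot: In the ovs_ct_nat_to_attr() hunks at -1238 and -1246, adding `IS_ENABLED(CONFIG_NF_NAT_IPV4)` to the first test changes runtime behaviour and is not only a consistency cleanup: with IPv4 NAT disabled, `info->family == NFPROTO_IPV4` now ends in the final `else { return false; }`, where before it emitted OVS_NAT_ATTR_IP_MIN and OVS_NAT_ATTR_IP_MAX. If an info with that family cannot exist in such a configuration, a sentence in the commit message saying so would settle it; if it can, the function now returns false for it.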