From: Arnd Bergmann
To: Pablo Neira Ayuso, Pravin Shelar, "David S. Miller"
Cc: Arnd Bergmann, Thomas Graf, Joe Stringer, Paolo Abeni, Jarno Rajahalme, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH] openvswitch: call only into reachable nf-nat code
Date: Wed, 16 Mar 2016 13:47:13 +0100
Message-Id: <1458132481-318209-1-git-send-email-arnd@arndb.de>

The openvswitch code has gained support for calling into the
nf-nat-ipv4/ipv6 modules; however, those can be loadable modules
in a configuration in which openvswitch is built-in, leading to
link errors:

net/built-in.o: In function `__ovs_ct_lookup':
:(.text+0x2cc2c8): undefined reference to `nf_nat_icmp_reply_translation'
:(.text+0x2cc66c): undefined reference to `nf_nat_icmpv6_reply_translation'

The dependency on (!NF_NAT || NF_NAT) was meant to prevent
this, but NF_NAT is set to 'y' if any of the symbols selecting
it are built-in, but the link error happens when any of them
are modular.

A second issue is that even if CONFIG_NF_NAT_IPV6 is built-in,
CONFIG_NF_NAT_IPV4 might be completely disabled. This is unlikely
to be useful in practice, but the driver currently only handles
IPv6 being optional.

This patch improves the Kconfig dependency so that openvswitch
cannot be built-in if either of the two other symbols is set
to 'm', and it replaces the incorrect #ifdef in ovs_ct_nat_execute()
with two "if (IS_ENABLED())" checks that should catch all corner
cases and also make the code more readable.

The same #ifdef exists in ovs_ct_nat_to_attr(), where it does not
cause a link error, but for consistency I'm changing it the same
way.

Signed-off-by: Arnd Bergmann
Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
---
 net/openvswitch/Kconfig     |  3 ++-
 net/openvswitch/conntrack.c | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig index 234a73344c6e..961fb60115df 100644 --- a/net/openvswitch/Kconfig +++ b/net/openvswitch/Kconfig @@ -7,7 +7,8 @@ config OPENVSWITCH depends on INET depends on !NF_CONNTRACK || \ (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \ - (!NF_NAT || NF_NAT))) + (!NF_NAT_IPV4 || NF_NAT_IPV4) && \ + (!NF_NAT_IPV6 || NF_NAT_IPV6))) select LIBCRC32C select MPLS select NET_MPLS_GSO diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index dc5eb29fe7d6..ff04b5db04b3 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c 
@@ -535,14 +535,15 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, switch (ctinfo) { case IP_CT_RELATED: case IP_CT_RELATED_REPLY: - if (skb->protocol == htons(ETH_P_IP) && + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + skb->protocol == htons(ETH_P_IP) && ip_hdr(skb)->protocol == IPPROTO_ICMP) { if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, hooknum)) err = NF_DROP; goto push; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (skb->protocol == htons(ETH_P_IPV6)) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + skb->protocol == htons(ETH_P_IPV6)) { __be16 frag_off; u8 nexthdr = ipv6_hdr(skb)->nexthdr; int hdrlen = ipv6_skip_exthdr(skb, @@ -557,7 +558,6 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, err = NF_DROP; goto push; } -#endif } /* Non-ICMP, fall thru to initialize if needed. */ case IP_CT_NEW: @@ -1238,7 +1238,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, } if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { - if (info->family == NFPROTO_IPV4) { + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + info->family == NFPROTO_IPV4) { if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, info->range.min_addr.ip) || (info->range.max_addr.ip @@ -1246,8 +1247,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, info->range.max_addr.ip)))) return false; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (info->family == NFPROTO_IPV6) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + info->family == NFPROTO_IPV6) { if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, &info->range.min_addr.in6) || (memcmp(&info->range.max_addr.in6, @@ -1256,7 +1257,6 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, &info->range.max_addr.in6)))) return false; -#endif } else { return false; } -- 2.7.0
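
Review bot: In the net/openvswitch/Kconfig hunk, the `(!NF_NAT || NF_NAT)` term is replaced rather than extended, which drops the only constraint on the NF_NAT core symbol. With NF_NAT_IPV4 and NF_NAT_IPV6 both disabled, the two new terms evaluate to 'y', so if NF_NAT can still be 'm' in that configuration, OPENVSWITCH=y is permitted again and any reference from conntrack.c to a core nf_nat symbol outside the two IS_ENABLED() branches would fail to link. Suggest keeping the old term and adding the two new ones beside it. A one-line comment above the expression saying that `(!X || X)` limits OPENVSWITCH to 'm' when X is 'm' would also help, since the idiom is repeated and not self-explanatory.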
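
Review bot: In the ovs_ct_nat_execute() hunks (@@ -535 and @@ -557), switching from #if to `if (IS_ENABLED(...))` means both branch bodies are now always compiled, so the prototypes of nf_nat_icmp_reply_translation() and nf_nat_icmpv6_reply_translation() must be visible even when the matching option is off, and the link only succeeds because the compiler discards the dead branch. Please confirm both are declared unconditionally in the headers this file includes. Separately, with CONFIG_NF_NAT_IPV4 disabled, an IPv4 ICMP packet in IP_CT_RELATED or IP_CT_RELATED_REPLY state now skips the first branch and reaches the path commented "Non-ICMP, fall thru to initialize if needed"; the changelog or a code comment should say whether that is the intended handling.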
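
Review bot: In the ovs_ct_nat_to_attr() hunks (@@ -1238 through @@ -1256), the new `IS_ENABLED(CONFIG_NF_NAT_IPV4) &&` guard changes behaviour, not only style: an `info->family == NFPROTO_IPV4` range now falls to the final `else { return false; }` when IPv4 NAT is disabled, where the old code always emitted OVS_NAT_ATTR_IP_MIN/MAX for IPv4. The commit message says this function has no link problem and is changed only for consistency, and the calls in this branch are nla_put_in_addr(), not nf_nat functions. Either leave the IPv4 test unguarded here or state in the changelog that failing the attribute dump in that configuration is intended.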