From patchwork Wed Mar 16 12:47:13 2016
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 598327
From: Arnd Bergmann
To: Pablo Neira Ayuso, Pravin Shelar, "David S. Miller"
Date: Wed, 16 Mar 2016 13:47:13 +0100
Message-Id: <1458132481-318209-1-git-send-email-arnd@arndb.de>
X-Mailer: git-send-email 2.7.0
Cc: dev@openvswitch.org, Arnd Bergmann, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Joe Stringer, Paolo Abeni
Subject: [ovs-dev] [PATCH] openvswitch: call only into reachable nf-nat code

The openvswitch code has gained support for calling into the
nf-nat-ipv4/ipv6 modules, however those can be loadable modules
in a configuration in which openvswitch is built-in, leading
to link errors:

net/built-in.o: In function `__ovs_ct_lookup':
:(.text+0x2cc2c8): undefined reference to `nf_nat_icmp_reply_translation'
:(.text+0x2cc66c): undefined reference to `nf_nat_icmpv6_reply_translation'

The dependency on (!NF_NAT || NF_NAT) was meant to prevent
this, but NF_NAT is set to 'y' if any of the symbols selecting
it are built-in, but the link error happens when any of them
are modular.

A second issue is that even if CONFIG_NF_NAT_IPV6 is built-in,
CONFIG_NF_NAT_IPV4 might be completely disabled. This is unlikely
to be useful in practice, but the driver currently only handles
IPv6 being optional.

This patch improves the Kconfig dependency so that openvswitch
cannot be built-in if either of the two other symbols are set
to 'm', and it replaces the incorrect #ifdef in ovs_ct_nat_execute()
with two "if (IS_ENABLED())" checks that should catch all corner
cases and also make the code more readable.

The same #ifdef exists ovs_ct_nat_to_attr(), where it does not cause a link error, but for consistency I'm changing it the same way. Signed-off-by: Arnd Bergmann Fixes: 05752523e565 ("openvswitch: Interface with NAT.") Acked-by: Joe Stringer --- net/openvswitch/Kconfig | 3 ++- net/openvswitch/conntrack.c | 16 ++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig index 234a73344c6e..961fb60115df 100644 --- a/net/openvswitch/Kconfig +++ b/net/openvswitch/Kconfig @@ -7,7 +7,8 @@ config OPENVSWITCH depends on INET depends on !NF_CONNTRACK || \ (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \ - (!NF_NAT || NF_NAT))) + (!NF_NAT_IPV4 || NF_NAT_IPV4) && \ + (!NF_NAT_IPV6 || NF_NAT_IPV6))) select LIBCRC32C select MPLS select NET_MPLS_GSO diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index dc5eb29fe7d6..ff04b5db04b3 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -535,14 +535,15 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, switch (ctinfo) { case IP_CT_RELATED: case IP_CT_RELATED_REPLY: - if (skb->protocol == htons(ETH_P_IP) && + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + skb->protocol == htons(ETH_P_IP) && ip_hdr(skb)->protocol == IPPROTO_ICMP) { if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, hooknum)) err = NF_DROP; goto push; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (skb->protocol == htons(ETH_P_IPV6)) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + skb->protocol == htons(ETH_P_IPV6)) { __be16 frag_off; u8 nexthdr = ipv6_hdr(skb)->nexthdr; int hdrlen = ipv6_skip_exthdr(skb, @@ -557,7 +558,6 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, err = NF_DROP; goto push; } -#endif } /* Non-ICMP, fall thru to initialize if needed. */ case IP_CT_NEW: 
@@ -1238,7 +1238,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, } if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { - if (info->family == NFPROTO_IPV4) { + if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && + info->family == NFPROTO_IPV4) { if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, info->range.min_addr.ip) || (info->range.max_addr.ip @@ -1246,8 +1247,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, info->range.max_addr.ip)))) return false; -#if IS_ENABLED(CONFIG_NF_NAT_IPV6) - } else if (info->family == NFPROTO_IPV6) { + } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && + info->family == NFPROTO_IPV6) { if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, &info->range.min_addr.in6) || (memcmp(&info->range.max_addr.in6, @@ -1256,7 +1257,6 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, &info->range.max_addr.in6)))) return false; -#endif } else { return false; }
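Review bot: In the net/openvswitch/Kconfig hunk, the "(!NF_NAT || NF_NAT)" term is removed outright rather than supplemented, so the dependency now relies on NF_NAT_IPV4 and NF_NAT_IPV6 being the only symbols that can make NF_NAT modular. The commit message only says NF_NAT follows "any of the symbols selecting it"; if another selector can be 'm' while both of these are off, a built-in openvswitch is unconstrained again. Either state in the commit message that these two are the only selectors, or keep the old term alongside the two new ones. A short comment above the "depends on" block explaining that "(!X || X)" forbids OPENVSWITCH=y when X=m would also help, since the idiom now appears three times in one expression.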
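Review bot: In the ovs_ct_nat_execute() hunk of net/openvswitch/conntrack.c, an IPv4 ICMP packet in the IP_CT_RELATED / IP_CT_RELATED_REPLY case now skips translation when CONFIG_NF_NAT_IPV4 is off and falls past "/* Non-ICMP, fall thru to initialize if needed. */" into case IP_CT_NEW, so that comment no longer describes every packet that takes the fall-through. Please update the comment or handle the disabled-family case explicitly, and say in the commit message which outcome is intended. Separately, replacing "#if IS_ENABLED(CONFIG_NF_NAT_IPV6)" with a C-level IS_ENABLED() test means the IPv6 branch is now compiled in every configuration; the patch touches no includes, so a build with NF_NAT_IPV6 disabled should be confirmed to still see a declaration of nf_nat_icmpv6_reply_translation().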
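Review bot: In the ovs_ct_nat_to_attr() hunk of net/openvswitch/conntrack.c, adding "IS_ENABLED(CONFIG_NF_NAT_IPV4) &&" to the NFPROTO_IPV4 test changes the result rather than only the style: with NF_NAT_IPV4 disabled, an IPv4 range with NF_NAT_RANGE_MAP_IPS set now reaches "} else { return false; }" instead of emitting OVS_NAT_ATTR_IP_MIN/MAX. The commit message describes this part as a consistency change with no link error to fix, so either note why info->family cannot be NFPROTO_IPV4 in that configuration, or leave the IPv4 branch unconditional and convert only the IPv6 "#if" here.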