| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Mar 2016 13:57:46 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Pravin Shelar <pshelar@...ira.com>,
"David S. Miller" <davem@...emloft.net>,
Thomas Graf <tgraf@...g.ch>,
Joe Stringer <joestringer@...ira.com>,
Paolo Abeni <pabeni@...hat.com>,
Jarno Rajahalme <jarno@....org>, netdev@...r.kernel.org,
dev@...nvswitch.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] openvswitch: call only into reachable nf-nat code
On Wednesday 16 March 2016 13:47:13 Arnd Bergmann wrote:
> The openvswitch code has gained support for calling into the
> nf-nat-ipv4/ipv6 modules, however those can be loadable modules
> in a configuration in which openvswitch is built-in, leading
> to link errors:
>
> net/built-in.o: In function `__ovs_ct_lookup':
> :(.text+0x2cc2c8): undefined reference to `nf_nat_icmp_reply_translation'
> :(.text+0x2cc66c): undefined reference to `nf_nat_icmpv6_reply_translation'
>
> The dependency on (!NF_NAT || NF_NAT) was meant to prevent
> this, but NF_NAT is set to 'y' if any of the symbols selecting
> it are built-in, but the link error happens when any of them
> are modular.
>
> A second issue is that even if CONFIG_NF_NAT_IPV6 is built-in,
> CONFIG_NF_NAT_IPV4 might be completely disabled. This is unlikely
> to be useful in practice, but the driver currently only handles
> IPv6 being optional.
>
> This patch improves the Kconfig dependency so that openvswitch
> cannot be built-in if either of the two other symbols are set
> to 'm', and it replaces the incorrect #ifdef in ovs_ct_nat_execute()
> with two "if (IS_ENABLED())" checks that should catch all corner
> cases also make the code more readable.
>
> The same #ifdef exists ovs_ct_nat_to_attr(), where it does not
> cause a link error, but for consistency I'm changing it the same
> way.
>
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
> ---
> net/openvswitch/Kconfig | 3 ++-
> net/openvswitch/conntrack.c | 16 ++++++++--------
> 2 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig
> index 234a73344c6e..961fb60115df 100644
> --- a/net/openvswitch/Kconfig
> +++ b/net/openvswitch/Kconfig
> @@ -7,7 +7,8 @@ config OPENVSWITCH
> depends on INET
> depends on !NF_CONNTRACK || \
> (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \
> - (!NF_NAT || NF_NAT)))
> + (!NF_NAT_IPV4 || NF_NAT_IPV4) && \
> + (!NF_NAT_IPV6 || NF_NAT_IPV6)))
> select LIBCRC32C
> select MPLS
> select NET_MPLS_GSO
I've now seen a new regression:
net/built-in.o: In function `__ovs_ct_lookup':
switchdev.c:(.text+0x136e8c): undefined reference to `nf_ct_nat_ext_add'
switchdev.c:(.text+0x136f38): undefined reference to `nf_nat_packet'
switchdev.c:(.text+0x136f80): undefined reference to `nf_nat_setup_info'
switchdev.c:(.text+0x136f98): undefined reference to `nf_nat_alloc_null_binding'
Apparently, the (!NF_NAT || NF_NAT) statement is also needed in addition to
the other two. I'm resending the fixed patch, as it doesn't seem to have
been merged yet.
If it's in some other tree already and you'd rather have a patch on top,
I can send that too.
Arnd
Powered by blists - more mailing lists