9444f6bb482810beb0b29e2d798070a8989c9fd5
[librecmc/librecmc.git] /
1 From 2a95183a5e0375df756efb2ca37602d71e8455f9 Mon Sep 17 00:00:00 2001
2 From: Florian Westphal <fw@strlen.de>
3 Date: Thu, 7 Dec 2017 16:28:26 +0100
4 Subject: [PATCH 08/11] netfilter: don't allocate space for arp/bridge hooks
5  unless needed
6
7 no need to define hook points if the family isn't supported.
8 Because we need these hooks for either nftables, arp/ebtables
9 or the 'call-iptables' hack we have in the bridge layer add two
10 new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
11 users select them.
12
13 Signed-off-by: Florian Westphal <fw@strlen.de>
14 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
15 ---
16  include/linux/netfilter.h     | 4 ++++
17  include/net/netns/netfilter.h | 4 ++++
18  net/Kconfig                   | 1 +
19  net/bridge/netfilter/Kconfig  | 2 ++
20  net/ipv4/netfilter/Kconfig    | 2 ++
21  net/netfilter/Kconfig         | 6 ++++++
22  net/netfilter/core.c          | 8 ++++++++
23  net/netfilter/nf_queue.c      | 2 ++
24  8 files changed, 29 insertions(+)
25
26 --- a/include/linux/netfilter.h
27 +++ b/include/linux/netfilter.h
28 @@ -214,10 +214,14 @@ static inline int nf_hook(u_int8_t pf, u
29                 hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
30                 break;
31         case NFPROTO_ARP:
32 +#ifdef CONFIG_NETFILTER_FAMILY_ARP
33                 hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
34 +#endif
35                 break;
36         case NFPROTO_BRIDGE:
37 +#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
38                 hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
39 +#endif
40                 break;
41  #if IS_ENABLED(CONFIG_DECNET)
42         case NFPROTO_DECNET:
43 --- a/include/net/netns/netfilter.h
44 +++ b/include/net/netns/netfilter.h
45 @@ -19,8 +19,12 @@ struct netns_nf {
46  #endif
47         struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
48         struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
49 +#ifdef CONFIG_NETFILTER_FAMILY_ARP
50         struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS];
51 +#endif
52 +#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
53         struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
54 +#endif
55  #if IS_ENABLED(CONFIG_DECNET)
56         struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS];
57  #endif
58 --- a/net/Kconfig
59 +++ b/net/Kconfig
60 @@ -182,6 +182,7 @@ config BRIDGE_NETFILTER
61         depends on BRIDGE
62         depends on NETFILTER && INET
63         depends on NETFILTER_ADVANCED
64 +       select NETFILTER_FAMILY_BRIDGE
65         default m
66         ---help---
67           Enabling this option will let arptables resp. iptables see bridged
68 --- a/net/bridge/netfilter/Kconfig
69 +++ b/net/bridge/netfilter/Kconfig
70 @@ -4,6 +4,7 @@
71  #
72  menuconfig NF_TABLES_BRIDGE
73         depends on BRIDGE && NETFILTER && NF_TABLES
74 +       select NETFILTER_FAMILY_BRIDGE
75         tristate "Ethernet Bridge nf_tables support"
76  
77  if NF_TABLES_BRIDGE
78 @@ -29,6 +30,7 @@ endif # NF_TABLES_BRIDGE
79  menuconfig BRIDGE_NF_EBTABLES
80         tristate "Ethernet Bridge tables (ebtables) support"
81         depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
82 +       select NETFILTER_FAMILY_BRIDGE
83         help
84           ebtables is a general, extensible frame/packet identification
85           framework. Say 'Y' or 'M' here if you want to do Ethernet
86 --- a/net/ipv4/netfilter/Kconfig
87 +++ b/net/ipv4/netfilter/Kconfig
88 @@ -72,6 +72,7 @@ endif # NF_TABLES_IPV4
89  
90  config NF_TABLES_ARP
91         tristate "ARP nf_tables support"
92 +       select NETFILTER_FAMILY_ARP
93         help
94           This option enables the ARP support for nf_tables.
95  
96 @@ -392,6 +393,7 @@ endif # IP_NF_IPTABLES
97  config IP_NF_ARPTABLES
98         tristate "ARP tables support"
99         select NETFILTER_XTABLES
100 +       select NETFILTER_FAMILY_ARP
101         depends on NETFILTER_ADVANCED
102         help
103           arptables is a general, extensible packet identification framework.
104 --- a/net/netfilter/Kconfig
105 +++ b/net/netfilter/Kconfig
106 @@ -12,6 +12,12 @@ config NETFILTER_INGRESS
107  config NETFILTER_NETLINK
108         tristate
109  
110 +config NETFILTER_FAMILY_BRIDGE
111 +       bool
112 +
113 +config NETFILTER_FAMILY_ARP
114 +       bool
115 +
116  config NETFILTER_NETLINK_ACCT
117  tristate "Netfilter NFACCT over NFNETLINK interface"
118         depends on NETFILTER_ADVANCED
119 --- a/net/netfilter/core.c
120 +++ b/net/netfilter/core.c
121 @@ -267,14 +267,18 @@ static struct nf_hook_entries __rcu **nf
122         switch (reg->pf) {
123         case NFPROTO_NETDEV:
124                 break;
125 +#ifdef CONFIG_NETFILTER_FAMILY_ARP
126         case NFPROTO_ARP:
127                 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum))
128                         return NULL;
129                 return net->nf.hooks_arp + reg->hooknum;
130 +#endif
131 +#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
132         case NFPROTO_BRIDGE:
133                 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum))
134                         return NULL;
135                 return net->nf.hooks_bridge + reg->hooknum;
136 +#endif
137         case NFPROTO_IPV4:
138                 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
139                         return NULL;
140 @@ -573,8 +577,12 @@ static int __net_init netfilter_net_init
141  {
142         __netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4));
143         __netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
144 +#ifdef CONFIG_NETFILTER_FAMILY_ARP
145         __netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp));
146 +#endif
147 +#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
148         __netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge));
149 +#endif
150  #if IS_ENABLED(CONFIG_DECNET)
151         __netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet));
152  #endif
153 --- a/net/netfilter/nf_queue.c
154 +++ b/net/netfilter/nf_queue.c
155 @@ -204,8 +204,10 @@ repeat:
156  static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
157  {
158         switch (pf) {
159 +#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
160         case NFPROTO_BRIDGE:
161                 return rcu_dereference(net->nf.hooks_bridge[hooknum]);
162 +#endif
163         case NFPROTO_IPV4:
164                 return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
165         case NFPROTO_IPV6: