Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2a95183a authored Dec 07, 2017 by Florian Westphal Committed by Pablo Neira Ayuso Jan 08, 2018

netfilter: don't allocate space for arp/bridge hooks unless needed



no need to define hook points if the family isn't supported.
Because we need these hooks for either nftables, arp/ebtables
or the 'call-iptables' hack we have in the bridge layer add two
new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
users select them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent bb4badf3

include/linux/netfilter.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -214,10 +214,14 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
		break;
		case NFPROTO_ARP:
		#ifdef CONFIG_NETFILTER_FAMILY_ARP
		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
		#endif
		break;
		case NFPROTO_BRIDGE:
		#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
		#endif
		break;
		#if IS_ENABLED(CONFIG_DECNET)
		case NFPROTO_DECNET:

include/net/netns/netfilter.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -19,8 +19,12 @@ struct netns_nf {
		#endif
		struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
		struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
		#ifdef CONFIG_NETFILTER_FAMILY_ARP
		struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS];
		#endif
		#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
		struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
		#endif
		#if IS_ENABLED(CONFIG_DECNET)
		struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS];
		#endif

net/Kconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -182,6 +182,7 @@ config BRIDGE_NETFILTER
		depends on BRIDGE
		depends on NETFILTER && INET
		depends on NETFILTER_ADVANCED
		select NETFILTER_FAMILY_BRIDGE
		default m
		---help---
		Enabling this option will let arptables resp. iptables see bridged

net/bridge/netfilter/Kconfig

+2 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,7 @@
		#
		menuconfig NF_TABLES_BRIDGE
		depends on BRIDGE && NETFILTER && NF_TABLES
		select NETFILTER_FAMILY_BRIDGE
		tristate "Ethernet Bridge nf_tables support"

		if NF_TABLES_BRIDGE
		@@ -29,6 +30,7 @@ endif # NF_TABLES_BRIDGE
		menuconfig BRIDGE_NF_EBTABLES
		tristate "Ethernet Bridge tables (ebtables) support"
		depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
		select NETFILTER_FAMILY_BRIDGE
		help
		ebtables is a general, extensible frame/packet identification
		framework. Say 'Y' or 'M' here if you want to do Ethernet

net/ipv4/netfilter/Kconfig

+2 −0

Original line number	Diff line number	Diff line
		@@ -72,6 +72,7 @@ endif # NF_TABLES_IPV4

		config NF_TABLES_ARP
		tristate "ARP nf_tables support"
		select NETFILTER_FAMILY_ARP
		help
		This option enables the ARP support for nf_tables.

		@@ -392,6 +393,7 @@ endif # IP_NF_IPTABLES
		config IP_NF_ARPTABLES
		tristate "ARP tables support"
		select NETFILTER_XTABLES
		select NETFILTER_FAMILY_ARP
		depends on NETFILTER_ADVANCED
		help
		arptables is a general, extensible packet identification framework.