netfilter: don't allocate space for arp/bridge hooks unless needed
no need to define hook points if the family isn't supported. Because we need these hooks for either nftables, arp/ebtables or the 'call-iptables' hack we have in the bridge layer add two new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the users select them. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
bb4badf3a3
commit
2a95183a5e
|
@ -214,10 +214,14 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
|
||||||
hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
|
hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
|
||||||
break;
|
break;
|
||||||
case NFPROTO_ARP:
|
case NFPROTO_ARP:
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_ARP
|
||||||
hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
|
hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
|
||||||
|
#endif
|
||||||
break;
|
break;
|
||||||
case NFPROTO_BRIDGE:
|
case NFPROTO_BRIDGE:
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
||||||
hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
|
hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
|
||||||
|
#endif
|
||||||
break;
|
break;
|
||||||
#if IS_ENABLED(CONFIG_DECNET)
|
#if IS_ENABLED(CONFIG_DECNET)
|
||||||
case NFPROTO_DECNET:
|
case NFPROTO_DECNET:
|
||||||
|
|
|
@ -19,8 +19,12 @@ struct netns_nf {
|
||||||
#endif
|
#endif
|
||||||
struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
|
struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
|
||||||
struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
|
struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_ARP
|
||||||
struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS];
|
struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS];
|
||||||
|
#endif
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
||||||
struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
|
struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
|
||||||
|
#endif
|
||||||
#if IS_ENABLED(CONFIG_DECNET)
|
#if IS_ENABLED(CONFIG_DECNET)
|
||||||
struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS];
|
struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS];
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -182,6 +182,7 @@ config BRIDGE_NETFILTER
|
||||||
depends on BRIDGE
|
depends on BRIDGE
|
||||||
depends on NETFILTER && INET
|
depends on NETFILTER && INET
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
|
select NETFILTER_FAMILY_BRIDGE
|
||||||
default m
|
default m
|
||||||
---help---
|
---help---
|
||||||
Enabling this option will let arptables resp. iptables see bridged
|
Enabling this option will let arptables resp. iptables see bridged
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
#
|
#
|
||||||
menuconfig NF_TABLES_BRIDGE
|
menuconfig NF_TABLES_BRIDGE
|
||||||
depends on BRIDGE && NETFILTER && NF_TABLES
|
depends on BRIDGE && NETFILTER && NF_TABLES
|
||||||
|
select NETFILTER_FAMILY_BRIDGE
|
||||||
tristate "Ethernet Bridge nf_tables support"
|
tristate "Ethernet Bridge nf_tables support"
|
||||||
|
|
||||||
if NF_TABLES_BRIDGE
|
if NF_TABLES_BRIDGE
|
||||||
|
@ -29,6 +30,7 @@ endif # NF_TABLES_BRIDGE
|
||||||
menuconfig BRIDGE_NF_EBTABLES
|
menuconfig BRIDGE_NF_EBTABLES
|
||||||
tristate "Ethernet Bridge tables (ebtables) support"
|
tristate "Ethernet Bridge tables (ebtables) support"
|
||||||
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
||||||
|
select NETFILTER_FAMILY_BRIDGE
|
||||||
help
|
help
|
||||||
ebtables is a general, extensible frame/packet identification
|
ebtables is a general, extensible frame/packet identification
|
||||||
framework. Say 'Y' or 'M' here if you want to do Ethernet
|
framework. Say 'Y' or 'M' here if you want to do Ethernet
|
||||||
|
|
|
@ -72,6 +72,7 @@ endif # NF_TABLES_IPV4
|
||||||
|
|
||||||
config NF_TABLES_ARP
|
config NF_TABLES_ARP
|
||||||
tristate "ARP nf_tables support"
|
tristate "ARP nf_tables support"
|
||||||
|
select NETFILTER_FAMILY_ARP
|
||||||
help
|
help
|
||||||
This option enables the ARP support for nf_tables.
|
This option enables the ARP support for nf_tables.
|
||||||
|
|
||||||
|
@ -392,6 +393,7 @@ endif # IP_NF_IPTABLES
|
||||||
config IP_NF_ARPTABLES
|
config IP_NF_ARPTABLES
|
||||||
tristate "ARP tables support"
|
tristate "ARP tables support"
|
||||||
select NETFILTER_XTABLES
|
select NETFILTER_XTABLES
|
||||||
|
select NETFILTER_FAMILY_ARP
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
arptables is a general, extensible packet identification framework.
|
arptables is a general, extensible packet identification framework.
|
||||||
|
|
|
@ -12,6 +12,12 @@ config NETFILTER_INGRESS
|
||||||
config NETFILTER_NETLINK
|
config NETFILTER_NETLINK
|
||||||
tristate
|
tristate
|
||||||
|
|
||||||
|
config NETFILTER_FAMILY_BRIDGE
|
||||||
|
bool
|
||||||
|
|
||||||
|
config NETFILTER_FAMILY_ARP
|
||||||
|
bool
|
||||||
|
|
||||||
config NETFILTER_NETLINK_ACCT
|
config NETFILTER_NETLINK_ACCT
|
||||||
tristate "Netfilter NFACCT over NFNETLINK interface"
|
tristate "Netfilter NFACCT over NFNETLINK interface"
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
|
|
|
@ -267,14 +267,18 @@ static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const
|
||||||
switch (reg->pf) {
|
switch (reg->pf) {
|
||||||
case NFPROTO_NETDEV:
|
case NFPROTO_NETDEV:
|
||||||
break;
|
break;
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_ARP
|
||||||
case NFPROTO_ARP:
|
case NFPROTO_ARP:
|
||||||
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum))
|
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum))
|
||||||
return NULL;
|
return NULL;
|
||||||
return net->nf.hooks_arp + reg->hooknum;
|
return net->nf.hooks_arp + reg->hooknum;
|
||||||
|
#endif
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
||||||
case NFPROTO_BRIDGE:
|
case NFPROTO_BRIDGE:
|
||||||
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum))
|
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum))
|
||||||
return NULL;
|
return NULL;
|
||||||
return net->nf.hooks_bridge + reg->hooknum;
|
return net->nf.hooks_bridge + reg->hooknum;
|
||||||
|
#endif
|
||||||
case NFPROTO_IPV4:
|
case NFPROTO_IPV4:
|
||||||
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
|
if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -573,8 +577,12 @@ static int __net_init netfilter_net_init(struct net *net)
|
||||||
{
|
{
|
||||||
__netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4));
|
__netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4));
|
||||||
__netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
|
__netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_ARP
|
||||||
__netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp));
|
__netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp));
|
||||||
|
#endif
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
||||||
__netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge));
|
__netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge));
|
||||||
|
#endif
|
||||||
#if IS_ENABLED(CONFIG_DECNET)
|
#if IS_ENABLED(CONFIG_DECNET)
|
||||||
__netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet));
|
__netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet));
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -204,8 +204,10 @@ repeat:
|
||||||
static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
|
static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
|
||||||
{
|
{
|
||||||
switch (pf) {
|
switch (pf) {
|
||||||
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
||||||
case NFPROTO_BRIDGE:
|
case NFPROTO_BRIDGE:
|
||||||
return rcu_dereference(net->nf.hooks_bridge[hooknum]);
|
return rcu_dereference(net->nf.hooks_bridge[hooknum]);
|
||||||
|
#endif
|
||||||
case NFPROTO_IPV4:
|
case NFPROTO_IPV4:
|
||||||
return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
|
return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
|
||||||
case NFPROTO_IPV6:
|
case NFPROTO_IPV6:
|
||||||
|
|
Loading…
Reference in New Issue