[PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

[PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

[Jeremy Sowden]

In a previous patch-series [0], I removed all netfilter headers from the
blacklist of headers which could not be compiled standalone.  I did so
by fixing the specific compilation failures of the headers in the list,
usually by adding a preprocessor conditional to check whether a particu-
lar config option was enabled and disable some function definition or
struct member which depended on that option.  While this was effective,
it was not wholly satisfactory since it left a scattering of seemingly
random ifdefs throughout the headers.

0 - https://lore.kernel.org/netfilter-devel/20190813113657.GB4840@azazel.net/T/

The reason why these ad-hoc conditionals were necessary is that there
were inconsistencies in how existing checks were used to disable code
when particular options were turned off.  For example, a header A.h
might define a struct S which was only available if a particular config
option C was enabled, but A.h might be included by header B.h, which
defined a struct T with a struct S member without checking for C.  If
A.h and B.h were included in X.c, which was only compiled if C was
enabled, everything worked as expected; however, trying to compile B.h
standalone when C was disabled would result in a compilation failure.

This patch-series represents an attempt to provide a more comprehensive
solution by identifying the config options relevant to each header and
adding the appropriate conditionals to it where they do not already
exist.  In the majority of cases, a particular header is only included
by files tied to a particular config option, whether CONFIG_NETFILTER or
something more specific, and the whole of it can be wrapped in one
conditional.

For historical reasons, there are some headers which include their uapi
siblings and are themselves included elsewhere only for stuff in the
uapi headers.  Rather than change all those include directives, I have
chosen to leave the uapi include directives outside the conditionals.

The patch series is structured as follows.

  1-2)

    Addition of header guards.  The first of these, by Masahiro Yamada,
    is already in the nf tree; I've put it here to ensure that all the
    later changes apply cleanly on top of it.

  3-8)

    Some miscellaneous fixes.

  9-12)

    Addition and removal of include directives.

  13-14)

    Removal of some headers.

  15-17)

    Moving code between headers.

  18)

    Refactoring of some inline functions.

  19)

    Replacement of some `if defined(...)` instances with `if IS_ENABLED(...)`.

  20-26)

    Addition of conditionals to sections of code, mostly in headers.

  27-29)

    Addition of new config options for use in later conditionals.

  30)

    Wrapping of entire headers in one conditional each, removing
    existing ones wrapping smaller sections of code.

    I wasn't quite sure how to present this last change-set.  In the
    branch I've been using for development, I have the headers grouped
    into a commit per config-option, but that would have meant an addi-
    tional 44 patches, so I squashed them all before sending the series,
    although it has resulted in a 2,000-line patch that touches 78
    files.

Changes since v1:

  * fixes for build errors reported by the kbuild test robot;
  * corrected placement of new NF_TPROXY config option.

Jeremy Sowden (29):
  netfilter: add include guard to nf_conntrack_labels.h.
  netfilter: fix include guard comment.
  netfilter: add GPL-2.0 SPDX ID's to a couple of headers.
  netfilter: remove trailing white-space.
  netfilter: fix Kconfig formatting error.
  netfilter: remove stray semicolons.
  netfilter: remove unused function declarations.
  netfilter: remove unused includes.
  netfilter: include the right header in nf_conntrack_zones.h.
  netfilter: fix inclusions of <linux/netfilter/nf_nat.h>.
  netfilter: added missing includes.
  netfilter: inline three headers.
  netfilter: remove superfluous header.
  netfilter: move inline function to a more appropriate header.
  netfilter: move code between synproxy headers.
  netfilter: move struct definition function to a more appropriate
    header.
  netfilter: use consistent style when defining inline functions in
    nf_conntrack_ecache.h.
  netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with
    IS_ENABLED(CONFIG...).
  netfilter: wrap union nf_conntrack_proto members in
    CONFIG_NF_CT_PROTO_* check.
  netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY
    check.
  netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT
    check.
  netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT
    check.
  netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6
    check.
  netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check.
  netfilter: add CONFIG_NETFILTER check to linux/netfilter.h.
  netfilter: add NF_TPROXY config option.
  netfilter: add IP_SET_BITMAP config option.
  netfilter: add IP_SET_HASH config option.
  netfilter: wrap headers in CONFIG checks.

Masahiro Yamada (1):
  netfilter: add include guard to nf_conntrack_h323_types.h

 include/linux/netfilter.h                     | 16 +++-
 include/linux/netfilter/ipset/ip_set.h        |  7 +-
 include/linux/netfilter/ipset/ip_set_bitmap.h |  4 +
 .../linux/netfilter/ipset/ip_set_getport.h    |  6 +-
 include/linux/netfilter/ipset/ip_set_hash.h   |  3 +
 include/linux/netfilter/ipset/ip_set_list.h   |  3 +
 include/linux/netfilter/ipset/pfxlen.h        |  4 +
 include/linux/netfilter/nf_conntrack_amanda.h |  6 ++
 include/linux/netfilter/nf_conntrack_common.h |  4 +
 include/linux/netfilter/nf_conntrack_dccp.h   |  4 +
 include/linux/netfilter/nf_conntrack_ftp.h    |  8 +-
 include/linux/netfilter/nf_conntrack_h323.h   |  4 +
 .../linux/netfilter/nf_conntrack_h323_asn1.h  |  4 +
 .../linux/netfilter/nf_conntrack_h323_types.h |  9 ++
 include/linux/netfilter/nf_conntrack_irc.h    |  4 +
 include/linux/netfilter/nf_conntrack_pptp.h   |  4 +
 .../linux/netfilter/nf_conntrack_proto_gre.h  |  6 ++
 include/linux/netfilter/nf_conntrack_sane.h   |  5 +
 include/linux/netfilter/nf_conntrack_sctp.h   |  5 +
 include/linux/netfilter/nf_conntrack_sip.h    |  4 +
 include/linux/netfilter/nf_conntrack_snmp.h   |  4 +
 include/linux/netfilter/nf_conntrack_tcp.h    |  3 +
 include/linux/netfilter/nf_conntrack_tftp.h   |  4 +
 .../netfilter/nf_conntrack_zones_common.h     |  8 ++
 include/linux/netfilter/nfnetlink.h           |  7 +-
 include/linux/netfilter/nfnetlink_acct.h      |  6 ++
 include/linux/netfilter/nfnetlink_osf.h       |  4 +
 include/linux/netfilter/x_tables.h            | 15 ++-
 include/linux/netfilter/xt_hashlimit.h        | 11 ---
 include/linux/netfilter/xt_physdev.h          |  8 --
 include/linux/netfilter_arp/arp_tables.h      |  8 +-
 include/linux/netfilter_bridge/ebt_802_3.h    | 12 ---
 include/linux/netfilter_bridge/ebtables.h     | 10 +-
 include/linux/netfilter_ipv4.h                |  7 +-
 include/linux/netfilter_ipv4/ip_tables.h      | 17 ++--
 include/linux/netfilter_ipv6.h                | 31 ++++--
 include/linux/netfilter_ipv6/ip6_tables.h     | 28 ++----
 include/net/netfilter/br_netfilter.h          | 14 +--
 .../net/netfilter/ipv4/nf_conntrack_ipv4.h    |  4 +
 include/net/netfilter/ipv4/nf_defrag_ipv4.h   |  4 +
 include/net/netfilter/ipv4/nf_dup_ipv4.h      |  4 +
 include/net/netfilter/ipv4/nf_reject.h        |  4 +
 .../net/netfilter/ipv6/nf_conntrack_icmpv6.h  | 21 -----
 .../net/netfilter/ipv6/nf_conntrack_ipv6.h    |  4 +
 include/net/netfilter/ipv6/nf_defrag_ipv6.h   |  4 +
 include/net/netfilter/ipv6/nf_dup_ipv6.h      |  4 +
 include/net/netfilter/ipv6/nf_reject.h        |  4 +
 include/net/netfilter/nf_conntrack.h          | 21 ++---
 include/net/netfilter/nf_conntrack_acct.h     | 19 ++--
 include/net/netfilter/nf_conntrack_bridge.h   | 11 +--
 include/net/netfilter/nf_conntrack_core.h     | 22 +++--
 include/net/netfilter/nf_conntrack_count.h    |  4 +
 include/net/netfilter/nf_conntrack_ecache.h   | 94 ++++++++++++-------
 include/net/netfilter/nf_conntrack_expect.h   |  8 +-
 include/net/netfilter/nf_conntrack_extend.h   |  8 +-
 include/net/netfilter/nf_conntrack_helper.h   |  6 ++
 include/net/netfilter/nf_conntrack_l4proto.h  |  7 +-
 include/net/netfilter/nf_conntrack_labels.h   | 15 ++-
 include/net/netfilter/nf_conntrack_seqadj.h   |  4 +
 include/net/netfilter/nf_conntrack_synproxy.h | 43 +--------
 include/net/netfilter/nf_conntrack_timeout.h  |  8 ++
 .../net/netfilter/nf_conntrack_timestamp.h    |  6 +-
 include/net/netfilter/nf_conntrack_tuple.h    |  8 +-
 include/net/netfilter/nf_conntrack_zones.h    |  3 +-
 include/net/netfilter/nf_dup_netdev.h         |  4 +
 include/net/netfilter/nf_flow_table.h         | 10 +-
 include/net/netfilter/nf_log.h                |  4 +
 include/net/netfilter/nf_nat.h                | 26 ++---
 include/net/netfilter/nf_nat_helper.h         |  5 +
 include/net/netfilter/nf_nat_masquerade.h     |  5 +
 include/net/netfilter/nf_nat_redirect.h       |  4 +
 include/net/netfilter/nf_queue.h              |  8 +-
 include/net/netfilter/nf_reject.h             |  4 +
 include/net/netfilter/nf_socket.h             |  4 +
 include/net/netfilter/nf_synproxy.h           | 46 ++++++++-
 include/net/netfilter/nf_tables.h             | 17 +---
 include/net/netfilter/nf_tables_core.h        |  5 +
 include/net/netfilter/nf_tables_ipv4.h        |  4 +
 include/net/netfilter/nf_tables_ipv6.h        | 10 +-
 include/net/netfilter/nf_tables_offload.h     |  4 +
 include/net/netfilter/nf_tproxy.h             |  4 +
 include/net/netfilter/nft_fib.h               |  5 +
 include/net/netfilter/nft_meta.h              |  4 +
 include/net/netfilter/nft_reject.h            |  4 +
 include/net/netfilter/xt_rateest.h            |  4 +
 net/bridge/netfilter/ebt_802_3.c              |  8 +-
 net/bridge/netfilter/nf_conntrack_bridge.c    | 15 ++-
 net/ipv4/netfilter/Kconfig                    |  9 +-
 net/ipv4/netfilter/Makefile                   |  2 +-
 net/ipv6/netfilter.c                          |  4 +-
 net/ipv6/netfilter/Kconfig                    |  1 +
 net/ipv6/netfilter/ip6t_ipv6header.c          |  4 +-
 net/ipv6/netfilter/nf_log_ipv6.c              |  4 +-
 net/ipv6/netfilter/nf_socket_ipv6.c           |  1 -
 net/netfilter/Kconfig                         | 11 ++-
 net/netfilter/Makefile                        |  2 +-
 net/netfilter/ipset/Kconfig                   | 21 +++++
 net/netfilter/nf_conntrack_core.c             |  4 +
 net/netfilter/nf_conntrack_ecache.c           |  1 +
 net/netfilter/nf_conntrack_expect.c           |  2 +
 net/netfilter/nf_conntrack_helper.c           |  5 +-
 net/netfilter/nf_conntrack_proto_icmpv6.c     |  1 -
 net/netfilter/nf_conntrack_timeout.c          |  1 +
 net/netfilter/nf_flow_table_core.c            |  1 +
 net/netfilter/nf_nat_core.c                   |  6 +-
 net/netfilter/nft_chain_filter.c              |  4 +
 net/netfilter/nft_flow_offload.c              |  3 +-
 net/netfilter/xt_connlimit.c                  |  2 +
 net/netfilter/xt_hashlimit.c                  |  7 +-
 net/netfilter/xt_physdev.c                    |  6 +-
 net/sched/act_ct.c                            |  2 +-
 111 files changed, 628 insertions(+), 327 deletions(-)
 delete mode 100644 include/linux/netfilter/xt_hashlimit.h
 delete mode 100644 include/linux/netfilter/xt_physdev.h
 delete mode 100644 include/linux/netfilter_bridge/ebt_802_3.h
 delete mode 100644 include/net/netfilter/ipv6/nf_conntrack_icmpv6.h

-- 
2.23.0.rc1

[PATCH nf-next v2 01/30] netfilter: add include guard to nf_conntrack_h323_types.h

[Jeremy Sowden]

From: Masahiro Yamada <yamada.masahiro@socionext.com>

Add a header include guard just in case.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/nf_conntrack_h323_types.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/include/linux/netfilter/nf_conntrack_h323_types.h
index 7a6871ac8784..74c6f9241944 100644
--- a/include/linux/netfilter/nf_conntrack_h323_types.h
+++ b/include/linux/netfilter/nf_conntrack_h323_types.h
@@ -4,6 +4,9 @@
  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
  */
 
+#ifndef _NF_CONNTRACK_H323_TYPES_H
+#define _NF_CONNTRACK_H323_TYPES_H
+
 typedef struct TransportAddress_ipAddress {	/* SEQUENCE */
 	int options;		/* No use */
 	unsigned int ip;
@@ -931,3 +934,5 @@ typedef struct RasMessage {	/* CHOICE */
 		InfoRequestResponse infoRequestResponse;
 	};
 } RasMessage;
+
+#endif /* _NF_CONNTRACK_H323_TYPES_H */
-- 
2.23.0.rc1

[PATCH nf-next v2 02/30] netfilter: add include guard to nf_conntrack_labels.h.

[Jeremy Sowden]

nf_conntrack_labels.h has no include guard.  Add it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_labels.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index 4eacce6f3bcc..ba916411c4e1 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -1,11 +1,14 @@
 /* SPDX-License-Identifier: GPL-2.0 */
-#include <linux/types.h>
-#include <net/net_namespace.h>
+
+#ifndef _NF_CONNTRACK_LABELS_H
+#define _NF_CONNTRACK_LABELS_H
+
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <linux/types.h>
+#include <net/net_namespace.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_extend.h>
-
 #include <uapi/linux/netfilter/xt_connlabel.h>
 
 #define NF_CT_LABELS_MAX_SIZE ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
@@ -51,3 +54,5 @@ static inline void nf_conntrack_labels_fini(void) {}
 static inline int nf_connlabels_get(struct net *net, unsigned int bit) { return 0; }
 static inline void nf_connlabels_put(struct net *net) {}
 #endif
+
+#endif /* _NF_CONNTRACK_LABELS_H */
-- 
2.23.0.rc1

[PATCH nf-next v2 03/30] netfilter: fix include guard comment.

[Jeremy Sowden]

The comment following the #endif in the nf_flow_table.h include guard
referred to the wrong macro.  Fix it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_flow_table.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 609df33b1209..d875be62cdf0 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -127,4 +127,4 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 #define MODULE_ALIAS_NF_FLOWTABLE(family)	\
 	MODULE_ALIAS("nf-flowtable-" __stringify(family))
 
-#endif /* _FLOW_OFFLOAD_H */
+#endif /* _NF_FLOW_TABLE_H */
-- 
2.23.0.rc1

[PATCH nf-next v2 04/30] netfilter: add GPL-2.0 SPDX ID's to a couple of headers.

[Jeremy Sowden]

Two headers are missing SPDX licence identifiers.  They contain
copyright notices indicating that the code is GPL.  Add GPL-2.0
identifiers.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter_ipv4.h | 3 ++-
 include/linux/netfilter_ipv6.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 082e2c41b7ff..cab891485752 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -1,4 +1,5 @@
-/* IPv4-specific defines for netfilter. 
+/* SPDX-License-Identifier: GPL-2.0 */
+/* IPv4-specific defines for netfilter.
  * (C)1998 Rusty Russell -- This code is GPL.
  */
 #ifndef __LINUX_IP_NETFILTER_H
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7beb681e1ce5..c2f669581d88 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -1,4 +1,5 @@
-/* IPv6-specific defines for netfilter. 
+/* SPDX-License-Identifier: GPL-2.0 */
+/* IPv6-specific defines for netfilter.
  * (C)1998 Rusty Russell -- This code is GPL.
  * (C)1999 David Jeffery
  *   this header was blatantly ripped from netfilter_ipv4.h 
-- 
2.23.0.rc1

[PATCH nf-next v2 05/30] netfilter: remove trailing white-space.

[Jeremy Sowden]

Several header-files, Kconfig files and Makefiles have trailing
white-space.  Remove it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/x_tables.h          | 2 +-
 include/linux/netfilter_ipv6.h              | 2 +-
 include/net/netfilter/nf_conntrack_expect.h | 2 +-
 include/net/netfilter/nf_conntrack_tuple.h  | 2 +-
 net/ipv4/netfilter/Kconfig                  | 8 ++++----
 net/ipv4/netfilter/Makefile                 | 2 +-
 net/netfilter/Kconfig                       | 6 +++---
 net/netfilter/Makefile                      | 2 +-
 8 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index ae62bf1c6824..b9bc25f57c8e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -340,7 +340,7 @@ void xt_free_table_info(struct xt_table_info *info);
 
 /**
  * xt_recseq - recursive seqcount for netfilter use
- * 
+ *
  * Packet processing changes the seqcount only if no recursion happened
  * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
  * because we use the normal seqcount convention :
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index c2f669581d88..9797685d1e11 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -2,7 +2,7 @@
 /* IPv6-specific defines for netfilter.
  * (C)1998 Rusty Russell -- This code is GPL.
  * (C)1999 David Jeffery
- *   this header was blatantly ripped from netfilter_ipv4.h 
+ *   this header was blatantly ripped from netfilter_ipv4.h
  *   it's amazing what adding a bunch of 6s can do =8^)
  */
 #ifndef __LINUX_IP6_NETFILTER_H
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 573429be4d59..0855b60fba17 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -126,7 +126,7 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
 		       const union nf_inet_addr *,
 		       u_int8_t, const __be16 *, const __be16 *);
 void nf_ct_expect_put(struct nf_conntrack_expect *exp);
-int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
+int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 				u32 portid, int report, unsigned int flags);
 static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
 				       unsigned int flags)
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 480c87b44a96..68ea9b932736 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -124,7 +124,7 @@ struct nf_conntrack_tuple_hash {
 #if IS_ENABLED(CONFIG_NETFILTER)
 static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 					   const struct nf_conntrack_tuple *t2)
-{ 
+{
 	return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
 		t1->src.u.all == t2->src.u.all &&
 		t1->src.l3num == t2->src.l3num);
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 69e76d677f9e..f17b402111ce 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -272,7 +272,7 @@ config IP_NF_TARGET_CLUSTERIP
 	  The CLUSTERIP target allows you to build load-balancing clusters of
 	  network servers without having a dedicated load-balancing
 	  router/server/switch.
-	
+
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_TARGET_ECN
@@ -281,7 +281,7 @@ config IP_NF_TARGET_ECN
 	depends on NETFILTER_ADVANCED
 	---help---
 	  This option adds a `ECN' target, which can be used in the iptables mangle
-	  table.  
+	  table.
 
 	  You can use this target to remove the ECN bits from the IPv4 header of
 	  an IP packet.  This is particularly useful, if you need to work around
@@ -306,7 +306,7 @@ config IP_NF_RAW
 	  This option adds a `raw' table to iptables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
 	  and OUTPUT chains.
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 
@@ -318,7 +318,7 @@ config IP_NF_SECURITY
 	help
 	  This option adds a `security' table to iptables, for use
 	  with Mandatory Access Control (MAC) policy.
-	 
+
 	  If unsure, say N.
 
 endif # IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c50e0ec095d2..7c497c78105f 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,7 +31,7 @@ obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
 # flow table support
 obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o
 
-# generic IP tables 
+# generic IP tables
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
 
 # the three instances of ip_tables
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0d65f4d39494..6244bf3de4af 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -34,7 +34,7 @@ config NETFILTER_NETLINK_QUEUE
 	help
 	  If this option is enabled, the kernel will include support
 	  for queueing packets via NFNETLINK.
-	  
+
 config NETFILTER_NETLINK_LOG
 	tristate "Netfilter LOG over NFNETLINK interface"
 	default m if NETFILTER_ADVANCED=n
@@ -1502,7 +1502,7 @@ config NETFILTER_XT_MATCH_REALM
 	  This option adds a `realm' match, which allows you to use the realm
 	  key from the routing subsystem inside iptables.
 
-	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
+	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
 	  in tc world.
 
 	  If you want to compile it as a module, say M here and read
@@ -1523,7 +1523,7 @@ config NETFILTER_XT_MATCH_SCTP
 	depends on NETFILTER_ADVANCED
 	default IP_SCTP
 	help
-	  With this option enabled, you will be able to use the 
+	  With this option enabled, you will be able to use the
 	  `sctp' match in order to match on SCTP source/destination ports
 	  and SCTP chunk types.
 
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9270a7fae484..4fc075b612fe 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -124,7 +124,7 @@ nf_flow_table-objs := nf_flow_table_core.o nf_flow_table_ip.o
 
 obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
 
-# generic X tables 
+# generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 
 # combos
-- 
2.23.0.rc1

[PATCH nf-next v2 06/30] netfilter: fix Kconfig formatting error.

[Jeremy Sowden]

Indent the type of CONFIG_NETFILTER_NETLINK_ACCT correctly.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/netfilter/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6244bf3de4af..34ec7afec116 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -20,7 +20,7 @@ config NETFILTER_FAMILY_ARP
 	bool
 
 config NETFILTER_NETLINK_ACCT
-tristate "Netfilter NFACCT over NFNETLINK interface"
+	tristate "Netfilter NFACCT over NFNETLINK interface"
 	depends on NETFILTER_ADVANCED
 	select NETFILTER_NETLINK
 	help
-- 
2.23.0.rc1

[PATCH nf-next v2 07/30] netfilter: remove stray semicolons.

[Jeremy Sowden]

There are a couple of semicolons at the end of function definitions.
Remove them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_acct.h   | 2 +-
 include/net/netfilter/nf_conntrack_ecache.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index ad9f2172dee1..5b5287bb49db 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -45,7 +45,7 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
 #else
 	return NULL;
 #endif
-};
+}
 
 /* Check if connection tracking accounting is enabled */
 static inline bool nf_ct_acct_enabled(struct net *net)
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 52b44192b43f..0815bfadfefe 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -61,7 +61,7 @@ nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
 #else
 	return NULL;
 #endif
-};
+}
 
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 /* This structure is passed to event handler */
-- 
2.23.0.rc1

[PATCH nf-next v2 08/30] netfilter: remove unused function declarations.

[Jeremy Sowden]

Two headers include declarations of functions which are never defined.
Remove them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter_ipv4/ip_tables.h  | 2 --
 include/linux/netfilter_ipv6/ip6_tables.h | 3 +--
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index f40a65481df4..0b0d43ad9ed9 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -23,8 +23,6 @@
 #include <linux/init.h>
 #include <uapi/linux/netfilter_ipv4/ip_tables.h>
 
-extern void ipt_init(void) __init;
-
 #if IS_ENABLED(CONFIG_NETFILTER)
 int ipt_register_table(struct net *net, const struct xt_table *table,
 		       const struct ipt_replace *repl,
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 53b7309613bf..666450c117bf 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -23,9 +23,8 @@
 #include <linux/init.h>
 #include <uapi/linux/netfilter_ipv6/ip6_tables.h>
 
-extern void ip6t_init(void) __init;
-
 extern void *ip6t_alloc_initial_table(const struct xt_table *);
+
 #if IS_ENABLED(CONFIG_NETFILTER)
 int ip6t_register_table(struct net *net, const struct xt_table *table,
 			const struct ip6t_replace *repl,
-- 
2.23.0.rc1

[PATCH nf-next v2 09/30] netfilter: remove unused includes.

[Jeremy Sowden]

Some header-files are included in places where they are not needed.
Remove them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/bridge/netfilter/nf_conntrack_bridge.c | 1 -
 net/ipv6/netfilter/nf_socket_ipv6.c        | 1 -
 net/netfilter/xt_physdev.c                 | 1 -
 3 files changed, 3 deletions(-)

diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 4f5444d2a526..c9ce321fcac1 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -17,7 +17,6 @@
 #include <net/netfilter/nf_conntrack_bridge.h>
 
 #include <linux/netfilter/nf_tables.h>
-#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #include <net/netfilter/nf_tables.h>
 
 #include "../br_private.h"
diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c
index 437d95545c31..b9df879c48d3 100644
--- a/net/ipv6/netfilter/nf_socket_ipv6.c
+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
@@ -12,7 +12,6 @@
 #include <net/sock.h>
 #include <net/inet_sock.h>
 #include <net/inet6_hashtables.h>
-#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #include <net/netfilter/nf_socket.h>
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
 #include <net/netfilter/nf_conntrack.h>
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index ead7c6022208..4f311e5703e8 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -10,7 +10,6 @@
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter/xt_physdev.h>
 #include <linux/netfilter/x_tables.h>
-#include <net/netfilter/br_netfilter.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-- 
2.23.0.rc1

[PATCH nf-next v2 10/30] netfilter: include the right header in nf_conntrack_zones.h.

[Jeremy Sowden]

nf_conntrack_zones.h includes nf_conntrack_extend.h, but it doesn't
actually use anything from it.  It does, however, require stuff from
nf_conntrack.h which it includes transitively.  Include nf_conntrack.h
directly instead.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_zones.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_conntrack_zones.h b/include/net/netfilter/nf_conntrack_zones.h
index 52950baa3ab5..33b91d19cb7d 100644
--- a/include/net/netfilter/nf_conntrack_zones.h
+++ b/include/net/netfilter/nf_conntrack_zones.h
@@ -5,7 +5,8 @@
 #include <linux/netfilter/nf_conntrack_zones_common.h>
 
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <net/netfilter/nf_conntrack_extend.h>
+
+#include <net/netfilter/nf_conntrack.h>
 
 static inline const struct nf_conntrack_zone *
 nf_ct_zone(const struct nf_conn *ct)
-- 
2.23.0.rc1

[PATCH nf-next v2 11/30] netfilter: fix inclusions of <linux/netfilter/nf_nat.h>.

[Jeremy Sowden]

Three files include linux/netfilter/nf_nat.h, which doesn't exist,
instead of uapi/linux/netfilter/nf_nat.h.  Fix them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_nat.h | 5 ++++-
 net/netfilter/nf_nat_core.c    | 6 +++---
 net/sched/act_ct.c             | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index eec208fb9c23..c3ac2751952d 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -2,8 +2,11 @@
 #ifndef _NF_NAT_H
 #define _NF_NAT_H
 #include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_conntrack_pptp.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <uapi/linux/netfilter/nf_nat.h>
 
 enum nf_nat_manip_type {
 	NF_NAT_MANIP_SRC,
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 3f6023ed4966..bfc555fcbc72 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -18,12 +18,12 @@
 
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
-#include <net/netfilter/nf_nat.h>
-#include <net/netfilter/nf_nat_helper.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_zones.h>
-#include <linux/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat_helper.h>
+#include <uapi/linux/netfilter/nf_nat.h>
 
 #include "nf_internals.h"
 
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 33a1a7406e87..5a3c5c5885ef 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -24,12 +24,12 @@
 #include <uapi/linux/tc_act/tc_ct.h>
 #include <net/tc_act/tc_ct.h>
 
-#include <linux/netfilter/nf_nat.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+#include <uapi/linux/netfilter/nf_nat.h>
 
 static struct tc_action_ops act_ct_ops;
 static unsigned int ct_net_id;
-- 
2.23.0.rc1

[PATCH nf-next v2 12/30] netfilter: added missing includes.

[Jeremy Sowden]

Include some headers in files which use them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_core.h | 3 ++-
 include/net/netfilter/nf_nat.h            | 8 ++------
 include/net/netfilter/nf_nat_masquerade.h | 1 +
 net/netfilter/nf_conntrack_ecache.c       | 1 +
 net/netfilter/nf_conntrack_expect.c       | 2 ++
 net/netfilter/nf_conntrack_helper.c       | 5 +++--
 net/netfilter/nf_conntrack_timeout.c      | 1 +
 net/netfilter/nf_flow_table_core.c        | 1 +
 net/netfilter/nft_flow_offload.c          | 3 ++-
 net/netfilter/xt_connlimit.c              | 2 ++
 10 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 71a2d9cb64ea..d340886e012d 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -14,8 +14,9 @@
 #define _NF_CONNTRACK_CORE_H
 
 #include <linux/netfilter.h>
-#include <net/netfilter/nf_conntrack_l4proto.h>
+#include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 
 /* This header is used to share core functionality between the
    standalone connection tracking module, and the compatibility layer's use
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index c3ac2751952d..eeb336809679 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _NF_NAT_H
 #define _NF_NAT_H
+
+#include <linux/list.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/nf_conntrack_pptp.h>
 #include <net/netfilter/nf_conntrack.h>
@@ -17,10 +19,6 @@ enum nf_nat_manip_type {
 #define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \
 			     (hooknum) != NF_INET_LOCAL_IN)
 
-#include <linux/list.h>
-#include <linux/netfilter/nf_conntrack_pptp.h>
-#include <net/netfilter/nf_conntrack_extend.h>
-
 /* per conntrack: nat application helper private data */
 union nf_conntrack_nat_help {
 	/* insert nat helper private data here */
@@ -29,8 +27,6 @@ union nf_conntrack_nat_help {
 #endif
 };
 
-struct nf_conn;
-
 /* The structure embedded in the conntrack structure. */
 struct nf_conn_nat {
 	union nf_conntrack_nat_help help;
diff --git a/include/net/netfilter/nf_nat_masquerade.h b/include/net/netfilter/nf_nat_masquerade.h
index 54a14d643c34..be7abc9d5f22 100644
--- a/include/net/netfilter/nf_nat_masquerade.h
+++ b/include/net/netfilter/nf_nat_masquerade.h
@@ -2,6 +2,7 @@
 #ifndef _NF_NAT_MASQUERADE_H_
 #define _NF_NAT_MASQUERADE_H_
 
+#include <linux/skbuff.h>
 #include <net/netfilter/nf_nat.h>
 
 unsigned int
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 5e2812ee2149..6fba74b5aaf7 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -24,6 +24,7 @@
 
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_extend.h>
 
 static DEFINE_MUTEX(nf_ct_ecache_mutex);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 65364de915d1..42557d2b6a90 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -25,8 +25,10 @@
 
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 8d729e7c36ff..118f415928ae 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -21,10 +21,11 @@
 #include <linux/rtnetlink.h>
 
 #include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nf_conntrack_l4proto.h>
-#include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_log.h>
 
 static DEFINE_MUTEX(nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_timeout.c b/net/netfilter/nf_conntrack_timeout.c
index 13d0f4a92647..14387e0b8008 100644
--- a/net/netfilter/nf_conntrack_timeout.c
+++ b/net/netfilter/nf_conntrack_timeout.c
@@ -19,6 +19,7 @@
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
 
 struct nf_ct_timeout *
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 80a8f9ae4c93..09310a1bd91f 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -11,6 +11,7 @@
 #include <net/netfilter/nf_flow_table.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 
 struct flow_offload_entry {
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 060a4ed46d5e..b2dec0185056 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -6,12 +6,13 @@
 #include <linux/netfilter.h>
 #include <linux/workqueue.h>
 #include <linux/spinlock.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/ip.h> /* for ipv4 options. */
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_conntrack_core.h>
-#include <linux/netfilter/nf_conntrack_common.h>
+#include <net/netfilter/nf_conntrack_extend.h>
 #include <net/netfilter/nf_flow_table.h>
 
 struct nft_flow_offload {
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index bc6c8ab0fa62..46fcac75f726 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -13,6 +13,8 @@
  */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
+#include <linux/ip.h>
+#include <linux/ipv6.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
-- 
2.23.0.rc1

[PATCH nf-next v2 13/30] netfilter: inline three headers.

[Jeremy Sowden]

Three netfilter headers are only included once.  Inline their contents
at those sites and remove them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/xt_hashlimit.h     | 11 -----------
 include/linux/netfilter/xt_physdev.h       |  8 --------
 include/linux/netfilter_bridge/ebt_802_3.h | 12 ------------
 net/bridge/netfilter/ebt_802_3.c           |  8 +++++++-
 net/netfilter/xt_hashlimit.c               |  7 ++++++-
 net/netfilter/xt_physdev.c                 |  5 +++--
 6 files changed, 16 insertions(+), 35 deletions(-)
 delete mode 100644 include/linux/netfilter/xt_hashlimit.h
 delete mode 100644 include/linux/netfilter/xt_physdev.h
 delete mode 100644 include/linux/netfilter_bridge/ebt_802_3.h

diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
deleted file mode 100644
index 169d03983589..000000000000
--- a/include/linux/netfilter/xt_hashlimit.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _XT_HASHLIMIT_H
-#define _XT_HASHLIMIT_H
-
-#include <uapi/linux/netfilter/xt_hashlimit.h>
-
-#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
-			  XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
-			  XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
-			  XT_HASHLIMIT_RATE_MATCH)
-#endif /*_XT_HASHLIMIT_H*/
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
deleted file mode 100644
index 4ca0593949cd..000000000000
--- a/include/linux/netfilter/xt_physdev.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _XT_PHYSDEV_H
-#define _XT_PHYSDEV_H
-
-#include <linux/if.h>
-#include <uapi/linux/netfilter/xt_physdev.h>
-
-#endif /*_XT_PHYSDEV_H*/
diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h
deleted file mode 100644
index c6147f9c0d80..000000000000
--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ /dev/null
@@ -1,12 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef __LINUX_BRIDGE_EBT_802_3_H
-#define __LINUX_BRIDGE_EBT_802_3_H
-
-#include <linux/skbuff.h>
-#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
-
-static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
-{
-	return (struct ebt_802_3_hdr *)skb_mac_header(skb);
-}
-#endif
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 2c8fe24400e5..68c2519bdc52 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -11,7 +11,13 @@
 #include <linux/module.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_bridge/ebtables.h>
-#include <linux/netfilter_bridge/ebt_802_3.h>
+#include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
+
+static struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
+{
+	return (struct ebt_802_3_hdr *)skb_mac_header(skb);
+}
 
 static bool
 ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 2d2691dd51e0..ced3fc8fad7c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -34,9 +34,14 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/xt_hashlimit.h>
 #include <linux/mutex.h>
 #include <linux/kernel.h>
+#include <uapi/linux/netfilter/xt_hashlimit.h>
+
+#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
+			  XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
+			  XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
+			  XT_HASHLIMIT_RATE_MATCH)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 4f311e5703e8..559a0572557f 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -5,11 +5,13 @@
 /* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
  */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/if.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_bridge.h>
-#include <linux/netfilter/xt_physdev.h>
 #include <linux/netfilter/x_tables.h>
+#include <uapi/linux/netfilter/xt_physdev.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
@@ -17,7 +19,6 @@ MODULE_DESCRIPTION("Xtables: Bridge physical device match");
 MODULE_ALIAS("ipt_physdev");
 MODULE_ALIAS("ip6t_physdev");
 
-
 static bool
 physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
-- 
2.23.0.rc1

[PATCH nf-next v2 14/30] netfilter: remove superfluous header.

[Jeremy Sowden]

nf_conntrack_icmpv6.h contains two object macros which duplicate macros
in linux/icmpv6.h.  The latter definitions are also visible wherever it
is included, so remove it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 .../net/netfilter/ipv6/nf_conntrack_icmpv6.h  | 21 -------------------
 include/net/netfilter/nf_conntrack.h          |  1 -
 net/netfilter/nf_conntrack_proto_icmpv6.c     |  1 -
 3 files changed, 23 deletions(-)
 delete mode 100644 include/net/netfilter/ipv6/nf_conntrack_icmpv6.h

diff --git a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
deleted file mode 100644
index c86895bc5eb6..000000000000
--- a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-/*
- * ICMPv6 tracking.
- *
- * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
- *	- separated from nf_conntrack_icmp.h
- *
- * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
- */
-
-#ifndef _NF_CONNTRACK_ICMPV6_H
-#define _NF_CONNTRACK_ICMPV6_H
-
-#ifndef ICMPV6_NI_QUERY
-#define ICMPV6_NI_QUERY 139
-#endif
-#ifndef ICMPV6_NI_REPLY
-#define ICMPV6_NI_REPLY 140
-#endif
-
-#endif /* _NF_CONNTRACK_ICMPV6_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 2cc304efe7f9..22275f42f0bb 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,7 +23,6 @@
 #include <linux/netfilter/nf_conntrack_dccp.h>
 #include <linux/netfilter/nf_conntrack_sctp.h>
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
-#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 
 #include <net/netfilter/nf_conntrack_tuple.h>
 
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index 7e317e6698ba..6f9144e1f1c1 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -22,7 +22,6 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
 #include <net/netfilter/nf_conntrack_zones.h>
-#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 #include <net/netfilter/nf_log.h>
 
 static const unsigned int nf_ct_icmpv6_timeout = 30*HZ;
-- 
2.23.0.rc1

[PATCH nf-next v2 15/30] netfilter: move inline function to a more appropriate header.

[Jeremy Sowden]

There is an inline function in ip6_tables.h which is not specific to
ip6tables and is used elswhere in netfilter.  Move it into
netfilter_ipv6.h and update the callers.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter_ipv6.h            | 12 ++++++++++++
 include/linux/netfilter_ipv6/ip6_tables.h | 12 ------------
 net/ipv6/netfilter/ip6t_ipv6header.c      |  4 ++--
 net/ipv6/netfilter/nf_log_ipv6.c          |  4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 9797685d1e11..b8f872844ba3 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -11,6 +11,18 @@
 #include <uapi/linux/netfilter_ipv6.h>
 #include <net/tcp.h>
 
+/* Check for an extension */
+static inline int
+nf_ip6_ext_hdr(u8 nexthdr)
+{	return (nexthdr == IPPROTO_HOPOPTS) ||
+	       (nexthdr == IPPROTO_ROUTING) ||
+	       (nexthdr == IPPROTO_FRAGMENT) ||
+	       (nexthdr == IPPROTO_ESP) ||
+	       (nexthdr == IPPROTO_AH) ||
+	       (nexthdr == IPPROTO_NONE) ||
+	       (nexthdr == IPPROTO_DSTOPTS);
+}
+
 /* Extra routing may needed on local out, as the QUEUE target never returns
  * control to the table.
  */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 666450c117bf..3a0a2bd054cc 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -36,18 +36,6 @@ extern unsigned int ip6t_do_table(struct sk_buff *skb,
 				  struct xt_table *table);
 #endif
 
-/* Check for an extension */
-static inline int
-ip6t_ext_hdr(u8 nexthdr)
-{	return (nexthdr == IPPROTO_HOPOPTS) ||
-	       (nexthdr == IPPROTO_ROUTING) ||
-	       (nexthdr == IPPROTO_FRAGMENT) ||
-	       (nexthdr == IPPROTO_ESP) ||
-	       (nexthdr == IPPROTO_AH) ||
-	       (nexthdr == IPPROTO_NONE) ||
-	       (nexthdr == IPPROTO_DSTOPTS);
-}
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 0fc6326ef499..c52ff929c93b 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -16,7 +16,7 @@
 #include <net/ipv6.h>
 
 #include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 
 MODULE_LICENSE("GPL");
@@ -42,7 +42,7 @@ ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 	len = skb->len - ptr;
 	temp = 0;
 
-	while (ip6t_ext_hdr(nexthdr)) {
+	while (nf_ip6_ext_hdr(nexthdr)) {
 		const struct ipv6_opt_hdr *hp;
 		struct ipv6_opt_hdr _hdr;
 		int hdrlen;
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index f53bd8f01219..22b80db6d882 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -18,7 +18,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/xt_LOG.h>
 #include <net/netfilter/nf_log.h>
 
@@ -70,7 +70,7 @@ static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
 	fragment = 0;
 	ptr = ip6hoff + sizeof(struct ipv6hdr);
 	currenthdr = ih->nexthdr;
-	while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
+	while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) {
 		struct ipv6_opt_hdr _hdr;
 		const struct ipv6_opt_hdr *hp;
 
-- 
2.23.0.rc1

[PATCH nf-next v2 16/30] netfilter: move code between synproxy headers.

[Jeremy Sowden]

There is some non-conntrack code in the nf_conntrack_synproxy.h header.
Move it to the nf_synproxy.h header.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_synproxy.h | 39 -------------------
 include/net/netfilter/nf_synproxy.h           | 38 ++++++++++++++++++
 2 files changed, 38 insertions(+), 39 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index 2f0171d24997..c22f0c11cc82 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -43,43 +43,4 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
 	return true;
 }
 
-struct synproxy_stats {
-	unsigned int			syn_received;
-	unsigned int			cookie_invalid;
-	unsigned int			cookie_valid;
-	unsigned int			cookie_retrans;
-	unsigned int			conn_reopened;
-};
-
-struct synproxy_net {
-	struct nf_conn			*tmpl;
-	struct synproxy_stats __percpu	*stats;
-	unsigned int			hook_ref4;
-	unsigned int			hook_ref6;
-};
-
-extern unsigned int synproxy_net_id;
-static inline struct synproxy_net *synproxy_pernet(struct net *net)
-{
-	return net_generic(net, synproxy_net_id);
-}
-
-struct synproxy_options {
-	u8				options;
-	u8				wscale;
-	u16				mss_option;
-	u16				mss_encode;
-	u32				tsval;
-	u32				tsecr;
-};
-
-struct tcphdr;
-struct nf_synproxy_info;
-bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
-			    const struct tcphdr *th,
-			    struct synproxy_options *opts);
-
-void synproxy_init_timestamp_cookie(const struct nf_synproxy_info *info,
-				    struct synproxy_options *opts);
-
 #endif /* _NF_CONNTRACK_SYNPROXY_H */
diff --git a/include/net/netfilter/nf_synproxy.h b/include/net/netfilter/nf_synproxy.h
index dc420b47e3aa..19d1af7a0348 100644
--- a/include/net/netfilter/nf_synproxy.h
+++ b/include/net/netfilter/nf_synproxy.h
@@ -11,6 +11,44 @@
 #include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_synproxy.h>
 
+struct synproxy_stats {
+	unsigned int			syn_received;
+	unsigned int			cookie_invalid;
+	unsigned int			cookie_valid;
+	unsigned int			cookie_retrans;
+	unsigned int			conn_reopened;
+};
+
+struct synproxy_net {
+	struct nf_conn			*tmpl;
+	struct synproxy_stats __percpu	*stats;
+	unsigned int			hook_ref4;
+	unsigned int			hook_ref6;
+};
+
+extern unsigned int synproxy_net_id;
+static inline struct synproxy_net *synproxy_pernet(struct net *net)
+{
+	return net_generic(net, synproxy_net_id);
+}
+
+struct synproxy_options {
+	u8				options;
+	u8				wscale;
+	u16				mss_option;
+	u16				mss_encode;
+	u32				tsval;
+	u32				tsecr;
+};
+
+struct nf_synproxy_info;
+bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+			    const struct tcphdr *th,
+			    struct synproxy_options *opts);
+
+void synproxy_init_timestamp_cookie(const struct nf_synproxy_info *info,
+				    struct synproxy_options *opts);
+
 void synproxy_send_client_synack(struct net *net, const struct sk_buff *skb,
 				 const struct tcphdr *th,
 				 const struct synproxy_options *opts);
-- 
2.23.0.rc1

[PATCH nf-next v2 17/30] netfilter: move struct definition function to a more appropriate header.

[Jeremy Sowden]

There is a struct definition function in nf_conntrack_bridge.h which is
not specific to conntrack and is used elswhere in netfilter.  Move it
into netfilter.h.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter.h                   |  7 +++++++
 include/linux/netfilter_ipv6.h              | 14 +++++++-------
 include/net/netfilter/nf_conntrack_bridge.h |  7 -------
 net/bridge/netfilter/nf_conntrack_bridge.c  | 14 +++++++-------
 net/ipv6/netfilter.c                        |  4 ++--
 5 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 049aeb40fa35..4c94dd4cc8d0 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -479,4 +479,11 @@ extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
  */
 DECLARE_PER_CPU(bool, nf_skb_duplicated);
 
+struct nf_bridge_frag_data {
+	char    mac[ETH_HLEN];
+	bool    vlan_present;
+	u16     vlan_tci;
+	__be16  vlan_proto;
+};
+
 #endif /*__LINUX_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index b8f872844ba3..cec3253e736d 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -33,7 +33,7 @@ struct ip6_rt_info {
 };
 
 struct nf_queue_entry;
-struct nf_ct_bridge_frag_data;
+struct nf_bridge_frag_data;
 
 /*
  * Hook functions for ipv6 to allow xt_* modules to be built-in even
@@ -62,9 +62,9 @@ struct nf_ipv6_ops {
 	int (*br_defrag)(struct net *net, struct sk_buff *skb, u32 user);
 	int (*br_fragment)(struct net *net, struct sock *sk,
 			   struct sk_buff *skb,
-			   struct nf_ct_bridge_frag_data *data,
+			   struct nf_bridge_frag_data *data,
 			   int (*output)(struct net *, struct sock *sk,
-					 const struct nf_ct_bridge_frag_data *data,
+					 const struct nf_bridge_frag_data *data,
 					 struct sk_buff *));
 #endif
 };
@@ -136,16 +136,16 @@ static inline int nf_ipv6_br_defrag(struct net *net, struct sk_buff *skb,
 }
 
 int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
-		    struct nf_ct_bridge_frag_data *data,
+		    struct nf_bridge_frag_data *data,
 		    int (*output)(struct net *, struct sock *sk,
-				  const struct nf_ct_bridge_frag_data *data,
+				  const struct nf_bridge_frag_data *data,
 				  struct sk_buff *));
 
 static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk,
 				     struct sk_buff *skb,
-				     struct nf_ct_bridge_frag_data *data,
+				     struct nf_bridge_frag_data *data,
 				     int (*output)(struct net *, struct sock *sk,
-						   const struct nf_ct_bridge_frag_data *data,
+						   const struct nf_bridge_frag_data *data,
 						   struct sk_buff *))
 {
 #if IS_MODULE(CONFIG_IPV6)
diff --git a/include/net/netfilter/nf_conntrack_bridge.h b/include/net/netfilter/nf_conntrack_bridge.h
index 34c28f248b18..01b62fd5efa2 100644
--- a/include/net/netfilter/nf_conntrack_bridge.h
+++ b/include/net/netfilter/nf_conntrack_bridge.h
@@ -16,11 +16,4 @@ struct nf_ct_bridge_info {
 void nf_ct_bridge_register(struct nf_ct_bridge_info *info);
 void nf_ct_bridge_unregister(struct nf_ct_bridge_info *info);
 
-struct nf_ct_bridge_frag_data {
-	char	mac[ETH_HLEN];
-	bool	vlan_present;
-	u16	vlan_tci;
-	__be16	vlan_proto;
-};
-
 #endif
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index c9ce321fcac1..8842798c29e6 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -26,9 +26,9 @@
  */
 static int nf_br_ip_fragment(struct net *net, struct sock *sk,
 			     struct sk_buff *skb,
-			     struct nf_ct_bridge_frag_data *data,
+			     struct nf_bridge_frag_data *data,
 			     int (*output)(struct net *, struct sock *sk,
-					   const struct nf_ct_bridge_frag_data *data,
+					   const struct nf_bridge_frag_data *data,
 					   struct sk_buff *))
 {
 	int frag_max_size = BR_INPUT_SKB_CB(skb)->frag_max_size;
@@ -278,7 +278,7 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb,
 }
 
 static void nf_ct_bridge_frag_save(struct sk_buff *skb,
-				   struct nf_ct_bridge_frag_data *data)
+				   struct nf_bridge_frag_data *data)
 {
 	if (skb_vlan_tag_present(skb)) {
 		data->vlan_present = true;
@@ -293,10 +293,10 @@ static void nf_ct_bridge_frag_save(struct sk_buff *skb,
 static unsigned int
 nf_ct_bridge_refrag(struct sk_buff *skb, const struct nf_hook_state *state,
 		    int (*output)(struct net *, struct sock *sk,
-				  const struct nf_ct_bridge_frag_data *data,
+				  const struct nf_bridge_frag_data *data,
 				  struct sk_buff *))
 {
-	struct nf_ct_bridge_frag_data data;
+	struct nf_bridge_frag_data data;
 
 	if (!BR_INPUT_SKB_CB(skb)->frag_max_size)
 		return NF_ACCEPT;
@@ -319,7 +319,7 @@ nf_ct_bridge_refrag(struct sk_buff *skb, const struct nf_hook_state *state,
 
 /* Actually only slow path refragmentation needs this. */
 static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
-				     const struct nf_ct_bridge_frag_data *data)
+				     const struct nf_bridge_frag_data *data)
 {
 	int err;
 
@@ -340,7 +340,7 @@ static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
 }
 
 static int nf_ct_bridge_refrag_post(struct net *net, struct sock *sk,
-				    const struct nf_ct_bridge_frag_data *data,
+				    const struct nf_bridge_frag_data *data,
 				    struct sk_buff *skb)
 {
 	int err;
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 61819ed858b1..a9bff556d3b2 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -113,9 +113,9 @@ int __nf_ip6_route(struct net *net, struct dst_entry **dst,
 EXPORT_SYMBOL_GPL(__nf_ip6_route);
 
 int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
-		    struct nf_ct_bridge_frag_data *data,
+		    struct nf_bridge_frag_data *data,
 		    int (*output)(struct net *, struct sock *sk,
-				  const struct nf_ct_bridge_frag_data *data,
+				  const struct nf_bridge_frag_data *data,
 				  struct sk_buff *))
 {
 	int frag_max_size = BR_INPUT_SKB_CB(skb)->frag_max_size;
-- 
2.23.0.rc1

[PATCH nf-next v2 18/30] netfilter: use consistent style when defining inline functions in nf_conntrack_ecache.h.

[Jeremy Sowden]

The header contains some inline functions defined as:

  static inline f (...)
  {
  #ifdef CONFIG_NF_CONNTRACK_EVENTS
    ...
  #else
    ...
  #endif
  }

and a few others as:

  #ifdef CONFIG_NF_CONNTRACK_EVENTS
  static inline f (...)
  {
    ...
  }
  #else
  static inline f (...)
  {
    ...
  }
  #endif

Prefer the former style, which is more numerous.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_ecache.h | 82 +++++++++++++--------
 1 file changed, 50 insertions(+), 32 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 0815bfadfefe..eb81f9195e28 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -64,6 +64,7 @@ nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
 }
 
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
+
 /* This structure is passed to event handler */
 struct nf_ct_event {
 	struct nf_conn *ct;
@@ -84,9 +85,26 @@ void nf_ct_deliver_cached_events(struct nf_conn *ct);
 int nf_conntrack_eventmask_report(unsigned int eventmask, struct nf_conn *ct,
 				  u32 portid, int report);
 
+#else
+
+static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct)
+{
+}
+
+static inline int nf_conntrack_eventmask_report(unsigned int eventmask,
+						struct nf_conn *ct,
+						u32 portid,
+						int report)
+{
+	return 0;
+}
+
+#endif
+
 static inline void
 nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
 {
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
 	struct net *net = nf_ct_net(ct);
 	struct nf_conntrack_ecache *e;
 
@@ -98,31 +116,42 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
 		return;
 
 	set_bit(event, &e->cache);
+#endif
 }
 
 static inline int
 nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
 			  u32 portid, int report)
 {
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
 	const struct net *net = nf_ct_net(ct);
 
 	if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
 		return 0;
 
 	return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
+#else
+	return 0;
+#endif
 }
 
 static inline int
 nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
 {
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
 	const struct net *net = nf_ct_net(ct);
 
 	if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
 		return 0;
 
 	return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
+#else
+	return 0;
+#endif
 }
 
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+
 struct nf_exp_event {
 	struct nf_conntrack_expect *exp;
 	u32 portid;
@@ -148,41 +177,18 @@ void nf_conntrack_ecache_pernet_fini(struct net *net);
 int nf_conntrack_ecache_init(void);
 void nf_conntrack_ecache_fini(void);
 
-static inline void nf_conntrack_ecache_delayed_work(struct net *net)
+#else /* CONFIG_NF_CONNTRACK_EVENTS */
+
+static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
+					     struct nf_conntrack_expect *exp,
+					     u32 portid,
+					     int report)
 {
-	if (!delayed_work_pending(&net->ct.ecache_dwork)) {
-		schedule_delayed_work(&net->ct.ecache_dwork, HZ);
-		net->ct.ecache_dwork_pending = true;
-	}
 }
 
-static inline void nf_conntrack_ecache_work(struct net *net)
+static inline void nf_conntrack_ecache_pernet_init(struct net *net)
 {
-	if (net->ct.ecache_dwork_pending) {
-		net->ct.ecache_dwork_pending = false;
-		mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0);
-	}
 }
-#else /* CONFIG_NF_CONNTRACK_EVENTS */
-static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
-					    struct nf_conn *ct) {}
-static inline int nf_conntrack_eventmask_report(unsigned int eventmask,
-						struct nf_conn *ct,
-						u32 portid,
-						int report) { return 0; }
-static inline int nf_conntrack_event(enum ip_conntrack_events event,
-				     struct nf_conn *ct) { return 0; }
-static inline int nf_conntrack_event_report(enum ip_conntrack_events event,
-					    struct nf_conn *ct,
-					    u32 portid,
-					    int report) { return 0; }
-static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
-static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
-					     struct nf_conntrack_expect *exp,
- 					     u32 portid,
- 					     int report) {}
-
-static inline void nf_conntrack_ecache_pernet_init(struct net *net) {}
 
 static inline void nf_conntrack_ecache_pernet_fini(struct net *net)
 {
@@ -197,14 +203,26 @@ static inline void nf_conntrack_ecache_fini(void)
 {
 }
 
+#endif /* CONFIG_NF_CONNTRACK_EVENTS */
+
 static inline void nf_conntrack_ecache_delayed_work(struct net *net)
 {
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+	if (!delayed_work_pending(&net->ct.ecache_dwork)) {
+		schedule_delayed_work(&net->ct.ecache_dwork, HZ);
+		net->ct.ecache_dwork_pending = true;
+	}
+#endif
 }
 
 static inline void nf_conntrack_ecache_work(struct net *net)
 {
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+	if (net->ct.ecache_dwork_pending) {
+		net->ct.ecache_dwork_pending = false;
+		mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0);
+	}
+#endif
 }
-#endif /* CONFIG_NF_CONNTRACK_EVENTS */
 
 #endif /*_NF_CONNTRACK_ECACHE_H*/
-
-- 
2.23.0.rc1

[PATCH nf-next v2 19/30] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

[Jeremy Sowden]

A few headers contain instances of:

  #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE)

Replace them with:

  #if IS_ENABLED(CONFIG_XXX)

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter.h                      | 2 +-
 include/linux/netfilter/ipset/ip_set_getport.h | 2 +-
 include/net/netfilter/nf_conntrack_extend.h    | 2 +-
 include/net/netfilter/nf_nat.h                 | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 4c94dd4cc8d0..3bed59528fed 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -422,7 +422,7 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 }
 #endif /*CONFIG_NETFILTER*/
 
-#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 #include <linux/netfilter/nf_conntrack_zones_common.h>
 
 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h
index a906df06948b..d74cd112b88a 100644
--- a/include/linux/netfilter/ipset/ip_set_getport.h
+++ b/include/linux/netfilter/ipset/ip_set_getport.h
@@ -9,7 +9,7 @@
 extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
 				__be16 *port, u8 *proto);
 
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
 				__be16 *port, u8 *proto);
 #else
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 21f887c5058c..112a6f40dfaf 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -8,7 +8,7 @@
 
 enum nf_ct_ext_id {
 	NF_CT_EXT_HELPER,
-#if defined(CONFIG_NF_NAT) || defined(CONFIG_NF_NAT_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT)
 	NF_CT_EXT_NAT,
 #endif
 	NF_CT_EXT_SEQADJ,
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index eeb336809679..362ff94fa6b0 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -22,7 +22,7 @@ enum nf_nat_manip_type {
 /* per conntrack: nat application helper private data */
 union nf_conntrack_nat_help {
 	/* insert nat helper private data here */
-#if defined(CONFIG_NF_NAT_PPTP) || defined(CONFIG_NF_NAT_PPTP_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT_PPTP)
 	struct nf_nat_pptp nat_pptp_info;
 #endif
 };
@@ -47,7 +47,7 @@ struct nf_conn_nat *nf_ct_nat_ext_add(struct nf_conn *ct);
 
 static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct)
 {
-#if defined(CONFIG_NF_NAT) || defined(CONFIG_NF_NAT_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT)
 	return nf_ct_ext_find(ct, NF_CT_EXT_NAT);
 #else
 	return NULL;
-- 
2.23.0.rc1

[PATCH nf-next v2 20/30] netfilter: wrap union nf_conntrack_proto members in CONFIG_NF_CT_PROTO_* check.

[Jeremy Sowden]

dccp, sctp and gre are only used in code enabled by particular
CONFIG_NF_CT_PROTO_* options.  Wrap them in the checks for those
options.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 22275f42f0bb..0673cf685741 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -33,11 +33,17 @@ struct nf_ct_udp {
 /* per conntrack: protocol private data */
 union nf_conntrack_proto {
 	/* insert conntrack proto private data here */
+#ifdef CONFIG_NF_CT_PROTO_DCCP
 	struct nf_ct_dccp dccp;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
 	struct ip_ct_sctp sctp;
+#endif
 	struct ip_ct_tcp tcp;
 	struct nf_ct_udp udp;
+#ifdef CONFIG_NF_CT_PROTO_GRE
 	struct nf_ct_gre gre;
+#endif
 	unsigned int tmpl_padto;
 };
 
-- 
2.23.0.rc1

[PATCH nf-next v2 21/30] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check.

[Jeremy Sowden]

nf_conntrack_synproxy.h contains three inline functions.  The contents
of two of them are wrapped in CONFIG_NETFILTER_SYNPROXY checks and just
return NULL if it is not enabled.  The third does nothing if they return
NULL, so wrap its contents as well.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_synproxy.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index c22f0c11cc82..6a3ab081e4bf 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -32,6 +32,7 @@ static inline struct nf_conn_synproxy *nfct_synproxy_ext_add(struct nf_conn *ct)
 static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
 				      const struct nf_conn *tmpl)
 {
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
 	if (tmpl && nfct_synproxy(tmpl)) {
 		if (!nfct_seqadj_ext_add(ct))
 			return false;
@@ -39,6 +40,7 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
 		if (!nfct_synproxy_ext_add(ct))
 			return false;
 	}
+#endif
 
 	return true;
 }
-- 
2.23.0.rc1

[PATCH nf-next v2 22/30] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check.

[Jeremy Sowden]

nf_ct_timeout_data is only called if CONFIG_NETFILTER_TIMEOUT is
enabled.  Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the
other inline functions in nf_conntrack_timeout.h.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/net/netfilter/nf_conntrack_timeout.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 00a8fbb2d735..6dd72396f534 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -32,6 +32,7 @@ struct nf_conn_timeout {
 static inline unsigned int *
 nf_ct_timeout_data(const struct nf_conn_timeout *t)
 {
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 	struct nf_ct_timeout *timeout;
 
 	timeout = rcu_dereference(t->timeout);
@@ -39,6 +40,9 @@ nf_ct_timeout_data(const struct nf_conn_timeout *t)
 		return NULL;
 
 	return (unsigned int *)timeout->data;
+#else
+	return NULL;
+#endif
 }
 
 static inline
-- 
2.23.0.rc1

[PATCH nf-next v2 23/30] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check.

[Jeremy Sowden]

nf_conntrack_update uses nf_nat_hook to do some nat stuff.  However, it
will only be not NULL if CONFIG_NF_NAT is enabled.  Wrap the code in a
CONFIG_NF_NAT check to skip it altogether.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/netfilter/nf_conntrack_core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 81a8ef42b88d..c597b3e8450b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1885,7 +1885,9 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
 	struct nf_conntrack_tuple_hash *h;
 	struct nf_conntrack_tuple tuple;
 	enum ip_conntrack_info ctinfo;
+#if IS_ENABLED(CONFIG_NF_NAT)
 	struct nf_nat_hook *nat_hook;
+#endif
 	unsigned int status;
 	struct nf_conn *ct;
 	int dataoff;
@@ -1935,6 +1937,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
 	ct = nf_ct_tuplehash_to_ctrack(h);
 	nf_ct_set(skb, ct, ctinfo);
 
+#if IS_ENABLED(CONFIG_NF_NAT)
 	nat_hook = rcu_dereference(nf_nat_hook);
 	if (!nat_hook)
 		return 0;
@@ -1948,6 +1951,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
 	    nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_DST,
 				IP_CT_DIR_ORIGINAL) == NF_DROP)
 		return -1;
+#endif
 
 	return 0;
 }
-- 
2.23.0.rc1

[PATCH nf-next v2 24/30] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check.

[Jeremy Sowden]

nft_set_pktinfo_ipv6_validate does nothing unless CONFIG_IPV6, and
therefore by implication CONFIG_NF_TABLES_IPV6, is enabled.  Wrap the
calls in a CONFIG_NF_TABLES_IPV6 check.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/netfilter/nft_chain_filter.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index b5d5d071d765..f411d9993612 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -207,9 +207,11 @@ nft_do_chain_bridge(void *priv,
 	case htons(ETH_P_IP):
 		nft_set_pktinfo_ipv4_validate(&pkt, skb);
 		break;
+#ifdef CONFIG_NF_TABLES_IPV6
 	case htons(ETH_P_IPV6):
 		nft_set_pktinfo_ipv6_validate(&pkt, skb);
 		break;
+#endif
 	default:
 		nft_set_pktinfo_unspec(&pkt, skb);
 		break;
@@ -262,9 +264,11 @@ static unsigned int nft_do_chain_netdev(void *priv, struct sk_buff *skb,
 	case htons(ETH_P_IP):
 		nft_set_pktinfo_ipv4_validate(&pkt, skb);
 		break;
+#ifdef CONFIG_NF_TABLES_IPV6
 	case htons(ETH_P_IPV6):
 		nft_set_pktinfo_ipv6_validate(&pkt, skb);
 		break;
+#endif
 	default:
 		nft_set_pktinfo_unspec(&pkt, skb);
 		break;
-- 
2.23.0.rc1

[PATCH nf-next v2 25/30] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check.

[Jeremy Sowden]

struct nf_conntrack_zone is only required if CONFIG_NF_CONNTRACK.
Wrap its definition in a CONFIG_NF_CONNTRACK check.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/nf_conntrack_zones_common.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/linux/netfilter/nf_conntrack_zones_common.h b/include/linux/netfilter/nf_conntrack_zones_common.h
index 8f3905e12a64..4596f9eb2e8f 100644
--- a/include/linux/netfilter/nf_conntrack_zones_common.h
+++ b/include/linux/netfilter/nf_conntrack_zones_common.h
@@ -13,6 +13,8 @@
 
 #define NF_CT_FLAG_MARK		1
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 struct nf_conntrack_zone {
 	u16	id;
 	u8	flags;
@@ -21,4 +23,6 @@ struct nf_conntrack_zone {
 
 extern const struct nf_conntrack_zone nf_ct_zone_dflt;
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_ZONES_COMMON_H */
-- 
2.23.0.rc1

[PATCH nf-next v2 26/30] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h.

[Jeremy Sowden]

The bulk of this header is already wrapped in CONFIG_NETFILTER or
CONFIG_NF_CONNTRACK checks.  The last few definitions are also only
required if CONFIG_NETFILTER is enabled.  Add another conditional for
that remainder.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3bed59528fed..075d48ef6a48 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -16,6 +16,7 @@
 #include <net/net_namespace.h>
 
 #ifdef CONFIG_NETFILTER
+
 static inline int NF_DROP_GETERR(int verdict)
 {
 	return -(verdict >> NF_VERDICT_QBITS);
@@ -415,11 +416,13 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 {
 	return 1;
 }
+
 struct flowi;
 static inline void
 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 {
 }
+
 #endif /*CONFIG_NETFILTER*/
 
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
@@ -440,6 +443,8 @@ static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
 }
 #endif
 
+#ifdef CONFIG_NETFILTER
+
 struct nf_conn;
 enum ip_conntrack_info;
 
@@ -486,4 +491,6 @@ struct nf_bridge_frag_data {
 	__be16  vlan_proto;
 };
 
+#endif /* CONFIG_NETFILTER */
+
 #endif /*__LINUX_NETFILTER_H*/
-- 
2.23.0.rc1

[PATCH nf-next v2 27/30] netfilter: add NF_TPROXY config option.

[Jeremy Sowden]

Add a hidden tristate option which is select by NF_TPROXY_IPV4 and
NF_TPROXY_IPV6.  It will be used to wrap nf_tproxy.h.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/ipv4/netfilter/Kconfig | 1 +
 net/ipv6/netfilter/Kconfig | 1 +
 net/netfilter/Kconfig      | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f17b402111ce..50c02bd80ca7 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -18,6 +18,7 @@ config NF_SOCKET_IPV4
 
 config NF_TPROXY_IPV4
 	tristate "IPv4 tproxy support"
+        select NF_TPROXY
 
 if NF_TABLES
 
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6120a7800975..273803f008f9 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -14,6 +14,7 @@ config NF_SOCKET_IPV6
 
 config NF_TPROXY_IPV6
 	tristate "IPv6 tproxy support"
+        select NF_TPROXY
 
 if NF_TABLES
 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 34ec7afec116..7118352c78c4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -439,6 +439,9 @@ config NETFILTER_SYNPROXY
 
 endif # NF_CONNTRACK
 
+config NF_TPROXY
+        tristate
+
 config NF_TABLES
 	select NETFILTER_NETLINK
 	tristate "Netfilter nf_tables support"
-- 
2.23.0.rc1

[PATCH nf-next v2 28/30] netfilter: add IP_SET_BITMAP config option.

[Jeremy Sowden]

Add a hidden tristate option which is selected by all the
IP_SET_BITMAP_* options.  It will be used to wrap ip_set_bitmap.h.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/netfilter/ipset/Kconfig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index 3c273483df23..8a5498a86df0 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -25,9 +25,13 @@ config IP_SET_MAX
 	  The value can be overridden by the 'max_sets' module
 	  parameter of the 'ip_set' module.
 
+config IP_SET_BITMAP
+	tristate
+
 config IP_SET_BITMAP_IP
 	tristate "bitmap:ip set support"
 	depends on IP_SET
+	select IP_SET_BITMAP
 	help
 	  This option adds the bitmap:ip set type support, by which one
 	  can store IPv4 addresses (or network addresse) from a range.
@@ -37,6 +41,7 @@ config IP_SET_BITMAP_IP
 config IP_SET_BITMAP_IPMAC
 	tristate "bitmap:ip,mac set support"
 	depends on IP_SET
+	select IP_SET_BITMAP
 	help
 	  This option adds the bitmap:ip,mac set type support, by which one
 	  can store IPv4 address and (source) MAC address pairs from a range.
@@ -46,6 +51,7 @@ config IP_SET_BITMAP_IPMAC
 config IP_SET_BITMAP_PORT
 	tristate "bitmap:port set support"
 	depends on IP_SET
+	select IP_SET_BITMAP
 	help
 	  This option adds the bitmap:port set type support, by which one
 	  can store TCP/UDP port numbers from a range.
-- 
2.23.0.rc1

[PATCH nf-next v2 29/30] netfilter: add IP_SET_HASH config option.

[Jeremy Sowden]

Add a hidden tristate option which is selected by all the IP_SET_HASH_*
options.  It will be used to wrap ip_set_hash.h.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 net/netfilter/ipset/Kconfig | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index 8a5498a86df0..56b95e859043 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -58,9 +58,13 @@ config IP_SET_BITMAP_PORT
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_SET_HASH
+	tristate
+
 config IP_SET_HASH_IP
 	tristate "hash:ip set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip set type support, by which one
 	  can store arbitrary IPv4 or IPv6 addresses (or network addresses)
@@ -71,6 +75,7 @@ config IP_SET_HASH_IP
 config IP_SET_HASH_IPMARK
 	tristate "hash:ip,mark set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip,mark set type support, by which one
 	  can store IPv4/IPv6 address and mark pairs.
@@ -80,6 +85,7 @@ config IP_SET_HASH_IPMARK
 config IP_SET_HASH_IPPORT
 	tristate "hash:ip,port set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip,port set type support, by which one
 	  can store IPv4/IPv6 address and protocol/port pairs.
@@ -89,6 +95,7 @@ config IP_SET_HASH_IPPORT
 config IP_SET_HASH_IPPORTIP
 	tristate "hash:ip,port,ip set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip,port,ip set type support, by which
 	  one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
@@ -99,6 +106,7 @@ config IP_SET_HASH_IPPORTIP
 config IP_SET_HASH_IPPORTNET
 	tristate "hash:ip,port,net set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip,port,net set type support, by which
 	  one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
@@ -109,6 +117,7 @@ config IP_SET_HASH_IPPORTNET
 config IP_SET_HASH_IPMAC
 	tristate "hash:ip,mac set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:ip,mac set type support, by which
 	  one can store IPv4/IPv6 address and MAC (ethernet address) pairs in a set.
@@ -118,6 +127,7 @@ config IP_SET_HASH_IPMAC
 config IP_SET_HASH_MAC
 	tristate "hash:mac set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:mac set type support, by which
 	  one can store MAC (ethernet address) elements in a set.
@@ -127,6 +137,7 @@ config IP_SET_HASH_MAC
 config IP_SET_HASH_NETPORTNET
 	tristate "hash:net,port,net set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:net,port,net set type support, by which
 	  one can store two IPv4/IPv6 subnets, and a protocol/port in a set.
@@ -136,6 +147,7 @@ config IP_SET_HASH_NETPORTNET
 config IP_SET_HASH_NET
 	tristate "hash:net set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:net set type support, by which
 	  one can store IPv4/IPv6 network address/prefix elements in a set.
@@ -145,6 +157,7 @@ config IP_SET_HASH_NET
 config IP_SET_HASH_NETNET
 	tristate "hash:net,net set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:net,net  set type support, by which
 	  one can store IPv4/IPv6 network address/prefix pairs in a set.
@@ -154,6 +167,7 @@ config IP_SET_HASH_NETNET
 config IP_SET_HASH_NETPORT
 	tristate "hash:net,port set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:net,port set type support, by which
 	  one can store IPv4/IPv6 network address/prefix and
@@ -164,6 +178,7 @@ config IP_SET_HASH_NETPORT
 config IP_SET_HASH_NETIFACE
 	tristate "hash:net,iface set support"
 	depends on IP_SET
+	select IP_SET_HASH
 	help
 	  This option adds the hash:net,iface set type support, by which
 	  one can store IPv4/IPv6 network address/prefix and
-- 
2.23.0.rc1

[PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks.

[Jeremy Sowden]

These headers are only required if some config option is enabled.  Wrap
each one in a check for that option.

This allows us to remove existing CONFIG checks wrapping smaller
sections of code.

In cases where a header includes a related uapi header, we leave that
inclusion outside the conditional in order to avoid having to update
inclusions in other parts of the kernel.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/ipset/ip_set.h        |  7 ++++++-
 include/linux/netfilter/ipset/ip_set_bitmap.h |  4 ++++
 .../linux/netfilter/ipset/ip_set_getport.h    |  4 ++++
 include/linux/netfilter/ipset/ip_set_hash.h   |  3 +++
 include/linux/netfilter/ipset/ip_set_list.h   |  3 +++
 include/linux/netfilter/ipset/pfxlen.h        |  4 ++++
 include/linux/netfilter/nf_conntrack_amanda.h |  6 ++++++
 include/linux/netfilter/nf_conntrack_common.h |  4 ++++
 include/linux/netfilter/nf_conntrack_dccp.h   |  4 ++++
 include/linux/netfilter/nf_conntrack_ftp.h    |  8 +++++++-
 include/linux/netfilter/nf_conntrack_h323.h   |  4 ++++
 .../linux/netfilter/nf_conntrack_h323_asn1.h  |  4 ++++
 .../linux/netfilter/nf_conntrack_h323_types.h |  4 ++++
 include/linux/netfilter/nf_conntrack_irc.h    |  4 ++++
 include/linux/netfilter/nf_conntrack_pptp.h   |  4 ++++
 .../linux/netfilter/nf_conntrack_proto_gre.h  |  6 ++++++
 include/linux/netfilter/nf_conntrack_sane.h   |  5 +++++
 include/linux/netfilter/nf_conntrack_sctp.h   |  5 +++++
 include/linux/netfilter/nf_conntrack_sip.h    |  4 ++++
 include/linux/netfilter/nf_conntrack_snmp.h   |  4 ++++
 include/linux/netfilter/nf_conntrack_tcp.h    |  3 +++
 include/linux/netfilter/nf_conntrack_tftp.h   |  4 ++++
 .../netfilter/nf_conntrack_zones_common.h     |  4 ++++
 include/linux/netfilter/nfnetlink.h           |  7 ++++++-
 include/linux/netfilter/nfnetlink_acct.h      |  6 ++++++
 include/linux/netfilter/nfnetlink_osf.h       |  4 ++++
 include/linux/netfilter/x_tables.h            | 13 ++++++-------
 include/linux/netfilter_arp/arp_tables.h      |  8 +++++++-
 include/linux/netfilter_bridge/ebtables.h     | 10 +++++++---
 include/linux/netfilter_ipv4.h                |  4 ++++
 include/linux/netfilter_ipv4/ip_tables.h      | 15 ++++++++-------
 include/linux/netfilter_ipv6/ip6_tables.h     | 13 ++++++++-----
 include/net/netfilter/br_netfilter.h          | 14 ++++----------
 .../net/netfilter/ipv4/nf_conntrack_ipv4.h    |  4 ++++
 include/net/netfilter/ipv4/nf_defrag_ipv4.h   |  4 ++++
 include/net/netfilter/ipv4/nf_dup_ipv4.h      |  4 ++++
 include/net/netfilter/ipv4/nf_reject.h        |  4 ++++
 .../net/netfilter/ipv6/nf_conntrack_ipv6.h    |  4 ++++
 include/net/netfilter/ipv6/nf_defrag_ipv6.h   |  4 ++++
 include/net/netfilter/ipv6/nf_dup_ipv6.h      |  4 ++++
 include/net/netfilter/ipv6/nf_reject.h        |  4 ++++
 include/net/netfilter/nf_conntrack.h          | 14 ++++----------
 include/net/netfilter/nf_conntrack_acct.h     | 17 +++++------------
 include/net/netfilter/nf_conntrack_bridge.h   |  6 ++++--
 include/net/netfilter/nf_conntrack_core.h     | 19 ++++++++++++-------
 include/net/netfilter/nf_conntrack_count.h    |  4 ++++
 include/net/netfilter/nf_conntrack_ecache.h   | 10 +++++++---
 include/net/netfilter/nf_conntrack_expect.h   |  6 ++++--
 include/net/netfilter/nf_conntrack_extend.h   |  6 +++++-
 include/net/netfilter/nf_conntrack_helper.h   |  6 ++++++
 include/net/netfilter/nf_conntrack_l4proto.h  |  7 +++++--
 include/net/netfilter/nf_conntrack_labels.h   |  4 ++++
 include/net/netfilter/nf_conntrack_seqadj.h   |  4 ++++
 include/net/netfilter/nf_conntrack_synproxy.h |  4 ++++
 include/net/netfilter/nf_conntrack_timeout.h  |  4 ++++
 .../net/netfilter/nf_conntrack_timestamp.h    |  6 +++++-
 include/net/netfilter/nf_conntrack_tuple.h    |  6 ++++--
 include/net/netfilter/nf_dup_netdev.h         |  4 ++++
 include/net/netfilter/nf_flow_table.h         |  8 ++++----
 include/net/netfilter/nf_log.h                |  4 ++++
 include/net/netfilter/nf_nat.h                |  9 +++++----
 include/net/netfilter/nf_nat_helper.h         |  5 +++++
 include/net/netfilter/nf_nat_masquerade.h     |  4 ++++
 include/net/netfilter/nf_nat_redirect.h       |  4 ++++
 include/net/netfilter/nf_queue.h              |  8 ++++----
 include/net/netfilter/nf_reject.h             |  4 ++++
 include/net/netfilter/nf_socket.h             |  4 ++++
 include/net/netfilter/nf_synproxy.h           |  8 ++++----
 include/net/netfilter/nf_tables.h             | 17 +++++------------
 include/net/netfilter/nf_tables_core.h        |  5 +++++
 include/net/netfilter/nf_tables_ipv4.h        |  4 ++++
 include/net/netfilter/nf_tables_ipv6.h        | 10 +++++-----
 include/net/netfilter/nf_tables_offload.h     |  4 ++++
 include/net/netfilter/nf_tproxy.h             |  4 ++++
 include/net/netfilter/nft_fib.h               |  5 +++++
 include/net/netfilter/nft_meta.h              |  4 ++++
 include/net/netfilter/nft_reject.h            |  4 ++++
 include/net/netfilter/xt_rateest.h            |  4 ++++
 78 files changed, 363 insertions(+), 111 deletions(-)

diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 9bc255a8461b..2884511700a0 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -7,6 +7,10 @@
 #ifndef _IP_SET_H
 #define _IP_SET_H
 
+#include <uapi/linux/netfilter/ipset/ip_set.h>
+
+#if IS_ENABLED(CONFIG_IP_SET)
+
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/netlink.h>
@@ -15,7 +19,6 @@
 #include <linux/stringify.h>
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
-#include <uapi/linux/netfilter/ipset/ip_set.h>
 
 #define _IP_SET_MODULE_DESC(a, b, c)		\
 	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -698,4 +701,6 @@ ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
 #define IPSET_CONCAT(a, b)		a##b
 #define IPSET_TOKEN(a, b)		IPSET_CONCAT(a, b)
 
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
 #endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h
index 2dddbc6dcac7..4a7d0dd68cd3 100644
--- a/include/linux/netfilter/ipset/ip_set_bitmap.h
+++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -4,6 +4,8 @@
 
 #include <uapi/linux/netfilter/ipset/ip_set_bitmap.h>
 
+#if IS_ENABLED(CONFIG_IP_SET_BITMAP)
+
 #define IPSET_BITMAP_MAX_RANGE	0x0000FFFF
 
 enum {
@@ -26,4 +28,6 @@ range_to_mask(u32 from, u32 to, u8 *bits)
 	return mask;
 }
 
+#endif /* IS_ENABLED(CONFIG_IP_SET_BITMAP) */
+
 #endif /* __IP_SET_BITMAP_H */
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h
index d74cd112b88a..d47b5a2104b3 100644
--- a/include/linux/netfilter/ipset/ip_set_getport.h
+++ b/include/linux/netfilter/ipset/ip_set_getport.h
@@ -2,6 +2,8 @@
 #ifndef _IP_SET_GETPORT_H
 #define _IP_SET_GETPORT_H
 
+#if IS_ENABLED(CONFIG_IP_SET)
+
 #include <linux/skbuff.h>
 #include <linux/types.h>
 #include <uapi/linux/in.h>
@@ -35,4 +37,6 @@ static inline bool ip_set_proto_with_ports(u8 proto)
 	return false;
 }
 
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
 #endif /*_IP_SET_GETPORT_H*/
diff --git a/include/linux/netfilter/ipset/ip_set_hash.h b/include/linux/netfilter/ipset/ip_set_hash.h
index 838abab672af..fa0cdf8ee8b8 100644
--- a/include/linux/netfilter/ipset/ip_set_hash.h
+++ b/include/linux/netfilter/ipset/ip_set_hash.h
@@ -4,6 +4,7 @@
 
 #include <uapi/linux/netfilter/ipset/ip_set_hash.h>
 
+#if IS_ENABLED(CONFIG_IP_SET_HASH)
 
 #define IPSET_DEFAULT_HASHSIZE		1024
 #define IPSET_MIMINAL_HASHSIZE		64
@@ -11,4 +12,6 @@
 #define IPSET_DEFAULT_PROBES		4
 #define IPSET_DEFAULT_RESIZE		100
 
+#endif /* IS_ENABLED(CONFIG_IP_SET_HASH) */
+
 #endif /* __IP_SET_HASH_H */
diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h
index a61fe2a7e655..180b6549f811 100644
--- a/include/linux/netfilter/ipset/ip_set_list.h
+++ b/include/linux/netfilter/ipset/ip_set_list.h
@@ -4,9 +4,12 @@
 
 #include <uapi/linux/netfilter/ipset/ip_set_list.h>
 
+#if IS_ENABLED(CONFIG_IP_SET_LIST_SET)
 
 #define IP_SET_LIST_DEFAULT_SIZE	8
 #define IP_SET_LIST_MIN_SIZE		4
 #define IP_SET_LIST_MAX_SIZE		65536
 
+#endif /* IS_ENABLED(CONFIG_IP_SET_LIST_SET) */
+
 #endif /* __IP_SET_LIST_H */
diff --git a/include/linux/netfilter/ipset/pfxlen.h b/include/linux/netfilter/ipset/pfxlen.h
index f59094e6158b..7b9408e911e1 100644
--- a/include/linux/netfilter/ipset/pfxlen.h
+++ b/include/linux/netfilter/ipset/pfxlen.h
@@ -2,6 +2,8 @@
 #ifndef _PFXLEN_H
 #define _PFXLEN_H
 
+#if IS_ENABLED(CONFIG_IP_SET)
+
 #include <asm/byteorder.h>
 #include <linux/netfilter.h>
 #include <net/tcp.h>
@@ -51,4 +53,6 @@ ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
 #endif /*_PFXLEN_H */
diff --git a/include/linux/netfilter/nf_conntrack_amanda.h b/include/linux/netfilter/nf_conntrack_amanda.h
index 6f0ac896fcc9..8a4ac5fe25d0 100644
--- a/include/linux/netfilter/nf_conntrack_amanda.h
+++ b/include/linux/netfilter/nf_conntrack_amanda.h
@@ -1,8 +1,11 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _NF_CONNTRACK_AMANDA_H
 #define _NF_CONNTRACK_AMANDA_H
+
 /* AMANDA tracking. */
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_AMANDA)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <net/netfilter/nf_conntrack_expect.h>
@@ -13,4 +16,7 @@ extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
 					  unsigned int matchoff,
 					  unsigned int matchlen,
 					  struct nf_conntrack_expect *exp);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_AMANDA) */
+
 #endif /* _NF_CONNTRACK_AMANDA_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index e142b2b5f1ea..31d10682abbe 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -4,6 +4,8 @@
 
 #include <uapi/linux/netfilter/nf_conntrack_common.h>
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 struct ip_conntrack_stat {
 	unsigned int found;
 	unsigned int invalid;
@@ -19,4 +21,6 @@ struct ip_conntrack_stat {
 	unsigned int search_restart;
 };
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_dccp.h b/include/linux/netfilter/nf_conntrack_dccp.h
index c509ed76e714..80245ff88321 100644
--- a/include/linux/netfilter/nf_conntrack_dccp.h
+++ b/include/linux/netfilter/nf_conntrack_dccp.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_DCCP_H
 #define _NF_CONNTRACK_DCCP_H
 
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+
 /* Exposed to userspace over nfnetlink */
 enum ct_dccp_states {
 	CT_DCCP_NONE,
@@ -35,4 +37,6 @@ struct nf_ct_dccp {
 	u_int64_t	handshake_seq;
 };
 
+#endif
+
 #endif /* _NF_CONNTRACK_DCCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 0e38302820b9..0d1bb4c15f48 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -2,11 +2,14 @@
 #ifndef _NF_CONNTRACK_FTP_H
 #define _NF_CONNTRACK_FTP_H
 
+#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_FTP)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <linux/types.h>
 #include <net/netfilter/nf_conntrack_expect.h>
-#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
 #include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
 
 #define FTP_PORT	21
@@ -33,4 +36,7 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
 				       unsigned int matchoff,
 				       unsigned int matchlen,
 				       struct nf_conntrack_expect *exp);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_FTP) */
+
 #endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_h323.h b/include/linux/netfilter/nf_conntrack_h323.h
index 4561ec0fcea4..6435ee527637 100644
--- a/include/linux/netfilter/nf_conntrack_h323.h
+++ b/include/linux/netfilter/nf_conntrack_h323.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_H323_H
 #define _NF_CONNTRACK_H323_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <linux/types.h>
@@ -94,4 +96,6 @@ extern int (*nat_q931_hook) (struct sk_buff *skb, struct nf_conn *ct,
 			     int idx, __be16 port,
 			     struct nf_conntrack_expect *exp);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
 #endif
diff --git a/include/linux/netfilter/nf_conntrack_h323_asn1.h b/include/linux/netfilter/nf_conntrack_h323_asn1.h
index bd6797f823b2..37aa39e22e9d 100644
--- a/include/linux/netfilter/nf_conntrack_h323_asn1.h
+++ b/include/linux/netfilter/nf_conntrack_h323_asn1.h
@@ -34,6 +34,8 @@
 #ifndef _NF_CONNTRACK_HELPER_H323_ASN1_H_
 #define _NF_CONNTRACK_HELPER_H323_ASN1_H_
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
 /*****************************************************************************
  * H.323 Types
  ****************************************************************************/
@@ -94,4 +96,6 @@ int DecodeMultimediaSystemControlMessage(unsigned char *buf, size_t sz,
 					 MultimediaSystemControlMessage *
 					 mscm);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
 #endif
diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/include/linux/netfilter/nf_conntrack_h323_types.h
index 74c6f9241944..4027361eb1c4 100644
--- a/include/linux/netfilter/nf_conntrack_h323_types.h
+++ b/include/linux/netfilter/nf_conntrack_h323_types.h
@@ -7,6 +7,8 @@
 #ifndef _NF_CONNTRACK_H323_TYPES_H
 #define _NF_CONNTRACK_H323_TYPES_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
 typedef struct TransportAddress_ipAddress {	/* SEQUENCE */
 	int options;		/* No use */
 	unsigned int ip;
@@ -935,4 +937,6 @@ typedef struct RasMessage {	/* CHOICE */
 	};
 } RasMessage;
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
 #endif /* _NF_CONNTRACK_H323_TYPES_H */
diff --git a/include/linux/netfilter/nf_conntrack_irc.h b/include/linux/netfilter/nf_conntrack_irc.h
index d02255f721e1..2ca66e71ccef 100644
--- a/include/linux/netfilter/nf_conntrack_irc.h
+++ b/include/linux/netfilter/nf_conntrack_irc.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_IRC_H
 #define _NF_CONNTRACK_IRC_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_IRC)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <net/netfilter/nf_conntrack_expect.h>
@@ -15,4 +17,6 @@ extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
 				       unsigned int matchlen,
 				       struct nf_conntrack_expect *exp);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_IRC) */
+
 #endif /* _NF_CONNTRACK_IRC_H */
diff --git a/include/linux/netfilter/nf_conntrack_pptp.h b/include/linux/netfilter/nf_conntrack_pptp.h
index fcc409de31a4..c8e300be2b4c 100644
--- a/include/linux/netfilter/nf_conntrack_pptp.h
+++ b/include/linux/netfilter/nf_conntrack_pptp.h
@@ -3,6 +3,8 @@
 #ifndef _NF_CONNTRACK_PPTP_H
 #define _NF_CONNTRACK_PPTP_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_PPTP)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <linux/types.h>
@@ -322,4 +324,6 @@ extern void
 (*nf_nat_pptp_hook_expectfn)(struct nf_conn *ct,
 			     struct nf_conntrack_expect *exp);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_PPTP) */
+
 #endif /* _NF_CONNTRACK_PPTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_proto_gre.h b/include/linux/netfilter/nf_conntrack_proto_gre.h
index f33aa6021364..0ee9fe25043c 100644
--- a/include/linux/netfilter/nf_conntrack_proto_gre.h
+++ b/include/linux/netfilter/nf_conntrack_proto_gre.h
@@ -1,6 +1,9 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _CONNTRACK_PROTO_GRE_H
 #define _CONNTRACK_PROTO_GRE_H
+
+#ifdef CONFIG_NF_CT_PROTO_GRE
+
 #include <asm/byteorder.h>
 #include <net/gre.h>
 #include <net/pptp.h>
@@ -31,4 +34,7 @@ void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
 
 bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 		      struct net *net, struct nf_conntrack_tuple *tuple);
+
+#endif /* CONFIG_NF_CT_PROTO_GRE */
+
 #endif /* _CONNTRACK_PROTO_GRE_H */
diff --git a/include/linux/netfilter/nf_conntrack_sane.h b/include/linux/netfilter/nf_conntrack_sane.h
index 46c7acd1b4a7..d091f2ad567e 100644
--- a/include/linux/netfilter/nf_conntrack_sane.h
+++ b/include/linux/netfilter/nf_conntrack_sane.h
@@ -1,8 +1,11 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _NF_CONNTRACK_SANE_H
 #define _NF_CONNTRACK_SANE_H
+
 /* SANE tracking. */
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SANE)
+
 #define SANE_PORT	6566
 
 enum sane_state {
@@ -15,4 +18,6 @@ struct nf_ct_sane_master {
 	enum sane_state state;
 };
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SANE) */
+
 #endif /* _NF_CONNTRACK_SANE_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
index 9a33f171aa82..4531a33e6182 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -1,14 +1,19 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _NF_CONNTRACK_SCTP_H
 #define _NF_CONNTRACK_SCTP_H
+
 /* SCTP tracking. */
 
 #include <uapi/linux/netfilter/nf_conntrack_sctp.h>
 
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+
 struct ip_ct_sctp {
 	enum sctp_conntrack state;
 
 	__be32 vtag[IP_CT_DIR_MAX];
 };
 
+#endif /* CONFIG_NF_CT_PROTO_SCTP */
+
 #endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index c620521c42bc..b4b4d9f6f168 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -2,6 +2,8 @@
 #ifndef __NF_CONNTRACK_SIP_H__
 #define __NF_CONNTRACK_SIP_H__
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SIP)
+
 #include <linux/skbuff.h>
 #include <linux/types.h>
 #include <net/netfilter/nf_conntrack_expect.h>
@@ -195,4 +197,6 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 			  enum sdp_header_types term,
 			  unsigned int *matchoff, unsigned int *matchlen);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SIP) */
+
 #endif /* __NF_CONNTRACK_SIP_H__ */
diff --git a/include/linux/netfilter/nf_conntrack_snmp.h b/include/linux/netfilter/nf_conntrack_snmp.h
index 87e4f33eb55f..276328ed68f7 100644
--- a/include/linux/netfilter/nf_conntrack_snmp.h
+++ b/include/linux/netfilter/nf_conntrack_snmp.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_SNMP_H
 #define _NF_CONNTRACK_SNMP_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SNMP)
+
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 
@@ -10,4 +12,6 @@ extern int (*nf_nat_snmp_hook)(struct sk_buff *skb,
 				struct nf_conn *ct,
 				enum ip_conntrack_info ctinfo);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SNMP) */
+
 #endif /* _NF_CONNTRACK_SNMP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index f9e3a663037b..136cbd3999f8 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -4,6 +4,7 @@
 
 #include <uapi/linux/netfilter/nf_conntrack_tcp.h>
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 
 struct ip_ct_tcp_state {
 	u_int32_t	td_end;		/* max of seq + len */
@@ -30,4 +31,6 @@ struct ip_ct_tcp {
 	u_int8_t	last_flags;	/* Last flags set */
 };
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tftp.h b/include/linux/netfilter/nf_conntrack_tftp.h
index dc4c1b9beac0..6db39d3501bb 100644
--- a/include/linux/netfilter/nf_conntrack_tftp.h
+++ b/include/linux/netfilter/nf_conntrack_tftp.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_TFTP_H
 #define _NF_CONNTRACK_TFTP_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_TFTP)
+
 #define TFTP_PORT 69
 
 #include <linux/netfilter.h>
@@ -23,4 +25,6 @@ extern unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb,
 				        enum ip_conntrack_info ctinfo,
 				        struct nf_conntrack_expect *exp);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_TFTP) */
+
 #endif /* _NF_CONNTRACK_TFTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_zones_common.h b/include/linux/netfilter/nf_conntrack_zones_common.h
index 4596f9eb2e8f..d92b2c77ee82 100644
--- a/include/linux/netfilter/nf_conntrack_zones_common.h
+++ b/include/linux/netfilter/nf_conntrack_zones_common.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_ZONES_COMMON_H
 #define _NF_CONNTRACK_ZONES_COMMON_H
 
+#ifdef CONFIG_NETFILTER
+
 #include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
 
 #define NF_CT_DEFAULT_ZONE_ID	0
@@ -25,4 +27,6 @@ extern const struct nf_conntrack_zone nf_ct_zone_dflt;
 
 #endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
 
+#endif /* CONFIG_NETFILTER */
+
 #endif /* _NF_CONNTRACK_ZONES_COMMON_H */
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index cf09ab37b45b..97fac10f8199 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -2,10 +2,13 @@
 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
 
+#include <uapi/linux/netfilter/nfnetlink.h>
+
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK)
+
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
-#include <uapi/linux/netfilter/nfnetlink.h>
 
 struct nfnl_callback {
 	int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
@@ -65,4 +68,6 @@ static inline bool lockdep_nfnl_is_held(__u8 subsys_id)
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
 	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
 
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK) */
+
 #endif	/* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index beee8bffe49e..c4f11f056af4 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -3,6 +3,9 @@
 #define _NFNL_ACCT_H_
 
 #include <uapi/linux/netfilter/nfnetlink_acct.h>
+
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT)
+
 #include <net/net_namespace.h>
 
 enum {
@@ -17,4 +20,7 @@ struct nf_acct *nfnl_acct_find_get(struct net *net, const char *filter_name);
 void nfnl_acct_put(struct nf_acct *acct);
 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
 int nfnl_acct_overquota(struct net *net, struct nf_acct *nfacct);
+
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT) */
+
 #endif /* _NFNL_ACCT_H */
diff --git a/include/linux/netfilter/nfnetlink_osf.h b/include/linux/netfilter/nfnetlink_osf.h
index 788613f36935..0e23e7ee4cd4 100644
--- a/include/linux/netfilter/nfnetlink_osf.h
+++ b/include/linux/netfilter/nfnetlink_osf.h
@@ -4,6 +4,8 @@
 
 #include <uapi/linux/netfilter/nfnetlink_osf.h>
 
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_OSF)
+
 enum osf_fmatch_states {
 	/* Packet does not match the fingerprint */
 	FMATCH_WRONG = 0,
@@ -35,4 +37,6 @@ bool nf_osf_find(const struct sk_buff *skb,
 		 const struct list_head *nf_osf_fingers,
 		 const int ttl_check, struct nf_osf_data *data);
 
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK_OSF) */
+
 #endif /* _NFOSF_H */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b9bc25f57c8e..65216379a398 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -2,11 +2,13 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
 
+#include <uapi/linux/netfilter/x_tables.h>
+
+#ifdef CONFIG_NETFILTER
 
 #include <linux/netdevice.h>
 #include <linux/static_key.h>
 #include <linux/netfilter.h>
-#include <uapi/linux/netfilter/x_tables.h>
 
 /* Test a struct->invflags and a boolean for inequality */
 #define NF_INVF(ptr, flag, boolean)					\
@@ -35,15 +37,12 @@ struct xt_action_param {
 	union {
 		const void *matchinfo, *targinfo;
 	};
-#if IS_ENABLED(CONFIG_NETFILTER)
 	const struct nf_hook_state *state;
-#endif
 	int fragoff;
 	unsigned int thoff;
 	bool hotdrop;
 };
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 static inline struct net *xt_net(const struct xt_action_param *par)
 {
 	return par->state->net;
@@ -78,7 +77,6 @@ static inline u_int8_t xt_family(const struct xt_action_param *par)
 {
 	return par->state->pf;
 }
-#endif
 
 /**
  * struct xt_mtchk_param - parameters for match extensions'
@@ -450,9 +448,7 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
 	return cnt;
 }
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
-#endif
 
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
@@ -536,4 +532,7 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int next_offset);
 
 #endif /* CONFIG_COMPAT */
+
+#endif /* CONFIG_NETFILTER */
+
 #endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 1b7b35bb9c27..24e473120493 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -9,11 +9,14 @@
 #ifndef _ARPTABLES_H
 #define _ARPTABLES_H
 
+#include <uapi/linux/netfilter_arp/arp_tables.h>
+
+#ifdef CONFIG_NETFILTER_FAMILY_ARP
+
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/if_arp.h>
 #include <linux/skbuff.h>
-#include <uapi/linux/netfilter_arp/arp_tables.h>
 
 /* Standard entry. */
 struct arpt_standard {
@@ -79,4 +82,7 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
+
+#endif /* CONFIG_NETFILTER_FAMILY_ARP */
+
 #endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index b5b2d371f0ef..d12a175a7b9a 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -13,9 +13,12 @@
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
 
+#include <uapi/linux/netfilter_bridge/ebtables.h>
+
+#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+
 #include <linux/if.h>
 #include <linux/if_ether.h>
-#include <uapi/linux/netfilter_bridge/ebtables.h>
 
 struct ebt_match {
 	struct list_head list;
@@ -105,7 +108,7 @@ struct ebt_table {
 
 #define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
 		     ~(__alignof__(struct _xt_align)-1))
-#if IS_ENABLED(CONFIG_NETFILTER)
+
 extern int ebt_register_table(struct net *net,
 			      const struct ebt_table *table,
 			      const struct nf_hook_ops *ops,
@@ -115,7 +118,6 @@ extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
 extern unsigned int ebt_do_table(struct sk_buff *skb,
 				 const struct nf_hook_state *state,
 				 struct ebt_table *table);
-#endif
 
 /* True if the hook mask denotes that the rule is in a base chain,
  * used in the check() functions */
@@ -128,4 +130,6 @@ static inline bool ebt_invalid_target(int target)
 	return (target < -NUM_STANDARD_TARGETS || target >= 0);
 }
 
+#endif /* CONFIG_NETFILTER_FAMILY_BRIDGE */
+
 #endif
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index cab891485752..ed8f17ae1fed 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -7,6 +7,8 @@
 
 #include <uapi/linux/netfilter_ipv4.h>
 
+#ifdef CONFIG_NETFILTER
+
 /* Extra routing may needed on local out, as the QUEUE target never returns
  * control to the table.
  */
@@ -39,4 +41,6 @@ static inline int nf_ip_route(struct net *net, struct dst_entry **dst,
 }
 #endif /* CONFIG_INET */
 
+#endif /* CONFIG_NETFILTER */
+
 #endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 0b0d43ad9ed9..b9eb9165a7cb 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -15,21 +15,21 @@
 #ifndef _IPTABLES_H
 #define _IPTABLES_H
 
+#include <uapi/linux/netfilter_ipv4/ip_tables.h>
+
+#if IS_ENABLED(CONFIG_IP_NF_IPTABLES)
+
 #include <linux/if.h>
 #include <linux/in.h>
+#include <linux/init.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 
-#include <linux/init.h>
-#include <uapi/linux/netfilter_ipv4/ip_tables.h>
-
-#if IS_ENABLED(CONFIG_NETFILTER)
 int ipt_register_table(struct net *net, const struct xt_table *table,
 		       const struct ipt_replace *repl,
 		       const struct nf_hook_ops *ops, struct xt_table **res);
 void ipt_unregister_table(struct net *net, struct xt_table *table,
 			  const struct nf_hook_ops *ops);
-#endif
 
 /* Standard entry. */
 struct ipt_standard {
@@ -65,11 +65,9 @@ struct ipt_error {
 }
 
 extern void *ipt_alloc_initial_table(const struct xt_table *);
-#if IS_ENABLED(CONFIG_NETFILTER)
 extern unsigned int ipt_do_table(struct sk_buff *skb,
 				 const struct nf_hook_state *state,
 				 struct xt_table *table);
-#endif
 
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
@@ -92,4 +90,7 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
+
+#endif /* IS_ENABLED(CONFIG_IP_NF_IPTABLES) */
+
 #endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 3a0a2bd054cc..3fbff8334ef0 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -15,17 +15,18 @@
 #ifndef _IP6_TABLES_H
 #define _IP6_TABLES_H
 
+#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
+
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+
 #include <linux/if.h>
 #include <linux/in6.h>
+#include <linux/init.h>
 #include <linux/ipv6.h>
 #include <linux/skbuff.h>
 
-#include <linux/init.h>
-#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
-
 extern void *ip6t_alloc_initial_table(const struct xt_table *);
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 int ip6t_register_table(struct net *net, const struct xt_table *table,
 			const struct ip6t_replace *repl,
 			const struct nf_hook_ops *ops, struct xt_table **res);
@@ -34,7 +35,6 @@ void ip6t_unregister_table(struct net *net, struct xt_table *table,
 extern unsigned int ip6t_do_table(struct sk_buff *skb,
 				  const struct nf_hook_state *state,
 				  struct xt_table *table);
-#endif
 
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
@@ -56,4 +56,7 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
+
+#endif /* IS_ENABLED(CONFIG_IP6_NF_IPTABLES) */
+
 #endif /* _IP6_TABLES_H */
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 2a613c84d49f..e08126b3fa92 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -2,22 +2,20 @@
 #ifndef _BR_NETFILTER_H_
 #define _BR_NETFILTER_H_
 
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+
 #include <linux/netfilter.h>
 
 #include "../../../net/bridge/br_private.h"
 
 static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
 {
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 	struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
 
 	if (b)
 		memset(b, 0, sizeof(*b));
 
 	return b;
-#else
-	return NULL;
-#endif
 }
 
 void nf_bridge_update_protocol(struct sk_buff *skb);
@@ -42,20 +40,15 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
 
 static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
 {
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 	struct net_bridge_port *port;
 
 	port = br_port_get_rcu(dev);
 	return port ? &port->br->fake_rtable : NULL;
-#else
-	return NULL;
-#endif
 }
 
 struct net_device *setup_pre_routing(struct sk_buff *skb,
 				     const struct net *net);
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 #if IS_ENABLED(CONFIG_IPV6)
 int br_validate_ipv6(struct net *net, struct sk_buff *skb);
 unsigned int br_nf_pre_routing_ipv6(void *priv,
@@ -74,6 +67,7 @@ br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
 	return NF_ACCEPT;
 }
 #endif
-#endif
+
+#endif /* IS_ENABLED(CONFIG_BRIDGE_NETFILTER) */
 
 #endif /* _BR_NETFILTER_H_ */
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 2c8c2b023848..1841b1f8ffe1 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -10,6 +10,8 @@
 #ifndef _NF_CONNTRACK_IPV4_H
 #define _NF_CONNTRACK_IPV4_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp;
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp;
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
@@ -26,4 +28,6 @@ extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite;
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre;
 #endif
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /*_NF_CONNTRACK_IPV4_H*/
diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
index bcbd724cc048..d052d75fb9a9 100644
--- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
@@ -2,7 +2,11 @@
 #ifndef _NF_DEFRAG_IPV4_H
 #define _NF_DEFRAG_IPV4_H
 
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
+
 struct net;
 int nf_defrag_ipv4_enable(struct net *);
 
+#endif
+
 #endif /* _NF_DEFRAG_IPV4_H */
diff --git a/include/net/netfilter/ipv4/nf_dup_ipv4.h b/include/net/netfilter/ipv4/nf_dup_ipv4.h
index a2bc16cdbcd3..e3655d9f4650 100644
--- a/include/net/netfilter/ipv4/nf_dup_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_dup_ipv4.h
@@ -2,10 +2,14 @@
 #ifndef _NF_DUP_IPV4_H_
 #define _NF_DUP_IPV4_H_
 
+#if IS_ENABLED(CONFIG_NF_DUP_IPV4)
+
 #include <linux/skbuff.h>
 #include <uapi/linux/in.h>
 
 void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
 		 const struct in_addr *gw, int oif);
 
+#endif /* IS_ENABLED(CONFIG_NF_DUP_IPV4) */
+
 #endif /* _NF_DUP_IPV4_H_ */
diff --git a/include/net/netfilter/ipv4/nf_reject.h b/include/net/netfilter/ipv4/nf_reject.h
index 40e0e0623f46..7f0a76278c94 100644
--- a/include/net/netfilter/ipv4/nf_reject.h
+++ b/include/net/netfilter/ipv4/nf_reject.h
@@ -2,6 +2,8 @@
 #ifndef _IPV4_NF_REJECT_H
 #define _IPV4_NF_REJECT_H
 
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV4)
+
 #include <linux/skbuff.h>
 #include <net/ip.h>
 #include <net/icmp.h>
@@ -18,4 +20,6 @@ struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
 void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,
 			     const struct tcphdr *oth);
 
+#endif /* IS_ENABLED(CONFIG_NF_REJECT_IPV4) */
+
 #endif /* _IPV4_NF_REJECT_H */
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index 7b3c873f8839..73dfa7d42169 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -2,9 +2,13 @@
 #ifndef _NF_CONNTRACK_IPV6_H
 #define _NF_CONNTRACK_IPV6_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
 
 #include <linux/sysctl.h>
 extern struct ctl_table nf_ct_ipv6_sysctl_table[];
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_IPV6_H*/
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index 6d31cd041143..30250f213856 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -2,6 +2,8 @@
 #ifndef _NF_DEFRAG_IPV6_H
 #define _NF_DEFRAG_IPV6_H
 
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
+
 #include <linux/skbuff.h>
 #include <linux/types.h>
 
@@ -13,4 +15,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user);
 
 struct inet_frags_ctl;
 
+#endif /* IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) */
+
 #endif /* _NF_DEFRAG_IPV6_H */
diff --git a/include/net/netfilter/ipv6/nf_dup_ipv6.h b/include/net/netfilter/ipv6/nf_dup_ipv6.h
index f6312bb04a13..81bb9096fe5a 100644
--- a/include/net/netfilter/ipv6/nf_dup_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_dup_ipv6.h
@@ -2,9 +2,13 @@
 #ifndef _NF_DUP_IPV6_H_
 #define _NF_DUP_IPV6_H_
 
+#if IS_ENABLED(CONFIG_NF_DUP_IPV6)
+
 #include <linux/skbuff.h>
 
 void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
 		 const struct in6_addr *gw, int oif);
 
+#endif
+
 #endif /* _NF_DUP_IPV6_H_ */
diff --git a/include/net/netfilter/ipv6/nf_reject.h b/include/net/netfilter/ipv6/nf_reject.h
index 4a3ef9ebdf6f..6d5cc6537319 100644
--- a/include/net/netfilter/ipv6/nf_reject.h
+++ b/include/net/netfilter/ipv6/nf_reject.h
@@ -2,6 +2,8 @@
 #ifndef _IPV6_NF_REJECT_H
 #define _IPV6_NF_REJECT_H
 
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV6)
+
 #include <linux/icmpv6.h>
 #include <net/netfilter/nf_reject.h>
 
@@ -20,4 +22,6 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
 			      const struct sk_buff *oldskb,
 			      const struct tcphdr *oth, unsigned int otcplen);
 
+#endif /* IS_ENABLED(CONFIG_NF_REJECT_IPV6) */
+
 #endif /* _IPV6_NF_REJECT_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 0673cf685741..7dc5c913eb7f 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -13,6 +13,8 @@
 #ifndef _NF_CONNTRACK_H
 #define _NF_CONNTRACK_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/nf_conntrack_common.h>
 
 #include <linux/bitops.h>
@@ -64,7 +66,6 @@ struct nf_conntrack_net {
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
 struct nf_conn {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 	/* Usage count in here is 1 for hash table, 1 per skb,
 	 * plus 1 for any connection(s) we are `master' for
 	 *
@@ -74,7 +75,6 @@ struct nf_conn {
 	 * beware nf_ct_get() is different and don't inc refcnt.
 	 */
 	struct nf_conntrack ct_general;
-#endif
 
 	spinlock_t	lock;
 	/* jiffies32 when this ct is considered dead */
@@ -155,8 +155,6 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
 int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
 			     const struct nf_conn *ignored_conntrack);
 
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-
 #define NFCT_INFOMASK	7UL
 #define NFCT_PTRMASK	~(NFCT_INFOMASK)
 
@@ -176,8 +174,6 @@ static inline void nf_ct_put(struct nf_conn *ct)
 	nf_conntrack_put(&ct->ct_general);
 }
 
-#endif
-
 /* Protocol module loading */
 int nf_ct_l3proto_try_module_get(unsigned short l3proto);
 void nf_ct_l3proto_module_put(unsigned short l3proto);
@@ -329,16 +325,12 @@ void nf_ct_tmpl_free(struct nf_conn *tmpl);
 
 u32 nf_ct_get_id(const struct nf_conn *ct);
 
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-
 static inline void
 nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
 {
 	skb->_nfct = (unsigned long)ct | info;
 }
 
-#endif
-
 #define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
@@ -346,4 +338,6 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
 #define MODULE_ALIAS_NFCT_HELPER(helper) \
         MODULE_ALIAS("nfct-helper-" helper)
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_H */
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index 5b5287bb49db..b8994e20136f 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -5,11 +5,14 @@
 
 #ifndef _NF_CONNTRACK_ACCT_H
 #define _NF_CONNTRACK_ACCT_H
-#include <net/net_namespace.h>
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_extend.h>
+#include <net/net_namespace.h>
 
 struct nf_conn_counter {
 	atomic64_t packets;
@@ -29,7 +32,6 @@ struct nf_conn_acct *nf_conn_acct_find(const struct nf_conn *ct)
 static inline
 struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
 {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 	struct net *net = nf_ct_net(ct);
 	struct nf_conn_acct *acct;
 
@@ -42,34 +44,25 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
 
 
 	return acct;
-#else
-	return NULL;
-#endif
 }
 
 /* Check if connection tracking accounting is enabled */
 static inline bool nf_ct_acct_enabled(struct net *net)
 {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 	return net->ct.sysctl_acct != 0;
-#else
-	return false;
-#endif
 }
 
 /* Enable/disable connection tracking accounting */
 static inline void nf_ct_set_acct(struct net *net, bool enable)
 {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 	net->ct.sysctl_acct = enable;
-#endif
 }
 
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 void nf_conntrack_acct_pernet_init(struct net *net);
 
 int nf_conntrack_acct_init(void);
 void nf_conntrack_acct_fini(void);
+
 #endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
 
 #endif /* _NF_CONNTRACK_ACCT_H */
diff --git a/include/net/netfilter/nf_conntrack_bridge.h b/include/net/netfilter/nf_conntrack_bridge.h
index 01b62fd5efa2..fb5fb167a20e 100644
--- a/include/net/netfilter/nf_conntrack_bridge.h
+++ b/include/net/netfilter/nf_conntrack_bridge.h
@@ -1,14 +1,14 @@
 #ifndef NF_CONNTRACK_BRIDGE_
 #define NF_CONNTRACK_BRIDGE_
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/module.h>
 #include <linux/types.h>
 #include <uapi/linux/if_ether.h>
 
 struct nf_ct_bridge_info {
-#if IS_ENABLED(CONFIG_NETFILTER)
 	struct nf_hook_ops	*ops;
-#endif
 	unsigned int		ops_size;
 	struct module		*me;
 };
@@ -16,4 +16,6 @@ struct nf_ct_bridge_info {
 void nf_ct_bridge_register(struct nf_ct_bridge_info *info);
 void nf_ct_bridge_unregister(struct nf_ct_bridge_info *info);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index d340886e012d..8653ddd45c0b 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -13,18 +13,21 @@
 #ifndef _NF_CONNTRACK_CORE_H
 #define _NF_CONNTRACK_CORE_H
 
+/*
+ * This header is used to share core functionality between the standalone
+ * connection tracking module, and the compatibility layer's use of connection
+ * tracking.
+ */
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 
-/* This header is used to share core functionality between the
-   standalone connection tracking module, and the compatibility layer's use
-   of connection tracking. */
-
-#if IS_ENABLED(CONFIG_NETFILTER)
-unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state);
-#endif
+unsigned int nf_conntrack_in(struct sk_buff *skb,
+			     const struct nf_hook_state *state);
 
 int nf_conntrack_init_net(struct net *net);
 void nf_conntrack_cleanup_net(struct net *net);
@@ -81,4 +84,6 @@ void nf_conntrack_lock(spinlock_t *lock);
 
 extern spinlock_t nf_conntrack_expect_lock;
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_CORE_H */
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index 9645b47fa7e4..a5b43b9259e0 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -1,6 +1,8 @@
 #ifndef _NF_CONNTRACK_COUNT_H
 #define _NF_CONNTRACK_COUNT_H
 
+#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
+
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
@@ -36,4 +38,6 @@ bool nf_conncount_gc_list(struct net *net,
 
 void nf_conncount_cache_free(struct nf_conncount_list *list);
 
+#endif /* IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT) */
+
 #endif
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index eb81f9195e28..2d9dfcea9f2b 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -5,12 +5,14 @@
 
 #ifndef _NF_CONNTRACK_ECACHE_H
 #define _NF_CONNTRACK_ECACHE_H
-#include <net/netfilter/nf_conntrack.h>
 
-#include <net/net_namespace.h>
-#include <net/netfilter/nf_conntrack_expect.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/net_namespace.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_extend.h>
 
 enum nf_ct_ecache_state {
@@ -225,4 +227,6 @@ static inline void nf_conntrack_ecache_work(struct net *net)
 #endif
 }
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /*_NF_CONNTRACK_ECACHE_H*/
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 0855b60fba17..7899ceb3c1be 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -6,8 +6,9 @@
 #ifndef _NF_CONNTRACK_EXPECT_H
 #define _NF_CONNTRACK_EXPECT_H
 
-#include <linux/refcount.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 
+#include <linux/refcount.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
@@ -134,5 +135,6 @@ static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
 	return nf_ct_expect_related_report(expect, 0, 0, flags);
 }
 
-#endif /*_NF_CONNTRACK_EXPECT_H*/
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
 
+#endif /*_NF_CONNTRACK_EXPECT_H*/
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 112a6f40dfaf..2e43f8683434 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -2,8 +2,9 @@
 #ifndef _NF_CONNTRACK_EXTEND_H
 #define _NF_CONNTRACK_EXTEND_H
 
-#include <linux/slab.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 
+#include <linux/slab.h>
 #include <net/netfilter/nf_conntrack.h>
 
 enum nf_ct_ext_id {
@@ -97,4 +98,7 @@ struct nf_ct_ext_type {
 
 int nf_ct_extend_register(const struct nf_ct_ext_type *type);
 void nf_ct_extend_unregister(const struct nf_ct_ext_type *type);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_EXTEND_H */
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 44b5a00a9c64..c4a164eeab89 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -10,6 +10,9 @@
 
 #ifndef _NF_CONNTRACK_HELPER_H
 #define _NF_CONNTRACK_HELPER_H
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/refcount.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_extend.h>
@@ -177,4 +180,7 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat);
 int nf_nat_helper_try_module_get(const char *name, u16 l3num,
 				 u8 protonum);
 void nf_nat_helper_put(struct nf_conntrack_helper *helper);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /*_NF_CONNTRACK_HELPER_H*/
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index c200b95d27ae..6912367da3ec 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -10,6 +10,9 @@
 
 #ifndef _NF_CONNTRACK_L4PROTO_H
 #define _NF_CONNTRACK_L4PROTO_H
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netlink.h>
 #include <net/netlink.h>
 #include <net/netfilter/nf_conntrack.h>
@@ -178,7 +181,6 @@ void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
 			       const char *fmt, ...) { }
 #endif /* CONFIG_SYSCTL */
 
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
 static inline struct nf_generic_net *nf_generic_pernet(struct net *net)
 {
        return &net->ct.nf_ct_proto.generic;
@@ -203,7 +205,6 @@ static inline struct nf_icmp_net *nf_icmpv6_pernet(struct net *net)
 {
        return &net->ct.nf_ct_proto.icmpv6;
 }
-#endif
 
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 static inline struct nf_dccp_net *nf_dccp_pernet(struct net *net)
@@ -226,4 +227,6 @@ static inline struct nf_gre_net *nf_gre_pernet(struct net *net)
 }
 #endif
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /*_NF_CONNTRACK_PROTOCOL_H*/
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index ba916411c4e1..ffe08252a70d 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -3,6 +3,8 @@
 #ifndef _NF_CONNTRACK_LABELS_H
 #define _NF_CONNTRACK_LABELS_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <linux/types.h>
@@ -55,4 +57,6 @@ static inline int nf_connlabels_get(struct net *net, unsigned int bit) { return
 static inline void nf_connlabels_put(struct net *net) {}
 #endif
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_LABELS_H */
diff --git a/include/net/netfilter/nf_conntrack_seqadj.h b/include/net/netfilter/nf_conntrack_seqadj.h
index 0a10b50537ae..d7b22f4e1a66 100644
--- a/include/net/netfilter/nf_conntrack_seqadj.h
+++ b/include/net/netfilter/nf_conntrack_seqadj.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_SEQADJ_H
 #define _NF_CONNTRACK_SEQADJ_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <net/netfilter/nf_conntrack_extend.h>
 
 /**
@@ -45,4 +47,6 @@ s32 nf_ct_seq_offset(const struct nf_conn *ct, enum ip_conntrack_dir, u32 seq);
 int nf_conntrack_seqadj_init(void);
 void nf_conntrack_seqadj_fini(void);
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_SEQADJ_H */
diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index 6a3ab081e4bf..3c0395ada5b5 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_SYNPROXY_H
 #define _NF_CONNTRACK_SYNPROXY_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netns/generic.h>
 
@@ -45,4 +47,6 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
 	return true;
 }
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_SYNPROXY_H */
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 6dd72396f534..dfc37f4ea49c 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -2,6 +2,8 @@
 #ifndef _NF_CONNTRACK_TIMEOUT_H
 #define _NF_CONNTRACK_TIMEOUT_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <net/net_namespace.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
@@ -124,4 +126,6 @@ extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, con
 extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
 #endif
 
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif /* _NF_CONNTRACK_TIMEOUT_H */
diff --git a/include/net/netfilter/nf_conntrack_timestamp.h b/include/net/netfilter/nf_conntrack_timestamp.h
index 2b8aeba649aa..5ffa8b27cb77 100644
--- a/include/net/netfilter/nf_conntrack_timestamp.h
+++ b/include/net/netfilter/nf_conntrack_timestamp.h
@@ -2,9 +2,11 @@
 #ifndef _NF_CONNTRACK_TSTAMP_H
 #define _NF_CONNTRACK_TSTAMP_H
 
-#include <net/net_namespace.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/net_namespace.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_extend.h>
 
@@ -73,4 +75,6 @@ static inline void nf_conntrack_tstamp_fini(void)
 }
 #endif /* CONFIG_NF_CONNTRACK_TIMESTAMP */
 
+#endif /* CONFIG_NF_CONNTRACK */
+
 #endif /* _NF_CONNTRACK_TSTAMP_H */
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 68ea9b932736..70af4b169eee 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -11,6 +11,8 @@
 #ifndef _NF_CONNTRACK_TUPLE_H
 #define _NF_CONNTRACK_TUPLE_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <linux/list_nulls.h>
@@ -121,7 +123,6 @@ struct nf_conntrack_tuple_hash {
 	struct nf_conntrack_tuple tuple;
 };
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 					   const struct nf_conntrack_tuple *t2)
 {
@@ -184,6 +185,7 @@ nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
 	return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
 	       __nf_ct_tuple_dst_equal(t, tuple);
 }
-#endif
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
 
 #endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/net/netfilter/nf_dup_netdev.h b/include/net/netfilter/nf_dup_netdev.h
index 181672672160..e84227c68ea1 100644
--- a/include/net/netfilter/nf_dup_netdev.h
+++ b/include/net/netfilter/nf_dup_netdev.h
@@ -2,9 +2,13 @@
 #ifndef _NF_DUP_NETDEV_H_
 #define _NF_DUP_NETDEV_H_
 
+#if IS_ENABLED(CONFIG_NF_DUP_NETDEV)
+
 #include <net/netfilter/nf_tables.h>
 
 void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);
 void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);
 
+#endif /* IS_ENABLED(CONFIG_NF_DUP_NETDEV) */
+
 #endif
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index d875be62cdf0..afaf4b882f53 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -1,6 +1,8 @@
 #ifndef _NF_FLOW_TABLE_H
 #define _NF_FLOW_TABLE_H
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <linux/netdevice.h>
@@ -17,9 +19,7 @@ struct nf_flowtable_type {
 	int				family;
 	int				(*init)(struct nf_flowtable *ft);
 	void				(*free)(struct nf_flowtable *ft);
-#if IS_ENABLED(CONFIG_NETFILTER)
 	nf_hookfn			*hook;
-#endif
 	struct module			*owner;
 };
 
@@ -117,14 +117,14 @@ struct flow_ports {
 	__be16 source, dest;
 };
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 				     const struct nf_hook_state *state);
 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 				       const struct nf_hook_state *state);
-#endif
 
 #define MODULE_ALIAS_NF_FLOWTABLE(family)	\
 	MODULE_ALIAS("nf-flowtable-" __stringify(family))
 
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif /* _NF_FLOW_TABLE_H */
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 0d3920896d50..0dd375db4eda 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -2,6 +2,8 @@
 #ifndef _NF_LOG_H
 #define _NF_LOG_H
 
+#ifdef CONFIG_NETFILTER
+
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_log.h>
 
@@ -122,4 +124,6 @@ void nf_log_l2packet(struct net *net, u_int8_t pf,
 		     const struct net_device *out,
 		     const struct nf_loginfo *loginfo, const char *prefix);
 
+#endif /* CONFIG_NETFILTER */
+
 #endif /* _NF_LOG_H */
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 362ff94fa6b0..d9d4acdc0776 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -2,6 +2,8 @@
 #ifndef _NF_NAT_H
 #define _NF_NAT_H
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
 #include <linux/list.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/nf_conntrack_pptp.h>
@@ -68,12 +70,10 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
 #endif
 }
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
 		       const struct nf_hook_ops *nat_ops, unsigned int ops_count);
 void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
 			  unsigned int ops_count);
-#endif
 
 unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 			   unsigned int hooknum, struct sk_buff *skb);
@@ -93,7 +93,6 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
 				    enum ip_conntrack_info ctinfo,
 				    unsigned int hooknum, unsigned int hdrlen);
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
 void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
 
@@ -106,7 +105,6 @@ void nf_nat_inet_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
 unsigned int
 nf_nat_inet_fn(void *priv, struct sk_buff *skb,
 	       const struct nf_hook_state *state);
-#endif
 
 int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);
 
@@ -118,4 +116,7 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
 	else
 		return ct->status & IPS_DST_NAT_DONE;
 }
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
 #endif
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index efae84646353..11692d9b6913 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -1,6 +1,9 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef _NF_NAT_HELPER_H
 #define _NF_NAT_HELPER_H
+
+#if IS_ENABLED(CONFIG_NF_NAT)
+
 /* NAT protocol helper routines. */
 
 #include <linux/skbuff.h>
@@ -38,4 +41,6 @@ bool nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct,
  * to port ct->master->saved_proto. */
 void nf_nat_follow_master(struct nf_conn *ct, struct nf_conntrack_expect *this);
 
+#endif /* IS_ENABLED(CONFIG_NF_NAT) */
+
 #endif
diff --git a/include/net/netfilter/nf_nat_masquerade.h b/include/net/netfilter/nf_nat_masquerade.h
index be7abc9d5f22..d6ef5e6f84dd 100644
--- a/include/net/netfilter/nf_nat_masquerade.h
+++ b/include/net/netfilter/nf_nat_masquerade.h
@@ -2,6 +2,8 @@
 #ifndef _NF_NAT_MASQUERADE_H_
 #define _NF_NAT_MASQUERADE_H_
 
+#ifdef CONFIG_NF_NAT_MASQUERADE
+
 #include <linux/skbuff.h>
 #include <net/netfilter/nf_nat.h>
 
@@ -17,4 +19,6 @@ unsigned int
 nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
 		       const struct net_device *out);
 
+#endif /* CONFIG_NF_NAT_MASQUERADE */
+
 #endif /*_NF_NAT_MASQUERADE_H_ */
diff --git a/include/net/netfilter/nf_nat_redirect.h b/include/net/netfilter/nf_nat_redirect.h
index 2418653a66db..2a2c818523eb 100644
--- a/include/net/netfilter/nf_nat_redirect.h
+++ b/include/net/netfilter/nf_nat_redirect.h
@@ -2,6 +2,8 @@
 #ifndef _NF_NAT_REDIRECT_H_
 #define _NF_NAT_REDIRECT_H_
 
+#ifdef CONFIG_NF_NAT_REDIRECT
+
 #include <linux/skbuff.h>
 #include <uapi/linux/netfilter/nf_nat.h>
 
@@ -13,4 +15,6 @@ unsigned int
 nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
 		     unsigned int hooknum);
 
+#endif /* CONFIG_NF_NAT_REDIRECT */
+
 #endif /* _NF_NAT_REDIRECT_H_ */
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 80edb46a1bbc..5f0986357ad8 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -2,6 +2,8 @@
 #ifndef _NF_QUEUE_H
 #define _NF_QUEUE_H
 
+#ifdef CONFIG_NETFILTER
+
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/jhash.h>
@@ -15,9 +17,7 @@ struct nf_queue_entry {
 	unsigned int		id;
 	unsigned int		hook_index;	/* index in hook_entries->hook[] */
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 	struct nf_hook_state	state;
-#endif
 	u16			size; /* sizeof(entry) + saved route keys */
 
 	/* extra space to store route keys */
@@ -123,9 +123,9 @@ nfqueue_hash(const struct sk_buff *skb, u16 queue, u16 queues_total, u8 family,
 	return queue;
 }
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
 	     unsigned int index, unsigned int verdict);
-#endif
+
+#endif /* CONFIG_NETFILTER */
 
 #endif /* _NF_QUEUE_H */
diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
index 9051c3a0c8e7..664db093d24a 100644
--- a/include/net/netfilter/nf_reject.h
+++ b/include/net/netfilter/nf_reject.h
@@ -2,6 +2,8 @@
 #ifndef _NF_REJECT_H
 #define _NF_REJECT_H
 
+#ifdef CONFIG_NETFILTER
+
 #include <linux/types.h>
 #include <uapi/linux/in.h>
 
@@ -27,4 +29,6 @@ static inline bool nf_reject_verify_csum(__u8 proto)
 	return true;
 }
 
+#endif /* CONFIG_NETFILTER */
+
 #endif /* _NF_REJECT_H */
diff --git a/include/net/netfilter/nf_socket.h b/include/net/netfilter/nf_socket.h
index f9d7bee9bd4e..642cb6640e23 100644
--- a/include/net/netfilter/nf_socket.h
+++ b/include/net/netfilter/nf_socket.h
@@ -2,6 +2,8 @@
 #ifndef _NF_SOCK_H_
 #define _NF_SOCK_H_
 
+#ifdef CONFIG_NETFILTER
+
 #include <net/sock.h>
 
 struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
@@ -10,4 +12,6 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
 struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
 				  const struct net_device *indev);
 
+#endif /* CONFIG_NETFILTER */
+
 #endif
diff --git a/include/net/netfilter/nf_synproxy.h b/include/net/netfilter/nf_synproxy.h
index 19d1af7a0348..e1661141a0b8 100644
--- a/include/net/netfilter/nf_synproxy.h
+++ b/include/net/netfilter/nf_synproxy.h
@@ -2,6 +2,8 @@
 #ifndef _NF_SYNPROXY_SHARED_H
 #define _NF_SYNPROXY_SHARED_H
 
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/ip6_checksum.h>
@@ -58,10 +60,8 @@ bool synproxy_recv_client_ack(struct net *net,
 			      const struct tcphdr *th,
 			      struct synproxy_options *opts, u32 recv_seq);
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
 				const struct nf_hook_state *nhs);
-#endif
 int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
 void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
 
@@ -75,10 +75,8 @@ bool synproxy_recv_client_ack_ipv6(struct net *net, const struct sk_buff *skb,
 				   const struct tcphdr *th,
 				   struct synproxy_options *opts, u32 recv_seq);
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
 				const struct nf_hook_state *nhs);
-#endif
 int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
 void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
 #else
@@ -88,4 +86,6 @@ static inline void
 nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net) {};
 #endif /* CONFIG_IPV6 */
 
+#endif /* IS_ENABLED(CONFIG_NETFILTER_SYNPROXY) */
+
 #endif /* _NF_SYNPROXY_SHARED_H */
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 498665158ee0..a172f0923542 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -2,6 +2,8 @@
 #ifndef _NET_NF_TABLES_H
 #define _NET_NF_TABLES_H
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <asm/unaligned.h>
 #include <linux/list.h>
 #include <linux/netfilter.h>
@@ -26,7 +28,6 @@ struct nft_pktinfo {
 	struct xt_action_param		xt;
 };
 
-#if IS_ENABLED(CONFIG_NETFILTER)
 static inline struct net *nft_net(const struct nft_pktinfo *pkt)
 {
 	return pkt->xt.state->net;
@@ -59,7 +60,6 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
 	pkt->skb = skb;
 	pkt->xt.state = state;
 }
-#endif
 
 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
 					  struct sk_buff *skb)
@@ -947,11 +947,9 @@ struct nft_chain_type {
 	int				family;
 	struct module			*owner;
 	unsigned int			hook_mask;
-#if IS_ENABLED(CONFIG_NETFILTER)
 	nf_hookfn			*hooks[NF_MAX_HOOKS];
 	int				(*ops_register)(struct net *net, const struct nf_hook_ops *ops);
 	void				(*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
-#endif
 };
 
 int nft_chain_validate_dependency(const struct nft_chain *chain,
@@ -977,9 +975,7 @@ struct nft_stats {
  *	@flow_block: flow block (for hardware offload)
  */
 struct nft_base_chain {
-#if IS_ENABLED(CONFIG_NETFILTER)
 	struct nf_hook_ops		ops;
-#endif
 	const struct nft_chain_type	*type;
 	u8				policy;
 	u8				flags;
@@ -1176,9 +1172,7 @@ struct nft_flowtable {
 					use:30;
 	u64				handle;
 	/* runtime data below here */
-#if IS_ENABLED(CONFIG_NETFILTER)
 	struct nf_hook_ops		*ops ____cacheline_aligned;
-#endif
 	struct nf_flowtable		data;
 };
 
@@ -1233,8 +1227,6 @@ void nft_trace_notify(struct nft_traceinfo *info);
 #define MODULE_ALIAS_NFT_OBJ(type) \
 	MODULE_ALIAS("nft-obj-" __stringify(type))
 
-#if IS_ENABLED(CONFIG_NF_TABLES)
-
 /*
  * The gencursor defines two generations, the currently active and the
  * next one. Objects contain a bitmask of 2 bits specifying the generations
@@ -1308,8 +1300,6 @@ static inline void nft_set_elem_change_active(const struct net *net,
 	ext->genmask ^= nft_genmask_next(net);
 }
 
-#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
-
 /*
  * We use a free bit in the genmask field to indicate the element
  * is busy, meaning it is currently being processed either by
@@ -1446,4 +1436,7 @@ void nft_chain_filter_fini(void);
 
 void __init nft_chain_route_init(void);
 void nft_chain_route_fini(void);
+
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif /* _NET_NF_TABLES_H */
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index 7281895fa6d9..7fa23fb4383c 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -2,6 +2,8 @@
 #ifndef _NET_NF_TABLES_CORE_H
 #define _NET_NF_TABLES_CORE_H
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <net/netfilter/nf_tables.h>
 
 extern struct nft_expr_type nft_imm_type;
@@ -98,4 +100,7 @@ void nft_dynset_eval(const struct nft_expr *expr,
 		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
 void nft_rt_get_eval(const struct nft_expr *expr,
 		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
+
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif /* _NET_NF_TABLES_CORE_H */
diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index ed7b511f0a59..5156a6e4e7d6 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -2,6 +2,8 @@
 #ifndef _NF_TABLES_IPV4_H_
 #define _NF_TABLES_IPV4_H_
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <net/netfilter/nf_tables.h>
 #include <net/ip.h>
 
@@ -53,4 +55,6 @@ static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
 		nft_set_pktinfo_unspec(pkt, skb);
 }
 
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif
diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index d0f1c537b017..46bf20eecf3a 100644
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -2,6 +2,8 @@
 #ifndef _NF_TABLES_IPV6_H_
 #define _NF_TABLES_IPV6_H_
 
+#ifdef CONFIG_NF_TABLES_IPV6
+
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/ipv6.h>
 #include <net/netfilter/nf_tables.h>
@@ -28,7 +30,6 @@ static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
 static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
 						  struct sk_buff *skb)
 {
-#if IS_ENABLED(CONFIG_IPV6)
 	unsigned int flags = IP6_FH_F_AUTH;
 	struct ipv6hdr *ip6h, _ip6h;
 	unsigned int thoff = 0;
@@ -58,9 +59,6 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
 	pkt->xt.fragoff = frag_off;
 
 	return 0;
-#else
-	return -1;
-#endif
 }
 
 static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
@@ -70,4 +68,6 @@ static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
 		nft_set_pktinfo_unspec(pkt, skb);
 }
 
-#endif
+#endif /* CONFIG_NF_TABLES_IPV6 */
+
+#endif /* _NF_TABLES_IPV6_H_ */
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index db104665a9e4..79a4a78f2f01 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -1,6 +1,8 @@
 #ifndef _NET_NF_TABLES_OFFLOAD_H
 #define _NET_NF_TABLES_OFFLOAD_H
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <net/flow_offload.h>
 #include <net/netfilter/nf_tables.h>
 
@@ -80,4 +82,6 @@ void nft_indr_block_get_and_ing_cmd(struct net_device *dev,
 
 int nft_chain_offload_priority(struct nft_base_chain *basechain);
 
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif
diff --git a/include/net/netfilter/nf_tproxy.h b/include/net/netfilter/nf_tproxy.h
index 82d0e41b76f2..0321ec632502 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -1,6 +1,8 @@
 #ifndef _NF_TPROXY_H_
 #define _NF_TPROXY_H_
 
+#if IS_ENABLED(CONFIG_NF_TPROXY)
+
 #include <net/tcp.h>
 
 enum nf_tproxy_lookup_t {
@@ -118,4 +120,6 @@ nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
 		      const struct net_device *in,
 		      const enum nf_tproxy_lookup_t lookup_type);
 
+#endif /* IS_ENABLED(CONFIG_NF_TPROXY) */
+
 #endif /* _NF_TPROXY_H_ */
diff --git a/include/net/netfilter/nft_fib.h b/include/net/netfilter/nft_fib.h
index 628b6fa579cd..b753729ce591 100644
--- a/include/net/netfilter/nft_fib.h
+++ b/include/net/netfilter/nft_fib.h
@@ -2,6 +2,8 @@
 #ifndef _NFT_FIB_H_
 #define _NFT_FIB_H_
 
+#if IS_ENABLED(CONFIG_NFT_FIB)
+
 #include <net/netfilter/nf_tables.h>
 
 struct nft_fib {
@@ -37,4 +39,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
 
 void nft_fib_store_result(void *reg, const struct nft_fib *priv,
 			  const struct net_device *dev);
+
+#endif /* IS_ENABLED(CONFIG_NFT_FIB) */
+
 #endif
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
index 07e2fd507963..bbd18b64eaf8 100644
--- a/include/net/netfilter/nft_meta.h
+++ b/include/net/netfilter/nft_meta.h
@@ -2,6 +2,8 @@
 #ifndef _NFT_META_H_
 #define _NFT_META_H_
 
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
 #include <net/netfilter/nf_tables.h>
 
 struct nft_meta {
@@ -43,4 +45,6 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
 			  const struct nft_expr *expr,
 			  const struct nft_data **data);
 
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
 #endif
diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h
index 56b123a42220..502961721d30 100644
--- a/include/net/netfilter/nft_reject.h
+++ b/include/net/netfilter/nft_reject.h
@@ -2,6 +2,8 @@
 #ifndef _NFT_REJECT_H_
 #define _NFT_REJECT_H_
 
+#if IS_ENABLED(CONFIG_NFT_REJECT)
+
 #include <linux/types.h>
 #include <net/netlink.h>
 #include <net/netfilter/nf_tables.h>
@@ -27,4 +29,6 @@ int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
 int nft_reject_icmp_code(u8 code);
 int nft_reject_icmpv6_code(u8 code);
 
+#endif /* IS_ENABLED(CONFIG_NFT_REJECT) */
+
 #endif
diff --git a/include/net/netfilter/xt_rateest.h b/include/net/netfilter/xt_rateest.h
index 832ab69efda5..9fae3397d62c 100644
--- a/include/net/netfilter/xt_rateest.h
+++ b/include/net/netfilter/xt_rateest.h
@@ -2,6 +2,8 @@
 #ifndef _XT_RATEEST_H
 #define _XT_RATEEST_H
 
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_RATEEST)
+
 #include <net/gen_stats.h>
 
 struct xt_rateest {
@@ -24,4 +26,6 @@ struct xt_rateest {
 struct xt_rateest *xt_rateest_lookup(struct net *net, const char *name);
 void xt_rateest_put(struct net *net, struct xt_rateest *est);
 
+#endif /* IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_RATEEST) */
+
 #endif /* _XT_RATEEST_H */
-- 
2.23.0.rc1

Re: [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks.

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]

Hi Jeremy,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url:    https://github.com/0day-ci/linux/commits/Jeremy-Sowden/Add-config-option-checks-to-netfilter-headers/20190903-075100
base:   https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-s0-09021303 (attached as .config)
compiler: gcc-7 (Debian 7.4.0-11) 7.4.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from security/apparmor/lsm.c:23:0:
   include/linux/netfilter_ipv6.h: In function 'nf_ipv6_br_defrag':
>> include/linux/netfilter_ipv6.h:132:9: error: implicit declaration of function 'nf_ct_frag6_gather'; did you mean 'nf_ct_attach'? [-Werror=implicit-function-declaration]
     return nf_ct_frag6_gather(net, skb, user);
            ^~~~~~~~~~~~~~~~~~
            nf_ct_attach
   cc1: some warnings being treated as errors

vim +132 include/linux/netfilter_ipv6.h

c9bb6165a16e6d Pablo Neira Ayuso 2019-05-31  120  
764dd163ac922f Pablo Neira Ayuso 2019-05-29  121  static inline int nf_ipv6_br_defrag(struct net *net, struct sk_buff *skb,
764dd163ac922f Pablo Neira Ayuso 2019-05-29  122  				    u32 user)
764dd163ac922f Pablo Neira Ayuso 2019-05-29  123  {
764dd163ac922f Pablo Neira Ayuso 2019-05-29  124  #if IS_MODULE(CONFIG_IPV6)
764dd163ac922f Pablo Neira Ayuso 2019-05-29  125  	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
764dd163ac922f Pablo Neira Ayuso 2019-05-29  126  
764dd163ac922f Pablo Neira Ayuso 2019-05-29  127  	if (!v6_ops)
764dd163ac922f Pablo Neira Ayuso 2019-05-29  128  		return 1;
764dd163ac922f Pablo Neira Ayuso 2019-05-29  129  
764dd163ac922f Pablo Neira Ayuso 2019-05-29  130  	return v6_ops->br_defrag(net, skb, user);
43a38c3f318082 Arnd Bergmann     2019-06-17  131  #elif IS_BUILTIN(CONFIG_IPV6)
764dd163ac922f Pablo Neira Ayuso 2019-05-29 @132  	return nf_ct_frag6_gather(net, skb, user);
43a38c3f318082 Arnd Bergmann     2019-06-17  133  #else
43a38c3f318082 Arnd Bergmann     2019-06-17  134  	return 1;
764dd163ac922f Pablo Neira Ayuso 2019-05-29  135  #endif
764dd163ac922f Pablo Neira Ayuso 2019-05-29  136  }
764dd163ac922f Pablo Neira Ayuso 2019-05-29  137  

:::::: The code at line 132 was first introduced by commit
:::::: 764dd163ac922f8683b5bcd3007251ce7b26cd33 netfilter: nf_conntrack_bridge: add support for IPv6

:::::: TO: Pablo Neira Ayuso <pablo@netfilter.org>
:::::: CC: David S. Miller <davem@davemloft.net>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 35083 bytes --]

Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

[Pablo Neira Ayuso]

Hi Jeremy,

Thanks for working on this.

Could you squash a few of these patches to get a smaller patchset?

My suggestions:

* Squash 01/30, 02/30 and 03/30, call this something like: "netfilter: add
  missing include guard". Just document that the chunk for the
  flowtable is fixing up a comment.

* For 04/30, since this is about SPDX, I would suggest you leave this
  behind and we wait for someone to make a whole pass over the netfilter
  headers to check for missing SPDX tags? Not a deal breaker, you can
  keep it in this batch if you like.

* Squash 05/30, 06/30 and 07/30, call this I'd suggest: "netfilter:
  fix coding style errors", document the stray semi-colons, the
  Kconfig missing indent and the trailing whitespaces.

* Squash 09/30, 10/30, 11/30, 12/30 and 12/30. They all refer to
  #include updates, could you squash and document these updates?

* 14/30, "netfilter: remove superfluous header" I'd suggest you rename
  this to "netfilter: remove nf_conntrack_icmpv6.h header".

* 15/30 and 16/30 LGTM.

* 17/30 I don't think struct nf_bridge_frag_data qualifies for the
  global netfilter.h header.

* 19/30 LGTM.

* With 20/30 gets more ifdef pollution to optimize a case where kernel
  is compiled without this trackers. I would prefer you keep this
  back.

* Please, squash 21/30 and 22/30.

* 24/30 nft_set_pktinfo_ipv6_validate() definition already
  deals with this in the right way.

* 25/30 nf_conntrack_zones_common.h only makes sense if NF_CONNTRACK
  is enabled, I don't understand.

* 27/30 identation is not correct, not using tabs.

* 26/30 is adding more #ifdef CONFIG_NETFILTER to the netfilter.h
  header. They make sense to make this new infra to compile headers,
  but from developer perspective is confusing.

* 30/30 very similar to 26/30...

--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -7,6 +7,10 @@ 
 #ifndef _IP_SET_H
 #define _IP_SET_H
 
+#include <uapi/linux/netfilter/ipset/ip_set.h>
+
+#if IS_ENABLED(CONFIG_IP_SET)
...

Shouldn't probably the CONFIG_HEADER_TEST infrastructure check if the
Kconfig option is set on before blindy compiling headers?

Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 2593 bytes --]

On 2019-09-04, at 21:05:35 +0200, Pablo Neira Ayuso wrote:
> Thanks for working on this.

Happy to help.

> Could you squash a few of these patches to get a smaller patchset?

Absolutely.

> My suggestions:
>
> * Squash 01/30, 02/30 and 03/30, call this something like: "netfilter:
>   add missing include guard". Just document that the chunk for the
>   flowtable is fixing up a comment.

Will do.

> * For 04/30, since this is about SPDX, I would suggest you leave this
>   behind and we wait for someone to make a whole pass over the
>   netfilter headers to check for missing SPDX tags? Not a deal
>   breaker, you can keep it in this batch if you like.

Will drop it.  This was a bit speculative: I think I've got it right,
but, as you say, this may be one to leave to someone with more
expertise.

> * Squash 05/30, 06/30 and 07/30, call this I'd suggest: "netfilter:
>   fix coding style errors", document the stray semi-colons, the
>   Kconfig missing indent and the trailing whitespaces.

Will do.

> * Squash 09/30, 10/30, 11/30, 12/30 and 12/30. They all refer to
>   #include updates, could you squash and document these updates?

Will do.

> * 14/30, "netfilter: remove superfluous header" I'd suggest you rename
>   this to "netfilter: remove nf_conntrack_icmpv6.h header".

Will do.

> * 17/30 I don't think struct nf_bridge_frag_data qualifies for the
>   global netfilter.h header.

What about netfilter_bridge.h?

> * Please, squash 21/30 and 22/30.

Will do.

> * With 20/30 gets more ifdef pollution to optimize a case where kernel
>   is compiled without this trackers. I would prefer you keep this
>   back.
>
> * 24/30 nft_set_pktinfo_ipv6_validate() definition already
>   deals with this in the right way.
>
> * 25/30 nf_conntrack_zones_common.h only makes sense if NF_CONNTRACK
>   is enabled, I don't understand.
>
> * 27/30 identation is not correct, not using tabs.
>
> * 26/30 is adding more #ifdef CONFIG_NETFILTER to the netfilter.h
>   header. They make sense to make this new infra to compile headers,
>   but from developer perspective is confusing.
>
> * 30/30 very similar to 26/30...

As I mentioned in the cover-letter the idea behind my approach was to
config out as much code as possible: if header H is only required when
config C is enabled, then wrap it in an `#if IS_ENABLED(CONFIG_C)`.
However, you're clearly not keen, and, having had a poke around in other
headers that have been moved off the blacklist, I've come to the con-
clusion that it was the wrong way to go: we want less #ifdeffery, not
more.  Will rework this part of the series.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

[Pablo Neira Ayuso]

On Sat, Sep 07, 2019 at 08:16:59PM +0100, Jeremy Sowden wrote:
> On 2019-09-04, at 21:05:35 +0200, Pablo Neira Ayuso wrote:
[...]
> > * 17/30 I don't think struct nf_bridge_frag_data qualifies for the
> >   global netfilter.h header.
> 
> What about netfilter_bridge.h?

That's fine indeed.

[...]
> As I mentioned in the cover-letter the idea behind my approach was to
> config out as much code as possible: if header H is only required when
> config C is enabled, then wrap it in an `#if IS_ENABLED(CONFIG_C)`.
> However, you're clearly not keen, and, having had a poke around in other
> headers that have been moved off the blacklist, I've come to the con-
> clusion that it was the wrong way to go: we want less #ifdeffery, not
> more.  Will rework this part of the series.

It would be great if all those are #if IS_ENABLED(CONFIG_C) only to
make happy CONFIG_HEADER_TEST go away, and no more new ones are added
indeed.

Thanks.