* [PATCH nf-next v2 01/30] netfilter: add include guard to nf_conntrack_h323_types.h
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 02/30] netfilter: add include guard to nf_conntrack_labels.h Jeremy Sowden
` (29 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: Netfilter Devel, Masahiro Yamada
From: Masahiro Yamada <yamada.masahiro@socionext.com>
Add a header include guard just in case.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_conntrack_h323_types.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/include/linux/netfilter/nf_conntrack_h323_types.h
index 7a6871ac8784..74c6f9241944 100644
--- a/include/linux/netfilter/nf_conntrack_h323_types.h
+++ b/include/linux/netfilter/nf_conntrack_h323_types.h
@@ -4,6 +4,9 @@
* Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
*/
+#ifndef _NF_CONNTRACK_H323_TYPES_H
+#define _NF_CONNTRACK_H323_TYPES_H
+
typedef struct TransportAddress_ipAddress { /* SEQUENCE */
int options; /* No use */
unsigned int ip;
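Review bot: The guard opened at `#ifndef _NF_CONNTRACK_H323_TYPES_H` is needed for correctness rather than "just in case": the header defines struct bodies such as `typedef struct TransportAddress_ipAddress { ... }`, and a second inclusion in the same translation unit would be a redefinition error. Consider stating that in the commit message so the motivation is on record.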
@@ -931,3 +934,5 @@ typedef struct RasMessage { /* CHOICE */
InfoRequestResponse infoRequestResponse;
};
} RasMessage;
+
+#endif /* _NF_CONNTRACK_H323_TYPES_H */
--
2.23.0.rc1
* [PATCH nf-next v2 02/30] netfilter: add include guard to nf_conntrack_labels.h.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 01/30] netfilter: add include guard to nf_conntrack_h323_types.h Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 03/30] netfilter: fix include guard comment Jeremy Sowden
` (28 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_conntrack_labels.h has no include guard. Add it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_labels.h | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index 4eacce6f3bcc..ba916411c4e1 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -1,11 +1,14 @@
/* SPDX-License-Identifier: GPL-2.0 */
-#include <linux/types.h>
-#include <net/net_namespace.h>
+
+#ifndef _NF_CONNTRACK_LABELS_H
+#define _NF_CONNTRACK_LABELS_H
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <linux/types.h>
+#include <net/net_namespace.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_extend.h>
-
#include <uapi/linux/netfilter/xt_connlabel.h>
#define NF_CT_LABELS_MAX_SIZE ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
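Review bot: The include reordering at the top of this hunk is not covered by the commit message, which only mentions the guard. `#include <linux/types.h>` and `#include <net/net_namespace.h>` move below the `linux/netfilter` includes, and the blank line before `#include <uapi/linux/netfilter/xt_connlabel.h>` is dropped. Either mention the reordering in the message or keep this patch to the `#ifndef`/`#define`/`#endif` lines.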
@@ -51,3 +54,5 @@ static inline void nf_conntrack_labels_fini(void) {}
static inline int nf_connlabels_get(struct net *net, unsigned int bit) { return 0; }
static inline void nf_connlabels_put(struct net *net) {}
#endif
+
+#endif /* _NF_CONNTRACK_LABELS_H */
--
2.23.0.rc1
* [PATCH nf-next v2 03/30] netfilter: fix include guard comment.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 01/30] netfilter: add include guard to nf_conntrack_h323_types.h Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 02/30] netfilter: add include guard to nf_conntrack_labels.h Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 04/30] netfilter: add GPL-2.0 SPDX ID's to a couple of headers Jeremy Sowden
` (27 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
The comment following the #endif in the nf_flow_table.h include guard
referred to the wrong macro. Fix it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_flow_table.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 609df33b1209..d875be62cdf0 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -127,4 +127,4 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
MODULE_ALIAS("nf-flowtable-" __stringify(family))
-#endif /* _FLOW_OFFLOAD_H */
+#endif /* _NF_FLOW_TABLE_H */
--
2.23.0.rc1
* [PATCH nf-next v2 04/30] netfilter: add GPL-2.0 SPDX ID's to a couple of headers.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (2 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 03/30] netfilter: fix include guard comment Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 05/30] netfilter: remove trailing white-space Jeremy Sowden
` (26 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Two headers are missing SPDX licence identifiers. They contain
copyright notices indicating that the code is GPL. Add GPL-2.0
identifiers.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter_ipv4.h | 3 ++-
include/linux/netfilter_ipv6.h | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 082e2c41b7ff..cab891485752 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -1,4 +1,5 @@
-/* IPv4-specific defines for netfilter.
+/* SPDX-License-Identifier: GPL-2.0 */
+/* IPv4-specific defines for netfilter.
* (C)1998 Rusty Russell -- This code is GPL.
*/
#ifndef __LINUX_IP_NETFILTER_H
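Review bot: The SPDX tag added on the first line picks GPL-2.0, but the notice directly below says only `This code is GPL` and names no version. The commit message should state why GPL-2.0 rather than GPL-2.0+ is the right reading (for instance, that it follows the kernel's default licence for files that name no version), since an SPDX tag is a licensing statement and not a formatting change.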
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7beb681e1ce5..c2f669581d88 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -1,4 +1,5 @@
-/* IPv6-specific defines for netfilter.
+/* SPDX-License-Identifier: GPL-2.0 */
+/* IPv6-specific defines for netfilter.
* (C)1998 Rusty Russell -- This code is GPL.
* (C)1999 David Jeffery
* this header was blatantly ripped from netfilter_ipv4.h
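Review bot: The `/* IPv6-specific defines for netfilter.` line is removed and re-added with no visible difference, so it is presumably a whitespace-only change that the commit message does not mention; the same happens in the netfilter_ipv4.h hunk. That cleanup fits 05/30 (remove trailing white-space), which already touches netfilter_ipv6.h, better than a licence-identifier patch.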
--
2.23.0.rc1
* [PATCH nf-next v2 05/30] netfilter: remove trailing white-space.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (3 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 04/30] netfilter: add GPL-2.0 SPDX ID's to a couple of headers Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 06/30] netfilter: fix Kconfig formatting error Jeremy Sowden
` (25 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Several header-files, Kconfig files and Makefiles have trailing
white-space. Remove it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter/x_tables.h | 2 +-
include/linux/netfilter_ipv6.h | 2 +-
include/net/netfilter/nf_conntrack_expect.h | 2 +-
include/net/netfilter/nf_conntrack_tuple.h | 2 +-
net/ipv4/netfilter/Kconfig | 8 ++++----
net/ipv4/netfilter/Makefile | 2 +-
net/netfilter/Kconfig | 6 +++---
net/netfilter/Makefile | 2 +-
8 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index ae62bf1c6824..b9bc25f57c8e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -340,7 +340,7 @@ void xt_free_table_info(struct xt_table_info *info);
/**
* xt_recseq - recursive seqcount for netfilter use
- *
+ *
* Packet processing changes the seqcount only if no recursion happened
* get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
* because we use the normal seqcount convention :
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index c2f669581d88..9797685d1e11 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -2,7 +2,7 @@
/* IPv6-specific defines for netfilter.
* (C)1998 Rusty Russell -- This code is GPL.
* (C)1999 David Jeffery
- * this header was blatantly ripped from netfilter_ipv4.h
+ * this header was blatantly ripped from netfilter_ipv4.h
* it's amazing what adding a bunch of 6s can do =8^)
*/
#ifndef __LINUX_IP6_NETFILTER_H
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 573429be4d59..0855b60fba17 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -126,7 +126,7 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
const union nf_inet_addr *,
u_int8_t, const __be16 *, const __be16 *);
void nf_ct_expect_put(struct nf_conntrack_expect *exp);
-int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
+int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
u32 portid, int report, unsigned int flags);
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
unsigned int flags)
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 480c87b44a96..68ea9b932736 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -124,7 +124,7 @@ struct nf_conntrack_tuple_hash {
#if IS_ENABLED(CONFIG_NETFILTER)
static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
const struct nf_conntrack_tuple *t2)
-{
+{
return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
t1->src.u.all == t2->src.u.all &&
t1->src.l3num == t2->src.l3num);
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 69e76d677f9e..f17b402111ce 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -272,7 +272,7 @@ config IP_NF_TARGET_CLUSTERIP
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.
-
+
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_ECN
@@ -281,7 +281,7 @@ config IP_NF_TARGET_ECN
depends on NETFILTER_ADVANCED
---help---
This option adds a `ECN' target, which can be used in the iptables mangle
- table.
+ table.
You can use this target to remove the ECN bits from the IPv4 header of
an IP packet. This is particularly useful, if you need to work around
@@ -306,7 +306,7 @@ config IP_NF_RAW
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.
-
+
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
@@ -318,7 +318,7 @@ config IP_NF_SECURITY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
-
+
If unsure, say N.
endif # IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c50e0ec095d2..7c497c78105f 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,7 +31,7 @@ obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
# flow table support
obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o
-# generic IP tables
+# generic IP tables
obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
# the three instances of ip_tables
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0d65f4d39494..6244bf3de4af 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -34,7 +34,7 @@ config NETFILTER_NETLINK_QUEUE
help
If this option is enabled, the kernel will include support
for queueing packets via NFNETLINK.
-
+
config NETFILTER_NETLINK_LOG
tristate "Netfilter LOG over NFNETLINK interface"
default m if NETFILTER_ADVANCED=n
@@ -1502,7 +1502,7 @@ config NETFILTER_XT_MATCH_REALM
This option adds a `realm' match, which allows you to use the realm
key from the routing subsystem inside iptables.
- This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
+ This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
in tc world.
If you want to compile it as a module, say M here and read
@@ -1523,7 +1523,7 @@ config NETFILTER_XT_MATCH_SCTP
depends on NETFILTER_ADVANCED
default IP_SCTP
help
- With this option enabled, you will be able to use the
+ With this option enabled, you will be able to use the
`sctp' match in order to match on SCTP source/destination ports
and SCTP chunk types.
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9270a7fae484..4fc075b612fe 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -124,7 +124,7 @@ nf_flow_table-objs := nf_flow_table_core.o nf_flow_table_ip.o
obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
-# generic X tables
+# generic X tables
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
# combos
--
2.23.0.rc1
* [PATCH nf-next v2 06/30] netfilter: fix Kconfig formatting error.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (4 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 05/30] netfilter: remove trailing white-space Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 07/30] netfilter: remove stray semicolons Jeremy Sowden
` (24 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Indent the type of CONFIG_NETFILTER_NETLINK_ACCT correctly.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/netfilter/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6244bf3de4af..34ec7afec116 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -20,7 +20,7 @@ config NETFILTER_FAMILY_ARP
bool
config NETFILTER_NETLINK_ACCT
-tristate "Netfilter NFACCT over NFNETLINK interface"
+ tristate "Netfilter NFACCT over NFNETLINK interface"
depends on NETFILTER_ADVANCED
select NETFILTER_NETLINK
help
--
2.23.0.rc1
* [PATCH nf-next v2 07/30] netfilter: remove stray semicolons.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (5 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 06/30] netfilter: fix Kconfig formatting error Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 08/30] netfilter: remove unused function declarations Jeremy Sowden
` (23 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
There are a couple of semicolons at the end of function definitions.
Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_acct.h | 2 +-
include/net/netfilter/nf_conntrack_ecache.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index ad9f2172dee1..5b5287bb49db 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -45,7 +45,7 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
#else
return NULL;
#endif
-};
+}
/* Check if connection tracking accounting is enabled */
static inline bool nf_ct_acct_enabled(struct net *net)
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 52b44192b43f..0815bfadfefe 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -61,7 +61,7 @@ nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
#else
return NULL;
#endif
-};
+}
#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* This structure is passed to event handler */
--
2.23.0.rc1
* [PATCH nf-next v2 08/30] netfilter: remove unused function declarations.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (6 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 07/30] netfilter: remove stray semicolons Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 09/30] netfilter: remove unused includes Jeremy Sowden
` (22 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Two headers include declarations of functions which are never defined.
Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter_ipv4/ip_tables.h | 2 --
include/linux/netfilter_ipv6/ip6_tables.h | 3 +--
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index f40a65481df4..0b0d43ad9ed9 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -23,8 +23,6 @@
#include <linux/init.h>
#include <uapi/linux/netfilter_ipv4/ip_tables.h>
-extern void ipt_init(void) __init;
-
#if IS_ENABLED(CONFIG_NETFILTER)
int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
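Review bot: With `extern void ipt_init(void) __init;` gone, check whether `#include <linux/init.h>` two lines above is still needed; the removed declaration is the only use of `__init` visible in this hunk. If nothing else in the header uses it, drop the include here or in 09/30 (remove unused includes).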
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 53b7309613bf..666450c117bf 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -23,9 +23,8 @@
#include <linux/init.h>
#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
-extern void ip6t_init(void) __init;
-
extern void *ip6t_alloc_initial_table(const struct xt_table *);
+
#if IS_ENABLED(CONFIG_NETFILTER)
int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct ip6t_replace *repl,
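Review bot: The declaration that stays, `extern void *ip6t_alloc_initial_table(const struct xt_table *);`, still sits above `#if IS_ENABLED(CONFIG_NETFILTER)` while `ip6t_register_table()` is inside it. Since the series is about config option checks in these headers, say in the commit message whether that placement is intentional or whether a later patch moves it under the check.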
--
2.23.0.rc1
* [PATCH nf-next v2 09/30] netfilter: remove unused includes.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (7 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 08/30] netfilter: remove unused function declarations Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 10/30] netfilter: include the right header in nf_conntrack_zones.h Jeremy Sowden
` (21 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Some header-files are included in places where they are not needed.
Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/bridge/netfilter/nf_conntrack_bridge.c | 1 -
net/ipv6/netfilter/nf_socket_ipv6.c | 1 -
net/netfilter/xt_physdev.c | 1 -
3 files changed, 3 deletions(-)
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 4f5444d2a526..c9ce321fcac1 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -17,7 +17,6 @@
#include <net/netfilter/nf_conntrack_bridge.h>
#include <linux/netfilter/nf_tables.h>
-#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
#include <net/netfilter/nf_tables.h>
#include "../br_private.h"
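Review bot: The commit message does not say how `#include <net/netfilter/ipv6/nf_defrag_ipv6.h>` was determined to be unused in this file. A header that looks unused can still be the only source of a declaration under some configurations, so list the configurations that were build-tested (the relevant options built in, as modules, and disabled). The same applies to the other two files in this patch.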
diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c
index 437d95545c31..b9df879c48d3 100644
--- a/net/ipv6/netfilter/nf_socket_ipv6.c
+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
@@ -12,7 +12,6 @@
#include <net/sock.h>
#include <net/inet_sock.h>
#include <net/inet6_hashtables.h>
-#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
#include <net/netfilter/nf_socket.h>
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#include <net/netfilter/nf_conntrack.h>
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index ead7c6022208..4f311e5703e8 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -10,7 +10,6 @@
#include <linux/netfilter_bridge.h>
#include <linux/netfilter/xt_physdev.h>
#include <linux/netfilter/x_tables.h>
-#include <net/netfilter/br_netfilter.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
--
2.23.0.rc1
* [PATCH nf-next v2 10/30] netfilter: include the right header in nf_conntrack_zones.h.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (8 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 09/30] netfilter: remove unused includes Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 11/30] netfilter: fix inclusions of <linux/netfilter/nf_nat.h> Jeremy Sowden
` (20 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_conntrack_zones.h includes nf_conntrack_extend.h, but it doesn't
actually use anything from it. It does, however, require stuff from
nf_conntrack.h which it includes transitively. Include nf_conntrack.h
directly instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_zones.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_conntrack_zones.h b/include/net/netfilter/nf_conntrack_zones.h
index 52950baa3ab5..33b91d19cb7d 100644
--- a/include/net/netfilter/nf_conntrack_zones.h
+++ b/include/net/netfilter/nf_conntrack_zones.h
@@ -5,7 +5,8 @@
#include <linux/netfilter/nf_conntrack_zones_common.h>
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <net/netfilter/nf_conntrack_extend.h>
+
+#include <net/netfilter/nf_conntrack.h>
static inline const struct nf_conntrack_zone *
nf_ct_zone(const struct nf_conn *ct)
--
2.23.0.rc1
* [PATCH nf-next v2 11/30] netfilter: fix inclusions of <linux/netfilter/nf_nat.h>.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (9 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 10/30] netfilter: include the right header in nf_conntrack_zones.h Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 12/30] netfilter: added missing includes Jeremy Sowden
` (19 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Three files include linux/netfilter/nf_nat.h, which doesn't exist,
instead of uapi/linux/netfilter/nf_nat.h. Fix them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_nat.h | 5 ++++-
net/netfilter/nf_nat_core.c | 6 +++---
net/sched/act_ct.c | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index eec208fb9c23..c3ac2751952d 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -2,8 +2,11 @@
#ifndef _NF_NAT_H
#define _NF_NAT_H
#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_conntrack_pptp.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_tuple.h>
+#include <uapi/linux/netfilter/nf_nat.h>
enum nf_nat_manip_type {
NF_NAT_MANIP_SRC,
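Review bot: The three includes added next to the nf_nat.h path fix, `linux/netfilter/nf_conntrack_pptp.h`, `net/netfilter/nf_conntrack.h` and `net/netfilter/nf_conntrack_extend.h`, are outside what the commit message describes. They look like part of 12/30 (added missing includes), which goes on to remove the later `nf_conntrack_pptp.h` and `nf_conntrack_extend.h` includes from this same header; moving them there would keep this patch to the one-line path change.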
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 3f6023ed4966..bfc555fcbc72 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -18,12 +18,12 @@
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
-#include <net/netfilter/nf_nat.h>
-#include <net/netfilter/nf_nat_helper.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_zones.h>
-#include <linux/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat_helper.h>
+#include <uapi/linux/netfilter/nf_nat.h>
#include "nf_internals.h"
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 33a1a7406e87..5a3c5c5885ef 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -24,12 +24,12 @@
#include <uapi/linux/tc_act/tc_ct.h>
#include <net/tc_act/tc_ct.h>
-#include <linux/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_zones.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+#include <uapi/linux/netfilter/nf_nat.h>
static struct tc_action_ops act_ct_ops;
static unsigned int ct_net_id;
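Review bot: The commit message says `linux/netfilter/nf_nat.h` doesn't exist, yet the removed `#include <linux/netfilter/nf_nat.h>` must have been resolving to something for this file to build. If it was being found through the uapi include directory, the old spelling was working and this is a consistency change rather than a fix; please say which it is. The include also moves from the top of this block to the bottom, which is worth a mention.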
--
2.23.0.rc1
* [PATCH nf-next v2 12/30] netfilter: added missing includes.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (10 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 11/30] netfilter: fix inclusions of <linux/netfilter/nf_nat.h> Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 13/30] netfilter: inline three headers Jeremy Sowden
` (18 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Include some headers in files which use them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_core.h | 3 ++-
include/net/netfilter/nf_nat.h | 8 ++------
include/net/netfilter/nf_nat_masquerade.h | 1 +
net/netfilter/nf_conntrack_ecache.c | 1 +
net/netfilter/nf_conntrack_expect.c | 2 ++
net/netfilter/nf_conntrack_helper.c | 5 +++--
net/netfilter/nf_conntrack_timeout.c | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nft_flow_offload.c | 3 ++-
net/netfilter/xt_connlimit.c | 2 ++
10 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 71a2d9cb64ea..d340886e012d 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -14,8 +14,9 @@
#define _NF_CONNTRACK_CORE_H
#include <linux/netfilter.h>
-#include <net/netfilter/nf_conntrack_l4proto.h>
+#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
/* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use
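Review bot: The commit message gives no indication of which symbol each new include supplies, which makes hunks like this one hard to check: `#include <net/netfilter/nf_conntrack.h>` is added, but `nf_conntrack_l4proto.h` is also moved below `nf_conntrack_ecache.h` purely for ordering. A line per file naming the type or function that needs the header, plus a note that some includes are only being sorted, would help.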
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index c3ac2751952d..eeb336809679 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -1,6 +1,8 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_NAT_H
#define _NF_NAT_H
+
+#include <linux/list.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/nf_conntrack_pptp.h>
#include <net/netfilter/nf_conntrack.h>
@@ -17,10 +19,6 @@ enum nf_nat_manip_type {
#define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \
(hooknum) != NF_INET_LOCAL_IN)
-#include <linux/list.h>
-#include <linux/netfilter/nf_conntrack_pptp.h>
-#include <net/netfilter/nf_conntrack_extend.h>
-
/* per conntrack: nat application helper private data */
union nf_conntrack_nat_help {
/* insert nat helper private data here */
@@ -29,8 +27,6 @@ union nf_conntrack_nat_help {
#endif
};
-struct nf_conn;
-
/* The structure embedded in the conntrack structure. */
struct nf_conn_nat {
union nf_conntrack_nat_help help;
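Review bot: Dropping the `struct nf_conn;` forward declaration makes this header rely on the full `net/netfilter/nf_conntrack.h` include at the top of the file. If only pointers to `struct nf_conn` are used here, the forward declaration is the lighter dependency and could stay; if the complete type is required, say so in the commit message.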
diff --git a/include/net/netfilter/nf_nat_masquerade.h b/include/net/netfilter/nf_nat_masquerade.h
index 54a14d643c34..be7abc9d5f22 100644
--- a/include/net/netfilter/nf_nat_masquerade.h
+++ b/include/net/netfilter/nf_nat_masquerade.h
@@ -2,6 +2,7 @@
#ifndef _NF_NAT_MASQUERADE_H_
#define _NF_NAT_MASQUERADE_H_
+#include <linux/skbuff.h>
#include <net/netfilter/nf_nat.h>
unsigned int
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 5e2812ee2149..6fba74b5aaf7 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -24,6 +24,7 @@
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_extend.h>
static DEFINE_MUTEX(nf_ct_ecache_mutex);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 65364de915d1..42557d2b6a90 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -25,8 +25,10 @@
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_zones.h>
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 8d729e7c36ff..118f415928ae 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -21,10 +21,11 @@
#include <linux/rtnetlink.h>
#include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nf_conntrack_l4proto.h>
-#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_log.h>
static DEFINE_MUTEX(nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_timeout.c b/net/netfilter/nf_conntrack_timeout.c
index 13d0f4a92647..14387e0b8008 100644
--- a/net/netfilter/nf_conntrack_timeout.c
+++ b/net/netfilter/nf_conntrack_timeout.c
@@ -19,6 +19,7 @@
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_timeout.h>
struct nf_ct_timeout *
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 80a8f9ae4c93..09310a1bd91f 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -11,6 +11,7 @@
#include <net/netfilter/nf_flow_table.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_tuple.h>
struct flow_offload_entry {
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 060a4ed46d5e..b2dec0185056 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -6,12 +6,13 @@
#include <linux/netfilter.h>
#include <linux/workqueue.h>
#include <linux/spinlock.h>
+#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ip.h> /* for ipv4 options. */
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_conntrack_core.h>
-#include <linux/netfilter/nf_conntrack_common.h>
+#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_flow_table.h>
struct nft_flow_offload {
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index bc6c8ab0fa62..46fcac75f726 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -13,6 +13,8 @@
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
--
2.23.0.rc1
* [PATCH nf-next v2 13/30] netfilter: inline three headers.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Three netfilter headers are only included once. Inline their contents
at those sites and remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter/xt_hashlimit.h | 11 -----------
include/linux/netfilter/xt_physdev.h | 8 --------
include/linux/netfilter_bridge/ebt_802_3.h | 12 ------------
net/bridge/netfilter/ebt_802_3.c | 8 +++++++-
net/netfilter/xt_hashlimit.c | 7 ++++++-
net/netfilter/xt_physdev.c | 5 +++--
6 files changed, 16 insertions(+), 35 deletions(-)
delete mode 100644 include/linux/netfilter/xt_hashlimit.h
delete mode 100644 include/linux/netfilter/xt_physdev.h
delete mode 100644 include/linux/netfilter_bridge/ebt_802_3.h
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
deleted file mode 100644
index 169d03983589..000000000000
--- a/include/linux/netfilter/xt_hashlimit.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _XT_HASHLIMIT_H
-#define _XT_HASHLIMIT_H
-
-#include <uapi/linux/netfilter/xt_hashlimit.h>
-
-#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
- XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
- XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
- XT_HASHLIMIT_RATE_MATCH)
-#endif /*_XT_HASHLIMIT_H*/
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
deleted file mode 100644
index 4ca0593949cd..000000000000
--- a/include/linux/netfilter/xt_physdev.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _XT_PHYSDEV_H
-#define _XT_PHYSDEV_H
-
-#include <linux/if.h>
-#include <uapi/linux/netfilter/xt_physdev.h>
-
-#endif /*_XT_PHYSDEV_H*/
diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h
deleted file mode 100644
index c6147f9c0d80..000000000000
--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ /dev/null
@@ -1,12 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef __LINUX_BRIDGE_EBT_802_3_H
-#define __LINUX_BRIDGE_EBT_802_3_H
-
-#include <linux/skbuff.h>
-#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
-
-static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
-{
- return (struct ebt_802_3_hdr *)skb_mac_header(skb);
-}
-#endif
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 2c8fe24400e5..68c2519bdc52 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -11,7 +11,13 @@
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
-#include <linux/netfilter_bridge/ebt_802_3.h>
+#include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
+
+static struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
+{
+ return (struct ebt_802_3_hdr *)skb_mac_header(skb);
+}
static bool
ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
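Review bot: ebt_802_3_hdr() loses its inline qualifier on the way from the deleted header into ebt_802_3.c (static inline there, plain static here), and the commit message does not say so. That is reasonable for a helper with a single user in a .c file, but mention it in the log. The helper also casts away the const on skb's MAC header, so a short comment on whether callers may write through the returned pointer would help.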
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 2d2691dd51e0..ced3fc8fad7c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -34,9 +34,14 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/xt_hashlimit.h>
#include <linux/mutex.h>
#include <linux/kernel.h>
+#include <uapi/linux/netfilter/xt_hashlimit.h>
+
+#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
+ XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
+ XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
+ XT_HASHLIMIT_RATE_MATCH)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
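Review bot: XT_HASHLIMIT_ALL is re-added with the inconsistent continuation on its XT_HASHLIMIT_BYTES line, which ends in "|\" with no space before the backslash, unlike the two lines above it. Since these are new lines in this file anyway, fix the spacing here, and add a one-line comment saying what the mask is used for now that it no longer sits in a header next to the flag definitions.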
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 4f311e5703e8..559a0572557f 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -5,11 +5,13 @@
/* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/if.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_bridge.h>
-#include <linux/netfilter/xt_physdev.h>
#include <linux/netfilter/x_tables.h>
+#include <uapi/linux/netfilter/xt_physdev.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
@@ -17,7 +19,6 @@ MODULE_DESCRIPTION("Xtables: Bridge physical device match");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
-
static bool
physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
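Review bot: The blank-line removal before physdev_mt() is unrelated to inlining xt_physdev.h and is not mentioned in the commit message. Drop it from this patch or move it to a whitespace cleanup so the change stays limited to the include rework.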
--
2.23.0.rc1
* [PATCH nf-next v2 14/30] netfilter: remove superfluous header.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_conntrack_icmpv6.h contains two object macros which duplicate macros
in linux/icmpv6.h. The latter definitions are also visible wherever it
is included, so remove it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
.../net/netfilter/ipv6/nf_conntrack_icmpv6.h | 21 -------------------
include/net/netfilter/nf_conntrack.h | 1 -
net/netfilter/nf_conntrack_proto_icmpv6.c | 1 -
3 files changed, 23 deletions(-)
delete mode 100644 include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
diff --git a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
deleted file mode 100644
index c86895bc5eb6..000000000000
--- a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-/*
- * ICMPv6 tracking.
- *
- * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
- * - separated from nf_conntrack_icmp.h
- *
- * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
- */
-
-#ifndef _NF_CONNTRACK_ICMPV6_H
-#define _NF_CONNTRACK_ICMPV6_H
-
-#ifndef ICMPV6_NI_QUERY
-#define ICMPV6_NI_QUERY 139
-#endif
-#ifndef ICMPV6_NI_REPLY
-#define ICMPV6_NI_REPLY 140
-#endif
-
-#endif /* _NF_CONNTRACK_ICMPV6_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 2cc304efe7f9..22275f42f0bb 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,7 +23,6 @@
#include <linux/netfilter/nf_conntrack_dccp.h>
#include <linux/netfilter/nf_conntrack_sctp.h>
#include <linux/netfilter/nf_conntrack_proto_gre.h>
-#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
#include <net/netfilter/nf_conntrack_tuple.h>
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index 7e317e6698ba..6f9144e1f1c1 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -22,7 +22,6 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_zones.h>
-#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
#include <net/netfilter/nf_log.h>
static const unsigned int nf_ct_icmpv6_timeout = 30*HZ;
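Review bot: nf_conntrack_proto_icmpv6.c drops the include, but the context shown here does not include linux/icmpv6.h, so it is not visible from the patch that ICMPV6_NI_QUERY and ICMPV6_NI_REPLY still reach this file directly. The deleted header defined both under #ifndef, so it also acted as a fallback; if this file uses either macro, include linux/icmpv6.h explicitly rather than relying on another header to pull it in, and name the users in the commit message.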
--
2.23.0.rc1
* [PATCH nf-next v2 15/30] netfilter: move inline function to a more appropriate header.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
There is an inline function in ip6_tables.h which is not specific to
ip6tables and is used elsewhere in netfilter. Move it into
netfilter_ipv6.h and update the callers.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter_ipv6.h | 12 ++++++++++++
include/linux/netfilter_ipv6/ip6_tables.h | 12 ------------
| 4 ++--
net/ipv6/netfilter/nf_log_ipv6.c | 4 ++--
4 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 9797685d1e11..b8f872844ba3 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -11,6 +11,18 @@
#include <uapi/linux/netfilter_ipv6.h>
#include <net/tcp.h>
+/* Check for an extension */
+static inline int
+nf_ip6_ext_hdr(u8 nexthdr)
+{ return (nexthdr == IPPROTO_HOPOPTS) ||
+ (nexthdr == IPPROTO_ROUTING) ||
+ (nexthdr == IPPROTO_FRAGMENT) ||
+ (nexthdr == IPPROTO_ESP) ||
+ (nexthdr == IPPROTO_AH) ||
+ (nexthdr == IPPROTO_NONE) ||
+ (nexthdr == IPPROTO_DSTOPTS);
+}
+
/* Extra routing may needed on local out, as the QUEUE target never returns
* control to the table.
*/
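Review bot: nf_ip6_ext_hdr() is moved with its one-line comment and its "{ return" opening unchanged, and it still returns int for a yes/no test. Since the function gets a new name and a new home, make it return bool, put the opening brace on its own line, and expand the comment to say that IPPROTO_NONE is counted as an extension header: the nf_log_ipv6.c caller in this patch checks currenthdr != NEXTHDR_NONE before calling it, which a reader of the helper alone would not expect to be needed.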
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 666450c117bf..3a0a2bd054cc 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -36,18 +36,6 @@ extern unsigned int ip6t_do_table(struct sk_buff *skb,
struct xt_table *table);
#endif
-/* Check for an extension */
-static inline int
-ip6t_ext_hdr(u8 nexthdr)
-{ return (nexthdr == IPPROTO_HOPOPTS) ||
- (nexthdr == IPPROTO_ROUTING) ||
- (nexthdr == IPPROTO_FRAGMENT) ||
- (nexthdr == IPPROTO_ESP) ||
- (nexthdr == IPPROTO_AH) ||
- (nexthdr == IPPROTO_NONE) ||
- (nexthdr == IPPROTO_DSTOPTS);
-}
-
#ifdef CONFIG_COMPAT
#include <net/compat.h>
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 0fc6326ef499..c52ff929c93b 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -16,7 +16,7 @@
#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
MODULE_LICENSE("GPL");
@@ -42,7 +42,7 @@ ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
len = skb->len - ptr;
temp = 0;
- while (ip6t_ext_hdr(nexthdr)) {
+ while (nf_ip6_ext_hdr(nexthdr)) {
const struct ipv6_opt_hdr *hp;
struct ipv6_opt_hdr _hdr;
int hdrlen;
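Review bot: The call site shows the helper being renamed from ip6t_ext_hdr() to nf_ip6_ext_hdr(), but the commit message only says it is moved. Mention the rename in the log so that a search for the old name lands on this commit.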
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index f53bd8f01219..22b80db6d882 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -18,7 +18,7 @@
#include <net/route.h>
#include <linux/netfilter.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/xt_LOG.h>
#include <net/netfilter/nf_log.h>
@@ -70,7 +70,7 @@ static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
fragment = 0;
ptr = ip6hoff + sizeof(struct ipv6hdr);
currenthdr = ih->nexthdr;
- while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
+ while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) {
struct ipv6_opt_hdr _hdr;
const struct ipv6_opt_hdr *hp;
--
2.23.0.rc1
* [PATCH nf-next v2 16/30] netfilter: move code between synproxy headers.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
There is some non-conntrack code in the nf_conntrack_synproxy.h header.
Move it to the nf_synproxy.h header.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_synproxy.h | 39 -------------------
include/net/netfilter/nf_synproxy.h | 38 ++++++++++++++++++
2 files changed, 38 insertions(+), 39 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index 2f0171d24997..c22f0c11cc82 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -43,43 +43,4 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
return true;
}
-struct synproxy_stats {
- unsigned int syn_received;
- unsigned int cookie_invalid;
- unsigned int cookie_valid;
- unsigned int cookie_retrans;
- unsigned int conn_reopened;
-};
-
-struct synproxy_net {
- struct nf_conn *tmpl;
- struct synproxy_stats __percpu *stats;
- unsigned int hook_ref4;
- unsigned int hook_ref6;
-};
-
-extern unsigned int synproxy_net_id;
-static inline struct synproxy_net *synproxy_pernet(struct net *net)
-{
- return net_generic(net, synproxy_net_id);
-}
-
-struct synproxy_options {
- u8 options;
- u8 wscale;
- u16 mss_option;
- u16 mss_encode;
- u32 tsval;
- u32 tsecr;
-};
-
-struct tcphdr;
-struct nf_synproxy_info;
-bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
- const struct tcphdr *th,
- struct synproxy_options *opts);
-
-void synproxy_init_timestamp_cookie(const struct nf_synproxy_info *info,
- struct synproxy_options *opts);
-
#endif /* _NF_CONNTRACK_SYNPROXY_H */
diff --git a/include/net/netfilter/nf_synproxy.h b/include/net/netfilter/nf_synproxy.h
index dc420b47e3aa..19d1af7a0348 100644
--- a/include/net/netfilter/nf_synproxy.h
+++ b/include/net/netfilter/nf_synproxy.h
@@ -11,6 +11,44 @@
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_synproxy.h>
+struct synproxy_stats {
+ unsigned int syn_received;
+ unsigned int cookie_invalid;
+ unsigned int cookie_valid;
+ unsigned int cookie_retrans;
+ unsigned int conn_reopened;
+};
+
+struct synproxy_net {
+ struct nf_conn *tmpl;
+ struct synproxy_stats __percpu *stats;
+ unsigned int hook_ref4;
+ unsigned int hook_ref6;
+};
+
+extern unsigned int synproxy_net_id;
+static inline struct synproxy_net *synproxy_pernet(struct net *net)
+{
+ return net_generic(net, synproxy_net_id);
+}
+
+struct synproxy_options {
+ u8 options;
+ u8 wscale;
+ u16 mss_option;
+ u16 mss_encode;
+ u32 tsval;
+ u32 tsecr;
+};
+
+struct nf_synproxy_info;
+bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ const struct tcphdr *th,
+ struct synproxy_options *opts);
+
+void synproxy_init_timestamp_cookie(const struct nf_synproxy_info *info,
+ struct synproxy_options *opts);
+
void synproxy_send_client_synack(struct net *net, const struct sk_buff *skb,
const struct tcphdr *th,
const struct synproxy_options *opts);
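Review bot: The forward declaration "struct tcphdr;" that preceded synproxy_parse_options() in nf_conntrack_synproxy.h is not carried over (39 lines removed, 38 added), so nf_synproxy.h now relies on one of its includes to declare struct tcphdr before it is used in the prototype's parameter list. Keep the forward declaration or include the header that defines the struct here, and say in the commit message why it was dropped.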
--
2.23.0.rc1
* [PATCH nf-next v2 17/30] netfilter: move struct definition function to a more appropriate header.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
There is a struct definition function in nf_conntrack_bridge.h which is
not specific to conntrack and is used elsewhere in netfilter. Move it
into netfilter.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter.h | 7 +++++++
include/linux/netfilter_ipv6.h | 14 +++++++-------
include/net/netfilter/nf_conntrack_bridge.h | 7 -------
net/bridge/netfilter/nf_conntrack_bridge.c | 14 +++++++-------
net/ipv6/netfilter.c | 4 ++--
5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 049aeb40fa35..4c94dd4cc8d0 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -479,4 +479,11 @@ extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
*/
DECLARE_PER_CPU(bool, nf_skb_duplicated);
+struct nf_bridge_frag_data {
+ char mac[ETH_HLEN];
+ bool vlan_present;
+ u16 vlan_tci;
+ __be16 vlan_proto;
+};
+
#endif /*__LINUX_NETFILTER_H*/
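Review bot: struct nf_bridge_frag_data is appended at the very end of netfilter.h, after the nf_skb_duplicated declaration, with no comment, and its mac[ETH_HLEN] member needs ETH_HLEN, for which this hunk adds no include. Include linux/if_ether.h explicitly if netfilter.h does not already, add a line saying what the struct carries, and note in the commit message that it is renamed from nf_ct_bridge_frag_data as well as moved.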
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index b8f872844ba3..cec3253e736d 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -33,7 +33,7 @@ struct ip6_rt_info {
};
struct nf_queue_entry;
-struct nf_ct_bridge_frag_data;
+struct nf_bridge_frag_data;
/*
* Hook functions for ipv6 to allow xt_* modules to be built-in even
@@ -62,9 +62,9 @@ struct nf_ipv6_ops {
int (*br_defrag)(struct net *net, struct sk_buff *skb, u32 user);
int (*br_fragment)(struct net *net, struct sock *sk,
struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data,
+ struct nf_bridge_frag_data *data,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *));
#endif
};
@@ -136,16 +136,16 @@ static inline int nf_ipv6_br_defrag(struct net *net, struct sk_buff *skb,
}
int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data,
+ struct nf_bridge_frag_data *data,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *));
static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk,
struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data,
+ struct nf_bridge_frag_data *data,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *))
{
#if IS_MODULE(CONFIG_IPV6)
diff --git a/include/net/netfilter/nf_conntrack_bridge.h b/include/net/netfilter/nf_conntrack_bridge.h
index 34c28f248b18..01b62fd5efa2 100644
--- a/include/net/netfilter/nf_conntrack_bridge.h
+++ b/include/net/netfilter/nf_conntrack_bridge.h
@@ -16,11 +16,4 @@ struct nf_ct_bridge_info {
void nf_ct_bridge_register(struct nf_ct_bridge_info *info);
void nf_ct_bridge_unregister(struct nf_ct_bridge_info *info);
-struct nf_ct_bridge_frag_data {
- char mac[ETH_HLEN];
- bool vlan_present;
- u16 vlan_tci;
- __be16 vlan_proto;
-};
-
#endif
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index c9ce321fcac1..8842798c29e6 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -26,9 +26,9 @@
*/
static int nf_br_ip_fragment(struct net *net, struct sock *sk,
struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data,
+ struct nf_bridge_frag_data *data,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *))
{
int frag_max_size = BR_INPUT_SKB_CB(skb)->frag_max_size;
@@ -278,7 +278,7 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb,
}
static void nf_ct_bridge_frag_save(struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data)
+ struct nf_bridge_frag_data *data)
{
if (skb_vlan_tag_present(skb)) {
data->vlan_present = true;
@@ -293,10 +293,10 @@ static void nf_ct_bridge_frag_save(struct sk_buff *skb,
static unsigned int
nf_ct_bridge_refrag(struct sk_buff *skb, const struct nf_hook_state *state,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *))
{
- struct nf_ct_bridge_frag_data data;
+ struct nf_bridge_frag_data data;
if (!BR_INPUT_SKB_CB(skb)->frag_max_size)
return NF_ACCEPT;
@@ -319,7 +319,7 @@ nf_ct_bridge_refrag(struct sk_buff *skb, const struct nf_hook_state *state,
/* Actually only slow path refragmentation needs this. */
static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
- const struct nf_ct_bridge_frag_data *data)
+ const struct nf_bridge_frag_data *data)
{
int err;
@@ -340,7 +340,7 @@ static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
}
static int nf_ct_bridge_refrag_post(struct net *net, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *skb)
{
int err;
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 61819ed858b1..a9bff556d3b2 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -113,9 +113,9 @@ int __nf_ip6_route(struct net *net, struct dst_entry **dst,
EXPORT_SYMBOL_GPL(__nf_ip6_route);
int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
- struct nf_ct_bridge_frag_data *data,
+ struct nf_bridge_frag_data *data,
int (*output)(struct net *, struct sock *sk,
- const struct nf_ct_bridge_frag_data *data,
+ const struct nf_bridge_frag_data *data,
struct sk_buff *))
{
int frag_max_size = BR_INPUT_SKB_CB(skb)->frag_max_size;
--
2.23.0.rc1
* [PATCH nf-next v2 18/30] netfilter: use consistent style when defining inline functions in nf_conntrack_ecache.h.
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
The header contains some inline functions defined as:

  static inline f (...)
  {
  #ifdef CONFIG_NF_CONNTRACK_EVENTS
    ...
  #else
    ...
  #endif
  }

and a few others as:

  #ifdef CONFIG_NF_CONNTRACK_EVENTS
  static inline f (...)
  {
    ...
  }
  #else
  static inline f (...)
  {
    ...
  }
  #endif

Prefer the former style, which is more numerous.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_ecache.h | 82 +++++++++++++--------
1 file changed, 50 insertions(+), 32 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 0815bfadfefe..eb81f9195e28 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -64,6 +64,7 @@ nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
}
#ifdef CONFIG_NF_CONNTRACK_EVENTS
+
/* This structure is passed to event handler */
struct nf_ct_event {
struct nf_conn *ct;
@@ -84,9 +85,26 @@ void nf_ct_deliver_cached_events(struct nf_conn *ct);
int nf_conntrack_eventmask_report(unsigned int eventmask, struct nf_conn *ct,
u32 portid, int report);
+#else
+
+static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct)
+{
+}
+
+static inline int nf_conntrack_eventmask_report(unsigned int eventmask,
+ struct nf_conn *ct,
+ u32 portid,
+ int report)
+{
+ return 0;
+}
+
+#endif
+
static inline void
nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
struct net *net = nf_ct_net(ct);
struct nf_conntrack_ecache *e;
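Review bot: The stub nf_ct_deliver_cached_events() added in the #else branch takes a const struct nf_conn *, while the real prototype named in the hunk header takes a plain struct nf_conn *. The two variants should have the same signature so that callers compile identically whether or not CONFIG_NF_CONNTRACK_EVENTS is set; drop the const from the stub while it is being rewritten here.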
@@ -98,31 +116,42 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
return;
set_bit(event, &e->cache);
+#endif
}
static inline int
nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
u32 portid, int report)
{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
const struct net *net = nf_ct_net(ct);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
+#else
+ return 0;
+#endif
}
static inline int
nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
const struct net *net = nf_ct_net(ct);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
+#else
+ return 0;
+#endif
}
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+
struct nf_exp_event {
struct nf_conntrack_expect *exp;
u32 portid;
@@ -148,41 +177,18 @@ void nf_conntrack_ecache_pernet_fini(struct net *net);
int nf_conntrack_ecache_init(void);
void nf_conntrack_ecache_fini(void);
-static inline void nf_conntrack_ecache_delayed_work(struct net *net)
+#else /* CONFIG_NF_CONNTRACK_EVENTS */
+
+static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
+ struct nf_conntrack_expect *exp,
+ u32 portid,
+ int report)
{
- if (!delayed_work_pending(&net->ct.ecache_dwork)) {
- schedule_delayed_work(&net->ct.ecache_dwork, HZ);
- net->ct.ecache_dwork_pending = true;
- }
}
-static inline void nf_conntrack_ecache_work(struct net *net)
+static inline void nf_conntrack_ecache_pernet_init(struct net *net)
{
- if (net->ct.ecache_dwork_pending) {
- net->ct.ecache_dwork_pending = false;
- mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0);
- }
}
-#else /* CONFIG_NF_CONNTRACK_EVENTS */
-static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
- struct nf_conn *ct) {}
-static inline int nf_conntrack_eventmask_report(unsigned int eventmask,
- struct nf_conn *ct,
- u32 portid,
- int report) { return 0; }
-static inline int nf_conntrack_event(enum ip_conntrack_events event,
- struct nf_conn *ct) { return 0; }
-static inline int nf_conntrack_event_report(enum ip_conntrack_events event,
- struct nf_conn *ct,
- u32 portid,
- int report) { return 0; }
-static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
-static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
- struct nf_conntrack_expect *exp,
- u32 portid,
- int report) {}
-
-static inline void nf_conntrack_ecache_pernet_init(struct net *net) {}
static inline void nf_conntrack_ecache_pernet_fini(struct net *net)
{
@@ -197,14 +203,26 @@ static inline void nf_conntrack_ecache_fini(void)
{
}
+#endif /* CONFIG_NF_CONNTRACK_EVENTS */
+
static inline void nf_conntrack_ecache_delayed_work(struct net *net)
{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ if (!delayed_work_pending(&net->ct.ecache_dwork)) {
+ schedule_delayed_work(&net->ct.ecache_dwork, HZ);
+ net->ct.ecache_dwork_pending = true;
+ }
+#endif
}
static inline void nf_conntrack_ecache_work(struct net *net)
{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ if (net->ct.ecache_dwork_pending) {
+ net->ct.ecache_dwork_pending = false;
+ mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0);
+ }
+#endif
}
-#endif /* CONFIG_NF_CONNTRACK_EVENTS */
#endif /*_NF_CONNTRACK_ECACHE_H*/
-
--
2.23.0.rc1
* [PATCH nf-next v2 19/30] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
A few headers contain instances of:

  #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE)

Replace them with:

  #if IS_ENABLED(CONFIG_XXX)
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter.h | 2 +-
include/linux/netfilter/ipset/ip_set_getport.h | 2 +-
include/net/netfilter/nf_conntrack_extend.h | 2 +-
include/net/netfilter/nf_nat.h | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 4c94dd4cc8d0..3bed59528fed 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -422,7 +422,7 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
}
#endif /*CONFIG_NETFILTER*/
-#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#include <linux/netfilter/nf_conntrack_zones_common.h>
extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h
index a906df06948b..d74cd112b88a 100644
--- a/include/linux/netfilter/ipset/ip_set_getport.h
+++ b/include/linux/netfilter/ipset/ip_set_getport.h
@@ -9,7 +9,7 @@
extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
__be16 *port, u8 *proto);
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
__be16 *port, u8 *proto);
#else
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 21f887c5058c..112a6f40dfaf 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -8,7 +8,7 @@
enum nf_ct_ext_id {
NF_CT_EXT_HELPER,
-#if defined(CONFIG_NF_NAT) || defined(CONFIG_NF_NAT_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT)
NF_CT_EXT_NAT,
#endif
NF_CT_EXT_SEQADJ,
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index eeb336809679..362ff94fa6b0 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -22,7 +22,7 @@ enum nf_nat_manip_type {
/* per conntrack: nat application helper private data */
union nf_conntrack_nat_help {
/* insert nat helper private data here */
-#if defined(CONFIG_NF_NAT_PPTP) || defined(CONFIG_NF_NAT_PPTP_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT_PPTP)
struct nf_nat_pptp nat_pptp_info;
#endif
};
@@ -47,7 +47,7 @@ struct nf_conn_nat *nf_ct_nat_ext_add(struct nf_conn *ct);
static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct)
{
-#if defined(CONFIG_NF_NAT) || defined(CONFIG_NF_NAT_MODULE)
+#if IS_ENABLED(CONFIG_NF_NAT)
return nf_ct_ext_find(ct, NF_CT_EXT_NAT);
#else
return NULL;
--
2.23.0.rc1
* [PATCH nf-next v2 20/30] netfilter: wrap union nf_conntrack_proto members in CONFIG_NF_CT_PROTO_* check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (18 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 19/30] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...) Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 21/30] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check Jeremy Sowden
` (10 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
dccp, sctp and gre are only used in code enabled by particular
CONFIG_NF_CT_PROTO_* options. Wrap them in the checks for those
options.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 22275f42f0bb..0673cf685741 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -33,11 +33,17 @@ struct nf_ct_udp {
/* per conntrack: protocol private data */
union nf_conntrack_proto {
/* insert conntrack proto private data here */
+#ifdef CONFIG_NF_CT_PROTO_DCCP
struct nf_ct_dccp dccp;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
struct ip_ct_sctp sctp;
+#endif
struct ip_ct_tcp tcp;
struct nf_ct_udp udp;
+#ifdef CONFIG_NF_CT_PROTO_GRE
struct nf_ct_gre gre;
+#endif
unsigned int tmpl_padto;
};
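Review bot: The three guards added inside union nf_conntrack_proto use #ifdef CONFIG_NF_CT_PROTO_*, which is true only for =y, while 19/30 of this series converts the defined(CONFIG_X) || defined(CONFIG_X_MODULE) checks to IS_ENABLED(). If any of these options can be built as a module, use #if IS_ENABLED(CONFIG_NF_CT_PROTO_DCCP) and likewise for SCTP and GRE; otherwise say in the commit message that they are bool. The size of the union now also depends on the configuration, so please build with each option off to confirm that nothing outside the matching guard touches .dccp, .sctp or .gre.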
--
2.23.0.rc1
* [PATCH nf-next v2 21/30] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (19 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 20/30] netfilter: wrap union nf_conntrack_proto members in CONFIG_NF_CT_PROTO_* check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 22/30] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check Jeremy Sowden
` (9 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_conntrack_synproxy.h contains three inline functions. The contents
of two of them are wrapped in CONFIG_NETFILTER_SYNPROXY checks and just
return NULL if it is not enabled. The third does nothing if they return
NULL, so wrap its contents as well.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_synproxy.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index c22f0c11cc82..6a3ab081e4bf 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -32,6 +32,7 @@ static inline struct nf_conn_synproxy *nfct_synproxy_ext_add(struct nf_conn *ct)
static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
const struct nf_conn *tmpl)
{
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
if (tmpl && nfct_synproxy(tmpl)) {
if (!nfct_seqadj_ext_add(ct))
return false;
@@ -39,6 +40,7 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
if (!nfct_synproxy_ext_add(ct))
return false;
}
+#endif
return true;
}
--
2.23.0.rc1
* [PATCH nf-next v2 22/30] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (20 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 21/30] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 23/30] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check Jeremy Sowden
` (8 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_ct_timeout_data is only called if CONFIG_NETFILTER_TIMEOUT is
enabled. Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the
other inline functions in nf_conntrack_timeout.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/net/netfilter/nf_conntrack_timeout.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 00a8fbb2d735..6dd72396f534 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -32,6 +32,7 @@ struct nf_conn_timeout {
static inline unsigned int *
nf_ct_timeout_data(const struct nf_conn_timeout *t)
{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
struct nf_ct_timeout *timeout;
timeout = rcu_dereference(t->timeout);
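Review bot: The guard added at the top of nf_ct_timeout_data() tests CONFIG_NF_CONNTRACK_TIMEOUT, but the subject line and the commit message both name CONFIG_NETFILTER_TIMEOUT. Please make the commit message match the symbol used in the code, so that a later search of the history for the option finds this change.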
@@ -39,6 +40,9 @@ nf_ct_timeout_data(const struct nf_conn_timeout *t)
return NULL;
return (unsigned int *)timeout->data;
+#else
+ return NULL;
+#endif
}
static inline
--
2.23.0.rc1
* [PATCH nf-next v2 23/30] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (21 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 22/30] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 24/30] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check Jeremy Sowden
` (7 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nf_conntrack_update uses nf_nat_hook to do some nat stuff. However, it
will only be not NULL if CONFIG_NF_NAT is enabled. Wrap the code in a
CONFIG_NF_NAT check to skip it altogether.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/netfilter/nf_conntrack_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 81a8ef42b88d..c597b3e8450b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1885,7 +1885,9 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_tuple tuple;
enum ip_conntrack_info ctinfo;
+#if IS_ENABLED(CONFIG_NF_NAT)
struct nf_nat_hook *nat_hook;
+#endif
unsigned int status;
struct nf_conn *ct;
int dataoff;
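Review bot: Only the nat_hook declaration is wrapped here; "unsigned int status;" on the next line stays unconditional. If status is read only inside the NAT block that the later hunks compile out, a build with CONFIG_NF_NAT disabled will warn about an unused or set-but-unused variable, so either guard it as well or confirm that it has another user.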
@@ -1935,6 +1937,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
ct = nf_ct_tuplehash_to_ctrack(h);
nf_ct_set(skb, ct, ctinfo);
+#if IS_ENABLED(CONFIG_NF_NAT)
nat_hook = rcu_dereference(nf_nat_hook);
if (!nat_hook)
return 0;
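Review bot: Opening #if IS_ENABLED(CONFIG_NF_NAT) in the middle of nf_conntrack_update() puts a preprocessor conditional inside a function body in a .c file. The existing "if (!nat_hook) return 0;" already skips the NAT work at run time when no hook is registered, so consider moving the NAT part into a small static helper with an empty stub for the disabled case and calling that here instead.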
@@ -1948,6 +1951,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_DST,
IP_CT_DIR_ORIGINAL) == NF_DROP)
return -1;
+#endif
return 0;
}
--
2.23.0.rc1
* [PATCH nf-next v2 24/30] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (22 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 23/30] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 25/30] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check Jeremy Sowden
` (6 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
nft_set_pktinfo_ipv6_validate does nothing unless CONFIG_IPV6, and
therefore by implication CONFIG_NF_TABLES_IPV6, is enabled. Wrap the
calls in a CONFIG_NF_TABLES_IPV6 check.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/netfilter/nft_chain_filter.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index b5d5d071d765..f411d9993612 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -207,9 +207,11 @@ nft_do_chain_bridge(void *priv,
case htons(ETH_P_IP):
nft_set_pktinfo_ipv4_validate(&pkt, skb);
break;
+#ifdef CONFIG_NF_TABLES_IPV6
case htons(ETH_P_IPV6):
nft_set_pktinfo_ipv6_validate(&pkt, skb);
break;
+#endif
default:
nft_set_pktinfo_unspec(&pkt, skb);
break;
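Review bot: The ETH_P_IPV6 case in nft_do_chain_bridge() is guarded by CONFIG_NF_TABLES_IPV6, but the commit message gives CONFIG_IPV6 as the condition under which nft_set_pktinfo_ipv6_validate() does something, and enabling CONFIG_IPV6 does not by itself enable CONFIG_NF_TABLES_IPV6. On a kernel with CONFIG_IPV6 on and CONFIG_NF_TABLES_IPV6 off, IPv6 frames would now fall through to default: and get nft_set_pktinfo_unspec() instead of being validated, which is a behaviour change rather than a cleanup. If that is not intended, guard on IS_ENABLED(CONFIG_IPV6); the same applies to the nft_do_chain_netdev() hunk below.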
@@ -262,9 +264,11 @@ static unsigned int nft_do_chain_netdev(void *priv, struct sk_buff *skb,
case htons(ETH_P_IP):
nft_set_pktinfo_ipv4_validate(&pkt, skb);
break;
+#ifdef CONFIG_NF_TABLES_IPV6
case htons(ETH_P_IPV6):
nft_set_pktinfo_ipv6_validate(&pkt, skb);
break;
+#endif
default:
nft_set_pktinfo_unspec(&pkt, skb);
break;
--
2.23.0.rc1
* [PATCH nf-next v2 25/30] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (23 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 24/30] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 26/30] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h Jeremy Sowden
` (5 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
struct nf_conntrack_zone is only required if CONFIG_NF_CONNTRACK.
Wrap its definition in a CONFIG_NF_CONNTRACK check.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter/nf_conntrack_zones_common.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/linux/netfilter/nf_conntrack_zones_common.h b/include/linux/netfilter/nf_conntrack_zones_common.h
index 8f3905e12a64..4596f9eb2e8f 100644
--- a/include/linux/netfilter/nf_conntrack_zones_common.h
+++ b/include/linux/netfilter/nf_conntrack_zones_common.h
@@ -13,6 +13,8 @@
#define NF_CT_FLAG_MARK 1
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
struct nf_conntrack_zone {
u16 id;
u8 flags;
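Review bot: The new #if starts after "#define NF_CT_FLAG_MARK 1", so that constant stays visible without conntrack while struct nf_conntrack_zone does not. If the split is deliberate, a sentence in the commit message would help; otherwise start the guard directly after the include guard so that the whole body of the header is covered.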
@@ -21,4 +23,6 @@ struct nf_conntrack_zone {
extern const struct nf_conntrack_zone nf_ct_zone_dflt;
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_ZONES_COMMON_H */
--
2.23.0.rc1
* [PATCH nf-next v2 26/30] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (24 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 25/30] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 27/30] netfilter: add NF_TPROXY config option Jeremy Sowden
` (4 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
The bulk of this header is already wrapped in CONFIG_NETFILTER or
CONFIG_NF_CONNTRACK checks. The last few definitions are also only
required if CONFIG_NETFILTER is enabled. Add another conditional for
that remainder.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3bed59528fed..075d48ef6a48 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -16,6 +16,7 @@
#include <net/net_namespace.h>
#ifdef CONFIG_NETFILTER
+
static inline int NF_DROP_GETERR(int verdict)
{
return -(verdict >> NF_VERDICT_QBITS);
@@ -415,11 +416,13 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
{
return 1;
}
+
struct flowi;
static inline void
nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
{
}
+
#endif /*CONFIG_NETFILTER*/
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
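Review bot: The only additions in this hunk, and in the one before it, are blank lines around the existing CONFIG_NETFILTER block. They are unrelated to the new conditional described in the commit message; drop them or mention the whitespace cleanup there.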
@@ -440,6 +443,8 @@ static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
}
#endif
+#ifdef CONFIG_NETFILTER
+
struct nf_conn;
enum ip_conntrack_info;
@@ -486,4 +491,6 @@ struct nf_bridge_frag_data {
__be16 vlan_proto;
};
+#endif /* CONFIG_NETFILTER */
+
#endif /*__LINUX_NETFILTER_H*/
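Review bot: The closing comment here is written "#endif /* CONFIG_NETFILTER */" while the existing block earlier in the same file ends with "#endif /*CONFIG_NETFILTER*/"; pick one spelling. Unlike that first block, the new one has no #else branch, so it is worth a build with CONFIG_NETFILTER disabled to confirm that no includer still needs struct nf_bridge_frag_data or the declarations above it.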
--
2.23.0.rc1
* [PATCH nf-next v2 27/30] netfilter: add NF_TPROXY config option.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (25 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 26/30] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 28/30] netfilter: add IP_SET_BITMAP " Jeremy Sowden
` (3 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Add a hidden tristate option which is selected by NF_TPROXY_IPV4 and
NF_TPROXY_IPV6. It will be used to wrap nf_tproxy.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/ipv4/netfilter/Kconfig | 1 +
net/ipv6/netfilter/Kconfig | 1 +
net/netfilter/Kconfig | 3 +++
3 files changed, 5 insertions(+)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f17b402111ce..50c02bd80ca7 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -18,6 +18,7 @@ config NF_SOCKET_IPV4
config NF_TPROXY_IPV4
tristate "IPv4 tproxy support"
+ select NF_TPROXY
if NF_TABLES
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6120a7800975..273803f008f9 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -14,6 +14,7 @@ config NF_SOCKET_IPV6
config NF_TPROXY_IPV6
tristate "IPv6 tproxy support"
+ select NF_TPROXY
if NF_TABLES
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 34ec7afec116..7118352c78c4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -439,6 +439,9 @@ config NETFILTER_SYNPROXY
endif # NF_CONNTRACK
+config NF_TPROXY
+ tristate
+
config NF_TABLES
select NETFILTER_NETLINK
tristate "Netfilter nf_tables support"
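Review bot: config NF_TPROXY is added with a bare "tristate" and nothing that says what it is for. A one-line # comment above it, stating that it is a hidden helper selected by NF_TPROXY_IPV4 and NF_TPROXY_IPV6 and used to guard nf_tproxy.h, would keep someone from removing it as unused or giving it a prompt later.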
--
2.23.0.rc1
* [PATCH nf-next v2 28/30] netfilter: add IP_SET_BITMAP config option.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (26 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 27/30] netfilter: add NF_TPROXY config option Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 29/30] netfilter: add IP_SET_HASH " Jeremy Sowden
` (2 subsequent siblings)
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Add a hidden tristate option which is selected by all the
IP_SET_BITMAP_* options. It will be used to wrap ip_set_bitmap.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/netfilter/ipset/Kconfig | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index 3c273483df23..8a5498a86df0 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -25,9 +25,13 @@ config IP_SET_MAX
The value can be overridden by the 'max_sets' module
parameter of the 'ip_set' module.
+config IP_SET_BITMAP
+ tristate
+
config IP_SET_BITMAP_IP
tristate "bitmap:ip set support"
depends on IP_SET
+ select IP_SET_BITMAP
help
This option adds the bitmap:ip set type support, by which one
can store IPv4 addresses (or network addresse) from a range.
@@ -37,6 +41,7 @@ config IP_SET_BITMAP_IP
config IP_SET_BITMAP_IPMAC
tristate "bitmap:ip,mac set support"
depends on IP_SET
+ select IP_SET_BITMAP
help
This option adds the bitmap:ip,mac set type support, by which one
can store IPv4 address and (source) MAC address pairs from a range.
@@ -46,6 +51,7 @@ config IP_SET_BITMAP_IPMAC
config IP_SET_BITMAP_PORT
tristate "bitmap:port set support"
depends on IP_SET
+ select IP_SET_BITMAP
help
This option adds the bitmap:port set type support, by which one
can store TCP/UDP port numbers from a range.
--
2.23.0.rc1
* [PATCH nf-next v2 29/30] netfilter: add IP_SET_HASH config option.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (27 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 28/30] netfilter: add IP_SET_BITMAP " Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-02 23:06 ` [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks Jeremy Sowden
2019-09-04 19:05 ` [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Pablo Neira Ayuso
30 siblings, 0 replies; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
Add a hidden tristate option which is selected by all the IP_SET_HASH_*
options. It will be used to wrap ip_set_hash.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
net/netfilter/ipset/Kconfig | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index 8a5498a86df0..56b95e859043 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -58,9 +58,13 @@ config IP_SET_BITMAP_PORT
To compile it as a module, choose M here. If unsure, say N.
+config IP_SET_HASH
+ tristate
+
config IP_SET_HASH_IP
tristate "hash:ip set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip set type support, by which one
can store arbitrary IPv4 or IPv6 addresses (or network addresses)
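Review bot: IP_SET_HASH is enabled only through the "select IP_SET_HASH" line repeated in every IP_SET_HASH_* entry, so a hash set type added later without that line could compile against an ip_set_hash.h whose body is compiled out when no other hash type is enabled. Add a comment at "config IP_SET_HASH" stating that every hash set type must select it.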
@@ -71,6 +75,7 @@ config IP_SET_HASH_IP
config IP_SET_HASH_IPMARK
tristate "hash:ip,mark set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip,mark set type support, by which one
can store IPv4/IPv6 address and mark pairs.
@@ -80,6 +85,7 @@ config IP_SET_HASH_IPMARK
config IP_SET_HASH_IPPORT
tristate "hash:ip,port set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip,port set type support, by which one
can store IPv4/IPv6 address and protocol/port pairs.
@@ -89,6 +95,7 @@ config IP_SET_HASH_IPPORT
config IP_SET_HASH_IPPORTIP
tristate "hash:ip,port,ip set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip,port,ip set type support, by which
one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
@@ -99,6 +106,7 @@ config IP_SET_HASH_IPPORTIP
config IP_SET_HASH_IPPORTNET
tristate "hash:ip,port,net set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip,port,net set type support, by which
one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
@@ -109,6 +117,7 @@ config IP_SET_HASH_IPPORTNET
config IP_SET_HASH_IPMAC
tristate "hash:ip,mac set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:ip,mac set type support, by which
one can store IPv4/IPv6 address and MAC (ethernet address) pairs in a set.
@@ -118,6 +127,7 @@ config IP_SET_HASH_IPMAC
config IP_SET_HASH_MAC
tristate "hash:mac set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:mac set type support, by which
one can store MAC (ethernet address) elements in a set.
@@ -127,6 +137,7 @@ config IP_SET_HASH_MAC
config IP_SET_HASH_NETPORTNET
tristate "hash:net,port,net set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:net,port,net set type support, by which
one can store two IPv4/IPv6 subnets, and a protocol/port in a set.
@@ -136,6 +147,7 @@ config IP_SET_HASH_NETPORTNET
config IP_SET_HASH_NET
tristate "hash:net set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:net set type support, by which
one can store IPv4/IPv6 network address/prefix elements in a set.
@@ -145,6 +157,7 @@ config IP_SET_HASH_NET
config IP_SET_HASH_NETNET
tristate "hash:net,net set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:net,net set type support, by which
one can store IPv4/IPv6 network address/prefix pairs in a set.
@@ -154,6 +167,7 @@ config IP_SET_HASH_NETNET
config IP_SET_HASH_NETPORT
tristate "hash:net,port set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:net,port set type support, by which
one can store IPv4/IPv6 network address/prefix and
@@ -164,6 +178,7 @@ config IP_SET_HASH_NETPORT
config IP_SET_HASH_NETIFACE
tristate "hash:net,iface set support"
depends on IP_SET
+ select IP_SET_HASH
help
This option adds the hash:net,iface set type support, by which
one can store IPv4/IPv6 network address/prefix and
--
2.23.0.rc1
* [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (28 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 29/30] netfilter: add IP_SET_HASH " Jeremy Sowden
@ 2019-09-02 23:06 ` Jeremy Sowden
2019-09-04 13:50 ` kbuild test robot
2019-09-04 19:05 ` [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Pablo Neira Ayuso
30 siblings, 1 reply; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-02 23:06 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal; +Cc: Netfilter Devel
These headers are only required if some config option is enabled. Wrap
each one in a check for that option.
This allows us to remove existing CONFIG checks wrapping smaller
sections of code.
In cases where a header includes a related uapi header, we leave that
inclusion outside the conditional in order to avoid having to update
inclusions in other parts of the kernel.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/linux/netfilter/ipset/ip_set.h | 7 ++++++-
include/linux/netfilter/ipset/ip_set_bitmap.h | 4 ++++
.../linux/netfilter/ipset/ip_set_getport.h | 4 ++++
include/linux/netfilter/ipset/ip_set_hash.h | 3 +++
include/linux/netfilter/ipset/ip_set_list.h | 3 +++
include/linux/netfilter/ipset/pfxlen.h | 4 ++++
include/linux/netfilter/nf_conntrack_amanda.h | 6 ++++++
include/linux/netfilter/nf_conntrack_common.h | 4 ++++
include/linux/netfilter/nf_conntrack_dccp.h | 4 ++++
include/linux/netfilter/nf_conntrack_ftp.h | 8 +++++++-
include/linux/netfilter/nf_conntrack_h323.h | 4 ++++
.../linux/netfilter/nf_conntrack_h323_asn1.h | 4 ++++
.../linux/netfilter/nf_conntrack_h323_types.h | 4 ++++
include/linux/netfilter/nf_conntrack_irc.h | 4 ++++
include/linux/netfilter/nf_conntrack_pptp.h | 4 ++++
.../linux/netfilter/nf_conntrack_proto_gre.h | 6 ++++++
include/linux/netfilter/nf_conntrack_sane.h | 5 +++++
include/linux/netfilter/nf_conntrack_sctp.h | 5 +++++
include/linux/netfilter/nf_conntrack_sip.h | 4 ++++
include/linux/netfilter/nf_conntrack_snmp.h | 4 ++++
include/linux/netfilter/nf_conntrack_tcp.h | 3 +++
include/linux/netfilter/nf_conntrack_tftp.h | 4 ++++
.../netfilter/nf_conntrack_zones_common.h | 4 ++++
include/linux/netfilter/nfnetlink.h | 7 ++++++-
include/linux/netfilter/nfnetlink_acct.h | 6 ++++++
include/linux/netfilter/nfnetlink_osf.h | 4 ++++
include/linux/netfilter/x_tables.h | 13 ++++++-------
include/linux/netfilter_arp/arp_tables.h | 8 +++++++-
include/linux/netfilter_bridge/ebtables.h | 10 +++++++---
include/linux/netfilter_ipv4.h | 4 ++++
include/linux/netfilter_ipv4/ip_tables.h | 15 ++++++++-------
include/linux/netfilter_ipv6/ip6_tables.h | 13 ++++++++-----
include/net/netfilter/br_netfilter.h | 14 ++++----------
.../net/netfilter/ipv4/nf_conntrack_ipv4.h | 4 ++++
include/net/netfilter/ipv4/nf_defrag_ipv4.h | 4 ++++
include/net/netfilter/ipv4/nf_dup_ipv4.h | 4 ++++
include/net/netfilter/ipv4/nf_reject.h | 4 ++++
.../net/netfilter/ipv6/nf_conntrack_ipv6.h | 4 ++++
include/net/netfilter/ipv6/nf_defrag_ipv6.h | 4 ++++
include/net/netfilter/ipv6/nf_dup_ipv6.h | 4 ++++
include/net/netfilter/ipv6/nf_reject.h | 4 ++++
include/net/netfilter/nf_conntrack.h | 14 ++++----------
include/net/netfilter/nf_conntrack_acct.h | 17 +++++------------
include/net/netfilter/nf_conntrack_bridge.h | 6 ++++--
include/net/netfilter/nf_conntrack_core.h | 19 ++++++++++++-------
include/net/netfilter/nf_conntrack_count.h | 4 ++++
include/net/netfilter/nf_conntrack_ecache.h | 10 +++++++---
include/net/netfilter/nf_conntrack_expect.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 6 +++++-
include/net/netfilter/nf_conntrack_helper.h | 6 ++++++
include/net/netfilter/nf_conntrack_l4proto.h | 7 +++++--
include/net/netfilter/nf_conntrack_labels.h | 4 ++++
include/net/netfilter/nf_conntrack_seqadj.h | 4 ++++
include/net/netfilter/nf_conntrack_synproxy.h | 4 ++++
include/net/netfilter/nf_conntrack_timeout.h | 4 ++++
.../net/netfilter/nf_conntrack_timestamp.h | 6 +++++-
include/net/netfilter/nf_conntrack_tuple.h | 6 ++++--
include/net/netfilter/nf_dup_netdev.h | 4 ++++
include/net/netfilter/nf_flow_table.h | 8 ++++----
include/net/netfilter/nf_log.h | 4 ++++
include/net/netfilter/nf_nat.h | 9 +++++----
include/net/netfilter/nf_nat_helper.h | 5 +++++
include/net/netfilter/nf_nat_masquerade.h | 4 ++++
include/net/netfilter/nf_nat_redirect.h | 4 ++++
include/net/netfilter/nf_queue.h | 8 ++++----
include/net/netfilter/nf_reject.h | 4 ++++
include/net/netfilter/nf_socket.h | 4 ++++
include/net/netfilter/nf_synproxy.h | 8 ++++----
include/net/netfilter/nf_tables.h | 17 +++++------------
include/net/netfilter/nf_tables_core.h | 5 +++++
include/net/netfilter/nf_tables_ipv4.h | 4 ++++
include/net/netfilter/nf_tables_ipv6.h | 10 +++++-----
include/net/netfilter/nf_tables_offload.h | 4 ++++
include/net/netfilter/nf_tproxy.h | 4 ++++
include/net/netfilter/nft_fib.h | 5 +++++
include/net/netfilter/nft_meta.h | 4 ++++
include/net/netfilter/nft_reject.h | 4 ++++
include/net/netfilter/xt_rateest.h | 4 ++++
78 files changed, 363 insertions(+), 111 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 9bc255a8461b..2884511700a0 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -7,6 +7,10 @@
#ifndef _IP_SET_H
#define _IP_SET_H
+#include <uapi/linux/netfilter/ipset/ip_set.h>
+
+#if IS_ENABLED(CONFIG_IP_SET)
+
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/netlink.h>
@@ -15,7 +19,6 @@
#include <linux/stringify.h>
#include <linux/vmalloc.h>
#include <net/netlink.h>
-#include <uapi/linux/netfilter/ipset/ip_set.h>
#define _IP_SET_MODULE_DESC(a, b, c) \
MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -698,4 +701,6 @@ ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
#define IPSET_CONCAT(a, b) a##b
#define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b)
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
#endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h
index 2dddbc6dcac7..4a7d0dd68cd3 100644
--- a/include/linux/netfilter/ipset/ip_set_bitmap.h
+++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -4,6 +4,8 @@
#include <uapi/linux/netfilter/ipset/ip_set_bitmap.h>
+#if IS_ENABLED(CONFIG_IP_SET_BITMAP)
+
#define IPSET_BITMAP_MAX_RANGE 0x0000FFFF
enum {
@@ -26,4 +28,6 @@ range_to_mask(u32 from, u32 to, u8 *bits)
return mask;
}
+#endif /* IS_ENABLED(CONFIG_IP_SET_BITMAP) */
+
#endif /* __IP_SET_BITMAP_H */
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h
index d74cd112b88a..d47b5a2104b3 100644
--- a/include/linux/netfilter/ipset/ip_set_getport.h
+++ b/include/linux/netfilter/ipset/ip_set_getport.h
@@ -2,6 +2,8 @@
#ifndef _IP_SET_GETPORT_H
#define _IP_SET_GETPORT_H
+#if IS_ENABLED(CONFIG_IP_SET)
+
#include <linux/skbuff.h>
#include <linux/types.h>
#include <uapi/linux/in.h>
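Review bot: The #if is placed above the #include lines, so linux/skbuff.h, linux/types.h and uapi/linux/in.h are no longer pulled in through this header when CONFIG_IP_SET is off. Any file that includes it and relies on it for those definitions will stop building in that configuration. Either keep the includes above the guard, as the commit message describes for the related uapi headers, or confirm with a build that has CONFIG_IP_SET disabled that there is no such includer.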
@@ -35,4 +37,6 @@ static inline bool ip_set_proto_with_ports(u8 proto)
return false;
}
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
#endif /*_IP_SET_GETPORT_H*/
diff --git a/include/linux/netfilter/ipset/ip_set_hash.h b/include/linux/netfilter/ipset/ip_set_hash.h
index 838abab672af..fa0cdf8ee8b8 100644
--- a/include/linux/netfilter/ipset/ip_set_hash.h
+++ b/include/linux/netfilter/ipset/ip_set_hash.h
@@ -4,6 +4,7 @@
#include <uapi/linux/netfilter/ipset/ip_set_hash.h>
+#if IS_ENABLED(CONFIG_IP_SET_HASH)
#define IPSET_DEFAULT_HASHSIZE 1024
#define IPSET_MIMINAL_HASHSIZE 64
@@ -11,4 +12,6 @@
#define IPSET_DEFAULT_PROBES 4
#define IPSET_DEFAULT_RESIZE 100
+#endif /* IS_ENABLED(CONFIG_IP_SET_HASH) */
+
#endif /* __IP_SET_HASH_H */
diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h
index a61fe2a7e655..180b6549f811 100644
--- a/include/linux/netfilter/ipset/ip_set_list.h
+++ b/include/linux/netfilter/ipset/ip_set_list.h
@@ -4,9 +4,12 @@
#include <uapi/linux/netfilter/ipset/ip_set_list.h>
+#if IS_ENABLED(CONFIG_IP_SET_LIST_SET)
#define IP_SET_LIST_DEFAULT_SIZE 8
#define IP_SET_LIST_MIN_SIZE 4
#define IP_SET_LIST_MAX_SIZE 65536
+#endif /* IS_ENABLED(CONFIG_IP_SET_LIST_SET) */
+
#endif /* __IP_SET_LIST_H */
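Review bot: After its uapi include this header holds only three #define constants, so wrapping them in IS_ENABLED(CONFIG_IP_SET_LIST_SET) saves nothing at compile time and adds a way for an includer to lose them; consider leaving this header unguarded. If the guard stays, add a blank line after the #if to match the other headers in this patch.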
diff --git a/include/linux/netfilter/ipset/pfxlen.h b/include/linux/netfilter/ipset/pfxlen.h
index f59094e6158b..7b9408e911e1 100644
--- a/include/linux/netfilter/ipset/pfxlen.h
+++ b/include/linux/netfilter/ipset/pfxlen.h
@@ -2,6 +2,8 @@
#ifndef _PFXLEN_H
#define _PFXLEN_H
+#if IS_ENABLED(CONFIG_IP_SET)
+
#include <asm/byteorder.h>
#include <linux/netfilter.h>
#include <net/tcp.h>
@@ -51,4 +53,6 @@ ip6_netmask(union nf_inet_addr *ip, u8 prefix)
ip->ip6[3] &= ip_set_netmask6(prefix)[3];
}
+#endif /* IS_ENABLED(CONFIG_IP_SET) */
+
#endif /*_PFXLEN_H */
diff --git a/include/linux/netfilter/nf_conntrack_amanda.h b/include/linux/netfilter/nf_conntrack_amanda.h
index 6f0ac896fcc9..8a4ac5fe25d0 100644
--- a/include/linux/netfilter/nf_conntrack_amanda.h
+++ b/include/linux/netfilter/nf_conntrack_amanda.h
@@ -1,8 +1,11 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_CONNTRACK_AMANDA_H
#define _NF_CONNTRACK_AMANDA_H
+
/* AMANDA tracking. */
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_AMANDA)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_expect.h>
@@ -13,4 +16,7 @@ extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_AMANDA) */
+
#endif /* _NF_CONNTRACK_AMANDA_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index e142b2b5f1ea..31d10682abbe 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -4,6 +4,8 @@
#include <uapi/linux/netfilter/nf_conntrack_common.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
struct ip_conntrack_stat {
unsigned int found;
unsigned int invalid;
@@ -19,4 +21,6 @@ struct ip_conntrack_stat {
unsigned int search_restart;
};
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_dccp.h b/include/linux/netfilter/nf_conntrack_dccp.h
index c509ed76e714..80245ff88321 100644
--- a/include/linux/netfilter/nf_conntrack_dccp.h
+++ b/include/linux/netfilter/nf_conntrack_dccp.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_DCCP_H
#define _NF_CONNTRACK_DCCP_H
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+
/* Exposed to userspace over nfnetlink */
enum ct_dccp_states {
CT_DCCP_NONE,
@@ -35,4 +37,6 @@ struct nf_ct_dccp {
u_int64_t handshake_seq;
};
+#endif
+
#endif /* _NF_CONNTRACK_DCCP_H */
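Review bot: The #endif added in this hunk has no trailing comment naming the condition it closes, unlike most of the guards added elsewhere in this patch. Suggest "#endif /* CONFIG_NF_CT_PROTO_DCCP */" so the two consecutive #endif lines at the end of the file stay easy to tell apart.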
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 0e38302820b9..0d1bb4c15f48 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -2,11 +2,14 @@
#ifndef _NF_CONNTRACK_FTP_H
#define _NF_CONNTRACK_FTP_H
+#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_FTP)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <net/netfilter/nf_conntrack_expect.h>
-#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
#define FTP_PORT 21
@@ -33,4 +36,7 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_FTP) */
+
#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_h323.h b/include/linux/netfilter/nf_conntrack_h323.h
index 4561ec0fcea4..6435ee527637 100644
--- a/include/linux/netfilter/nf_conntrack_h323.h
+++ b/include/linux/netfilter/nf_conntrack_h323.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_H323_H
#define _NF_CONNTRACK_H323_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
@@ -94,4 +96,6 @@ extern int (*nat_q931_hook) (struct sk_buff *skb, struct nf_conn *ct,
int idx, __be16 port,
struct nf_conntrack_expect *exp);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
#endif
diff --git a/include/linux/netfilter/nf_conntrack_h323_asn1.h b/include/linux/netfilter/nf_conntrack_h323_asn1.h
index bd6797f823b2..37aa39e22e9d 100644
--- a/include/linux/netfilter/nf_conntrack_h323_asn1.h
+++ b/include/linux/netfilter/nf_conntrack_h323_asn1.h
@@ -34,6 +34,8 @@
#ifndef _NF_CONNTRACK_HELPER_H323_ASN1_H_
#define _NF_CONNTRACK_HELPER_H323_ASN1_H_
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
/*****************************************************************************
* H.323 Types
****************************************************************************/
@@ -94,4 +96,6 @@ int DecodeMultimediaSystemControlMessage(unsigned char *buf, size_t sz,
MultimediaSystemControlMessage *
mscm);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
#endif
diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/include/linux/netfilter/nf_conntrack_h323_types.h
index 74c6f9241944..4027361eb1c4 100644
--- a/include/linux/netfilter/nf_conntrack_h323_types.h
+++ b/include/linux/netfilter/nf_conntrack_h323_types.h
@@ -7,6 +7,8 @@
#ifndef _NF_CONNTRACK_H323_TYPES_H
#define _NF_CONNTRACK_H323_TYPES_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_H323)
+
typedef struct TransportAddress_ipAddress { /* SEQUENCE */
int options; /* No use */
unsigned int ip;
@@ -935,4 +937,6 @@ typedef struct RasMessage { /* CHOICE */
};
} RasMessage;
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_H323) */
+
#endif /* _NF_CONNTRACK_H323_TYPES_H */
diff --git a/include/linux/netfilter/nf_conntrack_irc.h b/include/linux/netfilter/nf_conntrack_irc.h
index d02255f721e1..2ca66e71ccef 100644
--- a/include/linux/netfilter/nf_conntrack_irc.h
+++ b/include/linux/netfilter/nf_conntrack_irc.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_IRC_H
#define _NF_CONNTRACK_IRC_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_IRC)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_expect.h>
@@ -15,4 +17,6 @@ extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_IRC) */
+
#endif /* _NF_CONNTRACK_IRC_H */
diff --git a/include/linux/netfilter/nf_conntrack_pptp.h b/include/linux/netfilter/nf_conntrack_pptp.h
index fcc409de31a4..c8e300be2b4c 100644
--- a/include/linux/netfilter/nf_conntrack_pptp.h
+++ b/include/linux/netfilter/nf_conntrack_pptp.h
@@ -3,6 +3,8 @@
#ifndef _NF_CONNTRACK_PPTP_H
#define _NF_CONNTRACK_PPTP_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_PPTP)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
@@ -322,4 +324,6 @@ extern void
(*nf_nat_pptp_hook_expectfn)(struct nf_conn *ct,
struct nf_conntrack_expect *exp);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_PPTP) */
+
#endif /* _NF_CONNTRACK_PPTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_proto_gre.h b/include/linux/netfilter/nf_conntrack_proto_gre.h
index f33aa6021364..0ee9fe25043c 100644
--- a/include/linux/netfilter/nf_conntrack_proto_gre.h
+++ b/include/linux/netfilter/nf_conntrack_proto_gre.h
@@ -1,6 +1,9 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _CONNTRACK_PROTO_GRE_H
#define _CONNTRACK_PROTO_GRE_H
+
+#ifdef CONFIG_NF_CT_PROTO_GRE
+
#include <asm/byteorder.h>
#include <net/gre.h>
#include <net/pptp.h>
@@ -31,4 +34,7 @@ void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct net *net, struct nf_conntrack_tuple *tuple);
+
+#endif /* CONFIG_NF_CT_PROTO_GRE */
+
#endif /* _CONNTRACK_PROTO_GRE_H */
diff --git a/include/linux/netfilter/nf_conntrack_sane.h b/include/linux/netfilter/nf_conntrack_sane.h
index 46c7acd1b4a7..d091f2ad567e 100644
--- a/include/linux/netfilter/nf_conntrack_sane.h
+++ b/include/linux/netfilter/nf_conntrack_sane.h
@@ -1,8 +1,11 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_CONNTRACK_SANE_H
#define _NF_CONNTRACK_SANE_H
+
/* SANE tracking. */
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SANE)
+
#define SANE_PORT 6566
enum sane_state {
@@ -15,4 +18,6 @@ struct nf_ct_sane_master {
enum sane_state state;
};
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SANE) */
+
#endif /* _NF_CONNTRACK_SANE_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
index 9a33f171aa82..4531a33e6182 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -1,14 +1,19 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_CONNTRACK_SCTP_H
#define _NF_CONNTRACK_SCTP_H
+
/* SCTP tracking. */
#include <uapi/linux/netfilter/nf_conntrack_sctp.h>
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+
struct ip_ct_sctp {
enum sctp_conntrack state;
__be32 vtag[IP_CT_DIR_MAX];
};
+#endif /* CONFIG_NF_CT_PROTO_SCTP */
+
#endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index c620521c42bc..b4b4d9f6f168 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -2,6 +2,8 @@
#ifndef __NF_CONNTRACK_SIP_H__
#define __NF_CONNTRACK_SIP_H__
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SIP)
+
#include <linux/skbuff.h>
#include <linux/types.h>
#include <net/netfilter/nf_conntrack_expect.h>
@@ -195,4 +197,6 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
enum sdp_header_types term,
unsigned int *matchoff, unsigned int *matchlen);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SIP) */
+
#endif /* __NF_CONNTRACK_SIP_H__ */
diff --git a/include/linux/netfilter/nf_conntrack_snmp.h b/include/linux/netfilter/nf_conntrack_snmp.h
index 87e4f33eb55f..276328ed68f7 100644
--- a/include/linux/netfilter/nf_conntrack_snmp.h
+++ b/include/linux/netfilter/nf_conntrack_snmp.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_SNMP_H
#define _NF_CONNTRACK_SNMP_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_SNMP)
+
#include <linux/netfilter.h>
#include <linux/skbuff.h>
@@ -10,4 +12,6 @@ extern int (*nf_nat_snmp_hook)(struct sk_buff *skb,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_SNMP) */
+
#endif /* _NF_CONNTRACK_SNMP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index f9e3a663037b..136cbd3999f8 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -4,6 +4,7 @@
#include <uapi/linux/netfilter/nf_conntrack_tcp.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
struct ip_ct_tcp_state {
u_int32_t td_end; /* max of seq + len */
@@ -30,4 +31,6 @@ struct ip_ct_tcp {
u_int8_t last_flags; /* Last flags set */
};
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tftp.h b/include/linux/netfilter/nf_conntrack_tftp.h
index dc4c1b9beac0..6db39d3501bb 100644
--- a/include/linux/netfilter/nf_conntrack_tftp.h
+++ b/include/linux/netfilter/nf_conntrack_tftp.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_TFTP_H
#define _NF_CONNTRACK_TFTP_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK_TFTP)
+
#define TFTP_PORT 69
#include <linux/netfilter.h>
@@ -23,4 +25,6 @@ extern unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
struct nf_conntrack_expect *exp);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK_TFTP) */
+
#endif /* _NF_CONNTRACK_TFTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_zones_common.h b/include/linux/netfilter/nf_conntrack_zones_common.h
index 4596f9eb2e8f..d92b2c77ee82 100644
--- a/include/linux/netfilter/nf_conntrack_zones_common.h
+++ b/include/linux/netfilter/nf_conntrack_zones_common.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_ZONES_COMMON_H
#define _NF_CONNTRACK_ZONES_COMMON_H
+#ifdef CONFIG_NETFILTER
+
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
#define NF_CT_DEFAULT_ZONE_ID 0
@@ -25,4 +27,6 @@ extern const struct nf_conntrack_zone nf_ct_zone_dflt;
#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+#endif /* CONFIG_NETFILTER */
+
#endif /* _NF_CONNTRACK_ZONES_COMMON_H */
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index cf09ab37b45b..97fac10f8199 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -2,10 +2,13 @@
#ifndef _NFNETLINK_H
#define _NFNETLINK_H
+#include <uapi/linux/netfilter/nfnetlink.h>
+
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK)
+
#include <linux/netlink.h>
#include <linux/capability.h>
#include <net/netlink.h>
-#include <uapi/linux/netfilter/nfnetlink.h>
struct nfnl_callback {
int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
@@ -65,4 +68,6 @@ static inline bool lockdep_nfnl_is_held(__u8 subsys_id)
#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK) */
+
#endif /* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index beee8bffe49e..c4f11f056af4 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -3,6 +3,9 @@
#define _NFNL_ACCT_H_
#include <uapi/linux/netfilter/nfnetlink_acct.h>
+
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT)
+
#include <net/net_namespace.h>
enum {
@@ -17,4 +20,7 @@ struct nf_acct *nfnl_acct_find_get(struct net *net, const char *filter_name);
void nfnl_acct_put(struct nf_acct *acct);
void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
int nfnl_acct_overquota(struct net *net, struct nf_acct *nfacct);
+
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT) */
+
#endif /* _NFNL_ACCT_H */
diff --git a/include/linux/netfilter/nfnetlink_osf.h b/include/linux/netfilter/nfnetlink_osf.h
index 788613f36935..0e23e7ee4cd4 100644
--- a/include/linux/netfilter/nfnetlink_osf.h
+++ b/include/linux/netfilter/nfnetlink_osf.h
@@ -4,6 +4,8 @@
#include <uapi/linux/netfilter/nfnetlink_osf.h>
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_OSF)
+
enum osf_fmatch_states {
/* Packet does not match the fingerprint */
FMATCH_WRONG = 0,
@@ -35,4 +37,6 @@ bool nf_osf_find(const struct sk_buff *skb,
const struct list_head *nf_osf_fingers,
const int ttl_check, struct nf_osf_data *data);
+#endif /* IS_ENABLED(CONFIG_NETFILTER_NETLINK_OSF) */
+
#endif /* _NFOSF_H */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b9bc25f57c8e..65216379a398 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -2,11 +2,13 @@
#ifndef _X_TABLES_H
#define _X_TABLES_H
+#include <uapi/linux/netfilter/x_tables.h>
+
+#ifdef CONFIG_NETFILTER
#include <linux/netdevice.h>
#include <linux/static_key.h>
#include <linux/netfilter.h>
-#include <uapi/linux/netfilter/x_tables.h>
/* Test a struct->invflags and a boolean for inequality */
#define NF_INVF(ptr, flag, boolean) \
@@ -35,15 +37,12 @@ struct xt_action_param {
union {
const void *matchinfo, *targinfo;
};
-#if IS_ENABLED(CONFIG_NETFILTER)
const struct nf_hook_state *state;
-#endif
int fragoff;
unsigned int thoff;
bool hotdrop;
};
-#if IS_ENABLED(CONFIG_NETFILTER)
static inline struct net *xt_net(const struct xt_action_param *par)
{
return par->state->net;
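Review bot: With the inner "#if IS_ENABLED(CONFIG_NETFILTER)" around the state member removed here and the whole header now under "#ifdef CONFIG_NETFILTER", struct xt_action_param is no longer defined at all in a CONFIG_NETFILTER=n build, where it used to be defined without state. Please confirm that nothing built without CONFIG_NETFILTER still needs the struct or the xt_*() accessors. Style: the removed guards used IS_ENABLED() and the new outer one uses #ifdef; one form throughout the series would read better.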
@@ -78,7 +77,6 @@ static inline u_int8_t xt_family(const struct xt_action_param *par)
{
return par->state->pf;
}
-#endif
/**
* struct xt_mtchk_param - parameters for match extensions'
@@ -450,9 +448,7 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
return cnt;
}
-#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
-#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -536,4 +532,7 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,
unsigned int next_offset);
#endif /* CONFIG_COMPAT */
+
+#endif /* CONFIG_NETFILTER */
+
#endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 1b7b35bb9c27..24e473120493 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -9,11 +9,14 @@
#ifndef _ARPTABLES_H
#define _ARPTABLES_H
+#include <uapi/linux/netfilter_arp/arp_tables.h>
+
+#ifdef CONFIG_NETFILTER_FAMILY_ARP
+
#include <linux/if.h>
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/skbuff.h>
-#include <uapi/linux/netfilter_arp/arp_tables.h>
/* Standard entry. */
struct arpt_standard {
@@ -79,4 +82,7 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
}
#endif /* CONFIG_COMPAT */
+
+#endif /* CONFIG_NETFILTER_FAMILY_ARP */
+
#endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index b5b2d371f0ef..d12a175a7b9a 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -13,9 +13,12 @@
#ifndef __LINUX_BRIDGE_EFF_H
#define __LINUX_BRIDGE_EFF_H
+#include <uapi/linux/netfilter_bridge/ebtables.h>
+
+#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+
#include <linux/if.h>
#include <linux/if_ether.h>
-#include <uapi/linux/netfilter_bridge/ebtables.h>
struct ebt_match {
struct list_head list;
@@ -105,7 +108,7 @@ struct ebt_table {
#define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
~(__alignof__(struct _xt_align)-1))
-#if IS_ENABLED(CONFIG_NETFILTER)
+
extern int ebt_register_table(struct net *net,
const struct ebt_table *table,
const struct nf_hook_ops *ops,
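Review bot: The removed "#if IS_ENABLED(CONFIG_NETFILTER)" before ebt_register_table() is replaced by an added empty line rather than simply deleted, while the matching #endif in the next hunk is deleted outright. If the EBT_ALIGN() definition above is already followed by a blank line, this leaves two consecutive blank lines; dropping the added line keeps the hunk a pure removal.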
@@ -115,7 +118,6 @@ extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
extern unsigned int ebt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct ebt_table *table);
-#endif
/* True if the hook mask denotes that the rule is in a base chain,
* used in the check() functions */
@@ -128,4 +130,6 @@ static inline bool ebt_invalid_target(int target)
return (target < -NUM_STANDARD_TARGETS || target >= 0);
}
+#endif /* CONFIG_NETFILTER_FAMILY_BRIDGE */
+
#endif
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index cab891485752..ed8f17ae1fed 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -7,6 +7,8 @@
#include <uapi/linux/netfilter_ipv4.h>
+#ifdef CONFIG_NETFILTER
+
/* Extra routing may needed on local out, as the QUEUE target never returns
* control to the table.
*/
@@ -39,4 +41,6 @@ static inline int nf_ip_route(struct net *net, struct dst_entry **dst,
}
#endif /* CONFIG_INET */
+#endif /* CONFIG_NETFILTER */
+
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 0b0d43ad9ed9..b9eb9165a7cb 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -15,21 +15,21 @@
#ifndef _IPTABLES_H
#define _IPTABLES_H
+#include <uapi/linux/netfilter_ipv4/ip_tables.h>
+
+#if IS_ENABLED(CONFIG_IP_NF_IPTABLES)
+
#include <linux/if.h>
#include <linux/in.h>
+#include <linux/init.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
-#include <linux/init.h>
-#include <uapi/linux/netfilter_ipv4/ip_tables.h>
-
-#if IS_ENABLED(CONFIG_NETFILTER)
int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
-#endif
/* Standard entry. */
struct ipt_standard {
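Review bot: The condition covering ipt_register_table() and ipt_unregister_table() narrows in this hunk from CONFIG_NETFILTER to CONFIG_IP_NF_IPTABLES, so the commit message should state that no user of these prototypes is built without CONFIG_IP_NF_IPTABLES. Separately, moving "#include <linux/init.h>" up between in.h and ip.h is a sort-order cleanup unrelated to the guard; please split it out or mention it in the changelog.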
@@ -65,11 +65,9 @@ struct ipt_error {
}
extern void *ipt_alloc_initial_table(const struct xt_table *);
-#if IS_ENABLED(CONFIG_NETFILTER)
extern unsigned int ipt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
-#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -92,4 +90,7 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
}
#endif /* CONFIG_COMPAT */
+
+#endif /* IS_ENABLED(CONFIG_IP_NF_IPTABLES) */
+
#endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 3a0a2bd054cc..3fbff8334ef0 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -15,17 +15,18 @@
#ifndef _IP6_TABLES_H
#define _IP6_TABLES_H
+#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
+
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+
#include <linux/if.h>
#include <linux/in6.h>
+#include <linux/init.h>
#include <linux/ipv6.h>
#include <linux/skbuff.h>
-#include <linux/init.h>
-#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
-
extern void *ip6t_alloc_initial_table(const struct xt_table *);
-#if IS_ENABLED(CONFIG_NETFILTER)
int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct ip6t_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
@@ -34,7 +35,6 @@ void ip6t_unregister_table(struct net *net, struct xt_table *table,
extern unsigned int ip6t_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
-#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -56,4 +56,7 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
}
#endif /* CONFIG_COMPAT */
+
+#endif /* IS_ENABLED(CONFIG_IP6_NF_IPTABLES) */
+
#endif /* _IP6_TABLES_H */
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 2a613c84d49f..e08126b3fa92 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -2,22 +2,20 @@
#ifndef _BR_NETFILTER_H_
#define _BR_NETFILTER_H_
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+
#include <linux/netfilter.h>
#include "../../../net/bridge/br_private.h"
static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
{
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
if (b)
memset(b, 0, sizeof(*b));
return b;
-#else
- return NULL;
-#endif
}
void nf_bridge_update_protocol(struct sk_buff *skb);
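Review bot: Dropping the "#else return NULL;" branch from nf_bridge_alloc() changes what a CONFIG_BRIDGE_NETFILTER=n build sees: the function used to exist as a stub returning NULL and now is not declared at all, and the same happens to bridge_parent_rtable() in the next hunk. Please confirm that every file including this header is only built when CONFIG_BRIDGE_NETFILTER is enabled, or keep the stubs in an #else branch of the new outer guard, and note which configurations were build-tested.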
@@ -42,20 +40,15 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
struct net_bridge_port *port;
port = br_port_get_rcu(dev);
return port ? &port->br->fake_rtable : NULL;
-#else
- return NULL;
-#endif
}
struct net_device *setup_pre_routing(struct sk_buff *skb,
const struct net *net);
-#if IS_ENABLED(CONFIG_NETFILTER)
#if IS_ENABLED(CONFIG_IPV6)
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
unsigned int br_nf_pre_routing_ipv6(void *priv,
@@ -74,6 +67,7 @@ br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
return NF_ACCEPT;
}
#endif
-#endif
+
+#endif /* IS_ENABLED(CONFIG_BRIDGE_NETFILTER) */
#endif /* _BR_NETFILTER_H_ */
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 2c8c2b023848..1841b1f8ffe1 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -10,6 +10,8 @@
#ifndef _NF_CONNTRACK_IPV4_H
#define _NF_CONNTRACK_IPV4_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp;
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp;
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
@@ -26,4 +28,6 @@ extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite;
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre;
#endif
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /*_NF_CONNTRACK_IPV4_H*/
diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
index bcbd724cc048..d052d75fb9a9 100644
--- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
@@ -2,7 +2,11 @@
#ifndef _NF_DEFRAG_IPV4_H
#define _NF_DEFRAG_IPV4_H
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
+
struct net;
int nf_defrag_ipv4_enable(struct net *);
+#endif
+
#endif /* _NF_DEFRAG_IPV4_H */
diff --git a/include/net/netfilter/ipv4/nf_dup_ipv4.h b/include/net/netfilter/ipv4/nf_dup_ipv4.h
index a2bc16cdbcd3..e3655d9f4650 100644
--- a/include/net/netfilter/ipv4/nf_dup_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_dup_ipv4.h
@@ -2,10 +2,14 @@
#ifndef _NF_DUP_IPV4_H_
#define _NF_DUP_IPV4_H_
+#if IS_ENABLED(CONFIG_NF_DUP_IPV4)
+
#include <linux/skbuff.h>
#include <uapi/linux/in.h>
void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in_addr *gw, int oif);
+#endif /* IS_ENABLED(CONFIG_NF_DUP_IPV4) */
+
#endif /* _NF_DUP_IPV4_H_ */
diff --git a/include/net/netfilter/ipv4/nf_reject.h b/include/net/netfilter/ipv4/nf_reject.h
index 40e0e0623f46..7f0a76278c94 100644
--- a/include/net/netfilter/ipv4/nf_reject.h
+++ b/include/net/netfilter/ipv4/nf_reject.h
@@ -2,6 +2,8 @@
#ifndef _IPV4_NF_REJECT_H
#define _IPV4_NF_REJECT_H
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV4)
+
#include <linux/skbuff.h>
#include <net/ip.h>
#include <net/icmp.h>
@@ -18,4 +20,6 @@ struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,
const struct tcphdr *oth);
+#endif /* IS_ENABLED(CONFIG_NF_REJECT_IPV4) */
+
#endif /* _IPV4_NF_REJECT_H */
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index 7b3c873f8839..73dfa7d42169 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -2,9 +2,13 @@
#ifndef _NF_CONNTRACK_IPV6_H
#define _NF_CONNTRACK_IPV6_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
#include <linux/sysctl.h>
extern struct ctl_table nf_ct_ipv6_sysctl_table[];
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_IPV6_H*/
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index 6d31cd041143..30250f213856 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -2,6 +2,8 @@
#ifndef _NF_DEFRAG_IPV6_H
#define _NF_DEFRAG_IPV6_H
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
+
#include <linux/skbuff.h>
#include <linux/types.h>
@@ -13,4 +15,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user);
struct inet_frags_ctl;
+#endif /* IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) */
+
#endif /* _NF_DEFRAG_IPV6_H */
diff --git a/include/net/netfilter/ipv6/nf_dup_ipv6.h b/include/net/netfilter/ipv6/nf_dup_ipv6.h
index f6312bb04a13..81bb9096fe5a 100644
--- a/include/net/netfilter/ipv6/nf_dup_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_dup_ipv6.h
@@ -2,9 +2,13 @@
#ifndef _NF_DUP_IPV6_H_
#define _NF_DUP_IPV6_H_
+#if IS_ENABLED(CONFIG_NF_DUP_IPV6)
+
#include <linux/skbuff.h>
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif);
+#endif
+
#endif /* _NF_DUP_IPV6_H_ */
diff --git a/include/net/netfilter/ipv6/nf_reject.h b/include/net/netfilter/ipv6/nf_reject.h
index 4a3ef9ebdf6f..6d5cc6537319 100644
--- a/include/net/netfilter/ipv6/nf_reject.h
+++ b/include/net/netfilter/ipv6/nf_reject.h
@@ -2,6 +2,8 @@
#ifndef _IPV6_NF_REJECT_H
#define _IPV6_NF_REJECT_H
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV6)
+
#include <linux/icmpv6.h>
#include <net/netfilter/nf_reject.h>
@@ -20,4 +22,6 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
const struct sk_buff *oldskb,
const struct tcphdr *oth, unsigned int otcplen);
+#endif /* IS_ENABLED(CONFIG_NF_REJECT_IPV6) */
+
#endif /* _IPV6_NF_REJECT_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 0673cf685741..7dc5c913eb7f 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -13,6 +13,8 @@
#ifndef _NF_CONNTRACK_H
#define _NF_CONNTRACK_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/bitops.h>
@@ -64,7 +66,6 @@ struct nf_conntrack_net {
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
struct nf_conn {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Usage count in here is 1 for hash table, 1 per skb,
* plus 1 for any connection(s) we are `master' for
*
@@ -74,7 +75,6 @@ struct nf_conn {
* beware nf_ct_get() is different and don't inc refcnt.
*/
struct nf_conntrack ct_general;
-#endif
spinlock_t lock;
/* jiffies32 when this ct is considered dead */
@@ -155,8 +155,6 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_conntrack);
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-
#define NFCT_INFOMASK 7UL
#define NFCT_PTRMASK ~(NFCT_INFOMASK)
@@ -176,8 +174,6 @@ static inline void nf_ct_put(struct nf_conn *ct)
nf_conntrack_put(&ct->ct_general);
}
-#endif
-
/* Protocol module loading */
int nf_ct_l3proto_try_module_get(unsigned short l3proto);
void nf_ct_l3proto_module_put(unsigned short l3proto);
@@ -329,16 +325,12 @@ void nf_ct_tmpl_free(struct nf_conn *tmpl);
u32 nf_ct_get_id(const struct nf_conn *ct);
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-
static inline void
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
{
skb->_nfct = (unsigned long)ct | info;
}
-#endif
-
#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
@@ -346,4 +338,6 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
#define MODULE_ALIAS_NFCT_HELPER(helper) \
MODULE_ALIAS("nfct-helper-" helper)
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_H */
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index 5b5287bb49db..b8994e20136f 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -5,11 +5,14 @@
#ifndef _NF_CONNTRACK_ACCT_H
#define _NF_CONNTRACK_ACCT_H
-#include <net/net_namespace.h>
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/net_namespace.h>
struct nf_conn_counter {
atomic64_t packets;
@@ -29,7 +32,6 @@ struct nf_conn_acct *nf_conn_acct_find(const struct nf_conn *ct)
static inline
struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
{
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
struct net *net = nf_ct_net(ct);
struct nf_conn_acct *acct;
@@ -42,34 +44,25 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
return acct;
-#else
- return NULL;
-#endif
}
/* Check if connection tracking accounting is enabled */
static inline bool nf_ct_acct_enabled(struct net *net)
{
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
return net->ct.sysctl_acct != 0;
-#else
- return false;
-#endif
}
/* Enable/disable connection tracking accounting */
static inline void nf_ct_set_acct(struct net *net, bool enable)
{
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
net->ct.sysctl_acct = enable;
-#endif
}
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
void nf_conntrack_acct_pernet_init(struct net *net);
int nf_conntrack_acct_init(void);
void nf_conntrack_acct_fini(void);
+
#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
#endif /* _NF_CONNTRACK_ACCT_H */
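Review bot: The fallbacks removed from nf_ct_acct_ext_add(), nf_ct_acct_enabled() and nf_ct_set_acct() in this hunk (return NULL, return false, and an empty body) are what let callers use these helpers without their own #if on CONFIG_NF_CONNTRACK. With the whole header now guarded, a caller compiled without conntrack gets an implicit-declaration error instead of a no-op, so any such caller needs its own guard added in the same patch. It would also help to add a blank line before the final "#endif /* _NF_CONNTRACK_ACCT_H */" to match the spacing added before the guard's own #endif.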
diff --git a/include/net/netfilter/nf_conntrack_bridge.h b/include/net/netfilter/nf_conntrack_bridge.h
index 01b62fd5efa2..fb5fb167a20e 100644
--- a/include/net/netfilter/nf_conntrack_bridge.h
+++ b/include/net/netfilter/nf_conntrack_bridge.h
@@ -1,14 +1,14 @@
#ifndef NF_CONNTRACK_BRIDGE_
#define NF_CONNTRACK_BRIDGE_
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/module.h>
#include <linux/types.h>
#include <uapi/linux/if_ether.h>
struct nf_ct_bridge_info {
-#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *ops;
-#endif
unsigned int ops_size;
struct module *me;
};
@@ -16,4 +16,6 @@ struct nf_ct_bridge_info {
void nf_ct_bridge_register(struct nf_ct_bridge_info *info);
void nf_ct_bridge_unregister(struct nf_ct_bridge_info *info);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index d340886e012d..8653ddd45c0b 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -13,18 +13,21 @@
#ifndef _NF_CONNTRACK_CORE_H
#define _NF_CONNTRACK_CORE_H
+/*
+ * This header is used to share core functionality between the standalone
+ * connection tracking module, and the compatibility layer's use of connection
+ * tracking.
+ */
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
-/* This header is used to share core functionality between the
- standalone connection tracking module, and the compatibility layer's use
- of connection tracking. */
-
-#if IS_ENABLED(CONFIG_NETFILTER)
-unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state);
-#endif
+unsigned int nf_conntrack_in(struct sk_buff *skb,
+ const struct nf_hook_state *state);
int nf_conntrack_init_net(struct net *net);
void nf_conntrack_cleanup_net(struct net *net);
@@ -81,4 +84,6 @@ void nf_conntrack_lock(spinlock_t *lock);
extern spinlock_t nf_conntrack_expect_lock;
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_CORE_H */
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index 9645b47fa7e4..a5b43b9259e0 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -1,6 +1,8 @@
#ifndef _NF_CONNTRACK_COUNT_H
#define _NF_CONNTRACK_COUNT_H
+#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
+
#include <linux/list.h>
#include <linux/spinlock.h>
#include <net/netfilter/nf_conntrack_tuple.h>
@@ -36,4 +38,6 @@ bool nf_conncount_gc_list(struct net *net,
void nf_conncount_cache_free(struct nf_conncount_list *list);
+#endif /* IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT) */
+
#endif
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index eb81f9195e28..2d9dfcea9f2b 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -5,12 +5,14 @@
#ifndef _NF_CONNTRACK_ECACHE_H
#define _NF_CONNTRACK_ECACHE_H
-#include <net/netfilter/nf_conntrack.h>
-#include <net/net_namespace.h>
-#include <net/netfilter/nf_conntrack_expect.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/net_namespace.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_extend.h>
enum nf_ct_ecache_state {
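Review bot: Besides adding the guard, this hunk moves the <net/net_namespace.h>, <net/netfilter/nf_conntrack.h> and <net/netfilter/nf_conntrack_expect.h> includes below the <linux/...> ones. That reordering is unrelated to the CONFIG check and makes the hunk harder to audit. Move it to a separate patch or mention it in the commit message; the same applies to the <net/net_namespace.h> move in nf_conntrack_timestamp.h.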
@@ -225,4 +227,6 @@ static inline void nf_conntrack_ecache_work(struct net *net)
#endif
}
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /*_NF_CONNTRACK_ECACHE_H*/
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 0855b60fba17..7899ceb3c1be 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -6,8 +6,9 @@
#ifndef _NF_CONNTRACK_EXPECT_H
#define _NF_CONNTRACK_EXPECT_H
-#include <linux/refcount.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+#include <linux/refcount.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_zones.h>
@@ -134,5 +135,6 @@ static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
return nf_ct_expect_related_report(expect, 0, 0, flags);
}
-#endif /*_NF_CONNTRACK_EXPECT_H*/
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+#endif /*_NF_CONNTRACK_EXPECT_H*/
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 112a6f40dfaf..2e43f8683434 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -2,8 +2,9 @@
#ifndef _NF_CONNTRACK_EXTEND_H
#define _NF_CONNTRACK_EXTEND_H
-#include <linux/slab.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+#include <linux/slab.h>
#include <net/netfilter/nf_conntrack.h>
enum nf_ct_ext_id {
@@ -97,4 +98,7 @@ struct nf_ct_ext_type {
int nf_ct_extend_register(const struct nf_ct_ext_type *type);
void nf_ct_extend_unregister(const struct nf_ct_ext_type *type);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_EXTEND_H */
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 44b5a00a9c64..c4a164eeab89 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -10,6 +10,9 @@
#ifndef _NF_CONNTRACK_HELPER_H
#define _NF_CONNTRACK_HELPER_H
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/refcount.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_extend.h>
@@ -177,4 +180,7 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat);
int nf_nat_helper_try_module_get(const char *name, u16 l3num,
u8 protonum);
void nf_nat_helper_put(struct nf_conntrack_helper *helper);
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /*_NF_CONNTRACK_HELPER_H*/
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index c200b95d27ae..6912367da3ec 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -10,6 +10,9 @@
#ifndef _NF_CONNTRACK_L4PROTO_H
#define _NF_CONNTRACK_L4PROTO_H
+
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netlink.h>
#include <net/netlink.h>
#include <net/netfilter/nf_conntrack.h>
@@ -178,7 +181,6 @@ void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
const char *fmt, ...) { }
#endif /* CONFIG_SYSCTL */
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
static inline struct nf_generic_net *nf_generic_pernet(struct net *net)
{
return &net->ct.nf_ct_proto.generic;
@@ -203,7 +205,6 @@ static inline struct nf_icmp_net *nf_icmpv6_pernet(struct net *net)
{
return &net->ct.nf_ct_proto.icmpv6;
}
-#endif
#ifdef CONFIG_NF_CT_PROTO_DCCP
static inline struct nf_dccp_net *nf_dccp_pernet(struct net *net)
@@ -226,4 +227,6 @@ static inline struct nf_gre_net *nf_gre_pernet(struct net *net)
}
#endif
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /*_NF_CONNTRACK_PROTOCOL_H*/
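Review bot: The last context line closes the include guard with `#endif /*_NF_CONNTRACK_PROTOCOL_H*/`, but the guard opened at the top of this file is `_NF_CONNTRACK_L4PROTO_H`. Since the new `#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */` is added right above it, fix the stale comment in the same change so the two nested `#endif` lines can each be matched to their opener.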
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index ba916411c4e1..ffe08252a70d 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -3,6 +3,8 @@
#ifndef _NF_CONNTRACK_LABELS_H
#define _NF_CONNTRACK_LABELS_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/types.h>
@@ -55,4 +57,6 @@ static inline int nf_connlabels_get(struct net *net, unsigned int bit) { return
static inline void nf_connlabels_put(struct net *net) {}
#endif
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_LABELS_H */
diff --git a/include/net/netfilter/nf_conntrack_seqadj.h b/include/net/netfilter/nf_conntrack_seqadj.h
index 0a10b50537ae..d7b22f4e1a66 100644
--- a/include/net/netfilter/nf_conntrack_seqadj.h
+++ b/include/net/netfilter/nf_conntrack_seqadj.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_SEQADJ_H
#define _NF_CONNTRACK_SEQADJ_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <net/netfilter/nf_conntrack_extend.h>
/**
@@ -45,4 +47,6 @@ s32 nf_ct_seq_offset(const struct nf_conn *ct, enum ip_conntrack_dir, u32 seq);
int nf_conntrack_seqadj_init(void);
void nf_conntrack_seqadj_fini(void);
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_SEQADJ_H */
diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
index 6a3ab081e4bf..3c0395ada5b5 100644
--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_SYNPROXY_H
#define _NF_CONNTRACK_SYNPROXY_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netns/generic.h>
@@ -45,4 +47,6 @@ static inline bool nf_ct_add_synproxy(struct nf_conn *ct,
return true;
}
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_SYNPROXY_H */
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 6dd72396f534..dfc37f4ea49c 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -2,6 +2,8 @@
#ifndef _NF_CONNTRACK_TIMEOUT_H
#define _NF_CONNTRACK_TIMEOUT_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <net/net_namespace.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
@@ -124,4 +126,6 @@ extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, con
extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
#endif
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif /* _NF_CONNTRACK_TIMEOUT_H */
diff --git a/include/net/netfilter/nf_conntrack_timestamp.h b/include/net/netfilter/nf_conntrack_timestamp.h
index 2b8aeba649aa..5ffa8b27cb77 100644
--- a/include/net/netfilter/nf_conntrack_timestamp.h
+++ b/include/net/netfilter/nf_conntrack_timestamp.h
@@ -2,9 +2,11 @@
#ifndef _NF_CONNTRACK_TSTAMP_H
#define _NF_CONNTRACK_TSTAMP_H
-#include <net/net_namespace.h>
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/net_namespace.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_extend.h>
@@ -73,4 +75,6 @@ static inline void nf_conntrack_tstamp_fini(void)
}
#endif /* CONFIG_NF_CONNTRACK_TIMESTAMP */
+#endif /* CONFIG_NF_CONNTRACK */
+
#endif /* _NF_CONNTRACK_TSTAMP_H */
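Review bot: The closing line added here is `#endif /* CONFIG_NF_CONNTRACK */`, while the opener added in the first hunk of this file is `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` and the other conntrack headers in this patch close with `/* IS_ENABLED(CONFIG_NF_CONNTRACK) */`. Use the same comment text here so a search for the guard finds both ends.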
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 68ea9b932736..70af4b169eee 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -11,6 +11,8 @@
#ifndef _NF_CONNTRACK_TUPLE_H
#define _NF_CONNTRACK_TUPLE_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/list_nulls.h>
@@ -121,7 +123,6 @@ struct nf_conntrack_tuple_hash {
struct nf_conntrack_tuple tuple;
};
-#if IS_ENABLED(CONFIG_NETFILTER)
static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
const struct nf_conntrack_tuple *t2)
{
@@ -184,6 +185,7 @@ nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
__nf_ct_tuple_dst_equal(t, tuple);
}
-#endif
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
#endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/net/netfilter/nf_dup_netdev.h b/include/net/netfilter/nf_dup_netdev.h
index 181672672160..e84227c68ea1 100644
--- a/include/net/netfilter/nf_dup_netdev.h
+++ b/include/net/netfilter/nf_dup_netdev.h
@@ -2,9 +2,13 @@
#ifndef _NF_DUP_NETDEV_H_
#define _NF_DUP_NETDEV_H_
+#if IS_ENABLED(CONFIG_NF_DUP_NETDEV)
+
#include <net/netfilter/nf_tables.h>
void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);
void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);
+#endif /* IS_ENABLED(CONFIG_NF_DUP_NETDEV) */
+
#endif
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index d875be62cdf0..afaf4b882f53 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -1,6 +1,8 @@
#ifndef _NF_FLOW_TABLE_H
#define _NF_FLOW_TABLE_H
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/netdevice.h>
@@ -17,9 +19,7 @@ struct nf_flowtable_type {
int family;
int (*init)(struct nf_flowtable *ft);
void (*free)(struct nf_flowtable *ft);
-#if IS_ENABLED(CONFIG_NETFILTER)
nf_hookfn *hook;
-#endif
struct module *owner;
};
@@ -117,14 +117,14 @@ struct flow_ports {
__be16 source, dest;
};
-#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
-#endif
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
MODULE_ALIAS("nf-flowtable-" __stringify(family))
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif /* _NF_FLOW_TABLE_H */
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 0d3920896d50..0dd375db4eda 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -2,6 +2,8 @@
#ifndef _NF_LOG_H
#define _NF_LOG_H
+#ifdef CONFIG_NETFILTER
+
#include <linux/netfilter.h>
#include <linux/netfilter/nf_log.h>
@@ -122,4 +124,6 @@ void nf_log_l2packet(struct net *net, u_int8_t pf,
const struct net_device *out,
const struct nf_loginfo *loginfo, const char *prefix);
+#endif /* CONFIG_NETFILTER */
+
#endif /* _NF_LOG_H */
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 362ff94fa6b0..d9d4acdc0776 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -2,6 +2,8 @@
#ifndef _NF_NAT_H
#define _NF_NAT_H
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+
#include <linux/list.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/nf_conntrack_pptp.h>
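Review bot: nf_nat.h is wrapped in `#if IS_ENABLED(CONFIG_NF_CONNTRACK)`, but nf_nat_helper.h in this same patch is wrapped in `#if IS_ENABLED(CONFIG_NF_NAT)`. If conntrack is the intended symbol for this header, say why in a comment next to the guard or in the commit message; otherwise use CONFIG_NF_NAT here as well so the two NAT headers agree.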
@@ -68,12 +70,10 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
#endif
}
-#if IS_ENABLED(CONFIG_NETFILTER)
int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
const struct nf_hook_ops *nat_ops, unsigned int ops_count);
void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
unsigned int ops_count);
-#endif
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
unsigned int hooknum, struct sk_buff *skb);
@@ -93,7 +93,6 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum, unsigned int hdrlen);
-#if IS_ENABLED(CONFIG_NETFILTER)
int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
@@ -106,7 +105,6 @@ void nf_nat_inet_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
unsigned int
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
-#endif
int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);
@@ -118,4 +116,7 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
else
return ct->status & IPS_DST_NAT_DONE;
}
+
+#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
+
#endif
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index efae84646353..11692d9b6913 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -1,6 +1,9 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_NAT_HELPER_H
#define _NF_NAT_HELPER_H
+
+#if IS_ENABLED(CONFIG_NF_NAT)
+
/* NAT protocol helper routines. */
#include <linux/skbuff.h>
@@ -38,4 +41,6 @@ bool nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct,
* to port ct->master->saved_proto. */
void nf_nat_follow_master(struct nf_conn *ct, struct nf_conntrack_expect *this);
+#endif /* IS_ENABLED(CONFIG_NF_NAT) */
+
#endif
diff --git a/include/net/netfilter/nf_nat_masquerade.h b/include/net/netfilter/nf_nat_masquerade.h
index be7abc9d5f22..d6ef5e6f84dd 100644
--- a/include/net/netfilter/nf_nat_masquerade.h
+++ b/include/net/netfilter/nf_nat_masquerade.h
@@ -2,6 +2,8 @@
#ifndef _NF_NAT_MASQUERADE_H_
#define _NF_NAT_MASQUERADE_H_
+#ifdef CONFIG_NF_NAT_MASQUERADE
+
#include <linux/skbuff.h>
#include <net/netfilter/nf_nat.h>
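Review bot: `#ifdef CONFIG_NF_NAT_MASQUERADE` only tests for =y. If this symbol is tristate, or is ever made one, a modular build defines CONFIG_NF_NAT_MASQUERADE_MODULE instead and this header silently becomes empty. The patch uses IS_ENABLED() for most other headers; use it here too, and likewise for `#ifdef CONFIG_NF_NAT_REDIRECT` in nf_nat_redirect.h and `#ifdef CONFIG_NF_TABLES_IPV6` in nf_tables_ipv6.h.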
@@ -17,4 +19,6 @@ unsigned int
nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
const struct net_device *out);
+#endif /* CONFIG_NF_NAT_MASQUERADE */
+
#endif /*_NF_NAT_MASQUERADE_H_ */
diff --git a/include/net/netfilter/nf_nat_redirect.h b/include/net/netfilter/nf_nat_redirect.h
index 2418653a66db..2a2c818523eb 100644
--- a/include/net/netfilter/nf_nat_redirect.h
+++ b/include/net/netfilter/nf_nat_redirect.h
@@ -2,6 +2,8 @@
#ifndef _NF_NAT_REDIRECT_H_
#define _NF_NAT_REDIRECT_H_
+#ifdef CONFIG_NF_NAT_REDIRECT
+
#include <linux/skbuff.h>
#include <uapi/linux/netfilter/nf_nat.h>
@@ -13,4 +15,6 @@ unsigned int
nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
unsigned int hooknum);
+#endif /* CONFIG_NF_NAT_REDIRECT */
+
#endif /* _NF_NAT_REDIRECT_H_ */
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 80edb46a1bbc..5f0986357ad8 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -2,6 +2,8 @@
#ifndef _NF_QUEUE_H
#define _NF_QUEUE_H
+#ifdef CONFIG_NETFILTER
+
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/jhash.h>
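Review bot: The file-level guard added here is `#ifdef CONFIG_NETFILTER`, whereas the inner guards this patch deletes from the same file are `#if IS_ENABLED(CONFIG_NETFILTER)`, and the conntrack and nf_tables headers are wrapped with IS_ENABLED(). Both forms work for a bool symbol, but mixing them in one patch (also in nf_log.h, nf_reject.h and nf_socket.h) invites a copy-paste onto a tristate symbol, where `#ifdef` is false for =m. Prefer IS_ENABLED() throughout.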
@@ -15,9 +17,7 @@ struct nf_queue_entry {
unsigned int id;
unsigned int hook_index; /* index in hook_entries->hook[] */
-#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_state state;
-#endif
u16 size; /* sizeof(entry) + saved route keys */
/* extra space to store route keys */
@@ -123,9 +123,9 @@ nfqueue_hash(const struct sk_buff *skb, u16 queue, u16 queues_total, u8 family,
return queue;
}
-#if IS_ENABLED(CONFIG_NETFILTER)
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
unsigned int index, unsigned int verdict);
-#endif
+
+#endif /* CONFIG_NETFILTER */
#endif /* _NF_QUEUE_H */
diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
index 9051c3a0c8e7..664db093d24a 100644
--- a/include/net/netfilter/nf_reject.h
+++ b/include/net/netfilter/nf_reject.h
@@ -2,6 +2,8 @@
#ifndef _NF_REJECT_H
#define _NF_REJECT_H
+#ifdef CONFIG_NETFILTER
+
#include <linux/types.h>
#include <uapi/linux/in.h>
@@ -27,4 +29,6 @@ static inline bool nf_reject_verify_csum(__u8 proto)
return true;
}
+#endif /* CONFIG_NETFILTER */
+
#endif /* _NF_REJECT_H */
diff --git a/include/net/netfilter/nf_socket.h b/include/net/netfilter/nf_socket.h
index f9d7bee9bd4e..642cb6640e23 100644
--- a/include/net/netfilter/nf_socket.h
+++ b/include/net/netfilter/nf_socket.h
@@ -2,6 +2,8 @@
#ifndef _NF_SOCK_H_
#define _NF_SOCK_H_
+#ifdef CONFIG_NETFILTER
+
#include <net/sock.h>
struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
@@ -10,4 +12,6 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
const struct net_device *indev);
+#endif /* CONFIG_NETFILTER */
+
#endif
diff --git a/include/net/netfilter/nf_synproxy.h b/include/net/netfilter/nf_synproxy.h
index 19d1af7a0348..e1661141a0b8 100644
--- a/include/net/netfilter/nf_synproxy.h
+++ b/include/net/netfilter/nf_synproxy.h
@@ -2,6 +2,8 @@
#ifndef _NF_SYNPROXY_SHARED_H
#define _NF_SYNPROXY_SHARED_H
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
+
#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/ip6_checksum.h>
@@ -58,10 +60,8 @@ bool synproxy_recv_client_ack(struct net *net,
const struct tcphdr *th,
struct synproxy_options *opts, u32 recv_seq);
-#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *nhs);
-#endif
int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
@@ -75,10 +75,8 @@ bool synproxy_recv_client_ack_ipv6(struct net *net, const struct sk_buff *skb,
const struct tcphdr *th,
struct synproxy_options *opts, u32 recv_seq);
-#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *nhs);
-#endif
int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
#else
@@ -88,4 +86,6 @@ static inline void
nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net) {};
#endif /* CONFIG_IPV6 */
+#endif /* IS_ENABLED(CONFIG_NETFILTER_SYNPROXY) */
+
#endif /* _NF_SYNPROXY_SHARED_H */
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 498665158ee0..a172f0923542 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -2,6 +2,8 @@
#ifndef _NET_NF_TABLES_H
#define _NET_NF_TABLES_H
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <asm/unaligned.h>
#include <linux/list.h>
#include <linux/netfilter.h>
@@ -26,7 +28,6 @@ struct nft_pktinfo {
struct xt_action_param xt;
};
-#if IS_ENABLED(CONFIG_NETFILTER)
static inline struct net *nft_net(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->net;
@@ -59,7 +60,6 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
pkt->skb = skb;
pkt->xt.state = state;
}
-#endif
static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
struct sk_buff *skb)
@@ -947,11 +947,9 @@ struct nft_chain_type {
int family;
struct module *owner;
unsigned int hook_mask;
-#if IS_ENABLED(CONFIG_NETFILTER)
nf_hookfn *hooks[NF_MAX_HOOKS];
int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
-#endif
};
int nft_chain_validate_dependency(const struct nft_chain *chain,
@@ -977,9 +975,7 @@ struct nft_stats {
* @flow_block: flow block (for hardware offload)
*/
struct nft_base_chain {
-#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops ops;
-#endif
const struct nft_chain_type *type;
u8 policy;
u8 flags;
@@ -1176,9 +1172,7 @@ struct nft_flowtable {
use:30;
u64 handle;
/* runtime data below here */
-#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *ops ____cacheline_aligned;
-#endif
struct nf_flowtable data;
};
@@ -1233,8 +1227,6 @@ void nft_trace_notify(struct nft_traceinfo *info);
#define MODULE_ALIAS_NFT_OBJ(type) \
MODULE_ALIAS("nft-obj-" __stringify(type))
-#if IS_ENABLED(CONFIG_NF_TABLES)
-
/*
* The gencursor defines two generations, the currently active and the
* next one. Objects contain a bitmask of 2 bits specifying the generations
@@ -1308,8 +1300,6 @@ static inline void nft_set_elem_change_active(const struct net *net,
ext->genmask ^= nft_genmask_next(net);
}
-#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
-
/*
* We use a free bit in the genmask field to indicate the element
* is busy, meaning it is currently being processed either by
@@ -1446,4 +1436,7 @@ void nft_chain_filter_fini(void);
void __init nft_chain_route_init(void);
void nft_chain_route_fini(void);
+
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif /* _NET_NF_TABLES_H */
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index 7281895fa6d9..7fa23fb4383c 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -2,6 +2,8 @@
#ifndef _NET_NF_TABLES_CORE_H
#define _NET_NF_TABLES_CORE_H
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <net/netfilter/nf_tables.h>
extern struct nft_expr_type nft_imm_type;
@@ -98,4 +100,7 @@ void nft_dynset_eval(const struct nft_expr *expr,
struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_rt_get_eval(const struct nft_expr *expr,
struct nft_regs *regs, const struct nft_pktinfo *pkt);
+
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif /* _NET_NF_TABLES_CORE_H */
diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index ed7b511f0a59..5156a6e4e7d6 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -2,6 +2,8 @@
#ifndef _NF_TABLES_IPV4_H_
#define _NF_TABLES_IPV4_H_
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <net/netfilter/nf_tables.h>
#include <net/ip.h>
@@ -53,4 +55,6 @@ static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
nft_set_pktinfo_unspec(pkt, skb);
}
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif
diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index d0f1c537b017..46bf20eecf3a 100644
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -2,6 +2,8 @@
#ifndef _NF_TABLES_IPV6_H_
#define _NF_TABLES_IPV6_H_
+#ifdef CONFIG_NF_TABLES_IPV6
+
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ipv6.h>
#include <net/netfilter/nf_tables.h>
@@ -28,7 +30,6 @@ static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
struct sk_buff *skb)
{
-#if IS_ENABLED(CONFIG_IPV6)
unsigned int flags = IP6_FH_F_AUTH;
struct ipv6hdr *ip6h, _ip6h;
unsigned int thoff = 0;
@@ -58,9 +59,6 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
pkt->xt.fragoff = frag_off;
return 0;
-#else
- return -1;
-#endif
}
static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
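Review bot: The `#else` / `return -1;` arm removed from __nft_set_pktinfo_ipv6_validate() was the fallback for builds without IPv6. After this change the function exists only under `#ifdef CONFIG_NF_TABLES_IPV6`, so any caller that includes this header with that option off gets no definition at all rather than the error return. Please check the callers of nft_set_pktinfo_ipv6_validate() in such configurations, or keep the stub in an `#else` arm of the new file-level guard.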
@@ -70,4 +68,6 @@ static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
nft_set_pktinfo_unspec(pkt, skb);
}
-#endif
+#endif /* CONFIG_NF_TABLES_IPV6 */
+
+#endif /* _NF_TABLES_IPV6_H_ */
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index db104665a9e4..79a4a78f2f01 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -1,6 +1,8 @@
#ifndef _NET_NF_TABLES_OFFLOAD_H
#define _NET_NF_TABLES_OFFLOAD_H
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <net/flow_offload.h>
#include <net/netfilter/nf_tables.h>
@@ -80,4 +82,6 @@ void nft_indr_block_get_and_ing_cmd(struct net_device *dev,
int nft_chain_offload_priority(struct nft_base_chain *basechain);
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif
diff --git a/include/net/netfilter/nf_tproxy.h b/include/net/netfilter/nf_tproxy.h
index 82d0e41b76f2..0321ec632502 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -1,6 +1,8 @@
#ifndef _NF_TPROXY_H_
#define _NF_TPROXY_H_
+#if IS_ENABLED(CONFIG_NF_TPROXY)
+
#include <net/tcp.h>
enum nf_tproxy_lookup_t {
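Review bot: Please confirm that CONFIG_NF_TPROXY is a symbol actually defined in Kconfig. IS_ENABLED() on an undefined symbol evaluates to 0 without any warning, so a wrong name in `#if IS_ENABLED(CONFIG_NF_TPROXY)` would compile this header down to nothing and only surface later as implicit-declaration errors in its users.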
@@ -118,4 +120,6 @@ nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
const struct net_device *in,
const enum nf_tproxy_lookup_t lookup_type);
+#endif /* IS_ENABLED(CONFIG_NF_TPROXY) */
+
#endif /* _NF_TPROXY_H_ */
diff --git a/include/net/netfilter/nft_fib.h b/include/net/netfilter/nft_fib.h
index 628b6fa579cd..b753729ce591 100644
--- a/include/net/netfilter/nft_fib.h
+++ b/include/net/netfilter/nft_fib.h
@@ -2,6 +2,8 @@
#ifndef _NFT_FIB_H_
#define _NFT_FIB_H_
+#if IS_ENABLED(CONFIG_NFT_FIB)
+
#include <net/netfilter/nf_tables.h>
struct nft_fib {
@@ -37,4 +39,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
void nft_fib_store_result(void *reg, const struct nft_fib *priv,
const struct net_device *dev);
+
+#endif /* IS_ENABLED(CONFIG_NFT_FIB) */
+
#endif
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
index 07e2fd507963..bbd18b64eaf8 100644
--- a/include/net/netfilter/nft_meta.h
+++ b/include/net/netfilter/nft_meta.h
@@ -2,6 +2,8 @@
#ifndef _NFT_META_H_
#define _NFT_META_H_
+#if IS_ENABLED(CONFIG_NF_TABLES)
+
#include <net/netfilter/nf_tables.h>
struct nft_meta {
@@ -43,4 +45,6 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data);
+#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
+
#endif
diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h
index 56b123a42220..502961721d30 100644
--- a/include/net/netfilter/nft_reject.h
+++ b/include/net/netfilter/nft_reject.h
@@ -2,6 +2,8 @@
#ifndef _NFT_REJECT_H_
#define _NFT_REJECT_H_
+#if IS_ENABLED(CONFIG_NFT_REJECT)
+
#include <linux/types.h>
#include <net/netlink.h>
#include <net/netfilter/nf_tables.h>
@@ -27,4 +29,6 @@ int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
int nft_reject_icmp_code(u8 code);
int nft_reject_icmpv6_code(u8 code);
+#endif /* IS_ENABLED(CONFIG_NFT_REJECT) */
+
#endif
diff --git a/include/net/netfilter/xt_rateest.h b/include/net/netfilter/xt_rateest.h
index 832ab69efda5..9fae3397d62c 100644
--- a/include/net/netfilter/xt_rateest.h
+++ b/include/net/netfilter/xt_rateest.h
@@ -2,6 +2,8 @@
#ifndef _XT_RATEEST_H
#define _XT_RATEEST_H
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_RATEEST)
+
#include <net/gen_stats.h>
struct xt_rateest {
@@ -24,4 +26,6 @@ struct xt_rateest {
struct xt_rateest *xt_rateest_lookup(struct net *net, const char *name);
void xt_rateest_put(struct net *net, struct xt_rateest *est);
+#endif /* IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_RATEEST) */
+
#endif /* _XT_RATEEST_H */
--
2.23.0.rc1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks.
2019-09-02 23:06 ` [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks Jeremy Sowden
@ 2019-09-04 13:50 ` kbuild test robot
0 siblings, 0 replies; 35+ messages in thread
From: kbuild test robot @ 2019-09-04 13:50 UTC (permalink / raw)
To: Jeremy Sowden
Cc: kbuild-all, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Netfilter Devel
[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]
Hi Jeremy,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Jeremy-Sowden/Add-config-option-checks-to-netfilter-headers/20190903-075100
base: https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-s0-09021303 (attached as .config)
compiler: gcc-7 (Debian 7.4.0-11) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from security/apparmor/lsm.c:23:0:
include/linux/netfilter_ipv6.h: In function 'nf_ipv6_br_defrag':
>> include/linux/netfilter_ipv6.h:132:9: error: implicit declaration of function 'nf_ct_frag6_gather'; did you mean 'nf_ct_attach'? [-Werror=implicit-function-declaration]
return nf_ct_frag6_gather(net, skb, user);
^~~~~~~~~~~~~~~~~~
nf_ct_attach
cc1: some warnings being treated as errors
vim +132 include/linux/netfilter_ipv6.h
c9bb6165a16e6d Pablo Neira Ayuso 2019-05-31 120
764dd163ac922f Pablo Neira Ayuso 2019-05-29 121 static inline int nf_ipv6_br_defrag(struct net *net, struct sk_buff *skb,
764dd163ac922f Pablo Neira Ayuso 2019-05-29 122 u32 user)
764dd163ac922f Pablo Neira Ayuso 2019-05-29 123 {
764dd163ac922f Pablo Neira Ayuso 2019-05-29 124 #if IS_MODULE(CONFIG_IPV6)
764dd163ac922f Pablo Neira Ayuso 2019-05-29 125 const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
764dd163ac922f Pablo Neira Ayuso 2019-05-29 126
764dd163ac922f Pablo Neira Ayuso 2019-05-29 127 if (!v6_ops)
764dd163ac922f Pablo Neira Ayuso 2019-05-29 128 return 1;
764dd163ac922f Pablo Neira Ayuso 2019-05-29 129
764dd163ac922f Pablo Neira Ayuso 2019-05-29 130 return v6_ops->br_defrag(net, skb, user);
43a38c3f318082 Arnd Bergmann 2019-06-17 131 #elif IS_BUILTIN(CONFIG_IPV6)
764dd163ac922f Pablo Neira Ayuso 2019-05-29 @132 return nf_ct_frag6_gather(net, skb, user);
43a38c3f318082 Arnd Bergmann 2019-06-17 133 #else
43a38c3f318082 Arnd Bergmann 2019-06-17 134 return 1;
764dd163ac922f Pablo Neira Ayuso 2019-05-29 135 #endif
764dd163ac922f Pablo Neira Ayuso 2019-05-29 136 }
764dd163ac922f Pablo Neira Ayuso 2019-05-29 137
:::::: The code at line 132 was first introduced by commit
:::::: 764dd163ac922f8683b5bcd3007251ce7b26cd33 netfilter: nf_conntrack_bridge: add support for IPv6
:::::: TO: Pablo Neira Ayuso <pablo@netfilter.org>
:::::: CC: David S. Miller <davem@davemloft.net>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 35083 bytes --]
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.
2019-09-02 23:06 [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Jeremy Sowden
` (29 preceding siblings ...)
2019-09-02 23:06 ` [PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks Jeremy Sowden
@ 2019-09-04 19:05 ` Pablo Neira Ayuso
2019-09-07 19:16 ` Jeremy Sowden
30 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:05 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: Jozsef Kadlecsik, Florian Westphal, Netfilter Devel
Hi Jeremy,
Thanks for working on this.
Could you squash a few of these patches to get a smaller patchset?
My suggestions:
* Squash 01/30, 02/30 and 03/30, call this something like: "netfilter: add
missing include guard". Just document that the chunk for the
flowtable is fixing up a comment.
* For 04/30, since this is about SPDX, I would suggest you leave this
behind and we wait for someone to make a whole pass over the netfilter
headers to check for missing SPDX tags? Not a deal breaker, you can
keep it in this batch if you like.
* Squash 05/30, 06/30 and 07/30, call this I'd suggest: "netfilter:
fix coding style errors", document the stray semi-colons, the
Kconfig missing indent and the trailing whitespaces.
* Squash 09/30, 10/30, 11/30, 12/30 and 12/30. They all refer to
#include updates, could you squash and document these updates?
* 14/30, "netfilter: remove superfluous header" I'd suggest you rename
this to "netfilter: remove nf_conntrack_icmpv6.h header".
* 15/30 and 16/30 LGTM.
* 17/30 I don't think struct nf_bridge_frag_data qualifies for the
global netfilter.h header.
* 19/30 LGTM.
* With 20/30 we get more ifdef pollution to optimize a case where the kernel
is compiled without these trackers. I would prefer you keep this
back.
* Please, squash 21/30 and 22/30.
* 24/30 nft_set_pktinfo_ipv6_validate() definition already
deals with this in the right way.
* 25/30 nf_conntrack_zones_common.h only makes sense if NF_CONNTRACK
is enabled, I don't understand.
* 27/30 indentation is not correct, not using tabs.
* 26/30 is adding more #ifdef CONFIG_NETFILTER to the netfilter.h
header. They make sense to make this new infra compile headers,
but from a developer perspective this is confusing.
* 30/30 very similar to 26/30...
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -7,6 +7,10 @@
#ifndef _IP_SET_H
#define _IP_SET_H
+#include <uapi/linux/netfilter/ipset/ip_set.h>
+
+#if IS_ENABLED(CONFIG_IP_SET)
...
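Review bot: the `#if IS_ENABLED(CONFIG_IP_SET)` added directly under the include guard compiles out everything that follows it in ip_set.h when CONFIG_IP_SET is off, so any file that includes this header and uses its declarations unconditionally stops building in that configuration. The lines shown also do not include the matching `#endif`. Consider leaving the declarations unconditional and guarding only the parts that really depend on CONFIG_IP_SET; if the wrapper stays, close it with `#endif /* IS_ENABLED(CONFIG_IP_SET) */` just above the guard's own `#endif` so the two are not confused.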
Shouldn't the CONFIG_HEADER_TEST infrastructure probably check if the
Kconfig option is set on before blindly compiling headers?
* Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.
2019-09-04 19:05 ` [PATCH nf-next v2 00/30] Add config option checks to netfilter headers Pablo Neira Ayuso
@ 2019-09-07 19:16 ` Jeremy Sowden
2019-09-08 18:14 ` Pablo Neira Ayuso
0 siblings, 1 reply; 35+ messages in thread
From: Jeremy Sowden @ 2019-09-07 19:16 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Jozsef Kadlecsik, Florian Westphal, Netfilter Devel
On 2019-09-04, at 21:05:35 +0200, Pablo Neira Ayuso wrote:
> Thanks for working on this.
Happy to help.
> Could you squash a few of these patches to get a smaller patchset?
Absolutely.
> My suggestions:
>
> * Squash 01/30, 02/30 and 03/30, call this something like: "netfilter:
> add missing include guard". Just document that the chunk for the
> flowtable is fixing up a comment.
Will do.
> * For 04/30, since this is about SPDX, I would suggest you leave this
> behind and we wait for someone to make a whole pass over the
> netfilter headers to check for missing SPDX tags? Not a deal
> breaker, you can keep it in this batch if you like.
Will drop it. This was a bit speculative: I think I've got it right,
but, as you say, this may be one to leave to someone with more
expertise.
> * Squash 05/30, 06/30 and 07/30, call this I'd suggest: "netfilter:
> fix coding style errors", document the stray semi-colons, the
> Kconfig missing indent and the trailing whitespaces.
Will do.
> * Squash 09/30, 10/30, 11/30, 12/30 and 12/30. They all refer to
> #include updates, could you squash and document these updates?
Will do.
> * 14/30, "netfilter: remove superfluous header" I'd suggest you rename
> this to "netfilter: remove nf_conntrack_icmpv6.h header".
Will do.
> * 17/30 I don't think struct nf_bridge_frag_data qualifies for the
> global netfilter.h header.
What about netfilter_bridge.h?
> * Please, squash 21/30 and 22/30.
Will do.
> * With 20/30 we get more ifdef pollution to optimize a case where the kernel
> is compiled without these trackers. I would prefer you keep this
> back.
>
> * 24/30 nft_set_pktinfo_ipv6_validate() definition already
> deals with this in the right way.
>
> * 25/30 nf_conntrack_zones_common.h only makes sense if NF_CONNTRACK
> is enabled, I don't understand.
>
> * 27/30 indentation is not correct, not using tabs.
>
> * 26/30 is adding more #ifdef CONFIG_NETFILTER to the netfilter.h
> header. They make sense to make this new infra compile headers,
> but from a developer perspective this is confusing.
>
> * 30/30 very similar to 26/30...
As I mentioned in the cover-letter the idea behind my approach was to
config out as much code as possible: if header H is only required when
config C is enabled, then wrap it in an `#if IS_ENABLED(CONFIG_C)`.
However, you're clearly not keen, and, having had a poke around in other
headers that have been moved off the blacklist, I've come to the
conclusion that it was the wrong way to go: we want less #ifdeffery, not
more. Will rework this part of the series.
J.
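An added example, not code from this thread or from the kernel tree: a user-space model of the IS_BUILTIN/IS_MODULE/IS_ENABLED tests discussed above, applied to a function with the same three-way shape as nf_ipv6_br_defrag() in the build report. The macro bodies are modelled on include/linux/kconfig.h with renamed helpers; every CONFIG_DEMO_* symbol and demo_* name is hypothetical.

```c
#include <stdio.h>

/* Modelled on include/linux/kconfig.h (helper names changed here): a symbol
 * defined as 1 pastes to KC_PLACEHOLDER_1, whose "0," shifts the literal 1
 * into the second argument slot; any other token leaves 0 there. */
#define KC_PLACEHOLDER_1 0,
#define KC_SECOND(ignored, val, ...) val
#define KC_DEFINED3(arg1_or_junk) KC_SECOND(arg1_or_junk 1, 0, 0)
#define KC_DEFINED2(val) KC_DEFINED3(KC_PLACEHOLDER_##val)
#define KC_DEFINED(x) KC_DEFINED2(x)
#define IS_BUILTIN(option) KC_DEFINED(option)
#define IS_MODULE(option) KC_DEFINED(option##_MODULE)
#define IS_ENABLED(option) (IS_BUILTIN(option) || IS_MODULE(option))

/* Constructed configuration: all CONFIG_DEMO_* symbols are hypothetical. */
#define CONFIG_DEMO_IPV6 1            /* =y, built in */
#define CONFIG_DEMO_TRACKER_MODULE 1  /* =m, Kconfig defines <symbol>_MODULE */
                                      /* CONFIG_DEMO_UNSET is not set */

#if IS_ENABLED(CONFIG_DEMO_IPV6)      /* definition wrapped in a config check */
int demo_frag6_gather(int skb) { return skb ? 0 : -1; }
#endif

struct demo_ipv6_ops { int (*br_defrag)(int skb); };
const struct demo_ipv6_ops *demo_get_ipv6_ops(void) { return NULL; }

/* Same three-way shape as nf_ipv6_br_defrag() in the build report. */
int demo_br_defrag(int skb)
{
#if IS_MODULE(CONFIG_DEMO_IPV6)
	const struct demo_ipv6_ops *ops = demo_get_ipv6_ops();
	return ops ? ops->br_defrag(skb) : 1;
#elif IS_BUILTIN(CONFIG_DEMO_IPV6)
	/* Builds only because this guard implies the one around the
	 * definition; a wrapper keyed on another symbol would hide it. */
	return demo_frag6_gather(skb);
#else
	return 1;
#endif
}

int main(void)
{
	printf("IPV6 y=%d m=%d, TRACKER on=%d, UNSET on=%d, defrag=%d\n",
	       IS_BUILTIN(CONFIG_DEMO_IPV6), IS_MODULE(CONFIG_DEMO_IPV6),
	       IS_ENABLED(CONFIG_DEMO_TRACKER), IS_ENABLED(CONFIG_DEMO_UNSET),
	       demo_br_defrag(1));
	return 0;
}
```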
* Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.
2019-09-07 19:16 ` Jeremy Sowden
@ 2019-09-08 18:14 ` Pablo Neira Ayuso
0 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-08 18:14 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: Jozsef Kadlecsik, Florian Westphal, Netfilter Devel
On Sat, Sep 07, 2019 at 08:16:59PM +0100, Jeremy Sowden wrote:
> On 2019-09-04, at 21:05:35 +0200, Pablo Neira Ayuso wrote:
[...]
> > * 17/30 I don't think struct nf_bridge_frag_data qualifies for the
> > global netfilter.h header.
>
> What about netfilter_bridge.h?
That's fine indeed.
[...]
> As I mentioned in the cover-letter the idea behind my approach was to
> config out as much code as possible: if header H is only required when
> config C is enabled, then wrap it in an `#if IS_ENABLED(CONFIG_C)`.
> However, you're clearly not keen, and, having had a poke around in other
> headers that have been moved off the blacklist, I've come to the
> conclusion that it was the wrong way to go: we want less #ifdeffery, not
> more. Will rework this part of the series.
It would be great if all those #if IS_ENABLED(CONFIG_C) that are only
there to make CONFIG_HEADER_TEST happy go away, and no more new ones are
added indeed.
Thanks.