This series removes the following module options by merging
them into the nftables core:


 96407    2064     400   98871   18237 net/netfilter/nf_tables.ko
106410    2392     401  109203   1aa93 net/netfilter/nf_tables.ko

which is a ~10% increase post-merging.
If it's deemed too much, we can keep nft_meta and nft_exthdr as extra
modules and merge rt into meta instead.

However, I think meta is too important from a functionality p.o.v.
so that it doesn't make much sense to offer an off-config option
for it.


are downgraded to dependency-only symbols.
Redirect and masquerade are then built into nf_nat_ipv4/6 modules.

This is an initial effort to address criticism that netfilter is too

More similar changes can be made, but I prefer to not do
everything in one go.

If anyone is interested, other candidates that might be worth checking
are fib, fwd, dup and redir+masquerade.

In nft_fib case we currently have 5 modules:
- common code
- ipv4 backend
- ipv6 backend
- wrapper for netdev
- wrapper for inet

We can probably merge these five into a single nft_fib module.

Florian Westphal (6):
      netfilter: merge meta_bridge into nft_meta
      netfilter: nftables: make meta expression builtin
      netfilter: nf_tables: merge rt expression into nft core
      netfilter: nf_tables: merge exthdr expression into nft core
      netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module
      netfilter: nat: merge nf_nat_redirect into nf_nat
