Re: [PATCH 40/47] netfilter: nf_tables: build-in filter chain type

2018-04-04 Thread Pablo Neira Ayuso
On Wed, Apr 04, 2018 at 05:38:31PM +0200, Arnd Bergmann wrote:
> On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso  
> wrote:
> > One module per supported filter chain family type takes too much memory
> > for very little code - too much modularization - place all chain filter
> > definitions in one single file.
> >
> > Signed-off-by: Pablo Neira Ayuso 
> 
> Hi Pablo,
> 
> I've bisected a link error to this patch:
> 
> net/netfilter/nft_reject_inet.o: In function `nft_reject_inet_eval':
> nft_reject_inet.c:(.text+0xa7): undefined reference to `nf_send_unreach6'
> nft_reject_inet.c:(.text+0x10c): undefined reference to `nf_send_unreach6'
> nft_reject_inet.c:(.text+0x138): undefined reference to `nf_send_reset6'
> 
> Unfortunately I don't immediately see what went wrong, maybe you
> can spot it.

Can you pass me your .config file? I will have a look at it. Thanks.
Looks like some missing Kconfig stuff.


Re: [PATCH 40/47] netfilter: nf_tables: build-in filter chain type

2018-04-04 Thread Arnd Bergmann
On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso  wrote:
> One module per supported filter chain family type takes too much memory
> for very little code - too much modularization - place all chain filter
> definitions in one single file.
>
> Signed-off-by: Pablo Neira Ayuso 

Hi Pablo,

I've bisected a link error to this patch:

net/netfilter/nft_reject_inet.o: In function `nft_reject_inet_eval':
nft_reject_inet.c:(.text+0xa7): undefined reference to `nf_send_unreach6'
nft_reject_inet.c:(.text+0x10c): undefined reference to `nf_send_unreach6'
nft_reject_inet.c:(.text+0x138): undefined reference to `nf_send_reset6'

Unfortunately I don't immediately see what went wrong, maybe you
can spot it.

   Arnd


[PATCH 40/47] netfilter: nf_tables: build-in filter chain type

2018-03-30 Thread Pablo Neira Ayuso
One module per supported filter chain family type takes too much memory
for very little code - too much modularization - place all chain filter
definitions in one single file.

Signed-off-by: Pablo Neira Ayuso 
---
 include/net/netfilter/nf_tables.h   |   3 +
 net/bridge/netfilter/Kconfig|   2 +-
 net/bridge/netfilter/Makefile   |   1 -
 net/bridge/netfilter/nf_tables_bridge.c |  81 ---
 net/ipv4/netfilter/Kconfig  |   4 +-
 net/ipv4/netfilter/Makefile |   2 -
 net/ipv4/netfilter/nf_tables_arp.c  |  60 -
 net/ipv4/netfilter/nf_tables_ipv4.c |  69 --
 net/ipv6/netfilter/Kconfig  |   2 +-
 net/ipv6/netfilter/Makefile |   1 -
 net/ipv6/netfilter/nf_tables_ipv6.c |  67 --
 net/netfilter/Kconfig   |   4 +-
 net/netfilter/Makefile  |   9 +-
 net/netfilter/nf_tables_api.c   |   3 +
 net/netfilter/nf_tables_inet.c  |  77 --
 net/netfilter/nf_tables_netdev.c| 140 ---
 net/netfilter/nft_chain_filter.c| 398 
 17 files changed, 414 insertions(+), 509 deletions(-)
 delete mode 100644 net/bridge/netfilter/nf_tables_bridge.c
 delete mode 100644 net/ipv4/netfilter/nf_tables_arp.c
 delete mode 100644 net/ipv4/netfilter/nf_tables_ipv4.c
 delete mode 100644 net/ipv6/netfilter/nf_tables_ipv6.c
 delete mode 100644 net/netfilter/nf_tables_inet.c
 delete mode 100644 net/netfilter/nf_tables_netdev.c
 create mode 100644 net/netfilter/nft_chain_filter.c

diff --git a/include/net/netfilter/nf_tables.h 
b/include/net/netfilter/nf_tables.h
index 1f7148fe0504..77c3c04c27ac 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1345,4 +1345,7 @@ struct nft_trans_flowtable {
 #define nft_trans_flowtable(trans) \
(((struct nft_trans_flowtable *)trans->data)->flowtable)
 
+int __init nft_chain_filter_init(void);
+void __exit nft_chain_filter_fini(void);
+
 #endif /* _NET_NF_TABLES_H */
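Review bot: The `__exit` qualifier on the header prototype `void __exit nft_chain_filter_fini(void);` (L107) is a section-mismatch hazard once the declaration is visible to every includer: when nf_tables is built in, `.exit.text` is discarded, so a call from anything that is not itself an exit function (an `__init` error-unwind path, say) would reference dropped code and modpost reports it. The only caller is presumably in the nf_tables_api.c hunk of this series, which is outside this excerpt, so whether that happens cannot be confirmed from these lines; if the unwind never needs fini, a short comment saying so next to the prototypes would stop the next person from adding such a call. The two declarations also arrive without any note of what they are for; a one-liner like `/* nft_chain_filter.c: set up / tear down the "filter" chain type definitions */` would fit the surrounding style.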
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 225d1668dfdd..f212447794bd 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -5,7 +5,7 @@
 menuconfig NF_TABLES_BRIDGE
depends on BRIDGE && NETFILTER && NF_TABLES
select NETFILTER_FAMILY_BRIDGE
-   tristate "Ethernet Bridge nf_tables support"
+   bool "Ethernet Bridge nf_tables support"
 
 if NF_TABLES_BRIDGE
 
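Review bot: NF_TABLES_BRIDGE becomes a `bool` (L119) while it still `depends on BRIDGE && NETFILTER && NF_TABLES` (L116), all of which are tristate; Kconfig treats an `m` dependency as satisfied for a bool, so the option can resolve to `y` when BRIDGE or NF_TABLES is `m`. Anything gated by NF_TABLES_BRIDGE can then be linked into a built-in object while symbols it needs live in a module, which is exactly the shape of the `undefined reference to nf_send_unreach6` report earlier in this thread (that one is on the ipv6 side; the ipv4/ipv6/netfilter Kconfig hunks making the same tristate-to-bool change are outside this excerpt). For the bridge family the risk looks low — the removed `nft_do_chain_bridge` only used the inline `eth_hdr()` helper (L171) — but that should be stated rather than assumed, and the same check is needed for each family whose option is converted. If any converted family does call into a modular object, either keep that option `tristate` or constrain its `depends on` so the bool cannot be `y` while the provider is `m`.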
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 2f28e16de6c7..4bc758dd4a8c 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -3,7 +3,6 @@
 # Makefile for the netfilter modules for Link Layer filtering on a bridge.
 #
 
-obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
 obj-$(CONFIG_NFT_BRIDGE_META)  += nft_meta_bridge.o
 obj-$(CONFIG_NFT_BRIDGE_REJECT)  += nft_reject_bridge.o
 
diff --git a/net/bridge/netfilter/nf_tables_bridge.c 
b/net/bridge/netfilter/nf_tables_bridge.c
deleted file mode 100644
index ffb8580dfdac..
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 2008 Patrick McHardy 
- * Copyright (c) 2013 Pablo Neira Ayuso 
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-static unsigned int
-nft_do_chain_bridge(void *priv,
-   struct sk_buff *skb,
-   const struct nf_hook_state *state)
-{
-   struct nft_pktinfo pkt;
-
-   nft_set_pktinfo(, skb, state);
-
-   switch (eth_hdr(skb)->h_proto) {
-   case htons(ETH_P_IP):
-   nft_set_pktinfo_ipv4_validate(, skb);
-   break;
-   case htons(ETH_P_IPV6):
-   nft_set_pktinfo_ipv6_validate(, skb);
-   break;
-   default:
-   nft_set_pktinfo_unspec(, skb);
-   break;
-   }
-
-   return nft_do_chain(, priv);
-}
-
-static const struct nft_chain_type filter_bridge = {
-   .name   = "filter",
-   .type   = NFT_CHAIN_T_DEFAULT,
-   .family = NFPROTO_BRIDGE,
-   .owner  = THIS_MODULE,
-   .hook_mask  = (1 << NF_BR_PRE_ROUTING) |
- (1 << NF_BR_LOCAL_IN) |
- (1 << NF_BR_FORWARD) |
- (1 << NF_BR_LOCAL_OUT) |
- (1 << NF_BR_POST_ROUTING),
-   .hooks  = {
-   [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
-   [NF_BR_LOCAL_IN]= nft_do_chain_bridge,
-   [NF_BR_FORWARD] = nft_do_chain_bridge,
-