| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.22.394.2201110953410.2167203@ramsan.of.borg>
Date: Tue, 11 Jan 2022 10:01:17 +0100 (CET)
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Pablo Neira Ayuso <pablo@...filter.org>,
Florian Westphal <fw@...len.de>
cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, kuba@...nel.org,
linux-kernel@...ux-m68k.org
Subject: Re: [PATCH net-next 10/32] netfilter: flowtable: remove ipv4/ipv6
modules
Hi Pablo, Florian,
On Mon, 10 Jan 2022, Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@...len.de>
>
> Just place the structs and registration in the inet module.
> nf_flow_table_ipv6, nf_flow_table_ipv4 and nf_flow_table_inet share
> same module dependencies: nf_flow_table, nf_tables.
>
> before:
> text data bss dec hex filename
> 2278 1480 0 3758 eae nf_flow_table_inet.ko
> 1159 1352 0 2511 9cf nf_flow_table_ipv6.ko
> 1154 1352 0 2506 9ca nf_flow_table_ipv4.ko
>
> after:
> 2369 1672 0 4041 fc9 nf_flow_table_inet.ko
>
> Signed-off-by: Florian Westphal <fw@...len.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
Thanks for your patch, which is now commit c42ba4290b2147aa
("netfilter: flowtable: remove ipv4/ipv6 modules") upstream.
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -59,12 +59,8 @@ config NF_TABLES_ARP
> endif # NF_TABLES
>
> config NF_FLOW_TABLE_IPV4
> - tristate "Netfilter flow table IPv4 module"
> - depends on NF_FLOW_TABLE
> - help
> - This option adds the flow table IPv4 support.
> -
> - To compile it as a module, choose M here.
> + tristate
> + select NF_FLOW_TABLE_INET
What is the point in keeping this symbol? It is invisble, selected
by nothing (so it can no longer be enabled), and its last user is
removed below.
Is there a mistake, or should this symbol just be removed?
> config NF_DUP_IPV4
> tristate "Netfilter IPv4 packet duplication to alternate destination"
> --- a/net/ipv4/netfilter/Makefile
> +++ b/net/ipv4/netfilter/Makefile
> @@ -24,9 +24,6 @@ obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
> obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
> obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
>
> -# flow table support
> -obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o
> -
> # generic IP tables
> obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -48,12 +48,8 @@ endif # NF_TABLES_IPV6
> endif # NF_TABLES
>
> config NF_FLOW_TABLE_IPV6
> - tristate "Netfilter flow table IPv6 module"
> - depends on NF_FLOW_TABLE
> - help
> - This option adds the flow table IPv6 support.
> -
> - To compile it as a module, choose M here.
> + tristate
> + select NF_FLOW_TABLE_INET
Likewise, except that its last user was not removed:
net/ipv6/netfilter/Makefile:obj-$(CONFIG_NF_FLOW_TABLE_IPV6) += nf_flow_table_ipv6.o
> config NF_DUP_IPV6
> tristate "Netfilter IPv6 packet duplication to alternate destination"
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Powered by blists - more mailing lists