Open Source and information security mailing list archives
 
Date:   Tue, 11 Jan 2022 10:01:17 +0100 (CET)
From:   Geert Uytterhoeven <geert@...ux-m68k.org>
To:     Pablo Neira Ayuso <pablo@...filter.org>,
        Florian Westphal <fw@...len.de>
cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, kuba@...nel.org,
        linux-kernel@...ux-m68k.org
Subject: Re: [PATCH net-next 10/32] netfilter: flowtable: remove ipv4/ipv6
 modules

 	Hi Pablo, Florian,

On Mon, 10 Jan 2022, Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@...len.de>
>
> Just place the structs and registration in the inet module.
> nf_flow_table_ipv6, nf_flow_table_ipv4 and nf_flow_table_inet share
> same module dependencies: nf_flow_table, nf_tables.
>
> before:
>   text	   data	    bss	    dec	    hex	filename
>   2278	   1480	      0	   3758	    eae	nf_flow_table_inet.ko
>   1159	   1352	      0	   2511	    9cf	nf_flow_table_ipv6.ko
>   1154	   1352	      0	   2506	    9ca	nf_flow_table_ipv4.ko
>
> after:
>   2369	   1672	      0	   4041	    fc9	nf_flow_table_inet.ko
>
> Signed-off-by: Florian Westphal <fw@...len.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>

Thanks for your patch, which is now commit c42ba4290b2147aa
("netfilter: flowtable: remove ipv4/ipv6 modules") upstream.

> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -59,12 +59,8 @@ config NF_TABLES_ARP
> endif # NF_TABLES
>
> config NF_FLOW_TABLE_IPV4
> -	tristate "Netfilter flow table IPv4 module"
> -	depends on NF_FLOW_TABLE
> -	help
> -	  This option adds the flow table IPv4 support.
> -
> -	  To compile it as a module, choose M here.
> +	tristate
> +	select NF_FLOW_TABLE_INET

What is the point in keeping this symbol? It is invisible, selected
by nothing (so it can no longer be enabled), and its last user is
removed below.
Is there a mistake, or should this symbol just be removed?

> config NF_DUP_IPV4
> 	tristate "Netfilter IPv4 packet duplication to alternate destination"
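
Review bot: In the NF_FLOW_TABLE_IPV4 entry, the `depends on NF_FLOW_TABLE` line is dropped while `select NF_FLOW_TABLE_INET` is added, and select does not honour the selected symbol's own dependencies, so enabling this entry would force NF_FLOW_TABLE_INET on unchecked. With the prompt string also removed, nothing in the quoted hunks can enable the entry at all, so the select never fires. If the intent is to carry existing configs over to the inet module, keep a prompt and the depends line; otherwise drop the entry entirely.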

> --- a/net/ipv4/netfilter/Makefile
> +++ b/net/ipv4/netfilter/Makefile
> @@ -24,9 +24,6 @@ obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
>  obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
>  obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
> 
> -# flow table support
> -obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o
> -
>  # generic IP tables
>  obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o

> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -48,12 +48,8 @@ endif # NF_TABLES_IPV6
> endif # NF_TABLES
>
> config NF_FLOW_TABLE_IPV6
> -	tristate "Netfilter flow table IPv6 module"
> -	depends on NF_FLOW_TABLE
> -	help
> -	  This option adds the flow table IPv6 support.
> -
> -	  To compile it as a module, choose M here.
> +	tristate
> +	select NF_FLOW_TABLE_INET

Likewise, except that its last user was not removed:

     net/ipv6/netfilter/Makefile:obj-$(CONFIG_NF_FLOW_TABLE_IPV6) += nf_flow_table_ipv6.o

> config NF_DUP_IPV6
> 	tristate "Netfilter IPv6 packet duplication to alternate destination"
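
Review bot: The quoted patch has no net/ipv6/netfilter/Makefile hunk matching the IPv4 Makefile cleanup, so the `obj-$(CONFIG_NF_FLOW_TABLE_IPV6)` line cited in the reply stays gated on a symbol that this hunk turns into a promptless `tristate`. Suggest removing that Makefile line in the same change and settling NF_FLOW_TABLE_IPV6 together with NF_FLOW_TABLE_IPV4 (both removed, or both kept with a prompt), so the two address families stay symmetric.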

Gr{oetje,eeting}s,

 						Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
 							    -- Linus Torvalds
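
The condition raised in the reply above (a Kconfig symbol with no prompt that nothing selects, yet still referenced from a Makefile) can be checked mechanically. The following is an added example, not part of the original message or of the kernel tree; the function names are hypothetical, the sample Kconfig and Makefile text is constructed, and only a subset of Kconfig syntax is handled, so all Kconfig files of a tree would have to be passed in together.

```python
import re

# Constructed sample modelled on the post-patch state discussed in this thread;
# not a copy of the kernel tree. The INET prompt string is a placeholder.
KCONFIG = """\
config NF_FLOW_TABLE_INET
    tristate "flow table inet module (placeholder prompt)"
    depends on NF_FLOW_TABLE

config NF_FLOW_TABLE_IPV4
    tristate
    select NF_FLOW_TABLE_INET

config NF_FLOW_TABLE_IPV6
    tristate
    select NF_FLOW_TABLE_INET
"""
MAKEFILE = """\
obj-$(CONFIG_NF_FLOW_TABLE_IPV6) += nf_flow_table_ipv6.o
obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
"""

def parse_kconfig(text):
    """Map each symbol to whether it has a prompt or default, and what it selects."""
    symbols, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if (m := re.match(r'(?:menu)?config\s+(\w+)', line)):
            cur = symbols.setdefault(m.group(1), {"prompt": False, "default": False, "selects": set()})
        elif cur is None:
            continue
        elif s == "help":
            cur = None  # ignore free-form help text until the next entry
        elif re.match(r'(tristate|bool|int|hex|string|prompt)\s+"', s):
            cur["prompt"] = True
        elif re.match(r'(default|def_bool|def_tristate)\b', s):
            cur["default"] = True
        elif (m := re.match(r'(select|imply)\s+(\w+)', s)):
            cur["selects"].add(m.group(2))
    return symbols

def unreachable_symbols(symbols):
    """No prompt, no default, no selector anywhere: the symbol can only ever be n."""
    selected = set().union(*(v["selects"] for v in symbols.values()))
    return sorted(n for n, v in symbols.items()
                  if not (v["prompt"] or v["default"] or n in selected))

def dead_makefile_lines(makefile, dead):
    """Makefile lines gated on a CONFIG_ symbol from `dead`."""
    return [l.strip() for l in makefile.splitlines()
            if (m := re.search(r'\$\(CONFIG_(\w+)\)', l)) and m.group(1) in dead]
```

On the constructed input, both stub symbols are reported as unreachable and the IPv6 Makefile line is reported as dead, while the inet entries are not flagged.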
