tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: add missing IS_ENABLED(CONFIG_NETFILTER) checks to some header-files.
linux/netfilter.h defines a number of struct and inline function
definitions which are only available is CONFIG_NETFILTER is enabled.
These structs and functions are used in declarations and definitions in
other header-files. Added preprocessor checks to make sure these
headers will compile if CONFIG_NETFILTER is disabled.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
authored by
Jeremy Sowden
and committed by
Pablo Neira Ayuso
78458e3e
0abc8bf4
+52
+6
include/linux/netfilter/x_tables.h
+6
include/linux/netfilter/x_tables.h
···
35
35
union {
36
36
const void *matchinfo, *targinfo;
37
37
};
38
+
#if IS_ENABLED(CONFIG_NETFILTER)
38
39
const struct nf_hook_state *state;
40
+
#endif
39
41
int fragoff;
40
42
unsigned int thoff;
41
43
bool hotdrop;
42
44
};
43
45
46
+
#if IS_ENABLED(CONFIG_NETFILTER)
44
47
static inline struct net *xt_net(const struct xt_action_param *par)
45
48
{
46
49
return par->state->net;
···
78
75
{
79
76
return par->state->pf;
80
77
}
78
+
#endif
81
79
82
80
/**
83
81
* struct xt_mtchk_param - parameters for match extensions'
···
450
446
return cnt;
451
447
}
452
448
449
+
#if IS_ENABLED(CONFIG_NETFILTER)
453
450
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
451
+
#endif
454
452
455
453
#ifdef CONFIG_COMPAT
456
454
#include <net/compat.h>
+2
include/linux/netfilter_arp/arp_tables.h
+2
include/linux/netfilter_arp/arp_tables.h
···
49
49
}
50
50
51
51
extern void *arpt_alloc_initial_table(const struct xt_table *);
52
+
#if IS_ENABLED(CONFIG_NETFILTER)
52
53
int arpt_register_table(struct net *net, const struct xt_table *table,
53
54
const struct arpt_replace *repl,
54
55
const struct nf_hook_ops *ops, struct xt_table **res);
···
58
57
extern unsigned int arpt_do_table(struct sk_buff *skb,
59
58
const struct nf_hook_state *state,
60
59
struct xt_table *table);
60
+
#endif
61
61
62
62
#ifdef CONFIG_COMPAT
63
63
#include <net/compat.h>
+2
include/linux/netfilter_bridge/ebtables.h
+2
include/linux/netfilter_bridge/ebtables.h
···
105
105
106
106
#define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
107
107
~(__alignof__(struct _xt_align)-1))
108
+
#if IS_ENABLED(CONFIG_NETFILTER)
108
109
extern int ebt_register_table(struct net *net,
109
110
const struct ebt_table *table,
110
111
const struct nf_hook_ops *ops,
···
115
114
extern unsigned int ebt_do_table(struct sk_buff *skb,
116
115
const struct nf_hook_state *state,
117
116
struct ebt_table *table);
117
+
#endif
118
118
119
119
/* True if the hook mask denotes that the rule is in a base chain,
120
120
* used in the check() functions */
+4
include/linux/netfilter_ipv4/ip_tables.h
+4
include/linux/netfilter_ipv4/ip_tables.h
···
25
25
26
26
extern void ipt_init(void) __init;
27
27
28
+
#if IS_ENABLED(CONFIG_NETFILTER)
28
29
int ipt_register_table(struct net *net, const struct xt_table *table,
29
30
const struct ipt_replace *repl,
30
31
const struct nf_hook_ops *ops, struct xt_table **res);
31
32
void ipt_unregister_table(struct net *net, struct xt_table *table,
32
33
const struct nf_hook_ops *ops);
34
+
#endif
33
35
34
36
/* Standard entry. */
35
37
struct ipt_standard {
···
67
65
}
68
66
69
67
extern void *ipt_alloc_initial_table(const struct xt_table *);
68
+
#if IS_ENABLED(CONFIG_NETFILTER)
70
69
extern unsigned int ipt_do_table(struct sk_buff *skb,
71
70
const struct nf_hook_state *state,
72
71
struct xt_table *table);
72
+
#endif
73
73
74
74
#ifdef CONFIG_COMPAT
75
75
#include <net/compat.h>
+2
include/linux/netfilter_ipv6/ip6_tables.h
+2
include/linux/netfilter_ipv6/ip6_tables.h
···
26
26
extern void ip6t_init(void) __init;
27
27
28
28
extern void *ip6t_alloc_initial_table(const struct xt_table *);
29
+
#if IS_ENABLED(CONFIG_NETFILTER)
29
30
int ip6t_register_table(struct net *net, const struct xt_table *table,
30
31
const struct ip6t_replace *repl,
31
32
const struct nf_hook_ops *ops, struct xt_table **res);
···
35
34
extern unsigned int ip6t_do_table(struct sk_buff *skb,
36
35
const struct nf_hook_state *state,
37
36
struct xt_table *table);
37
+
#endif
38
38
39
39
/* Check for an extension */
40
40
static inline int
+2
include/net/netfilter/br_netfilter.h
+2
include/net/netfilter/br_netfilter.h
···
55
55
struct net_device *setup_pre_routing(struct sk_buff *skb,
56
56
const struct net *net);
57
57
58
+
#if IS_ENABLED(CONFIG_NETFILTER)
58
59
#if IS_ENABLED(CONFIG_IPV6)
59
60
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
60
61
unsigned int br_nf_pre_routing_ipv6(void *priv,
···
73
72
{
74
73
return NF_ACCEPT;
75
74
}
75
+
#endif
76
76
#endif
77
77
78
78
#endif /* _BR_NETFILTER_H_ */
+2
include/net/netfilter/nf_conntrack_bridge.h
+2
include/net/netfilter/nf_conntrack_bridge.h
+3
include/net/netfilter/nf_conntrack_core.h
+3
include/net/netfilter/nf_conntrack_core.h
···
20
20
/* This header is used to share core functionality between the
21
21
standalone connection tracking module, and the compatibility layer's use
22
22
of connection tracking. */
23
+
24
+
#if IS_ENABLED(CONFIG_NETFILTER)
23
25
unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state);
26
+
#endif
24
27
25
28
int nf_conntrack_init_net(struct net *net);
26
29
void nf_conntrack_cleanup_net(struct net *net);
+2
include/net/netfilter/nf_conntrack_l4proto.h
+2
include/net/netfilter/nf_conntrack_l4proto.h
···
75
75
bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,
76
76
const struct nf_conntrack_tuple *orig);
77
77
78
+
#if IS_ENABLED(CONFIG_NETFILTER)
78
79
int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
79
80
unsigned int dataoff,
80
81
const struct nf_hook_state *state,
···
132
131
unsigned int dataoff,
133
132
enum ip_conntrack_info ctinfo,
134
133
const struct nf_hook_state *state);
134
+
#endif
135
135
136
136
void nf_conntrack_generic_init_net(struct net *net);
137
137
void nf_conntrack_tcp_init_net(struct net *net);
+2
include/net/netfilter/nf_conntrack_tuple.h
+2
include/net/netfilter/nf_conntrack_tuple.h
···
121
121
struct nf_conntrack_tuple tuple;
122
122
};
123
123
124
+
#if IS_ENABLED(CONFIG_NETFILTER)
124
125
static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
125
126
const struct nf_conntrack_tuple *t2)
126
127
{
···
184
183
return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
185
184
__nf_ct_tuple_dst_equal(t, tuple);
186
185
}
186
+
#endif
187
187
188
188
#endif /* _NF_CONNTRACK_TUPLE_H */
+4
include/net/netfilter/nf_flow_table.h
+4
include/net/netfilter/nf_flow_table.h
···
17
17
int family;
18
18
int (*init)(struct nf_flowtable *ft);
19
19
void (*free)(struct nf_flowtable *ft);
20
+
#if IS_ENABLED(CONFIG_NETFILTER)
20
21
nf_hookfn *hook;
22
+
#endif
21
23
struct module *owner;
22
24
};
23
25
···
117
115
__be16 source, dest;
118
116
};
119
117
118
+
#if IS_ENABLED(CONFIG_NETFILTER)
120
119
unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
121
120
const struct nf_hook_state *state);
122
121
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
123
122
const struct nf_hook_state *state);
123
+
#endif
124
124
125
125
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
126
126
MODULE_ALIAS("nf-flowtable-" __stringify(family))
+4
include/net/netfilter/nf_nat.h
+4
include/net/netfilter/nf_nat.h
···
69
69
#endif
70
70
}
71
71
72
+
#if IS_ENABLED(CONFIG_NETFILTER)
72
73
int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
73
74
const struct nf_hook_ops *nat_ops, unsigned int ops_count);
74
75
void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
75
76
unsigned int ops_count);
77
+
#endif
76
78
77
79
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
78
80
unsigned int hooknum, struct sk_buff *skb);
···
94
92
enum ip_conntrack_info ctinfo,
95
93
unsigned int hooknum, unsigned int hdrlen);
96
94
95
+
#if IS_ENABLED(CONFIG_NETFILTER)
97
96
int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
98
97
void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
99
98
···
107
104
unsigned int
108
105
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
109
106
const struct nf_hook_state *state);
107
+
#endif
110
108
111
109
int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);
112
110
+5
include/net/netfilter/nf_queue.h
+5
include/net/netfilter/nf_queue.h
···
15
15
unsigned int id;
16
16
unsigned int hook_index; /* index in hook_entries->hook[] */
17
17
18
+
#if IS_ENABLED(CONFIG_NETFILTER)
18
19
struct nf_hook_state state;
20
+
#endif
19
21
u16 size; /* sizeof(entry) + saved route keys */
20
22
21
23
/* extra space to store route keys */
···
123
121
return queue;
124
122
}
125
123
124
+
#if IS_ENABLED(CONFIG_NETFILTER)
126
125
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
127
126
unsigned int index, unsigned int verdict);
127
+
#endif
128
+
128
129
#endif /* _NF_QUEUE_H */
+4
include/net/netfilter/nf_synproxy.h
+4
include/net/netfilter/nf_synproxy.h
···
20
20
const struct tcphdr *th,
21
21
struct synproxy_options *opts, u32 recv_seq);
22
22
23
+
#if IS_ENABLED(CONFIG_NETFILTER)
23
24
unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
24
25
const struct nf_hook_state *nhs);
26
+
#endif
25
27
int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
26
28
void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
27
29
···
37
35
const struct tcphdr *th,
38
36
struct synproxy_options *opts, u32 recv_seq);
39
37
38
+
#if IS_ENABLED(CONFIG_NETFILTER)
40
39
unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
41
40
const struct nf_hook_state *nhs);
41
+
#endif
42
42
int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
43
43
void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
44
44
#else
+8
include/net/netfilter/nf_tables.h
+8
include/net/netfilter/nf_tables.h
···
25
25
struct xt_action_param xt;
26
26
};
27
27
28
+
#if IS_ENABLED(CONFIG_NETFILTER)
28
29
static inline struct net *nft_net(const struct nft_pktinfo *pkt)
29
30
{
30
31
return pkt->xt.state->net;
···
58
57
pkt->skb = skb;
59
58
pkt->xt.state = state;
60
59
}
60
+
#endif
61
61
62
62
static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
63
63
struct sk_buff *skb)
···
929
927
int family;
930
928
struct module *owner;
931
929
unsigned int hook_mask;
930
+
#if IS_ENABLED(CONFIG_NETFILTER)
932
931
nf_hookfn *hooks[NF_MAX_HOOKS];
933
932
int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
934
933
void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
934
+
#endif
935
935
};
936
936
937
937
int nft_chain_validate_dependency(const struct nft_chain *chain,
···
959
955
* @flow_block: flow block (for hardware offload)
960
956
*/
961
957
struct nft_base_chain {
958
+
#if IS_ENABLED(CONFIG_NETFILTER)
962
959
struct nf_hook_ops ops;
960
+
#endif
963
961
const struct nft_chain_type *type;
964
962
u8 policy;
965
963
u8 flags;
···
1158
1152
use:30;
1159
1153
u64 handle;
1160
1154
/* runtime data below here */
1155
+
#if IS_ENABLED(CONFIG_NETFILTER)
1161
1156
struct nf_hook_ops *ops ____cacheline_aligned;
1157
+
#endif
1162
1158
struct nf_flowtable data;
1163
1159
};
1164
1160