+1 -1

include/linux/netfilter.h

reviewed

··· 15 15 #include <linux/netdevice.h> 16 16 #include <net/net_namespace.h> 17 17 18 18 - #ifdef CONFIG_NETFILTER 19 18 static inline int NF_DROP_GETERR(int verdict) 20 19 { 21 20 return -(verdict >> NF_VERDICT_QBITS); ··· 117 118 */ 118 119 }; 119 120 121 121 + #ifdef CONFIG_NETFILTER 120 122 static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e) 121 123 { 122 124 unsigned int n = e->num_hook_entries;

-6

include/linux/netfilter/x_tables.h

reviewed

··· 35 35 union { 36 36 const void *matchinfo, *targinfo; 37 37 }; 38 38 - #if IS_ENABLED(CONFIG_NETFILTER) 39 38 const struct nf_hook_state *state; 40 40 - #endif 41 39 int fragoff; 42 40 unsigned int thoff; 43 41 bool hotdrop; 44 42 }; 45 43 46 46 - #if IS_ENABLED(CONFIG_NETFILTER) 47 44 static inline struct net *xt_net(const struct xt_action_param *par) 48 45 { 49 46 return par->state->net; ··· 75 78 { 76 79 return par->state->pf; 77 80 } 78 78 - #endif 79 81 80 82 /** 81 83 * struct xt_mtchk_param - parameters for match extensions' ··· 446 450 return cnt; 447 451 } 448 452 449 449 - #if IS_ENABLED(CONFIG_NETFILTER) 450 453 struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *); 451 451 - #endif 452 454 453 455 #ifdef CONFIG_COMPAT 454 456 #include <net/compat.h>

-2

include/linux/netfilter_arp/arp_tables.h

reviewed

··· 49 49 } 50 50 51 51 extern void *arpt_alloc_initial_table(const struct xt_table *); 52 52 - #if IS_ENABLED(CONFIG_NETFILTER) 53 52 int arpt_register_table(struct net *net, const struct xt_table *table, 54 53 const struct arpt_replace *repl, 55 54 const struct nf_hook_ops *ops, struct xt_table **res); ··· 57 58 extern unsigned int arpt_do_table(struct sk_buff *skb, 58 59 const struct nf_hook_state *state, 59 60 struct xt_table *table); 60 60 - #endif 61 61 62 62 #ifdef CONFIG_COMPAT 63 63 #include <net/compat.h>

+1 -2

include/linux/netfilter_bridge/ebtables.h

reviewed

··· 105 105 106 106 #define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \ 107 107 ~(__alignof__(struct _xt_align)-1)) 108 108 - #if IS_ENABLED(CONFIG_NETFILTER) 108 108 + 109 109 extern int ebt_register_table(struct net *net, 110 110 const struct ebt_table *table, 111 111 const struct nf_hook_ops *ops, ··· 115 115 extern unsigned int ebt_do_table(struct sk_buff *skb, 116 116 const struct nf_hook_state *state, 117 117 struct ebt_table *table); 118 118 - #endif 119 118 120 119 /* True if the hook mask denotes that the rule is in a base chain, 121 120 * used in the check() functions */

+1 -6

include/linux/netfilter_ipv4/ip_tables.h

reviewed

··· 17 17 18 18 #include <linux/if.h> 19 19 #include <linux/in.h> 20 20 + #include <linux/init.h> 20 21 #include <linux/ip.h> 21 22 #include <linux/skbuff.h> 22 22 - 23 23 - #include <linux/init.h> 24 23 #include <uapi/linux/netfilter_ipv4/ip_tables.h> 25 24 26 26 - #if IS_ENABLED(CONFIG_NETFILTER) 27 25 int ipt_register_table(struct net *net, const struct xt_table *table, 28 26 const struct ipt_replace *repl, 29 27 const struct nf_hook_ops *ops, struct xt_table **res); 30 28 void ipt_unregister_table(struct net *net, struct xt_table *table, 31 29 const struct nf_hook_ops *ops); 32 32 - #endif 33 30 34 31 /* Standard entry. */ 35 32 struct ipt_standard { ··· 62 65 } 63 66 64 67 extern void *ipt_alloc_initial_table(const struct xt_table *); 65 65 - #if IS_ENABLED(CONFIG_NETFILTER) 66 68 extern unsigned int ipt_do_table(struct sk_buff *skb, 67 69 const struct nf_hook_state *state, 68 70 struct xt_table *table); 69 69 - #endif 70 71 71 72 #ifdef CONFIG_COMPAT 72 73 #include <net/compat.h>

+1 -4

include/linux/netfilter_ipv6/ip6_tables.h

reviewed

··· 17 17 18 18 #include <linux/if.h> 19 19 #include <linux/in6.h> 20 20 + #include <linux/init.h> 20 21 #include <linux/ipv6.h> 21 22 #include <linux/skbuff.h> 22 22 - 23 23 - #include <linux/init.h> 24 23 #include <uapi/linux/netfilter_ipv6/ip6_tables.h> 25 24 26 25 extern void *ip6t_alloc_initial_table(const struct xt_table *); 27 26 28 28 - #if IS_ENABLED(CONFIG_NETFILTER) 29 27 int ip6t_register_table(struct net *net, const struct xt_table *table, 30 28 const struct ip6t_replace *repl, 31 29 const struct nf_hook_ops *ops, struct xt_table **res); ··· 32 34 extern unsigned int ip6t_do_table(struct sk_buff *skb, 33 35 const struct nf_hook_state *state, 34 36 struct xt_table *table); 35 35 - #endif 36 37 37 38 #ifdef CONFIG_COMPAT 38 39 #include <net/compat.h>

-2

include/net/netfilter/br_netfilter.h

reviewed

··· 55 55 struct net_device *setup_pre_routing(struct sk_buff *skb, 56 56 const struct net *net); 57 57 58 58 - #if IS_ENABLED(CONFIG_NETFILTER) 59 58 #if IS_ENABLED(CONFIG_IPV6) 60 59 int br_validate_ipv6(struct net *net, struct sk_buff *skb); 61 60 unsigned int br_nf_pre_routing_ipv6(void *priv, ··· 72 73 { 73 74 return NF_ACCEPT; 74 75 } 75 75 - #endif 76 76 #endif 77 77 78 78 #endif /* _BR_NETFILTER_H_ */

+2 -2

include/net/netfilter/nf_conntrack_bridge.h

reviewed

··· 5 5 #include <linux/types.h> 6 6 #include <uapi/linux/if_ether.h> 7 7 8 8 + struct nf_hook_ops; 9 9 + 8 10 struct nf_ct_bridge_info { 9 9 - #if IS_ENABLED(CONFIG_NETFILTER) 10 11 struct nf_hook_ops *ops; 11 11 - #endif 12 12 unsigned int ops_size; 13 13 struct module *me; 14 14 };

+2 -3

include/net/netfilter/nf_conntrack_core.h

reviewed

··· 22 22 standalone connection tracking module, and the compatibility layer's use 23 23 of connection tracking. */ 24 24 25 25 - #if IS_ENABLED(CONFIG_NETFILTER) 26 26 - unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state); 27 27 - #endif 25 25 + unsigned int nf_conntrack_in(struct sk_buff *skb, 26 26 + const struct nf_hook_state *state); 28 27 29 28 int nf_conntrack_init_net(struct net *net); 30 29 void nf_conntrack_cleanup_net(struct net *net);

-2

include/net/netfilter/nf_conntrack_l4proto.h

reviewed

··· 75 75 bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple, 76 76 const struct nf_conntrack_tuple *orig); 77 77 78 78 - #if IS_ENABLED(CONFIG_NETFILTER) 79 78 int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb, 80 79 unsigned int dataoff, 81 80 const struct nf_hook_state *state, ··· 131 132 unsigned int dataoff, 132 133 enum ip_conntrack_info ctinfo, 133 134 const struct nf_hook_state *state); 134 134 - #endif 135 135 136 136 void nf_conntrack_generic_init_net(struct net *net); 137 137 void nf_conntrack_tcp_init_net(struct net *net);

-2

include/net/netfilter/nf_conntrack_tuple.h

reviewed

··· 121 121 struct nf_conntrack_tuple tuple; 122 122 }; 123 123 124 124 - #if IS_ENABLED(CONFIG_NETFILTER) 125 124 static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, 126 125 const struct nf_conntrack_tuple *t2) 127 126 { ··· 183 184 return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && 184 185 __nf_ct_tuple_dst_equal(t, tuple); 185 186 } 186 186 - #endif 187 187 188 188 #endif /* _NF_CONNTRACK_TUPLE_H */

-4

include/net/netfilter/nf_flow_table.h

reviewed

··· 17 17 int family; 18 18 int (*init)(struct nf_flowtable *ft); 19 19 void (*free)(struct nf_flowtable *ft); 20 20 - #if IS_ENABLED(CONFIG_NETFILTER) 21 20 nf_hookfn *hook; 22 22 - #endif 23 21 struct module *owner; 24 22 }; 25 23 ··· 115 117 __be16 source, dest; 116 118 }; 117 119 118 118 - #if IS_ENABLED(CONFIG_NETFILTER) 119 120 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 120 121 const struct nf_hook_state *state); 121 122 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, 122 123 const struct nf_hook_state *state); 123 123 - #endif 124 124 125 125 #define MODULE_ALIAS_NF_FLOWTABLE(family) \ 126 126 MODULE_ALIAS("nf-flowtable-" __stringify(family))

-4

include/net/netfilter/nf_nat.h

reviewed

··· 68 68 #endif 69 69 } 70 70 71 71 - #if IS_ENABLED(CONFIG_NETFILTER) 72 71 int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops, 73 72 const struct nf_hook_ops *nat_ops, unsigned int ops_count); 74 73 void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops, 75 74 unsigned int ops_count); 76 76 - #endif 77 75 78 76 unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo, 79 77 unsigned int hooknum, struct sk_buff *skb); ··· 91 93 enum ip_conntrack_info ctinfo, 92 94 unsigned int hooknum, unsigned int hdrlen); 93 95 94 94 - #if IS_ENABLED(CONFIG_NETFILTER) 95 96 int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops); 96 97 void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops); 97 98 ··· 103 106 unsigned int 104 107 nf_nat_inet_fn(void *priv, struct sk_buff *skb, 105 108 const struct nf_hook_state *state); 106 106 - #endif 107 109 108 110 int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family); 109 111

-4

include/net/netfilter/nf_queue.h

reviewed

··· 15 15 unsigned int id; 16 16 unsigned int hook_index; /* index in hook_entries->hook[] */ 17 17 18 18 - #if IS_ENABLED(CONFIG_NETFILTER) 19 18 struct nf_hook_state state; 20 20 - #endif 21 19 u16 size; /* sizeof(entry) + saved route keys */ 22 20 23 21 /* extra space to store route keys */ ··· 121 123 return queue; 122 124 } 123 125 124 124 - #if IS_ENABLED(CONFIG_NETFILTER) 125 126 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state, 126 127 unsigned int index, unsigned int verdict); 127 127 - #endif 128 128 129 129 #endif /* _NF_QUEUE_H */

+2 -4

include/net/netfilter/nf_synproxy.h

reviewed

··· 58 58 const struct tcphdr *th, 59 59 struct synproxy_options *opts, u32 recv_seq); 60 60 61 61 - #if IS_ENABLED(CONFIG_NETFILTER) 61 61 + struct nf_hook_state; 62 62 + 62 63 unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb, 63 64 const struct nf_hook_state *nhs); 64 64 - #endif 65 65 int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net); 66 66 void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net); 67 67 ··· 75 75 const struct tcphdr *th, 76 76 struct synproxy_options *opts, u32 recv_seq); 77 77 78 78 - #if IS_ENABLED(CONFIG_NETFILTER) 79 78 unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb, 80 79 const struct nf_hook_state *nhs); 81 81 - #endif 82 80 int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net); 83 81 void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net); 84 82 #else

-8

include/net/netfilter/nf_tables.h

reviewed

··· 26 26 struct xt_action_param xt; 27 27 }; 28 28 29 29 - #if IS_ENABLED(CONFIG_NETFILTER) 30 29 static inline struct net *nft_net(const struct nft_pktinfo *pkt) 31 30 { 32 31 return pkt->xt.state->net; ··· 58 59 pkt->skb = skb; 59 60 pkt->xt.state = state; 60 61 } 61 61 - #endif 62 62 63 63 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt, 64 64 struct sk_buff *skb) ··· 945 947 int family; 946 948 struct module *owner; 947 949 unsigned int hook_mask; 948 948 - #if IS_ENABLED(CONFIG_NETFILTER) 949 950 nf_hookfn *hooks[NF_MAX_HOOKS]; 950 951 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops); 951 952 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops); 952 952 - #endif 953 953 }; 954 954 955 955 int nft_chain_validate_dependency(const struct nft_chain *chain, ··· 973 977 * @flow_block: flow block (for hardware offload) 974 978 */ 975 979 struct nft_base_chain { 976 976 - #if IS_ENABLED(CONFIG_NETFILTER) 977 980 struct nf_hook_ops ops; 978 978 - #endif 979 981 const struct nft_chain_type *type; 980 982 u8 policy; 981 983 u8 flags; ··· 1173 1179 use:30; 1174 1180 u64 handle; 1175 1181 /* runtime data below here */ 1176 1176 - #if IS_ENABLED(CONFIG_NETFILTER) 1177 1182 struct nf_hook_ops *ops ____cacheline_aligned; 1178 1178 - #endif 1179 1183 struct nf_flowtable data; 1180 1184 }; 1181 1185