struct net contains:

    struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.

... and that needs a *lot* more space than what we really need.

We only need hooks for arp, bridge, ipv4, ipv6 and decnet.
Arp only has 3 hook types, decnet has 7, all others have 5.

So replace this with dedicated arrays of the correct size to save some space.

Changes since RFC:
- bridge only needs 5, not 6 hooks (BROUTE isn't a real hookpoint)
- Use run-time check to reject register requests for hook types that
  don't fit the array size. RFC tried to use BUILD_BUG_ON checks in
  nf_hook(), but that breaks build on some older gcc releases.

 include/linux/netfilter.h       | 30 ++++++++++++++++++--
 include/net/netns/netfilter.h   | 15 +++++++++-
 net/bridge/br_netfilter_hooks.c |  2 -
 net/netfilter/core.c            | 60 ++++++++++++++++++++++++++++++++++------
 net/netfilter/nf_queue.c        | 21 ++++++++++++--
 5 files changed, 114 insertions(+), 14 deletions(-)
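The layout change and the run-time registration check described in the cover letter, as an added userspace model (not the patch's own code): the old and new structs are sized from the numbers quoted above, the family enum and the `check_register()` / `bytes_saved()` helpers are assumptions made for the illustration, and the saved size is computed from the two struct definitions.

```c
/* Constructed userspace model of the per-family hook arrays; the kernel's
 * real layout lives in include/net/netns/netfilter.h, not here. */
#include <stddef.h>
#include <errno.h>

#define NFPROTO_NUMPROTO 13   /* values quoted in the cover letter */
#define NF_MAX_HOOKS     8

/* Hypothetical family ids for this model only. */
enum nfp_family { NFP_ARP, NFP_BRIDGE, NFP_IPV4, NFP_IPV6, NFP_DECNET };

struct nf_hook_entries;       /* opaque here, as it is behind __rcu in net */

/* Old layout: every one of the 13 families gets 8 slots, used or not. */
struct hooks_old {
    struct nf_hook_entries *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
};

/* New layout: one array per supported family, sized to its hook count
 * (arp 3, bridge 5, ipv4 5, ipv6 5, decnet 7). */
struct hooks_new {
    struct nf_hook_entries *arp[3];
    struct nf_hook_entries *bridge[5];
    struct nf_hook_entries *ipv4[5];
    struct nf_hook_entries *ipv6[5];
    struct nf_hook_entries *decnet[7];
};

/* Slots a family really has; 0 for anything without a dedicated array. */
static unsigned int hooks_per_family(enum nfp_family pf)
{
    switch (pf) {
    case NFP_ARP:    return 3;
    case NFP_BRIDGE: return 5;
    case NFP_IPV4:   return 5;
    case NFP_IPV6:   return 5;
    case NFP_DECNET: return 7;
    default:         return 0;
    }
}

/* The run-time check that replaces the RFC's BUILD_BUG_ON: a register
 * request whose hooknum does not fit the family's array is rejected. */
int check_register(enum nfp_family pf, unsigned int hooknum)
{
    return hooknum < hooks_per_family(pf) ? 0 : -EINVAL;
}

/* Bytes saved per struct net by the dedicated arrays (79 fewer pointers). */
size_t bytes_saved(void)
{
    return sizeof(struct hooks_old) - sizeof(struct hooks_new);
}
```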