This series removes the following module options by merging them into
the nftables core:

CONFIG_NFT_EXTHDR=y
CONFIG_NFT_META=y
CONFIG_NFT_RT=y
CONFIG_NFT_BRIDGE_META=y

Before:
  96407    2064     400   98871   18237 net/netfilter/nf_tables.ko
After:
 106410    2392     401  109203   1aa93 net/netfilter/nf_tables.ko

which is a ~10% increase post-merging.

If it's deemed too much, we can keep nft_meta and nft_exthdr as extra
modules and merge rt into meta instead.

However, I think meta is too important from a functionality p.o.v.
so that it doesn't make much sense to offer an off-config option for it.

NF_NAT_REDIRECT
NF_NAT_MASQUERADE_IPV4
NF_NAT_MASQUERADE_IPV6

are downgraded to dependency-only symbols.
Redirect and masquerade are then built into nf_nat_ipv4/6 modules.

This is an initial effort to address criticism that netfilter is too
modular. More similar changes can be made, but I prefer to not do
everything in one go.

If anyone is interested, other candidates that might be worth checking
are fib, fwd, dup and redir+masquerade.

In nft_fib case we currently have 5 modules:
 - common code
 - ipv4 backend
 - ipv6 backend
 - wrapper for netdev
 - wrapper for inet

We can probably merge these five into single nft_fib module.

Florian Westphal (6):
      netfilter: merge meta_bridge into nft_meta
      netfilter: nftables: make meta expression builtin
      netfilter: nf_tables: merge rt expression into nft core
      netfilter: nf_tables: merge exthdr expression into nft core
      netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module
      netfilter: nat: merge nf_nat_redirect into nf_nat