1 files changed, 165 insertions, 0 deletions

diff --git a/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch b/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch
new file mode 100644
index 0000000000..9444f6bb48
--- /dev/null
+++ b/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch
@@ -0,0 +1,165 @@
+From 2a95183a5e0375df756efb2ca37602d71e8455f9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 7 Dec 2017 16:28:26 +0100
+Subject: [PATCH 08/11] netfilter: don't allocate space for arp/bridge hooks
+ unless needed
+
+no need to define hook points if the family isn't supported.
+Because we need these hooks for either nftables, arp/ebtables
+or the 'call-iptables' hack we have in the bridge layer add two
+new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
+users select them.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/linux/netfilter.h     | 4 ++++
+ include/net/netns/netfilter.h | 4 ++++
+ net/Kconfig                   | 1 +
+ net/bridge/netfilter/Kconfig  | 2 ++
+ net/ipv4/netfilter/Kconfig    | 2 ++
+ net/netfilter/Kconfig         | 6 ++++++
+ net/netfilter/core.c          | 8 ++++++++
+ net/netfilter/nf_queue.c      | 2 ++
+ 8 files changed, 29 insertions(+)
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -214,10 +214,14 @@ static inline int nf_hook(u_int8_t pf, u
+ 		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
+ 		break;
+ 	case NFPROTO_ARP:
++#ifdef CONFIG_NETFILTER_FAMILY_ARP
+ 		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
++#endif
+ 		break;
+ 	case NFPROTO_BRIDGE:
++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+ 		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
++#endif
+ 		break;
+ #if IS_ENABLED(CONFIG_DECNET)
+ 	case NFPROTO_DECNET:
+--- a/include/net/netns/netfilter.h
++++ b/include/net/netns/netfilter.h
+@@ -19,8 +19,12 @@ struct netns_nf {
+ #endif
+ 	struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
+ 	struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
++#ifdef CONFIG_NETFILTER_FAMILY_ARP
+ 	struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS];
++#endif
++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+ 	struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
++#endif
+ #if IS_ENABLED(CONFIG_DECNET)
+ 	struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS];
+ #endif
+--- a/net/Kconfig
++++ b/net/Kconfig
+@@ -182,6 +182,7 @@ config BRIDGE_NETFILTER
+ 	depends on BRIDGE
+ 	depends on NETFILTER && INET
+ 	depends on NETFILTER_ADVANCED
++	select NETFILTER_FAMILY_BRIDGE
+ 	default m
+ 	---help---
+ 	  Enabling this option will let arptables resp. iptables see bridged
+--- a/net/bridge/netfilter/Kconfig
++++ b/net/bridge/netfilter/Kconfig
+@@ -4,6 +4,7 @@
+ #
+ menuconfig NF_TABLES_BRIDGE
+ 	depends on BRIDGE && NETFILTER && NF_TABLES
++	select NETFILTER_FAMILY_BRIDGE
+ 	tristate "Ethernet Bridge nf_tables support"
+ 
+ if NF_TABLES_BRIDGE
+@@ -29,6 +30,7 @@ endif # NF_TABLES_BRIDGE
+ menuconfig BRIDGE_NF_EBTABLES
+ 	tristate "Ethernet Bridge tables (ebtables) support"
+ 	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
++	select NETFILTER_FAMILY_BRIDGE
+ 	help
+ 	  ebtables is a general, extensible frame/packet identification
+ 	  framework. Say 'Y' or 'M' here if you want to do Ethernet
+--- a/net/ipv4/netfilter/Kconfig
++++ b/net/ipv4/netfilter/Kconfig
+@@ -72,6 +72,7 @@ endif # NF_TABLES_IPV4
+ 
+ config NF_TABLES_ARP
+ 	tristate "ARP nf_tables support"
++	select NETFILTER_FAMILY_ARP
+ 	help
+ 	  This option enables the ARP support for nf_tables.
+ 
+@@ -392,6 +393,7 @@ endif # IP_NF_IPTABLES
+ config IP_NF_ARPTABLES
+ 	tristate "ARP tables support"
+ 	select NETFILTER_XTABLES
++	select NETFILTER_FAMILY_ARP
+ 	depends on NETFILTER_ADVANCED
+ 	help
+ 	  arptables is a general, extensible packet identification framework.
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -12,6 +12,12 @@ config NETFILTER_INGRESS
+ config NETFILTER_NETLINK
+ 	tristate
+ 
++config NETFILTER_FAMILY_BRIDGE
++	bool
++
++config NETFILTER_FAMILY_ARP
++	bool
++
+ config NETFILTER_NETLINK_ACCT
+ tristate "Netfilter NFACCT over NFNETLINK interface"
+ 	depends on NETFILTER_ADVANCED
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -267,14 +267,18 @@ static struct nf_hook_entries __rcu **nf
+ 	switch (reg->pf) {
+ 	case NFPROTO_NETDEV:
+ 		break;
++#ifdef CONFIG_NETFILTER_FAMILY_ARP
+ 	case NFPROTO_ARP:
+ 		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum))
+ 			return NULL;
+ 		return net->nf.hooks_arp + reg->hooknum;
++#endif
++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+ 	case NFPROTO_BRIDGE:
+ 		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum))
+ 			return NULL;
+ 		return net->nf.hooks_bridge + reg->hooknum;
++#endif
+ 	case NFPROTO_IPV4:
+ 		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
+ 			return NULL;
+@@ -573,8 +577,12 @@ static int __net_init netfilter_net_init
+ {
+ 	__netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4));
+ 	__netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
++#ifdef CONFIG_NETFILTER_FAMILY_ARP
+ 	__netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp));
++#endif
++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+ 	__netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge));
++#endif
+ #if IS_ENABLED(CONFIG_DECNET)
+ 	__netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet));
+ #endif
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -204,8 +204,10 @@ repeat:
+ static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
+ {
+ 	switch (pf) {
++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
+ 	case NFPROTO_BRIDGE:
+ 		return rcu_dereference(net->nf.hooks_bridge[hooknum]);
++#endif
+ 	case NFPROTO_IPV4:
+ 		return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
+ 	case NFPROTO_IPV6: