netfilter: bridge: move br_netfilter out of the core

Jesper reported that br_netfilter always registers the hooks since
this is part of the bridge core. This harms performance for people that
don't need this.

This patch modularizes br_netfilter so it can be rmmod'ed, thus,
the hooks can be unregistered. I think the bridge netfilter should have
been a separated module since the beginning, Patrick agreed on that.

Note that this is breaking compatibility for users that expect that
bridge netfilter is going to be available after explicitly 'modprobe
bridge' or via automatic load through brctl.

However, the damage can be easily undone by modprobing br_netfilter.
The bridge core also spots a message to provide a clue to people that
didn't notice that this has been deprecated.

On top of that, the plan is that nftables will not rely on this software
layer, but integrate the connection tracking into the bridge layer to
enable stateful filtering and NAT, which is was bridge netfilter users
seem to require.

This patch still keeps the fake_dst_ops in the bridge core, since this
is required by when the bridge port is initialized. So we can safely
modprobe/rmmod br_netfilter anytime.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>

1 files changed, 8 insertions, 6 deletions

diff --git a/net/bridge/br.c b/net/bridge/br.c
index 1a755a1e5410..44425aff7cba 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -161,7 +161,7 @@ static int __init br_init(void)
         if (err)
                 goto err_out1;
 
-        err = br_netfilter_init();
+        err = br_nf_core_init();
         if (err)
                 goto err_out2;
 
@@ -179,11 +179,16 @@ static int __init br_init(void)
         br_fdb_test_addr_hook = br_fdb_test_addr;
 #endif
 
+        pr_info("bridge: automatic filtering via arp/ip/ip6tables has been "
+                "deprecated. Update your scripts to load br_netfilter if you "
+                "need this.\n");
+
         return 0;
+
 err_out4:
         unregister_netdevice_notifier(&br_device_notifier);
 err_out3:
-        br_netfilter_fini();
+        br_nf_core_fini();
 err_out2:
         unregister_pernet_subsys(&br_net_ops);
 err_out1:
@@ -196,20 +201,17 @@ err_out:
 static void __exit br_deinit(void)
 {
         stp_proto_unregister(&br_stp_proto);
-
         br_netlink_fini();
         unregister_netdevice_notifier(&br_device_notifier);
         brioctl_set(NULL);
-
         unregister_pernet_subsys(&br_net_ops);
 
         rcu_barrier(); /* Wait for completion of call_rcu()'s */
 
-        br_netfilter_fini();
+        br_nf_core_fini();
 #if IS_ENABLED(CONFIG_ATM_LANE)
         br_fdb_test_addr_hook = NULL;
 #endif
-
         br_fdb_fini();
 }