netfilter: xtables: generate initial table on-demand

The static initial tables are pretty large, and after the net namespace has been instantiated, they just hang around for nothing. This commit removes them and creates tables on-demand at runtime when needed. Size shrinks by 7735 bytes (x86_64). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
author: Jan Engelhardt <jengelh@medozas.de> 2009-06-17 16:14:54 -0400
committer: Jan Engelhardt <jengelh@medozas.de> 2010-02-10 11:50:47 -0500
commit: e3eaa9910b380530cfd2c0670fcd3f627674da8a (patch)
tree: 309e522e78f78149ec3cb99ffc386d1b72415a96 /net/netfilter
parent: 2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (diff)
2 files changed, 38 insertions, 1 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index b51cb0d7234..dc2e05cb54c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -26,7 +26,9 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_arp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_arp/arp_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
diff --git a/net/netfilter/xt_repldata.h b/net/netfilter/xt_repldata.h
new file mode 100644
index 00000000000..6efe4e5a81c
--- /dev/null
+++ b/net/netfilter/xt_repldata.h
@@ -0,0 +1,35 @@
+/*
+ * Today's hack: quantum tunneling in structs
+ *
+ * 'entries' and 'term' are never anywhere referenced by word in code. In fact,
+ * they serve as the hanging-off data accessed through repl.data[].
+ */
+#define xt_alloc_initial_table(type, typ2) ({ \
+        unsigned int hook_mask = info->valid_hooks; \
+        unsigned int nhooks = hweight32(hook_mask); \
+        unsigned int bytes = 0, hooknum = 0, i = 0; \
+        struct { \
+                struct type##_replace repl; \
+                struct type##_standard entries[nhooks]; \
+                struct type##_error term; \
+        } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \
+        if (tbl == NULL) \
+                return NULL; \
+        strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
+        tbl->term = (struct type##_error)typ2##_ERROR_INIT;  \
+        tbl->repl.valid_hooks = hook_mask; \
+        tbl->repl.num_entries = nhooks + 1; \
+        tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
+                         sizeof(struct type##_error); \
+        for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
+                if (!(hook_mask & 1)) \
+                        continue; \
+                tbl->repl.hook_entry[hooknum] = bytes; \
+                tbl->repl.underflow[hooknum]  = bytes; \
+                tbl->entries[i++] = (struct type##_standard) \
+                        typ2##_STANDARD_INIT(NF_ACCEPT); \
+                bytes += sizeof(struct type##_standard); \
+        } \
+        tbl; \
+})
author	Jan Engelhardt <jengelh@medozas.de>	2009-06-17 16:14:54 -0400
committer	Jan Engelhardt <jengelh@medozas.de>	2010-02-10 11:50:47 -0500
commit	e3eaa9910b380530cfd2c0670fcd3f627674da8a (patch)
tree	309e522e78f78149ec3cb99ffc386d1b72415a96 /net/netfilter
parent	2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (diff)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index b51cb0d7234..dc2e05cb54c 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c
@@ -26,7 +26,9 @@
26		26
27	#include <linux/netfilter/x_tables.h>	27	#include <linux/netfilter/x_tables.h>
28	#include <linux/netfilter_arp.h>	28	#include <linux/netfilter_arp.h>
29		29	#include <linux/netfilter_ipv4/ip_tables.h>
		30	#include <linux/netfilter_ipv6/ip6_tables.h>
		31	#include <linux/netfilter_arp/arp_tables.h>
30		32
31	MODULE_LICENSE("GPL");	33	MODULE_LICENSE("GPL");
32	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");	34	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");


diff --git a/net/netfilter/xt_repldata.h b/net/netfilter/xt_repldata.h new file mode 100644 index 00000000000..6efe4e5a81c --- /dev/null +++ b/net/netfilter/xt_repldata.h
@@ -0,0 +1,35 @@
		1	/*
		2	* Today's hack: quantum tunneling in structs
		3	*
		4	* 'entries' and 'term' are never anywhere referenced by word in code. In fact,
		5	* they serve as the hanging-off data accessed through repl.data[].
		6	*/
		7
		8	#define xt_alloc_initial_table(type, typ2) ({ \
		9	unsigned int hook_mask = info->valid_hooks; \
		10	unsigned int nhooks = hweight32(hook_mask); \
		11	unsigned int bytes = 0, hooknum = 0, i = 0; \
		12	struct { \
		13	struct type##_replace repl; \
		14	struct type##_standard entries[nhooks]; \
		15	struct type##_error term; \
		16	} tbl = kzalloc(sizeof(tbl), GFP_KERNEL); \
		17	if (tbl == NULL) \
		18	return NULL; \
		19	strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
		20	tbl->term = (struct type##_error)typ2##_ERROR_INIT; \
		21	tbl->repl.valid_hooks = hook_mask; \
		22	tbl->repl.num_entries = nhooks + 1; \
		23	tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
		24	sizeof(struct type##_error); \
		25	for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
		26	if (!(hook_mask & 1)) \
		27	continue; \
		28	tbl->repl.hook_entry[hooknum] = bytes; \
		29	tbl->repl.underflow[hooknum] = bytes; \
		30	tbl->entries[i++] = (struct type##_standard) \
		31	typ2##_STANDARD_INIT(NF_ACCEPT); \
		32	bytes += sizeof(struct type##_standard); \
		33	} \
		34	tbl; \
		35	})