[PATCH 03/04]: conntrack: don't use nfct in skb if conntrack is disabled

[PATCH 03/04]: conntrack: don't use nfct in skb if conntrack is disabled

[Yasuyuki KOZAKAI]

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
---
 include/linux/netfilter.h |   12 ++++++++----
 include/linux/skbuff.h    |   30 ++++++++++++++++++------------
 net/core/skbuff.c         |    5 +++--
 net/netfilter/core.c      |    3 +++
 4 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 70d3b4f..5efab09 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -281,9 +281,6 @@ extern void nf_reinject(struct sk_buff *
 			struct nf_info *info,
 			unsigned int verdict);
 
-extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
-extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
-
 /* FIXME: Before cache is ever used, this must be implemented for real. */
 extern void nf_invalidate_cache(int pf);
 
@@ -388,11 +385,18 @@ static inline int nf_hook(int pf, unsign
 {
 	return 1;
 }
-static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 struct flowi;
 static inline void
 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
 #endif /*CONFIG_NETFILTER*/
 
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
+extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
+extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
+#else
+static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
+#endif
+
 #endif /*__KERNEL__*/
 #endif /*__LINUX_NETFILTER_H*/
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 6aa68f0..aa08872 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -84,11 +84,13 @@
 
 struct net_device;
 
-#ifdef CONFIG_NETFILTER
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 struct nf_conntrack {
 	atomic_t use;
 	void (*destroy)(struct nf_conntrack *);
 };
+#endif
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 struct nf_bridge_info {
@@ -103,8 +105,6 @@ struct nf_bridge_info {
 };
 #endif
 
-#endif
-
 struct sk_buff_head {
 	/* These two members must be first. */
 	struct sk_buff	*next;
@@ -288,15 +288,16 @@ struct sk_buff {
 	__be16			protocol;
 
 	void			(*destructor)(struct sk_buff *skb);
-#ifdef CONFIG_NETFILTER
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 	struct nf_conntrack	*nfct;
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	struct sk_buff		*nfct_reasm;
 #endif
 #ifdef CONFIG_BRIDGE_NETFILTER
 	struct nf_bridge_info	*nf_bridge;
 #endif
-#endif /* CONFIG_NETFILTER */
 #ifdef CONFIG_NET_SCHED
 	__u16			tc_index;	/* traffic control index */
 #ifdef CONFIG_NET_CLS_ACT
@@ -1405,7 +1406,8 @@ static inline unsigned int skb_checksum_
 		__skb_checksum_complete(skb);
 }
 
-#ifdef CONFIG_NETFILTER
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 static inline void nf_conntrack_put(struct nf_conntrack *nfct)
 {
 	if (nfct && atomic_dec_and_test(&nfct->use))
@@ -1416,6 +1418,7 @@ static inline void nf_conntrack_get(stru
 	if (nfct)
 		atomic_inc(&nfct->use);
 }
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 static inline void nf_conntrack_get_reasm(struct sk_buff *skb)
 {
@@ -1442,8 +1445,11 @@ static inline void nf_bridge_get(struct
 #endif /* CONFIG_BRIDGE_NETFILTER */
 static inline void nf_reset(struct sk_buff *skb)
 {
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 	nf_conntrack_put(skb->nfct);
 	skb->nfct = NULL;
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_conntrack_put_reasm(skb->nfct_reasm);
 	skb->nfct_reasm = NULL;
@@ -1457,9 +1463,12 @@ static inline void nf_reset(struct sk_bu
 /* Note: This doesn't put any conntrack and bridge info in dst. */
 static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
 {
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 	dst->nfct = src->nfct;
 	nf_conntrack_get(src->nfct);
 	dst->nfctinfo = src->nfctinfo;
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	dst->nfct_reasm = src->nfct_reasm;
 	nf_conntrack_get_reasm(src->nfct_reasm);
@@ -1472,7 +1481,10 @@ static inline void __nf_copy(struct sk_b
 
 static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
 {
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 	nf_conntrack_put(dst->nfct);
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_conntrack_put_reasm(dst->nfct_reasm);
 #endif
@@ -1482,12 +1494,6 @@ static inline void nf_copy(struct sk_buf
 	__nf_copy(dst, src);
 }
 
-#else /* CONFIG_NETFILTER */
-static inline void nf_reset(struct sk_buff *skb) {}
-static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) {}
-static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src) {}
-#endif /* CONFIG_NETFILTER */
-
 #ifdef CONFIG_NETWORK_SECMARK
 static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
 {
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 91ad63a..eeaca6d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -376,15 +376,16 @@ void __kfree_skb(struct sk_buff *skb)
 		WARN_ON(in_irq());
 		skb->destructor(skb);
 	}
-#ifdef CONFIG_NETFILTER
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 	nf_conntrack_put(skb->nfct);
+#endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_conntrack_put_reasm(skb->nfct_reasm);
 #endif
 #ifdef CONFIG_BRIDGE_NETFILTER
 	nf_bridge_put(skb->nf_bridge);
 #endif
-#endif
 /* XXX: IS this still necessary? - JHS */
 #ifdef CONFIG_NET_SCHED
 	skb->tc_index = 0;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index c3ebdbd..7e295a5 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -244,6 +244,8 @@ void nf_proto_csum_replace4(__sum16 *sum
 }
 EXPORT_SYMBOL(nf_proto_csum_replace4);
 
+#if defined(CONFIG_NF_CONNTRACK_ENABLED) ||	\
+    defined(CONFIG_NF_CONNTRACK_ENABLED_MODULE)
 /* This does not belong here, but locally generated errors need it if connection
    tracking in use: without this, connection may not be in hash table, and hence
    manufactured ICMP or RST packets will not be associated with it. */
@@ -263,6 +265,7 @@ void nf_ct_attach(struct sk_buff *new, s
 	}
 }
 EXPORT_SYMBOL(nf_ct_attach);
+#endif
 
 #ifdef CONFIG_PROC_FS
 struct proc_dir_entry *proc_net_netfilter;
-- 
1.4.4

Re: [PATCH 03/04]: conntrack: don't use nfct in skb if conntrack is disabled

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> ---
>  include/linux/netfilter.h |   12 ++++++++----
>  include/linux/skbuff.h    |   30 ++++++++++++++++++------------
>  net/core/skbuff.c         |    5 +++--
>  net/netfilter/core.c      |    3 +++
>  4 files changed, 32 insertions(+), 18 deletions(-)


I have a patch queued for 2.6.22 that removes ip_conntrack and
the related config options, which breaks this and the next
patch. I'll push everything to Dave today or tommorrow, please
resend this and the next patch once my patches are in Dave's
tree.

Thanks.