Re: RFC: net/netfilter reorganization

[Patrick McHardy <kaber@trash.net>]

Jozsef Kadlecsik wrote:
> If restructuring is on the way, then it should cover all possible parts.
> Just my quick thoughts, with suggested module names:
>
> addr/packet type matches in one module (addrtype):
> 	addrtype, pkttype
>
> mark modules, targets in one module (route):
> 	connmark, mark, realm
> 	CLASSIFY, CONNMARK, MARK
>   

CONNMARK and connmark needs to be separated from MARK etc. because
they depend on the conntrack module.

> conntrack related modules in one module (conntrack): 
> 	conntrack, helper, state
>
> IPv4/IPv6 header matching and modifying in one module (iphdr):
> 	dscp, length, tos, ttl
> 	DSCP, TOS, TTL
>
> IPv6 extension headers matching and modifying in one module (exthdr):
> 	dst, frag, hbh, hl, ipv6hdr, mh, rt
> 	HL
>
> TCP header matching and modifying in one module (tcphdr):
> 	ecn, tcpmss
> 	ECN, TCPMSS, TCPOPTSTRIP
>
> ipsec in one module (ipsec)
> 	ah, esp, policy
>
> security markings in one module: (secmark):
> 	CONNSECMARK, SECMARK	
>
> Something similar should be done with the different type of 
> limit/statistics modules as well.
>
>   
>> Funny thing is, only when you try you see more problems a-coming.
>> Like, Kconfig option names. Keep/Lose
>> NETFILTER_XT_{MATCH,TARGET}_CONNMARK, and query users for a new one?
>>     
>
> Definitely yes. Kconfig is overloaded with netfilter targets/matches and 
> if matches/targets are collapsed into a single file, then Kconfig options 
> should be unified, as in your sample patch.

Agreed, but please keep the old options around (doing just a select
on the new ones) for one or two releases.