[BRIDGE]: Create CONFIG_BRIDGE_NETFILTER and use it instead of messy tests.

include/linux/netfilter_bridge.h

@@ -6,7 +6,7 @@
 
 #include <linux/config.h>
 #include <linux/netfilter.h>
-#if defined(__KERNEL__) && defined(CONFIG_NETFILTER)
+#if defined(__KERNEL__) && defined(CONFIG_BRIDGE_NETFILTER)
 #include <asm/atomic.h>
 #endif
 
@@ -27,11 +27,6 @@
 
 #ifdef __KERNEL__
 
-#define BRNF_PKT_TYPE			0x01
-#define BRNF_BRIDGED_DNAT		0x02
-#define BRNF_DONT_TAKE_PARENT		0x04
-#define BRNF_BRIDGED			0x08
-
 enum nf_br_hook_priorities {
 	NF_BR_PRI_FIRST = INT_MIN,
 	NF_BR_PRI_NAT_DST_BRIDGED = -300,
@@ -43,7 +38,13 @@ enum nf_br_hook_priorities {
 	NF_BR_PRI_LAST = INT_MAX,
 };
 
-#ifdef CONFIG_NETFILTER
+#ifdef CONFIG_BRIDGE_NETFILTER
+
+#define BRNF_PKT_TYPE			0x01
+#define BRNF_BRIDGED_DNAT		0x02
+#define BRNF_DONT_TAKE_PARENT		0x04
+#define BRNF_BRIDGED			0x08
+
 static inline
 struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
 {
@@ -63,7 +64,7 @@ struct bridge_skb_cb {
 		__u32 ipv4;
 	} daddr;
 };
-#endif /* CONFIG_NETFILTER */
+#endif /* CONFIG_BRIDGE_NETFILTER */
 
 #endif /* __KERNEL__ */
 #endif

include/linux/skbuff.h

@@ -98,7 +98,7 @@ struct nf_ct_info {
 	struct nf_conntrack *master;
 };
 
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 struct nf_bridge_info {
 	atomic_t use;
 	struct net_device *physindev;
@@ -244,7 +244,7 @@ struct sk_buff {
 #ifdef CONFIG_NETFILTER_DEBUG
         unsigned int		nf_debug;
 #endif
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	struct nf_bridge_info	*nf_bridge;
 #endif
 #endif /* CONFIG_NETFILTER */
@@ -1195,7 +1195,7 @@ static inline void nf_conntrack_get(struct nf_ct_info *nfct)
 		atomic_inc(&nfct->master->use);
 }
 
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)
 {
 	if (nf_bridge && atomic_dec_and_test(&nf_bridge->use))

net/Kconfig

@@ -272,6 +272,19 @@ config NETFILTER_DEBUG
 	  You can say Y here if you want to get additional messages useful in
 	  debugging the netfilter code.
 
+config BRIDGE_NETFILTER
+	bool "Bridged IP/ARP packets filtering"
+	depends on BRIDGE && NETFILTER && INET
+	default y
+	---help---
+	  Enabling this option will let arptables resp. iptables see bridged
+	  ARP resp. IP traffic. If you want a bridging firewall, you probably
+	  want this option enabled.
+	  Enabling or disabling this option doesn't enable or disable
+	  ebtables.
+
+	  If unsure, say N.
+
 source "net/ipv4/netfilter/Kconfig"
 source "net/ipv6/netfilter/Kconfig"
 source "net/decnet/netfilter/Kconfig"

net/bridge/Makefile

@@ -8,9 +8,6 @@ bridge-y	:= br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
 			br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o \
 			br_stp_if.o br_stp_timer.o
 
-# br_netfilter only deals with IPv4 and ARP filtering, both are INET protocols
-ifeq ($(CONFIG_INET),y)
-bridge-$(CONFIG_NETFILTER)	+= br_netfilter.o
-endif
+bridge-$(CONFIG_BRIDGE_NETFILTER) += br_netfilter.o
 
 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += netfilter/

net/bridge/br_forward.c

@@ -33,7 +33,7 @@ static inline int should_deliver(const struct net_bridge_port *p,
 
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
-#ifdef CONFIG_NETFILTER
+#ifdef CONFIG_BRIDGE_NETFILTER
 	/* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
 	if (skb->nf_bridge)
 		memcpy(skb->data - 16, skb->nf_bridge->hh, 16);

net/core/netfilter.c

@@ -430,7 +430,7 @@ static int nf_queue(struct sk_buff *skb,
 {
 	int status;
 	struct nf_info *info;
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	struct net_device *physindev = NULL;
 	struct net_device *physoutdev = NULL;
 #endif
@@ -467,7 +467,7 @@ static int nf_queue(struct sk_buff *skb,
 	if (indev) dev_hold(indev);
 	if (outdev) dev_hold(outdev);
 
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	if (skb->nf_bridge) {
 		physindev = skb->nf_bridge->physindev;
 		if (physindev) dev_hold(physindev);
@@ -483,7 +483,7 @@ static int nf_queue(struct sk_buff *skb,
 		/* James M doesn't say fuck enough. */
 		if (indev) dev_put(indev);
 		if (outdev) dev_put(outdev);
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 		if (physindev) dev_put(physindev);
 		if (physoutdev) dev_put(physoutdev);
 #endif
@@ -560,7 +560,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 	/* Release those devices we held, or Alexey will kill me. */
 	if (info->indev) dev_put(info->indev);
 	if (info->outdev) dev_put(info->outdev);
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	if (skb->nf_bridge) {
 		if (skb->nf_bridge->physindev)
 			dev_put(skb->nf_bridge->physindev);

net/core/skbuff.c

@@ -236,7 +236,7 @@ void __kfree_skb(struct sk_buff *skb)
 	}
 #ifdef CONFIG_NETFILTER
 	nf_conntrack_put(skb->nfct);
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	nf_bridge_put(skb->nf_bridge);
 #endif
 #endif
@@ -301,7 +301,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
 #ifdef CONFIG_NETFILTER_DEBUG
 	C(nf_debug);
 #endif
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	C(nf_bridge);
 	nf_bridge_get(skb->nf_bridge);
 #endif
@@ -359,7 +359,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 #ifdef CONFIG_NETFILTER_DEBUG
 	new->nf_debug	= old->nf_debug;
 #endif
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	new->nf_bridge	= old->nf_bridge;
 	nf_bridge_get(old->nf_bridge);
 #endif

net/ipv4/ip_output.c

@@ -414,7 +414,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
 	/* Connection association is same as pre-frag packet */
 	to->nfct = from->nfct;
 	nf_conntrack_get(to->nfct);
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	to->nf_bridge = from->nf_bridge;
 	nf_bridge_get(to->nf_bridge);
 #endif

net/ipv4/netfilter/Kconfig

@@ -292,7 +292,7 @@ config IP_NF_MATCH_OWNER
 
 config IP_NF_MATCH_PHYSDEV
 	tristate "Physdev match support"
-	depends on IP_NF_IPTABLES!=n && BRIDGE!=n
+	depends on IP_NF_IPTABLES!=n && BRIDGE_NETFILTER
 	help
 	  Physdev packet matching matches against the physical bridge ports
 	  the IP packet arrived on or will leave by.

net/ipv4/netfilter/ipt_LOG.c

@@ -333,7 +333,7 @@ ipt_log_target(struct sk_buff **pskb,
 	       loginfo->prefix,
 	       in ? in->name : "",
 	       out ? out->name : "");
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	if ((*pskb)->nf_bridge) {
 		struct net_device *physindev = (*pskb)->nf_bridge->physindev;
 		struct net_device *physoutdev = (*pskb)->nf_bridge->physoutdev;

net/ipv6/ip6_output.c

@@ -876,7 +876,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
 	/* Connection association is same as pre-frag packet */
 	to->nfct = from->nfct;
 	nf_conntrack_get(to->nfct);
-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+#ifdef CONFIG_BRIDGE_NETFILTER
 	to->nf_bridge = from->nf_bridge;
 	nf_bridge_get(to->nf_bridge);
 #endif