[NETFILTER]: Fix invalid module autoloading by splitting iptable_nat
When you've enabled conntrack and NAT as a module (standard case in all distributions), and you've also enabled the new conntrack netlink interface, loading ip_conntrack_netlink.ko will auto-load iptable_nat.ko. This causes a huge performance penalty, since for every packet you iterate the nat code, even if you don't want it.

This patch splits iptable_nat.ko into the NAT core (ip_nat.ko) and the iptables frontend (iptable_nat.ko). Therefore, ip_conntrack_netlink.ko will only pull ip_nat.ko, but not the frontend. ip_nat.ko will "only" allocate some resources, but not affect runtime performance.

This separation is also a nice step in anticipation of new packet filters (nf-hipac, ipset, pkttables) being able to use the NAT core.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
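The performance problem the commit message describes is purely a module-dependency effect: whatever modprobe pulls in transitively gets registered on the packet path. The script below is an added example (not code from this commit or from the kernel tree) that walks a modules.dep-style table and reports the full set of modules a single modprobe would load. The two tables are constructed to model the dependency graph before and after the split, using the module names the commit mentions; the exact edges are assumptions, since the page shows no modules.dep output.

```shell
#!/bin/sh
# Added example, not part of the kernel commit. Computes the transitive set of
# modules that "modprobe MODULE" would load, given a modules.dep-style table
# ("module: dep1 dep2 ..." one line per module). The dependency edges below are
# assumptions modelled on the commit message, not real modules.dep content.

# Constructed table: before the split, the netlink interface depends on the
# monolithic iptable_nat module, so loading it drags the iptables NAT frontend
# (and its per-packet hook) along.
DEPS_BEFORE='ip_conntrack:
iptable_nat: ip_conntrack
ip_conntrack_netlink: iptable_nat ip_conntrack'

# Constructed table: after the split, the netlink interface depends only on the
# NAT core (ip_nat); the frontend (iptable_nat) depends on the core but nothing
# depends on the frontend.
DEPS_AFTER='ip_conntrack:
ip_nat: ip_conntrack
iptable_nat: ip_nat ip_conntrack
ip_conntrack_netlink: ip_nat ip_conntrack'

# closure TABLE MODULE -> prints every module loaded by "modprobe MODULE",
# including MODULE itself, one per line, sorted. Depth-first walk with a
# visited set, so shared dependencies (diamonds) are listed once.
closure() {
    printf '%s\n' "$1" | awk -v start="$2" '
        {
            m = $1; sub(/:$/, "", m)
            for (i = 2; i <= NF; i++) dep[m] = dep[m] " " $i
        }
        END {
            n = 0; stack[n++] = start
            while (n > 0) {
                cur = stack[--n]
                if (cur in seen) continue
                seen[cur] = 1
                cnt = split(dep[cur], ds, " ")
                for (k = 1; k <= cnt; k++) stack[n++] = ds[k]
            }
            for (m in seen) print m
        }' | LC_ALL=C sort
}

# pulls_in TABLE MODULE OTHER -> exit status 0 if loading MODULE also loads OTHER
pulls_in() {
    closure "$1" "$2" | grep -qx "$3"
}

# Stand-alone demonstration: show what ip_conntrack_netlink drags in each case.
for label in BEFORE AFTER; do
    eval "table=\$DEPS_$label"
    echo "$label split, modprobe ip_conntrack_netlink loads:"
    closure "$table" ip_conntrack_netlink | sed 's/^/  /'
    if pulls_in "$table" ip_conntrack_netlink iptable_nat; then
        echo "  -> iptables NAT frontend is on the packet path"
    else
        echo "  -> only the NAT core is loaded; no frontend hook registered"
    fi
done
```

The same walk works against a real `/lib/modules/$(uname -r)/modules.dep` (where each line is `path/to/mod.ko: dep.ko ...`) if you strip the paths and `.ko` suffixes first; it is a quick way to audit which hook-registering modules an innocuous-looking modprobe will bring in.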
Showing 5 changed files:
- include/linux/netfilter_ipv4/ip_nat_core.h: 5 additions, 7 deletions
- net/ipv4/netfilter/Makefile: 3 additions, 2 deletions
- net/ipv4/netfilter/ip_nat_core.c: 24 additions, 11 deletions
- net/ipv4/netfilter/ip_nat_helper.c: 4 additions, 0 deletions
- net/ipv4/netfilter/ip_nat_standalone.c: 4 additions, 21 deletions