On Sat, Dec 11, 2021 at 07:35:58PM +0100, Toke Høiland-Jørgensen wrote:

Pablo Neira Ayuso [off-list ref] writes:

quoted

On Fri, Dec 10, 2021 at 09:01:29PM +0530, Kumar Kartikeya Dwivedi wrote:

quoted

On Fri, Dec 10, 2021 at 08:39:14PM IST, Pablo Neira Ayuso wrote:

quoted

On Fri, Dec 10, 2021 at 06:32:28PM +0530, Kumar Kartikeya Dwivedi wrote:
[...]

quoted

 net/netfilter/nf_conntrack_core.c | 252 ++++++++++++++++++++++++++++++
 7 files changed, 497 insertions(+), 1 deletion(-)

[...]

quoted

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 770a63103c7a..85042cb6f82e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c

Please, keep this new code away from net/netfilter/nf_conntrack_core.c

Ok. Can it be a new file under net/netfilter, or should it live elsewhere?

IPVS and OVS use conntrack for already quite a bit of time and they
keep their code in their respective folders.

Those are users, though.

OK, I see this as a yet user of the conntrack infrastructure.

This is adding a different set of exported functions, like a BPF
version of EXPORT_SYMBOL(). We don't put those outside the module
where the code lives either...

OVS and IPVS uses Kconfig to enable the conntrack module as a
dependency. Then, add module that is loaded when conntrack is used.

I can buy not wanting to bloat nf_conntrack_core.c, but what's the
problem with adding a net/netfilter_nf_conntrack_bpf.c that gets linked
into the same kmod?

I might be missing the reason why this can't be done in
self-contained way here.