Re: netfilter: Kconfig: IP6_NF_IPTABLES_LEGACY old =y behaviour question

[Florian Westphal <fw@strlen.de>]

Breno Leitao <leitao@debian.org> wrote:
> On Thu, Aug 22, 2024 at 01:23:39PM +0200, Florian Westphal wrote:
> > Breno Leitao <leitao@debian.org> wrote:
> > > Hello Florian,
> > > 
> > > I am rebasing my workflow in into a new kernel, and I have a question
> > > that you might be able to help me. It is related to
> > > IP6_NF_IPTABLES_LEGACY Kconfig, and the change in a9525c7f6219cee9
> > > ("netfilter: xtables: allow xtables-nft only builds").
> > > 
> > > In my kernel before this change, I used to have ip6_tables "module" as
> > > builtin (CONFIG_IP6_NF_IPTABLES=y), and all the other dependencies as
> > > modules, such as IP6_NF_FILTER=m, IP6_NF_MANGLE=m, IP6_NF_RAW=m.
> > > 
> > > After the mentioned commit above, I am not able to have ip6_tables set
> > > as a builtin (=y) anymore, give that it is a "hidden" configuration, and
> > > the only way is to change some of the selectable dependencies
> > > (IP6_NF_RAW for insntance) to be a built-in (=y).
> > > 
> > > That said, do you know if I can keep the ip6_tables as builtin without
> > > changing any of the selectable dependencies configuration. In other
> > > words, is it possible to keep the old behaviour (ip6_table builtin and
> > > the dependenceis as modules) with the new IP6_NF_IPTABLES_LEGACY
> > > configuration?
> > 
> > No.  But why would you need it?
> 
> In certain environments, iptables needs to run, but there is *no*
> permission to load modules.
> 
> For those cases, I have CONFIG_IP6_NF_IPTABLES configured as y in
> previous kernels, and now it becomes a "m", which doesn't work because
> iptables doesn't have permission to load modules, returning:
> 
> 	$ ip6tables -L
> 	modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/....
> 	ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
> 	Perhaps ip6tables or your kernel needs to be upgraded.

Hmm, but how can that work?  If you can't load modules, you can't load
ip6t_filter either.

And if thats builtin, then IP6_NF_IPTABLES_LEGACY is supposed to become
=y too.

> > You could make a patch for nf-next that exposes those symbols as per description
> > in a9525c7f6219cee9284c0031c5930e8d41384677, i.e. with 'depends on'
> > change.
> 
> Sure, I am happy to do it, but I would like to understand a bit better
> before. Does it mean we make IP_NF_IPTABLES_LEGACY selectable by the
> user, and changes the dependable configs from "selects" to "depends on"?
> Something as the following (not heavily tested)?
> 
> Thanks for the quick answer!
> --breno
> 
> Author: Breno Leitao <leitao@debian.org>
> Date:   Thu Aug 22 05:35:41 2024 -0700
>     netfilter: Make IP_NF_IPTABLES_LEGACY selectable
>     
>     This option makes IP_NF_IPTABLES_LEGACY user selectable, giving
>     users the option to configure iptables without enabling any other
>     config.
>     
>     Suggested-by: Florian Westphal <fw@strlen.de>
>     Signed-off-by: Breno Leitao <leitao@debian.org>
> 
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index 1b991b889506..b5ff14a5272a 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,7 +12,11 @@ config NF_DEFRAG_IPV4
>  
>  # old sockopt interface and eval loop
>  config IP_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP tables support"
> +	default	n
> +	select NETFILTER_XTABLES
> +	help
> +	  iptables is a general, extensible packet identification legacy framework.

I would also add that this isn't needed for iptables-nft (iptables over
nftables api).

Otherwise, yes, something like that.