[PATCH nf-next v4 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[PATCH nf-next v4 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
Kconfigs user selectable, avoiding creating an extra dependency by
enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Changelog:

v4:
 * Remove the "depends on" part, which may come later in a separate
   change, given its intrusive on how to configure selftests

v3:
 * Make sure that the generate from  tools/testing/selftests/net/config
   look the same before and after. (Jakub)
 * https://lore.kernel.org/all/20240827145242.3094777-1-leitao@debian.org/

v2:
 * Added the new configuration in the selftest configs (Jakub)
 * Added this simple cover letter
 * https://lore.kernel.org/all/20240823174855.3052334-1-leitao@debian.org/

v1:
 * https://lore.kernel.org/all/20240822175537.3626036-1-leitao@debian.org/

Breno Leitao (2):
  netfilter: Make IP6_NF_IPTABLES_LEGACY selectable
  netfilter: Make IP_NF_IPTABLES_LEGACY selectable

 net/ipv4/netfilter/Kconfig | 7 ++++++-
 net/ipv6/netfilter/Kconfig | 8 +++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

-- 
2.43.5

[PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv6/netfilter/Kconfig | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..cbe88cc5b897 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a general, extensible packet identification legacy framework.
+	  This is not needed if you are using iptables over nftables (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"
-- 
2.43.5

[PATCH nf-next v4 2/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv4/netfilter/Kconfig | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506..16507ae13736 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,12 @@ config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default	n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a general, extensible packet identification legacy framework.
+	  This is not needed if you are using iptables over nftables (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
-- 
2.43.5

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Florian Westphal]

Breno Leitao <leitao@debian.org> wrote:
> This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> users the option to configure iptables without enabling any other
> config.

I don't get it.

IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc.
is useless, rules get attached to basechains that get registered
by the iptable_{mangle,filter,nat,...} modules, i.e. those that
"select IP(6)_NF_IPTABLES_LEGACY".

The old get/setsockopt UAPI is useless without them, iptables -L, -A,
etc. won't work.

What am I missing?

I'm fine with this because this is needed anyway to allow
disabling the get/setsockopt api (needs the 'depends on' changes
though) later, but this change is a mystery to me.

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Florian,

On Thu, Aug 29, 2024 at 06:25:12PM +0200, Florian Westphal wrote:
> Breno Leitao <leitao@debian.org> wrote:
> > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > users the option to configure iptables without enabling any other
> > config.
> 
> I don't get it.
> 
> IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc.
> is useless,

Correct. We need to have iptable_filter, mangle, etc available.

I would like to have ip6_tables as built-in
(IP(6)_NF_IPTABLES_LEGACY=y), all the other tables built as modules.

So, I am used to a configure similar to the following (before
a9525c7f6219c ("netfilter: xtables: allow xtables-nft only builds"))

	CONFIG_IP6_NF_IPTABLES=y
	CONFIG_IP6_NF_MANGLE=m
	CONFIG_IP6_NF_RAW=m
	...

After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only
builds"), the same configuration is not possible anymore, because 
CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to
set it as built-in (=y), I need to set the tables as =y.

Sorry for not being clear before, and thanks for reviewing it.
--breno

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Florian Westphal]

Breno Leitao <leitao@debian.org> wrote:
> Hello Florian,
> 
> On Thu, Aug 29, 2024 at 06:25:12PM +0200, Florian Westphal wrote:
> > Breno Leitao <leitao@debian.org> wrote:
> > > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > > users the option to configure iptables without enabling any other
> > > config.
> > 
> > I don't get it.
> > 
> > IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc.
> > is useless,
> 
> Correct. We need to have iptable_filter, mangle, etc available.
> 
> I would like to have ip6_tables as built-in
> (IP(6)_NF_IPTABLES_LEGACY=y), all the other tables built as modules.
> 
> So, I am used to a configure similar to the following (before
> a9525c7f6219c ("netfilter: xtables: allow xtables-nft only builds"))
> 
> 	CONFIG_IP6_NF_IPTABLES=y
> 	CONFIG_IP6_NF_MANGLE=m
> 	CONFIG_IP6_NF_RAW=m
> 	...
> 
> After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only
> builds"), the same configuration is not possible anymore, because 
> CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to
> set it as built-in (=y), I need to set the tables as =y.

Good, I was worried  there was a functional regression here, but
this is more "matter of taste" then.

I thunk patch is fine, I will try to add the relevant
depends-on change some time in the near future.

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Florian,

On Fri, Aug 30, 2024 at 03:13:01PM +0200, Florian Westphal wrote:
> > After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only
> > builds"), the same configuration is not possible anymore, because 
> > CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to
> > set it as built-in (=y), I need to set the tables as =y.
> 
> Good, I was worried  there was a functional regression here, but
> this is more "matter of taste" then.
> 
> I thunk patch is fine, I will try to add the relevant
> depends-on change some time in the near future.

I am more than happy to do it, if you wish. I just want to decouple both
changes from each other.

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Florian Westphal]

Breno Leitao <leitao@debian.org> wrote:
> > I thunk patch is fine, I will try to add the relevant
> > depends-on change some time in the near future.
> 
> I am more than happy to do it, if you wish. I just want to decouple both
> changes from each other.

Ah, that makes sense to me.

The "depends" change would be good to have, see
https://lore.kernel.org/netfilter-devel/20240813183202.GA13864@breakpoint.cc/

(TL;DR: PREEMPT_RT requirements would need more surgery in old
 x_tables infra)

Re: [PATCH nf-next v4 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Jakub Kicinski]

On Thu, 29 Aug 2024 09:16:53 -0700 Breno Leitao wrote:
> These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> Kconfigs user selectable, avoiding creating an extra dependency by
> enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

FWIW I can confirm this version causes no disturbances to known CIs.
-- 
pw-bot: au

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

Hi,

On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote:
> This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> users the option to configure iptables without enabling any other
> config.

IUC this is to allow to compile iptables core built-in while allowing
extensions to be compiled as module? What is exactly the combination
you are trying to achieve which is not possible with the current
toggle?

Florian's motivation to add this knob is to allow to compile kernels
without iptables-legacy support.

One more comment below.

> Signed-off-by: Breno Leitao <leitao@debian.org>
> ---
>  net/ipv6/netfilter/Kconfig | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..cbe88cc5b897 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
>  
>  # old sockopt interface and eval loop
>  config IP6_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP6 tables support"
> +	depends on INET && IPV6
> +	select NETFILTER_XTABLES
> +	default n
> +	help
> +	  ip6tables is a general, extensible packet identification legacy framework.

"packet classification" is generally the more appropriate and widely
used term for firewalls.

Maybe simply reword this description to ...

	  ip6tables is a legacy packet classification.

> +	  This is not needed if you are using iptables over nftables (iptables-nft).
>  
>  config NF_SOCKET_IPV6
>  	tristate "IPv6 socket lookup support"
> -- 
> 2.43.5
> 

Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Pablom

On Fri, Sep 06, 2024 at 01:01:46AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote:
> > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > users the option to configure iptables without enabling any other
> > config.
> 
> IUC this is to allow to compile iptables core built-in while allowing
> extensions to be compiled as module? What is exactly the combination
> you are trying to achieve which is not possible with the current
> toggle?

Correct. iptable core is built-in, and any extension is a module.

> Florian's motivation to add this knob is to allow to compile kernels
> without iptables-legacy support.

Correct, and this continue to be an option. This change only introduces
you the option to set the core as built-in or module, independent of the
extensions.

> > Signed-off-by: Breno Leitao <leitao@debian.org>
> > ---
> >  net/ipv6/netfilter/Kconfig | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> > index f3c8e2d918e1..cbe88cc5b897 100644
> > --- a/net/ipv6/netfilter/Kconfig
> > +++ b/net/ipv6/netfilter/Kconfig
> > @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
> >  
> >  # old sockopt interface and eval loop
> >  config IP6_NF_IPTABLES_LEGACY
> > -	tristate
> > +	tristate "Legacy IP6 tables support"
> > +	depends on INET && IPV6
> > +	select NETFILTER_XTABLES
> > +	default n
> > +	help
> > +	  ip6tables is a general, extensible packet identification legacy framework.
> 
> "packet classification" is generally the more appropriate and widely
> used term for firewalls.
> 
> Maybe simply reword this description to ...
> 
> 	  ip6tables is a legacy packet classification.

Sure, I will send an updated version with this change.

Thanks!