[PATCH nf-next v3 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[PATCH nf-next v3 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
Kconfigs user selectable, avoiding creating an extra dependency by
enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Changelog:

v3:
 * Make sure that the generate from  tools/testing/selftests/net/config
 * look the same before and after. (Jakub)

v2:
 * Added the new configuration in the selftest configs (Jakub)
 * Added this simple cover letter
 * https://lore.kernel.org/all/20240823174855.3052334-1-leitao@debian.org/

v1:
 * https://lore.kernel.org/all/20240822175537.3626036-1-leitao@debian.org/

Breno Leitao (2):
  netfilter: Make IP_NF_IPTABLES_LEGACY selectable
  netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

 net/ipv4/netfilter/Kconfig         | 19 +++++++++++--------
 net/ipv6/netfilter/Kconfig         | 22 ++++++++++++----------
 tools/testing/selftests/net/config | 13 +++++++++++++
 3 files changed, 36 insertions(+), 18 deletions(-)

-- 
2.43.5

[PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv4/netfilter/Kconfig         | 19 +++++++++++--------
 tools/testing/selftests/net/config |  8 ++++++++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506..a06c1903183f 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,12 @@ config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default	n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a general, extensible packet identification legacy framework.
+	  This is not needed if you are using iptables over nftables (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
@@ -177,7 +182,7 @@ config IP_NF_MATCH_TTL
 config IP_NF_FILTER
 	tristate "Packet filtering"
 	default m if NETFILTER_ADVANCED=n
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  Packet filtering defines a table `filter', which has a series of
 	  rules for simple packet filtering at local input, forwarding and
@@ -217,7 +222,7 @@ config IP_NF_NAT
 	default m if NETFILTER_ADVANCED=n
 	select NF_NAT
 	select NETFILTER_XT_NAT
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This enables the `nat' table in iptables. This allows masquerading,
 	  port forwarding and other forms of full Network Address Port
@@ -258,7 +263,7 @@ endif # IP_NF_NAT
 config IP_NF_MANGLE
 	tristate "Packet mangling"
 	default m if NETFILTER_ADVANCED=n
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -293,7 +298,7 @@ config IP_NF_TARGET_TTL
 # raw + specific targets
 config IP_NF_RAW
 	tristate  'raw table support (required for NOTRACK/TRACE)'
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `raw' table to iptables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
@@ -305,9 +310,7 @@ config IP_NF_RAW
 # security table for MAC policy
 config IP_NF_SECURITY
 	tristate "Security table"
-	depends on SECURITY
-	depends on NETFILTER_ADVANCED
-	select IP_NF_IPTABLES_LEGACY
+	depends on SECURITY && NETFILTER_ADVANCED && IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `security' table to iptables, for use
 	  with Mandatory Access Control (MAC) policy.
diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
index 5b9baf708950..90e997cfa12e 100644
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config
@@ -28,6 +28,7 @@ CONFIG_NET_FOU=y
 CONFIG_NET_FOU_IP_TUNNELS=y
 CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_XT_TARGET_HL=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_IPV6_MROUTE=y
 CONFIG_IPV6_SIT=y
@@ -35,6 +36,11 @@ CONFIG_IP_DCCP=m
 CONFIG_NF_NAT=m
 CONFIG_IP6_NF_IPTABLES=m
 CONFIG_IP_NF_IPTABLES=m
+CONFIG_IP_NF_IPTABLES_LEGACY=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP_NF_MANGLE=m
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_RAW=m
 CONFIG_IP_NF_NAT=m
@@ -54,6 +60,7 @@ CONFIG_MPTCP=y
 CONFIG_NF_TABLES=m
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NF_TABLES_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
 CONFIG_NFT_NAT=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NET_ACT_CSUM=m
@@ -106,4 +113,5 @@ CONFIG_CRYPTO_ARIA=y
 CONFIG_XFRM_INTERFACE=m
 CONFIG_XFRM_USER=m
 CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_MATCH_RPFILTER=m
-- 
2.43.5

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Jakub Kicinski]

On Tue, 27 Aug 2024 07:52:40 -0700 Breno Leitao wrote:
> +++ b/tools/testing/selftests/net/config

You gotta check all the configs, net is now fine, but bpf still breaks.
There may be more configs we don't use in CI.

BTW I'm not saying anything about the change itself. There's a non-zero
chance that netfilter maintainers made the option hidden on purpose..

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Jakub,

On Wed, Aug 28, 2024 at 07:42:40AM -0700, Jakub Kicinski wrote:
> On Tue, 27 Aug 2024 07:52:40 -0700 Breno Leitao wrote:
> > +++ b/tools/testing/selftests/net/config
> 
> You gotta check all the configs, net is now fine, but bpf still breaks.
> There may be more configs we don't use in CI.

Sure, how can I find which configs I should care about?

> BTW I'm not saying anything about the change itself. There's a non-zero
> chance that netfilter maintainers made the option hidden on purpose..

Right, but it seems there was a plan to have it enabled in the future,
as least that is what I read in a9525c7f6219c ("netfilter: xtables:
allow xtables-nft only builds")

	In the future the _LEGACY symbol will become visible and the select
	statements will be turned into 'depends on', but for now be on safe side
	so "make oldconfig" won't break things.


Also, this was discussed in the thread below, and it seems it is fine to
make the symbols visible:

https://lore.kernel.org/all/20240822132022.GA25665@breakpoint.cc/

Thanks for the review,
--breno

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Jakub Kicinski]

On Wed, 28 Aug 2024 08:05:09 -0700 Breno Leitao wrote:
> On Wed, Aug 28, 2024 at 07:42:40AM -0700, Jakub Kicinski wrote:
> > On Tue, 27 Aug 2024 07:52:40 -0700 Breno Leitao wrote:  
> > > +++ b/tools/testing/selftests/net/config  
> > 
> > You gotta check all the configs, net is now fine, but bpf still breaks.
> > There may be more configs we don't use in CI.  
> 
> Sure, how can I find which configs I should care about?

There are various configs in the tree. Grep for the configs you convert
from select to depends on, they will all need updating.

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Jakub,

On Wed, Aug 28, 2024 at 11:41:23AM -0700, Jakub Kicinski wrote:
> On Wed, 28 Aug 2024 08:05:09 -0700 Breno Leitao wrote:
> > On Wed, Aug 28, 2024 at 07:42:40AM -0700, Jakub Kicinski wrote:
> > > On Tue, 27 Aug 2024 07:52:40 -0700 Breno Leitao wrote:  
> > > > +++ b/tools/testing/selftests/net/config  
> > > 
> > > You gotta check all the configs, net is now fine, but bpf still breaks.
> > > There may be more configs we don't use in CI.  
> > 
> > Sure, how can I find which configs I should care about?
> 
> There are various configs in the tree. Grep for the configs you convert
> from select to depends on, they will all need updating.

I am looking at all files that depend on these Kconfig options, and
there are a lot of tests.

Thinking more about the problem, it doesn't seem to be a good idea to
change dependency from all NF modules to NF_IPTABLES_LEGACY. In other
words, the `s/selects/depends on/` is the part that is causing all this
hassle, and it seems unnecessary.

That said, I would suggest we do not change the dependency, and keep the
"select NF_IPTABLES_LEGACY", and keep NF_IPTABLES_LEGACY user selectable.

This will make the patch safer, while fixing the problem.

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Jakub Kicinski]

On Thu, 29 Aug 2024 03:08:01 -0700 Breno Leitao wrote:
> > There are various configs in the tree. Grep for the configs you convert
> > from select to depends on, they will all need updating.  
> 
> I am looking at all files that depend on these Kconfig options, and
> there are a lot of tests.
> 
> Thinking more about the problem, it doesn't seem to be a good idea to
> change dependency from all NF modules to NF_IPTABLES_LEGACY. In other
> words, the `s/selects/depends on/` is the part that is causing all this
> hassle, and it seems unnecessary.
> 
> That said, I would suggest we do not change the dependency, and keep the
> "select NF_IPTABLES_LEGACY", and keep NF_IPTABLES_LEGACY user selectable.

Good idea, sounds much simpler!

Re: [PATCH nf-next v3 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

On Thu, Aug 29, 2024 at 07:53:03AM -0700, Jakub Kicinski wrote:
> On Thu, 29 Aug 2024 03:08:01 -0700 Breno Leitao wrote:
> > > There are various configs in the tree. Grep for the configs you convert
> > > from select to depends on, they will all need updating.  
> > 
> > I am looking at all files that depend on these Kconfig options, and
> > there are a lot of tests.
> > 
> > Thinking more about the problem, it doesn't seem to be a good idea to
> > change dependency from all NF modules to NF_IPTABLES_LEGACY. In other
> > words, the `s/selects/depends on/` is the part that is causing all this
> > hassle, and it seems unnecessary.
> > 
> > That said, I would suggest we do not change the dependency, and keep the
> > "select NF_IPTABLES_LEGACY", and keep NF_IPTABLES_LEGACY user selectable.
> 
> Good idea, sounds much simpler!

Thanks, I will submit the patch soon.
--breno

[PATCH nf-next v3 2/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv6/netfilter/Kconfig         | 22 ++++++++++++----------
 tools/testing/selftests/net/config |  5 +++++
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..dad0a50d3ef4 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a general, extensible packet identification legacy framework.
+	  This is not needed if you are using iptables over nftables (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"
@@ -190,7 +196,7 @@ config IP6_NF_TARGET_HL
 config IP6_NF_FILTER
 	tristate "Packet filtering"
 	default m if NETFILTER_ADVANCED=n
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	tristate
 	help
 	  Packet filtering defines a table `filter', which has a series of
@@ -227,7 +233,7 @@ config IP6_NF_TARGET_SYNPROXY
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	default m if NETFILTER_ADVANCED=n
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -237,7 +243,7 @@ config IP6_NF_MANGLE
 
 config IP6_NF_RAW
 	tristate  'raw table support (required for TRACE)'
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `raw' table to ip6tables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
@@ -249,9 +255,7 @@ config IP6_NF_RAW
 # security table for MAC policy
 config IP6_NF_SECURITY
 	tristate "Security table"
-	depends on SECURITY
-	depends on NETFILTER_ADVANCED
-	select IP6_NF_IPTABLES_LEGACY
+	depends on SECURITY && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `security' table to iptables, for use
 	  with Mandatory Access Control (MAC) policy.
@@ -260,10 +264,8 @@ config IP6_NF_SECURITY
 
 config IP6_NF_NAT
 	tristate "ip6tables NAT support"
-	depends on NF_CONNTRACK
-	depends on NETFILTER_ADVANCED
+	depends on NF_CONNTRACK && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY
 	select NF_NAT
-	select IP6_NF_IPTABLES_LEGACY
 	select NETFILTER_XT_NAT
 	help
 	  This enables the `nat' table in ip6tables. This allows masquerading,
diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
index 90e997cfa12e..e534144c75ea 100644
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config
@@ -35,12 +35,16 @@ CONFIG_IPV6_SIT=y
 CONFIG_IP_DCCP=m
 CONFIG_NF_NAT=m
 CONFIG_IP6_NF_IPTABLES=m
+CONFIG_IP6_NF_IPTABLES_LEGACY=m
 CONFIG_IP_NF_IPTABLES=m
 CONFIG_IP_NF_IPTABLES_LEGACY=m
 CONFIG_IP_NF_FILTER=m
 CONFIG_IP_NF_TARGET_REJECT=m
 CONFIG_IP_NF_TARGET_MASQUERADE=m
 CONFIG_IP_NF_MANGLE=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_TARGET_REJECT=m
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_RAW=m
 CONFIG_IP_NF_NAT=m
@@ -61,6 +65,7 @@ CONFIG_NF_TABLES=m
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NF_TABLES_IPV4=y
 CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_REJECT_IPV6=y
 CONFIG_NFT_NAT=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NET_ACT_CSUM=m
-- 
2.43.5