[PATCH 0/2] nftables: minor Kconfig fixes

[PATCH 0/2] nftables: minor Kconfig fixes

[Eric Leblond]

Hello,

This patchset only contains two small patches aiming to improve
nftables configuration inside the kernel.

BR,
--
Eric Leblond

[PATCH 1/2] netfilter: nft: select NFNETLINK

[Eric Leblond]

In Kconfig, nft is set as depending on NFNETLINK so building nft as a
module or inside kernel is depending of the state of NFNETLINK inside
the kernel config. If someone wants to build nftables inside the
kernel, it is necessary to also build NFNETLINK inside the kernel.
But NFNETLINK can not be set in the menu so it is necessary to toggle
an external value such as logging or nfacct to have a switch of
NFNETLINK to kernel build.
This patch change the dependency to a select inside Kconfig to be able
to set the build of nftables as modules or inside kernel independently.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/netfilter/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 4371c98..01f9f64 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -414,7 +414,7 @@ config NETFILTER_SYNPROXY
 endif # NF_CONNTRACK
 
 config NF_TABLES
-	depends on NETFILTER_NETLINK
+	select NETFILTER_NETLINK
 	tristate "Netfilter nf_tables support"
 
 config NFT_EXTHDR
-- 
1.8.5.2

[PATCH 2/2] netfilter: nft: explicit dependency to IPv6

[Eric Leblond]

nftables IPv6 tables could be selected independently of other
Netfilter component so it needs to be dependent of IPv6.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/ipv6/netfilter/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 7702f9e..36c71da 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -27,6 +27,7 @@ config NF_CONNTRACK_IPV6
 
 config NF_TABLES_IPV6
 	depends on NF_TABLES
+	depends on INET && IPV6
 	tristate "IPv6 nf_tables support"
 
 config NFT_CHAIN_ROUTE_IPV6
-- 
1.8.5.2

Re: [PATCH 2/2] netfilter: nft: explicit dependency to IPv6

[Pablo Neira Ayuso]

Hi Eric,

On Sun, Dec 29, 2013 at 11:01:30AM +0100, Eric Leblond wrote:
> nftables IPv6 tables could be selected independently of other
> Netfilter component so it needs to be dependent of IPv6.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  net/ipv6/netfilter/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 7702f9e..36c71da 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -27,6 +27,7 @@ config NF_CONNTRACK_IPV6
>  
>  config NF_TABLES_IPV6
>  	depends on NF_TABLES
> +	depends on INET && IPV6
>  	tristate "IPv6 nf_tables support"

We already have this dependency in the parent menu

 #
 # IP netfilter configuration
 #

 menu "IPv6: Netfilter Configuration"
         depends on INET && IPV6 && NETFILTER

So I think that should be enough, let me know if you're noticing any
problem. Thanks.

Re: [PATCH 1/2] netfilter: nft: select NFNETLINK

[Pablo Neira Ayuso]

On Sun, Dec 29, 2013 at 11:01:29AM +0100, Eric Leblond wrote:
> In Kconfig, nft is set as depending on NFNETLINK so building nft as a
> module or inside kernel is depending of the state of NFNETLINK inside
> the kernel config. If someone wants to build nftables inside the
> kernel, it is necessary to also build NFNETLINK inside the kernel.
> But NFNETLINK can not be set in the menu so it is necessary to toggle
> an external value such as logging or nfacct to have a switch of
> NFNETLINK to kernel build.
> This patch change the dependency to a select inside Kconfig to be able
> to set the build of nftables as modules or inside kernel independently.

Applied, thanks Eric.