netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH nf-next] netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY
@ 2025-03-21 10:36 Pablo Neira Ayuso
  2025-03-21 14:58 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2025-03-21 10:36 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

Relax dependencies on iptables legacy, replace select by depends on,
this should cause no harm to existing kernel configs and users can still
toggle IP{6}_NF_IPTABLES_LEGACY in any case.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/Kconfig | 10 +++++-----
 net/ipv6/netfilter/Kconfig | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ef8009281da5..a215f01d16a3 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -183,7 +183,7 @@ config IP_NF_MATCH_TTL
 config IP_NF_FILTER
 	tristate "Packet filtering"
 	default m if NETFILTER_ADVANCED=n
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  Packet filtering defines a table `filter', which has a series of
 	  rules for simple packet filtering at local input, forwarding and
@@ -220,10 +220,10 @@ config IP_NF_TARGET_SYNPROXY
 config IP_NF_NAT
 	tristate "iptables NAT support"
 	depends on NF_CONNTRACK
+	depends on IP_NF_IPTABLES_LEGACY
 	default m if NETFILTER_ADVANCED=n
 	select NF_NAT
 	select NETFILTER_XT_NAT
-	select IP_NF_IPTABLES_LEGACY
 	help
 	  This enables the `nat' table in iptables. This allows masquerading,
 	  port forwarding and other forms of full Network Address Port
@@ -264,7 +264,7 @@ endif # IP_NF_NAT
 config IP_NF_MANGLE
 	tristate "Packet mangling"
 	default m if NETFILTER_ADVANCED=n
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -299,7 +299,7 @@ config IP_NF_TARGET_TTL
 # raw + specific targets
 config IP_NF_RAW
 	tristate  'raw table support (required for NOTRACK/TRACE)'
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `raw' table to iptables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
@@ -313,7 +313,7 @@ config IP_NF_SECURITY
 	tristate "Security table"
 	depends on SECURITY
 	depends on NETFILTER_ADVANCED
-	select IP_NF_IPTABLES_LEGACY
+	depends on IP_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `security' table to iptables, for use
 	  with Mandatory Access Control (MAC) policy.
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index e087a8e97ba7..490200b7c209 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -197,7 +197,7 @@ config IP6_NF_TARGET_HL
 config IP6_NF_FILTER
 	tristate "Packet filtering"
 	default m if NETFILTER_ADVANCED=n
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	tristate
 	help
 	  Packet filtering defines a table `filter', which has a series of
@@ -234,7 +234,7 @@ config IP6_NF_TARGET_SYNPROXY
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	default m if NETFILTER_ADVANCED=n
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -244,7 +244,7 @@ config IP6_NF_MANGLE
 
 config IP6_NF_RAW
 	tristate  'raw table support (required for TRACE)'
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `raw' table to ip6tables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
@@ -258,7 +258,7 @@ config IP6_NF_SECURITY
 	tristate "Security table"
 	depends on SECURITY
 	depends on NETFILTER_ADVANCED
-	select IP6_NF_IPTABLES_LEGACY
+	depends on IP6_NF_IPTABLES_LEGACY
 	help
 	  This option adds a `security' table to iptables, for use
 	  with Mandatory Access Control (MAC) policy.
@@ -269,8 +269,8 @@ config IP6_NF_NAT
 	tristate "ip6tables NAT support"
 	depends on NF_CONNTRACK
 	depends on NETFILTER_ADVANCED
+	depends on IP6_NF_IPTABLES_LEGACY
 	select NF_NAT
-	select IP6_NF_IPTABLES_LEGACY
 	select NETFILTER_XT_NAT
 	help
 	  This enables the `nat' table in ip6tables. This allows masquerading,
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH nf-next] netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY
  2025-03-21 10:36 [PATCH nf-next] netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY Pablo Neira Ayuso
@ 2025-03-21 14:58 ` Florian Westphal
  2025-03-22 23:07   ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2025-03-21 14:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, fw

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Relax dependencies on iptables legacy, replace select by depends on,
> this should cause no harm to existing kernel configs and users can still
> toggle IP{6}_NF_IPTABLES_LEGACY in any case.

I applied following delta on top:

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -65,7 +65,7 @@ if BRIDGE_NF_EBTABLES
 #
 config BRIDGE_EBT_BROUTE
        tristate "ebt: broute table support"
-       select BRIDGE_NF_EBTABLES_LEGACY
+       depends on BRIDGE_NF_EBTABLES_LEGACY
        help
          The ebtables broute table is used to define rules that decide between
          bridging and routing frames, giving Linux the functionality of a
@@ -76,7 +76,7 @@ config BRIDGE_EBT_BROUTE
 
 config BRIDGE_EBT_T_FILTER
        tristate "ebt: filter table support"
-       select BRIDGE_NF_EBTABLES_LEGACY
+       depends on BRIDGE_NF_EBTABLES_LEGACY
        help
          The ebtables filter table is used to define frame filtering rules at
          local input, forwarding and local output. See the man page for
@@ -86,7 +86,7 @@ config BRIDGE_EBT_T_FILTER
 
 config BRIDGE_EBT_T_NAT
        tristate "ebt: nat table support"
-       select BRIDGE_NF_EBTABLES_LEGACY
+       depends on BRIDGE_NF_EBTABLES_LEGACY
        help
          The ebtables nat table is used to define rules that alter the MAC
          source address (MAC SNAT) or the MAC destination address (MAC DNAT).


./iptables-test.py -n
[..]
./extensions/libxt_TCPOPTSTRIP.t: ERROR: line 4 (cannot load: ip6tables -A PREROUTING -t mangle -p tcp -j TCPOPTSTRIP)
./extensions/libxt_TCPOPTSTRIP.t: ERROR: line 5 (cannot load: ip6tables -A PREROUTING -t mangle -p tcp -j TCPOPTSTRIP --strip-options 2,3,4,5,6,7)

The kernel module has a 'defined' check for ipv6 mangle table, not sure
yet how to replace this (ipv4 works).

shell tests worked.  I think we also might want to revisit/harmonize
arptables, ATM legacy support is controlled via IP_NF_ARPTABLES.

So perhaps (UNTESTED!) also change:
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -326,6 +326,7 @@ endif # IP_NF_IPTABLES
 config IP_NF_ARPTABLES
        tristate "Legacy ARPTABLES support"
        depends on NETFILTER_XTABLES
+       select NETFILTER_FAMILY_ARP
        default n
        help
          arptables is a legacy packet classifier.
@@ -340,9 +341,7 @@ config NFT_COMPAT_ARP
 
 config IP_NF_ARPFILTER
        tristate "arptables-legacy packet filtering support"
-       select IP_NF_ARPTABLES
-       select NETFILTER_FAMILY_ARP
-       depends on NETFILTER_XTABLES
+       depends on IP_NF_ARPTABLES
        help
          ARP packet filtering defines a table `filter', which has a series of
          rules for simple ARP packet filtering at local input and


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH nf-next] netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY
  2025-03-21 14:58 ` Florian Westphal
@ 2025-03-22 23:07   ` Florian Westphal
  0 siblings, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2025-03-22 23:07 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel

Florian Westphal <fw@strlen.de> wrote:
> ./extensions/libxt_TCPOPTSTRIP.t: ERROR: line 4 (cannot load: ip6tables -A PREROUTING -t mangle -p tcp -j TCPOPTSTRIP)
> ./extensions/libxt_TCPOPTSTRIP.t: ERROR: line 5 (cannot load: ip6tables -A PREROUTING -t mangle -p tcp -j TCPOPTSTRIP --strip-options 2,3,4,5,6,7)
> 
> The kernel module has a 'defined' check for ipv6 mangle table, not sure
> yet how to replace this (ipv4 works).

Probably best to replace two
IS_ENABLED(CONFIG_IP6_NF_MANGLE)
with
IS_ENABLED(CONFIG_IP6_NF_IPTABLES)

The Kconfig dependencies require either NFT_COMPAT or IP6_NF_MANGLE.
With the planned LEGACY change MANGLE table isn't set anymore but
NFT_COMPAT is.

For existing cases (LEGACY set) there would be no difference in
behavior given MANGLE is a subset of IP6_NF_IPTABLES.

We should propbably also select
CONFIG_IP6_NF_IPTABLES in case CONFIG_IP6_NF_IPTABLES=y|m to make
sure you can't create a kernel with
CONFIG_IP6_NF_IPTABLES=n
CONFIG_IP6_NF_IPTABLES_LEGACY=m|y

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-03-22 23:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-21 10:36 [PATCH nf-next] netfilter: replace select by depends on for IP{6}_NF_IPTABLES_LEGACY Pablo Neira Ayuso
2025-03-21 14:58 ` Florian Westphal
2025-03-22 23:07   ` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).