* [PATCH nf-next] netfilter: arptables: allow arptables-nft only builds
@ 2024-01-23 15:42 Florian Westphal
2024-01-24 13:46 ` Phil Sutter
0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2024-01-23 15:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Allows to build kernel that supports the arptables mangle target
via nftables' compat infra but without the arptables get/setsockopt
interface or the old arptables filter interpreter.
IOW, setting IP_NF_ARPFILTER=n will break arptables-legacy, but
arptables-nft will continue to work as long as nftables compat
support is enabled.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/ipv4/netfilter/Kconfig | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f71a7e9a7de6..070475392236 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -309,36 +309,34 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
- tristate "ARP tables support"
- select NETFILTER_XTABLES
- select NETFILTER_FAMILY_ARP
- depends on NETFILTER_ADVANCED
- help
- arptables is a general, extensible packet identification framework.
- The ARP packet filtering and mangling (manipulation)subsystems
- use this: say Y or M here if you want to use either of those.
-
- To compile it as a module, choose M here. If unsure, say N.
+ tristate
-if IP_NF_ARPTABLES
+config NFT_COMPAT_ARP
+ tristate
+ depends on NF_TABLES_ARP && NFT_COMPAT
+ default m if NFT_COMPAT=m
+ default y if NFT_COMPAT=y
config IP_NF_ARPFILTER
- tristate "ARP packet filtering"
+ tristate "arptables-legacy packet filtering support"
+ select IP_NF_ARPTABLES
help
ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
- local output. On a bridge, you can also specify filtering rules
- for forwarded ARP packets. See the man page for arptables(8).
+ local output. This is only needed for arptables-legacy(8).
+ Neither arptables-nft nor nftables need this to work.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_ARP_MANGLE
tristate "ARP payload mangling"
+ depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
help
Allows altering the ARP packet payload: source and destination
hardware and network addresses.
-endif # IP_NF_ARPTABLES
+ This option is needed by both arptables-legacy and arptables-nft.
+ It is not used by nftables.
endmenu
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH nf-next] netfilter: arptables: allow arptables-nft only builds
2024-01-23 15:42 [PATCH nf-next] netfilter: arptables: allow arptables-nft only builds Florian Westphal
@ 2024-01-24 13:46 ` Phil Sutter
0 siblings, 0 replies; 2+ messages in thread
From: Phil Sutter @ 2024-01-24 13:46 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Tue, Jan 23, 2024 at 04:42:48PM +0100, Florian Westphal wrote:
> Allows to build kernel that supports the arptables mangle target
> via nftables' compat infra but without the arptables get/setsockopt
> interface or the old arptables filter interpreter.
>
> IOW, setting IP_NF_ARPFILTER=n will break arptables-legacy, but
> arptables-nft will continue to work as long as nftables compat
> support is enabled.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Phil Sutter <phil@nwl.cc>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-01-24 13:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-23 15:42 [PATCH nf-next] netfilter: arptables: allow arptables-nft only builds Florian Westphal
2024-01-24 13:46 ` Phil Sutter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).