[PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
Kconfigs user selectable, avoiding creating an extra dependency by
enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Changelog:

v5:
 * Change the description of the legacy Kconfig (Pablo)

v4:
 * Remove the "depends on" part, which may come later in a separate
   change, given its intrusive on how to configure selftests
 * https://lore.kernel.org/all/20240829161656.832208-1-leitao@debian.org/

v3:
 * Make sure that the generate from  tools/testing/selftests/net/config
   look the same before and after. (Jakub)
 * https://lore.kernel.org/all/20240827145242.3094777-1-leitao@debian.org/

v2:
 * Added the new configuration in the selftest configs (Jakub)
 * Added this simple cover letter
 * https://lore.kernel.org/all/20240823174855.3052334-1-leitao@debian.org/

v1:
 * https://lore.kernel.org/all/20240822175537.3626036-1-leitao@debian.org/

Breno Leitao (2):
  netfilter: Make IP6_NF_IPTABLES_LEGACY selectable
  netfilter: Make IP_NF_IPTABLES_LEGACY selectable

 net/ipv4/netfilter/Kconfig | 8 +++++++-
 net/ipv6/netfilter/Kconfig | 9 ++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

-- 
2.43.5

[PATCH nf-next v5 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv6/netfilter/Kconfig | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..425cb7a3571b 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a legacy packet classification.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"
-- 
2.43.5

[PATCH nf-next v5 2/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

This option makes IP_NF_IPTABLES_LEGACY user selectable, giving
users the option to configure iptables without enabling any other
config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv4/netfilter/Kconfig | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506..1fcbf6db40fa 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default	n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a legacy packet classification.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
-- 
2.43.5

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello,

On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> Kconfigs user selectable, avoiding creating an extra dependency by
> enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Any other feedback regarding this change? This is technically causing
user visible regression and blocks us from rolling out recent kernels.

Thank you,
--breno

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> Hello,
> 
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> 
> Any other feedback regarding this change? This is technically causing
> user visible regression and blocks us from rolling out recent kernels.

What regressions? This patch comes with no Fixes: tag.

Re: [PATCH nf-next v5 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

One more question below.

On Mon, Sep 09, 2024 at 01:46:18AM -0700, Breno Leitao wrote:
> This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> users the option to configure iptables without enabling any other
> config.
>
> Signed-off-by: Breno Leitao <leitao@debian.org>
> ---
>  net/ipv6/netfilter/Kconfig | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..425cb7a3571b 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
>  
>  # old sockopt interface and eval loop
>  config IP6_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP6 tables support"
> +	depends on INET && IPV6
> +	select NETFILTER_XTABLES
> +	default n
> +	help
> +	  ip6tables is a legacy packet classification.

                                Is "packet classifier" the right term?

I can mangle this patch before applying, no need to send one more.

Thanks.

> +	  This is not needed if you are using iptables over nftables
> +	  (iptables-nft).
>  
>  config NF_SOCKET_IPV6
>  	tristate "IPv6 socket lookup support"
> -- 
> 2.43.5
> 

Re: [PATCH nf-next v5 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

On Thu, Sep 12, 2024 at 12:12:01AM +0200, Pablo Neira Ayuso wrote:
> One more question below.
> 
> On Mon, Sep 09, 2024 at 01:46:18AM -0700, Breno Leitao wrote:
> > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > users the option to configure iptables without enabling any other
> > config.
> >
> > Signed-off-by: Breno Leitao <leitao@debian.org>
> > ---
> >  net/ipv6/netfilter/Kconfig | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> > index f3c8e2d918e1..425cb7a3571b 100644
> > --- a/net/ipv6/netfilter/Kconfig
> > +++ b/net/ipv6/netfilter/Kconfig
> > @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
> >  
> >  # old sockopt interface and eval loop
> >  config IP6_NF_IPTABLES_LEGACY
> > -	tristate
> > +	tristate "Legacy IP6 tables support"
> > +	depends on INET && IPV6
> > +	select NETFILTER_XTABLES
> > +	default n
> > +	help
> > +	  ip6tables is a legacy packet classification.
> 
>                                 Is "packet classifier" the right term?
> 
> I can mangle this patch before applying, no need to send one more.

Thanks
--breno

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

On Thu, Sep 12, 2024 at 12:09:36AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> > Hello,
> > 
> > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> > 
> > Any other feedback regarding this change? This is technically causing
> > user visible regression and blocks us from rolling out recent kernels.
> 
> What regressions? This patch comes with no Fixes: tag.

Sorry, I should have said "This is technically causing user lack of
flexibility when configuring the kernel"

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Thu, Sep 12, 2024 at 05:18:29AM -0700, Breno Leitao wrote:
> On Thu, Sep 12, 2024 at 12:09:36AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> > > Hello,
> > > 
> > > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> > > 
> > > Any other feedback regarding this change? This is technically causing
> > > user visible regression and blocks us from rolling out recent kernels.
> > 
> > What regressions? This patch comes with no Fixes: tag.
> 
> Sorry, I should have said "This is technically causing user lack of
> flexibility when configuring the kernel"

Sure, to allow for in-kernel iptables compilation but extensions as
modules? How in the world is that ever used, really?

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> Kconfigs user selectable, avoiding creating an extra dependency by
> enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

This needs a v6. There is also:

BRIDGE_NF_EBTABLES_LEGACY

We have more copy and paste in the bridge.

Would you submit a single patch covering this too?

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Wed, Sep 18, 2024 at 01:13:32PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> 
> This needs a v6. There is also:
> 
> BRIDGE_NF_EBTABLES_LEGACY
> 
> We have more copy and paste in the bridge.
> 
> Would you submit a single patch covering this too?

There is also:

# ARP tables
config IP_NF_ARPTABLES
        tristate

which has never had a description. Could you also add?

         arptables is a legacy packet classification.
         This is not needed if you are using arptables over nftables
         (iptables-nft).

There is no need for _LEGACY in this case.

Single patch to update them all should be fine.

Thanks

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Pablo,

On Wed, Sep 18, 2024 at 01:13:29PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> 
> This needs a v6. There is also:
> 
> BRIDGE_NF_EBTABLES_LEGACY
> 
> We have more copy and paste in the bridge.
> 
> Would you submit a single patch covering this too?

Sure, I am more than happy to work on this one and also on
IP_NF_ARPTABLES.

Would you like a v6 with all the four changes, or, two extra patches and
keep this thread ready for merge?

PS: I am in LPC and in Kernel Recipes next week, I might not be able to
do it until next week.

Thanks

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Thu, Sep 19, 2024 at 02:31:12AM -0700, Breno Leitao wrote:
> Hello Pablo,
> 
> On Wed, Sep 18, 2024 at 01:13:29PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> > 
> > This needs a v6. There is also:
> > 
> > BRIDGE_NF_EBTABLES_LEGACY
> > 
> > We have more copy and paste in the bridge.
> > 
> > Would you submit a single patch covering this too?
> 
> Sure, I am more than happy to work on this one and also on
> IP_NF_ARPTABLES.
> 
> Would you like a v6 with all the four changes, or, two extra patches and
> keep this thread ready for merge?

One single patch is fine, thanks.

> PS: I am in LPC and in Kernel Recipes next week, I might not be able to
> do it until next week.
> 
> Thanks

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Breno Leitao]

Hello Pablo,

On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote:
> Single patch to update them all should be fine.

I am planning to send the following patch, please let me know if you
have any concern before I send it:

Author: Breno Leitao <leitao@debian.org>
Date:   Thu Aug 29 02:51:02 2024 -0700

    netfilter: Make legacy configs user selectable
    
    This option makes legacy Netfilter Kconfig user selectable, giving users
    the option to configure iptables without enabling any other config.
    
    Make the following KConfig entries user selectable:
     * BRIDGE_NF_EBTABLES_LEGACY
     * IP_NF_ARPTABLES
     * IP_NF_IPTABLES_LEGACY
     * IP6_NF_IPTABLES_LEGACY
    
    Signed-off-by: Breno Leitao <leitao@debian.org>

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 104c0125e32e..b7bdb094f708 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
 
 # old sockopt interface and eval loop
 config BRIDGE_NF_EBTABLES_LEGACY
-	tristate
+	tristate "Legacy EBTABLES support"
+	depends on BRIDGE && NETFILTER_XTABLES
+	default n
+	help
+	 Legacy ebtable packet/frame classifier.
+	 This is not needed if you are using ebtables over nftables
+	 (iptables-nft).
 
 menuconfig BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506..2c4d42b5bed1 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default	n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
@@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
 
 # ARP tables
 config IP_NF_ARPTABLES
-	tristate
+	tristate "Legacy ARPTABLE support"
+	depends on NETFILTER_XTABLES
+	default n
+	help
+	  arptables is a legacy packet classifier.
+	  This is not needed if you are using arptables over nftables
+	  (iptables-nft).
 
 config NFT_COMPAT_ARP
 	tristate
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..e087a8e97ba7 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"

Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable

[Pablo Neira Ayuso]

On Thu, Sep 26, 2024 at 04:11:39AM -0700, Breno Leitao wrote:
> Hello Pablo,
> 
> On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote:
> > Single patch to update them all should be fine.
> 
> I am planning to send the following patch, please let me know if you
> have any concern before I send it:
> 
> Author: Breno Leitao <leitao@debian.org>
> Date:   Thu Aug 29 02:51:02 2024 -0700
> 
>     netfilter: Make legacy configs user selectable
>     
>     This option makes legacy Netfilter Kconfig user selectable, giving users
>     the option to configure iptables without enabling any other config.

LGTM, a few cosmetic nitpicks below.

>     Make the following KConfig entries user selectable:
>      * BRIDGE_NF_EBTABLES_LEGACY
>      * IP_NF_ARPTABLES
>      * IP_NF_IPTABLES_LEGACY
>      * IP6_NF_IPTABLES_LEGACY
>     
>     Signed-off-by: Breno Leitao <leitao@debian.org>
> 
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index 104c0125e32e..b7bdb094f708 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
>  
>  # old sockopt interface and eval loop
>  config BRIDGE_NF_EBTABLES_LEGACY
> -	tristate
> +	tristate "Legacy EBTABLES support"
> +	depends on BRIDGE && NETFILTER_XTABLES
> +	default n
> +	help
> +	 Legacy ebtable packet/frame classifier.
                ^^^^^^^
                ebtables

> +	 This is not needed if you are using ebtables over nftables
> +	 (iptables-nft).
>  
>  menuconfig BRIDGE_NF_EBTABLES
>  	tristate "Ethernet Bridge tables (ebtables) support"
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index 1b991b889506..2c4d42b5bed1 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
>  
>  # old sockopt interface and eval loop
>  config IP_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP tables support"
> +	default	n
> +	select NETFILTER_XTABLES
> +	help
> +	  iptables is a legacy packet classifier.
> +	  This is not needed if you are using iptables over nftables
> +	  (iptables-nft).
>  
>  config NF_SOCKET_IPV4
>  	tristate "IPv4 socket lookup support"
> @@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
>  
>  # ARP tables
>  config IP_NF_ARPTABLES
> -	tristate
> +	tristate "Legacy ARPTABLE support"
                         ^^^^^^^^
                         ARPTABLES

> +	depends on NETFILTER_XTABLES
> +	default n
> +	help
> +	  arptables is a legacy packet classifier.
> +	  This is not needed if you are using arptables over nftables
> +	  (iptables-nft).
>  
>  config NFT_COMPAT_ARP
>  	tristate
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..e087a8e97ba7 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
>  
>  # old sockopt interface and eval loop
>  config IP6_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP6 tables support"
> +	depends on INET && IPV6
> +	select NETFILTER_XTABLES
> +	default n
> +	help
> +	  ip6tables is a legacy packet classifier.
> +	  This is not needed if you are using iptables over nftables
> +	  (iptables-nft).
>  
>  config NF_SOCKET_IPV6
>  	tristate "IPv6 socket lookup support"