These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
Kconfigs user selectable, avoiding creating an extra dependency by
enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Changelog:

v5:
 * Change the description of the legacy Kconfig (Pablo)

v4:
 * Remove the "depends on" part, which may come later in a separate
   change, given it's intrusive on how to configure selftests
 * https://lore.kernel.org/all/20240829161656.832208-1-leitao@debian.org/

v3:
 * Make sure that the generate from tools/testing/selftests/net/config
   look the same before and after. (Jakub)
 * https://lore.kernel.org/all/20240827145242.3094777-1-leitao@debian.org/

v2:
 * Added the new configuration in the selftest configs (Jakub)
 * Added this simple cover letter
 * https://lore.kernel.org/all/20240823174855.3052334-1-leitao@debian.org/

v1:
 * https://lore.kernel.org/all/20240822175537.3626036-1-leitao@debian.org/

Breno Leitao (2):
  netfilter: Make IP6_NF_IPTABLES_LEGACY selectable
  netfilter: Make IP_NF_IPTABLES_LEGACY selectable

 net/ipv4/netfilter/Kconfig | 8 +++++++-
 net/ipv6/netfilter/Kconfig | 9 ++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

--
2.43.5

On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> Kconfigs user selectable, avoiding creating an extra dependency by
> enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

This needs a v6. There is also:

BRIDGE_NF_EBTABLES_LEGACY

We have more copy and paste in the bridge.

Would you submit a single patch covering this too?

Hello Pablo,

On Wed, Sep 18, 2024 at 01:13:29PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
>
> This needs a v6. There is also:
>
> BRIDGE_NF_EBTABLES_LEGACY
>
> We have more copy and paste in the bridge.
>
> Would you submit a single patch covering this too?

Sure, I am more than happy to work on this one and also on
IP_NF_ARPTABLES.

Would you like a v6 with all the four changes, or, two extra patches and
keep this thread ready for merge?

PS: I am in LPC and in Kernel Recipes next week, I might not be able to
do it until next week.

Thanks

On Thu, Sep 19, 2024 at 02:31:12AM -0700, Breno Leitao wrote:
> Hello Pablo,
>
> On Wed, Sep 18, 2024 at 01:13:29PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> >
> > This needs a v6. There is also:
> >
> > BRIDGE_NF_EBTABLES_LEGACY
> >
> > We have more copy and paste in the bridge.
> >
> > Would you submit a single patch covering this too?
>
> Sure, I am more than happy to work on this one and also on
> IP_NF_ARPTABLES.
>
> Would you like a v6 with all the four changes, or, two extra patches and
> keep this thread ready for merge?

One single patch is fine, thanks.

> PS: I am in LPC and in Kernel Recipes next week, I might not be able to
> do it until next week.
>
> Thanks

On Wed, Sep 18, 2024 at 01:13:32PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
>
> This needs a v6. There is also:
>
> BRIDGE_NF_EBTABLES_LEGACY
>
> We have more copy and paste in the bridge.
>
> Would you submit a single patch covering this too?

There is also:

# ARP tables
config IP_NF_ARPTABLES
	tristate

which has never had a description. Could you also add?

	arptables is a legacy packet classification.
	This is not needed if you are using arptables over nftables
	(iptables-nft).

There is no need for _LEGACY in this case.

Single patch to update them all should be fine.

Thanks

Hello Pablo, On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote: > Single patch to update them all should be fine. I am planning to send the following patch, please let me know if you have any concern before I send it: Author: Breno Leitao <leitao@debian.org> Date: Thu Aug 29 02:51:02 2024 -0700 netfilter: Make legacy configs user selectable This option makes legacy Netfilter Kconfig user selectable, giving users the option to configure iptables without enabling any other config. Make the following KConfig entries user selectable: * BRIDGE_NF_EBTABLES_LEGACY * IP_NF_ARPTABLES * IP_NF_IPTABLES_LEGACY * IP6_NF_IPTABLES_LEGACY Signed-off-by: Breno Leitao <leitao@debian.org> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index 104c0125e32e..b7bdb094f708 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig @@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE # old sockopt interface and eval loop config BRIDGE_NF_EBTABLES_LEGACY - tristate + tristate "Legacy EBTABLES support" + depends on BRIDGE && NETFILTER_XTABLES + default n + help + Legacy ebtable packet/frame classifier. + This is not needed if you are using ebtables over nftables + (iptables-nft). menuconfig BRIDGE_NF_EBTABLES tristate "Ethernet Bridge tables (ebtables) support" diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 1b991b889506..2c4d42b5bed1 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4 # old sockopt interface and eval loop config IP_NF_IPTABLES_LEGACY - tristate + tristate "Legacy IP tables support" + default n + select NETFILTER_XTABLES + help + iptables is a legacy packet classifier. + This is not needed if you are using iptables over nftables + (iptables-nft). config NF_SOCKET_IPV4 tristate "IPv4 socket lookup support" 
@@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES # ARP tables config IP_NF_ARPTABLES - tristate + tristate "Legacy ARPTABLE support" + depends on NETFILTER_XTABLES + default n + help + arptables is a legacy packet classifier. + This is not needed if you are using arptables over nftables + (iptables-nft). config NFT_COMPAT_ARP tristate diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index f3c8e2d918e1..e087a8e97ba7 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration" # old sockopt interface and eval loop config IP6_NF_IPTABLES_LEGACY - tristate + tristate "Legacy IP6 tables support" + depends on INET && IPV6 + select NETFILTER_XTABLES + default n + help + ip6tables is a legacy packet classifier. + This is not needed if you are using iptables over nftables + (iptables-nft). config NF_SOCKET_IPV6 tristate "IPv6 socket lookup support"
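Review bot: In the BRIDGE_NF_EBTABLES_LEGACY help text of the net/bridge/netfilter/Kconfig hunk, the parenthetical "(iptables-nft)" names the iptables front end in an entry about ebtables, and "ebtable" is missing its final "s". Suggest "Legacy ebtables packet/frame classifier." and, if the parenthetical is meant as the package that ships the nftables-backed tools, saying so; otherwise name the ebtables front end there. The "default n" line can also go, since a Kconfig symbol with no default is already n.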
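Review bot: The IP_NF_IPTABLES_LEGACY entry in the first net/ipv4/netfilter/Kconfig hunk uses "select NETFILTER_XTABLES", while the BRIDGE_NF_EBTABLES_LEGACY and IP_NF_ARPTABLES entries in the same patch use "depends on NETFILTER_XTABLES". The two forms behave differently for the person configuring the kernel: with "depends on" the prompt stays hidden until NETFILTER_XTABLES is enabled, while "select" forces NETFILTER_XTABLES on without checking that symbol's own dependencies. Please use one form across all four entries, or explain in the commit message why they differ.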
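Review bot: The prompt added for IP_NF_ARPTABLES in the second net/ipv4/netfilter/Kconfig hunk reads "Legacy ARPTABLE support", which drops the final "S" of the tool name. The prompt also calls the option legacy while the symbol keeps its name without a _LEGACY suffix, unlike the other three entries; one sentence in the commit message stating that this is intentional would make the asymmetry clear to anyone reading the log later.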
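Review bot: The IP6_NF_IPTABLES_LEGACY entry in the net/ipv6/netfilter/Kconfig hunk adds "depends on INET && IPV6", but the IPv4 counterpart in this patch has no "depends on" line at all, and the help text says "using iptables over nftables" in an entry that describes ip6tables. Either give both entries matching dependency lines, or drop the line here if the enclosing "IPv6: Netfilter Configuration" menu already provides it, and change the help sentence to "ip6tables over nftables".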
On Thu, Sep 26, 2024 at 04:11:39AM -0700, Breno Leitao wrote: > Hello Pablo, > > On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote: > > Single patch to update them all should be fine. > > I am planning to send the following patch, please let me know if you > have any concern before I send it: > > Author: Breno Leitao <leitao@debian.org> > Date: Thu Aug 29 02:51:02 2024 -0700 > > netfilter: Make legacy configs user selectable > > This option makes legacy Netfilter Kconfig user selectable, giving users > the option to configure iptables without enabling any other config. LGTM, a few cosmetic nitpicks below. > Make the following KConfig entries user selectable: > * BRIDGE_NF_EBTABLES_LEGACY > * IP_NF_ARPTABLES > * IP_NF_IPTABLES_LEGACY > * IP6_NF_IPTABLES_LEGACY > > Signed-off-by: Breno Leitao <leitao@debian.org> > > diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig > index 104c0125e32e..b7bdb094f708 100644 > --- a/net/bridge/netfilter/Kconfig > +++ b/net/bridge/netfilter/Kconfig > @@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE > > # old sockopt interface and eval loop > config BRIDGE_NF_EBTABLES_LEGACY > - tristate > + tristate "Legacy EBTABLES support" > + depends on BRIDGE && NETFILTER_XTABLES > + default n > + help > + Legacy ebtable packet/frame classifier. ^^^^^^^ ebtables > + This is not needed if you are using ebtables over nftables > + (iptables-nft). > > menuconfig BRIDGE_NF_EBTABLES > tristate "Ethernet Bridge tables (ebtables) support" > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig > index 1b991b889506..2c4d42b5bed1 100644 > --- a/net/ipv4/netfilter/Kconfig > +++ b/net/ipv4/netfilter/Kconfig 
> @@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4 > > # old sockopt interface and eval loop > config IP_NF_IPTABLES_LEGACY > - tristate > + tristate "Legacy IP tables support" > + default n > + select NETFILTER_XTABLES > + help > + iptables is a legacy packet classifier. > + This is not needed if you are using iptables over nftables > + (iptables-nft). > > config NF_SOCKET_IPV4 > tristate "IPv4 socket lookup support" > @@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES > > # ARP tables > config IP_NF_ARPTABLES > - tristate > + tristate "Legacy ARPTABLE support" ^^^^^^^^ ARPTABLES > + depends on NETFILTER_XTABLES > + default n > + help > + arptables is a legacy packet classifier. > + This is not needed if you are using arptables over nftables > + (iptables-nft). > > config NFT_COMPAT_ARP > tristate > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig > index f3c8e2d918e1..e087a8e97ba7 100644 > --- a/net/ipv6/netfilter/Kconfig > +++ b/net/ipv6/netfilter/Kconfig > @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration" > > # old sockopt interface and eval loop > config IP6_NF_IPTABLES_LEGACY > - tristate > + tristate "Legacy IP6 tables support" > + depends on INET && IPV6 > + select NETFILTER_XTABLES > + default n > + help > + ip6tables is a legacy packet classifier. > + This is not needed if you are using iptables over nftables > + (iptables-nft). > > config NF_SOCKET_IPV6 > tristate "IPv6 socket lookup support"

Hello,

On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> Kconfigs user selectable, avoiding creating an extra dependency by
> enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.

Any other feedback regarding this change? This is technically causing
user visible regression and blocks us from rolling out recent kernels.

Thank you,
--breno

On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> Hello,
>
> On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > Kconfigs user selectable, avoiding creating an extra dependency by
> > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
>
> Any other feedback regarding this change? This is technically causing
> user visible regression and blocks us from rolling out recent kernels.

What regressions? This patch comes with no Fixes: tag.

On Thu, Sep 12, 2024 at 12:09:36AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> > Hello,
> >
> > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> >
> > Any other feedback regarding this change? This is technically causing
> > user visible regression and blocks us from rolling out recent kernels.
>
> What regressions? This patch comes with no Fixes: tag.

Sorry, I should have said "This is technically causing user lack of
flexibility when configuring the kernel"

On Thu, Sep 12, 2024 at 05:18:29AM -0700, Breno Leitao wrote:
> On Thu, Sep 12, 2024 at 12:09:36AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Sep 11, 2024 at 08:25:52AM -0700, Breno Leitao wrote:
> > > Hello,
> > >
> > > On Mon, Sep 09, 2024 at 01:46:17AM -0700, Breno Leitao wrote:
> > > > These two patches make IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY
> > > > Kconfigs user selectable, avoiding creating an extra dependency by
> > > > enabling some other config that would select IP{6}_NF_IPTABLES_LEGACY.
> > >
> > > Any other feedback regarding this change? This is technically causing
> > > user visible regression and blocks us from rolling out recent kernels.
> >
> > What regressions? This patch comes with no Fixes: tag.
>
> Sorry, I should have said "This is technically causing user lack of
> flexibility when configuring the kernel"

Sure, to allow for in-kernel iptables compilation but extensions as
modules? How in the world is that ever used, really?