From nobody Wed Apr  1 22:37:18 2026
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D31438A720;
	Wed,  1 Apr 2026 07:45:42 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.92.199
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029546; cv=none;
 b=gQl1QYk0f5YvfRWeCfEYtoM1Whm6q6WLlSgXZTnjduIfOXzLIk383maW8Kl/sabtXMn8NVnQd3q/fnSHK8U9XNdZEmKh5LW/QF2ycs4vJGErCOTpMqcEnHBnDEFLkxoiM+qottVCCUKZ163u0b07dvt+0kDcoMAHUS7uMzNuYqA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029546; c=relaxed/simple;
	bh=G+MOIw6te2PEYObUvRNoONaiOWjDHRklhl8RTcJVPZI=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=miO9NgUiIXL7xUA4YrDvuGqmEjnhgwCUngY3kdlzJ6s6x+j3TTH8t0ydSuYinVLQZaJvgCo2gsQzJOH9uJmIHUbz4LGc2+z5q+O0zK+Mkp8LtkMSCLRx6f+GCDTpCV5X75VHNxSipxDeIC9aHcpdEJRP8m/bGEkAg7j8j03rpWg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=Cj5jYf8L; arc=none smtp.client-ip=90.155.92.199
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="Cj5jYf8L"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding:
	MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:From:Reply-To:
	Cc:Content-Type:Content-ID:Content-Description;
	bh=h+p+VmdWrOOE3XGa5ETBNDsBTi8oEa3Q6yVdlq8p0TQ=; b=Cj5jYf8LEO52SYJSteJD++g+jR
	nxIMi2FBOq6FCP5C1gDwhsPoPpYGA9vx+jXOkaIfMVFWqsqNVOKYhZSO1U91eV6SyU6l4e1vtVVt8
	CRNdM6eFadOnbCYoBPXxXZps8ykTWb6jG/w3nid2e5/e/trzQDLXJKKisSQ+1Cb8okh+eAwxsIubl
	x4tr5WC2fydMBYBVHmjEXNZuKknil+uGbfBpbvlwZKsQ39AT06qKDQMdKHmNKRld4luM6SayP4CKf
	vrpwcDhzc3qkEVGuaanf2jMapJLhWqhn0GTgfW+USWPhYLux76UlPlWzlTigUJ4z30UuWJoath5TZ
	bp9qQlUA==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGN-0000000HLQP-0C5r;
	Wed, 01 Apr 2026 07:45:20 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xe5-1ZeE;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 1/6] net: Simplify tautological CONFIG_INET/CONFIG_IPV6 guards
Date: Wed,  1 Apr 2026 08:44:15 +0100
Message-ID: <20260401074509.1897527-2-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 desiato.infradead.org. See http://www.infradead.org/rpr.html
Content-Type: text/plain; charset="utf-8"

From: David Woodhouse <dwmw@amazon.co.uk>

CONFIG_IPV6 depends on CONFIG_INET, so:
 - 'IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)' simplifies
   to just 'IS_ENABLED(CONFIG_IPV6)'
 - 'IS_ENABLED(CONFIG_INET) || IS_ENABLED(CONFIG_IPV6)' simplifies
   to just 'IS_ENABLED(CONFIG_INET)'

No functional change.

Signed-off-by: David Woodhouse (Kiro) <dwmw@amazon.co.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c       | 6 +++---
 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.h       | 2 +-
 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 2 +-
 drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c   | 2 +-
 net/core/filter.c                                         | 2 +-
 net/core/secure_seq.c                                     | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/=
net/ethernet/mellanox/mlx5/core/en/tc_tun.c
index a14f216048cd..889dc1785772 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
@@ -439,7 +439,7 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *=
priv,
 	return err;
 }
=20
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 static int mlx5e_route_lookup_ipv6_get(struct mlx5e_priv *priv,
 				       struct net_device *dev,
 				       struct mlx5e_tc_tun_route_attr *attr)
@@ -727,7 +727,7 @@ int mlx5e_tc_tun_route_lookup(struct mlx5e_priv *priv,
 		attr.fl.fl4.daddr =3D esw_attr->rx_tun_attr->src_ip.v4;
 		err =3D mlx5e_route_lookup_ipv4_get(priv, filter_dev, &attr);
 	}
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 	else if (flow_attr->tun_ip_version =3D=3D 6) {
 		/* Addresses are swapped for decap */
 		attr.fl.fl6.saddr =3D esw_attr->rx_tun_attr->dst_ip.v6;
@@ -762,7 +762,7 @@ int mlx5e_tc_tun_route_lookup(struct mlx5e_priv *priv,
 out:
 	if (flow_attr->tun_ip_version =3D=3D 4)
 		mlx5e_route_lookup_ipv4_put(&attr);
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 	else if (flow_attr->tun_ip_version =3D=3D 6)
 		mlx5e_route_lookup_ipv6_put(&attr);
 #endif
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.h b/drivers/=
net/ethernet/mellanox/mlx5/core/en/tc_tun.h
index 6873c1201803..f3c0e2d0f388 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.h
@@ -73,7 +73,7 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *pr=
iv,
 				    struct net_device *mirred_dev,
 				    struct mlx5e_encap_entry *e);
=20
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
 				    struct net_device *mirred_dev,
 				    struct mlx5e_encap_entry *e);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/dr=
ivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
index bfd401bee9e8..b2973e8a7df8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
@@ -104,7 +104,7 @@ int mlx5e_tc_set_attr_rx_tun(struct mlx5e_tc_flow *flow,
 		if (!tun_attr->dst_ip.v4 || !tun_attr->src_ip.v4)
 			return 0;
 	}
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 	else if (ip_version =3D=3D 6) {
 		int ipv6_size =3D MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6);
=20
diff --git a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c b/driv=
ers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
index 0cef0e2b85d0..5eb47e1a8d5e 100644
--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
@@ -814,7 +814,7 @@ void nfp_tunnel_request_route_v6(struct nfp_app *app, s=
truct sk_buff *skb)
 	flow.daddr =3D payload->ipv6_addr;
 	flow.flowi6_proto =3D IPPROTO_UDP;
=20
-#if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
 	dst =3D ipv6_stub->ipv6_dst_lookup_flow(dev_net(netdev), NULL, &flow,
 					      NULL);
 	if (IS_ERR(dst))
diff --git a/net/core/filter.c b/net/core/filter.c
index 78b548158fb0..ad71ceefcb5e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6083,7 +6083,7 @@ static const struct bpf_func_proto bpf_skb_get_xfrm_s=
tate_proto =3D {
 };
 #endif
=20
-#if IS_ENABLED(CONFIG_INET) || IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_INET)
 static int bpf_fib_set_fwd_params(struct bpf_fib_lookup *params, u32 mtu)
 {
 	params->h_vlan_TCI =3D 0;
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
index 6a6f2cda5aae..4de049635db0 100644
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -15,7 +15,7 @@
 #include <linux/siphash.h>
 #include <net/secure_seq.h>
=20
-#if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_INET)
 #include <linux/in6.h>
 #include <net/tcp.h>
=20
--=20
2.51.0
From nobody Wed Apr  1 22:37:18 2026
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9133238643E;
	Wed,  1 Apr 2026 07:45:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.92.199
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029546; cv=none;
 b=dCRrc8gmOT4oXHzxmVgOMVteIpES5/nAUSlGXVDJftgaw3atZ5cyaY5C/WYe6dvqODhl+F95/LJgloSzl+Z196khTuX0Gs0OT3tRPJYc6tIzSdQ+HyxWP0cu2YPLdsMeZtl8mpdL89yTvqzXO68D2Z7fjK4gfKJ+xxzJjApb5Os=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029546; c=relaxed/simple;
	bh=9R+JVXf4BtoLSJ29Oe17bA2hZ9tUe54L63YtyNAu4Ys=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=h7fCMqQODH0kLX20RoRiiU3N6lgvb0cK63XmpibI8IrSbAxEkyGiHFXowjAgSfBtmAcYHIlDEaamuuaUp75gdf9DOS11qdQXxWDvDPEgzO2hJaGQayRFbDljn/Skmczki330V5gpWPdCx4pRwojLodYRKjHF5Kpk6zrvU7VnzWU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=cGXZEtGH; arc=none smtp.client-ip=90.155.92.199
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="cGXZEtGH"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding:
	Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:
	From:Reply-To:Cc:Content-ID:Content-Description;
	bh=5iG19Rn9VazMkVS9llniL6PBW1JOyaflEHOOD98tRZo=; b=cGXZEtGHD9fH3O9CZN4XP5sxfi
	H8mHOXi9NQOmDZi4ip1Y6phk85JdqIAuKBx+xqD+WQReEjlWnndfUL9yz3LdeD4sCBOas46aF6W7I
	bcK3LJaLrEDUmYK/7fg7uR0BRH2pbgTxQ+v5yl8oq1vkTYgnLYVTxyv/FeydxPJBssY88jdSgioW1
	z/wT7xqPFDUMM4Dl+GgRna90n+n9hKzCX0Dl3jB1kbs1WJj/8I/LUPqb2AVjuUjpFAPdQxAK1Qbdf
	DA9oYeheAcq/IUqUFSNZDQ4DHMmZs7leRaYMlDeIgUiYAuD9OTc1d7rGbKsGbXvAbd4nM7pX41kUC
	poZKL3SA==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGN-0000000HLQN-0BwS;
	Wed, 01 Apr 2026 07:45:19 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xe8-1pgr;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 2/6] net: Add CONFIG_LEGACY_IP option
Date: Wed,  1 Apr 2026 08:44:16 +0100
Message-ID: <20260401074509.1897527-3-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 desiato.infradead.org. See http://www.infradead.org/rpr.html

From: David Woodhouse <dwmw@amazon.co.uk>

Add a new CONFIG_LEGACY_IP boolean option under CONFIG_INET that will
gate Legacy IP functionality. When disabled, the kernel will not
register the AF_INET socket family, IPv4 packet handler, ARP, or IPv4
routing, while the shared TCP/UDP/INET socket infrastructure remains
available for IPv6.

This is the first step toward making Legacy IP optional. The option
defaults to y and currently has no effect =E2=80=94 subsequent patches will=
 use
it to guard IPv4 entry points.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 net/ipv4/Kconfig | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index df922f9f5289..aef2c5349e62 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -2,6 +2,17 @@
 #
 # IP configuration
 #
+config LEGACY_IP
+	bool "The IPv4 protocol (Legacy IP)"
+	help
+	  Support for IP version 4 (IPv4).
+
+	  Legacy IP is the protocol used by the early ARPANET, before IPv6
+	  was standardised in the final decade of the 1900s. It should only
+	  be necessary these days to interoperate with legacy networks.
+
+	  If unsure, say N.
+
 config IP_MULTICAST
 	bool "IP: multicasting"
 	help
--=20
2.51.0

From nobody Wed Apr  1 22:37:18 2026
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7955639936F;
	Wed,  1 Apr 2026 07:45:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.92.199
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029551; cv=none;
 b=QStxo3oX22odQeZUxJUqej3TKP6nKvsheTL722f3WlV5u3PPMatXiqt7qNmdzSdVFIkWPPfy6we2vHsrFwzWqO+616JAFCCjOmvgN6/jTH+vKIBbdvDOd3Q02C3Pap5jM5FEie5Lm1R00RekRW9yu1bxeuao7CZhIjctJnQlWZ4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029551; c=relaxed/simple;
	bh=+tR2lkGhY7EMKxIv9XlfDa5D+Kafii4siVw1srfeq1Y=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=X0JuGKPmSa1LGWrvJIkwGnVqqDsyermBI/0eNFSBgUIOeI/VWso4r2I8pTyny0QzwTRcKp0t8PH2JRxt4PfV8nrElkIAi47/bM+0abWaTRxyv+a7VcwucG69hlnW39hBIm0FfIjbQ+qJKe16bVMiplAVsZsVfPcMPCbo+JLvSUM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=XmZ0vjW/; arc=none smtp.client-ip=90.155.92.199
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="XmZ0vjW/"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding:
	MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:From:Reply-To:
	Cc:Content-Type:Content-ID:Content-Description;
	bh=rUPZcZvnz7m4wObN0nRKDSPdiuPMBaSG6sDNy+wfNnY=; b=XmZ0vjW/LAOkBb5O+5LmfCk5YI
	n8C7/YEH/1OL7qrT9tmUxRH1AvhkSP1DC33BAFZa/XLf4jRDI2N3NZqjWHOn+7sUESjIM1aasCgA4
	JBIzZF6GADalqzb484AmGNw/yymN7DMeWwDe63XCJwHL4+6jeB8/s2BCmtK9Y9DjhZl2LXE2exenv
	5UNcjFFLrHczGy9tgX4x9RLKNa0chk+2fuONLjXfVSiQoITjn3ij5WJNeyhuBO28yKyWy0KYFAtDd
	34i6caZsumKmuoFkoLuH0sqvSRVFs3CPszxsTh9RD6P2LkTvTFD/fIbqcapt5G6lIiaqPKWm+nVz3
	HfXKpo5Q==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGN-0000000HLQQ-0Bmv;
	Wed, 01 Apr 2026 07:45:19 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xeB-26NS;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 3/6] net: Guard Legacy IP entry points with CONFIG_LEGACY_IP
Date: Wed,  1 Apr 2026 08:44:17 +0100
Message-ID: <20260401074509.1897527-4-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 desiato.infradead.org. See http://www.infradead.org/rpr.html
Content-Type: text/plain; charset="utf-8"

From: David Woodhouse <dwmw@amazon.co.uk>

Wrap the IPv4-specific registrations in inet_init() with
CONFIG_LEGACY_IP guards. When LEGACY_IP is disabled, the kernel
will not:
 - Register the AF_INET socket family
 - Register the ETH_P_IP packet handler (ip_rcv)
 - Initialize ARP, ICMP, IGMP, or IPv4 routing
 - Register IPv4 protocol handlers (TCP/UDP/ICMP over IPv4)
 - Initialize IPv4 multicast routing, proc entries, or fragmentation

The shared INET infrastructure (tcp_prot, udp_prot, tcp_init, etc.)
remains initialized for use by IPv6.

Also update INDIRECT_CALL_INET to not use ip_rcv/ip_list_rcv as
direct call targets when LEGACY_IP is disabled, avoiding a link-time
reference to functions that will eventually be compiled out.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 include/linux/indirect_call_wrapper.h |  4 +++-
 net/ipv4/af_inet.c                    | 20 +++++++++++++-----
 net/ipv4/devinet.c                    |  2 ++
 net/ipv4/route.c                      |  1 -
 net/ipv4/tcp_ipv4.c                   | 30 ++++++++++++++-------------
 5 files changed, 36 insertions(+), 21 deletions(-)

diff --git a/include/linux/indirect_call_wrapper.h b/include/linux/indirect=
_call_wrapper.h
index dc272b514a01..25a3873da462 100644
--- a/include/linux/indirect_call_wrapper.h
+++ b/include/linux/indirect_call_wrapper.h
@@ -57,9 +57,11 @@
  * builtin, this macro simplify dealing with indirect calls with only ipv4=
/ipv6
  * alternatives
  */
-#if IS_BUILTIN(CONFIG_IPV6)
+#if IS_BUILTIN(CONFIG_IPV6) && IS_ENABLED(CONFIG_LEGACY_IP)
 #define INDIRECT_CALL_INET(f, f2, f1, ...) \
 	INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__)
+#elif IS_BUILTIN(CONFIG_IPV6)
+#define INDIRECT_CALL_INET(f, f2, f1, ...) INDIRECT_CALL_1(f, f2, __VA_ARG=
S__)
 #elif IS_ENABLED(CONFIG_INET)
 #define INDIRECT_CALL_INET(f, f2, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARG=
S__)
 #else
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index c7731e300a44..dc358faa1647 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1922,7 +1922,15 @@ static int __init inet_init(void)
 	/*
 	 *	Tell SOCKET that we are alive...
 	 */
+	/* Initialize the socket-side protocol switch tables. */
+	for (r =3D &inetsw[0]; r < &inetsw[SOCK_MAX]; ++r)
+		INIT_LIST_HEAD(r);
+
+#ifdef CONFIG_XFRM
+	xfrm_init();
+#endif
=20
+#ifdef CONFIG_LEGACY_IP
 	(void)sock_register(&inet_family_ops);
=20
 #ifdef CONFIG_SYSCTL
@@ -1957,10 +1965,6 @@ static int __init inet_init(void)
 		pr_crit("%s: Cannot add IGMP protocol\n", __func__);
 #endif
=20
-	/* Register the socket-side information for inet_create. */
-	for (r =3D &inetsw[0]; r < &inetsw[SOCK_MAX]; ++r)
-		INIT_LIST_HEAD(r);
-
 	for (q =3D inetsw_array; q < &inetsw_array[INETSW_ARRAY_LEN]; ++q)
 		inet_register_protosw(q);
=20
@@ -1975,6 +1979,7 @@ static int __init inet_init(void)
 	 */
=20
 	ip_init();
+#endif /* CONFIG_LEGACY_IP */
=20
 	/* Initialise per-cpu ipv4 mibs */
 	if (init_ipv4_mibs())
@@ -1987,7 +1992,8 @@ static int __init inet_init(void)
 	udp_init();
=20
 	/* Add UDP-Lite (RFC 3828) */
-	udplite4_register();
+	if (IS_ENABLED(CONFIG_LEGACY_IP))
+		udplite4_register();
=20
 	raw_init();
=20
@@ -1997,6 +2003,7 @@ static int __init inet_init(void)
 	 *	Set the ICMP layer up
 	 */
=20
+#ifdef CONFIG_LEGACY_IP
 	if (icmp_init() < 0)
 		panic("Failed to create the ICMP control socket.\n");
=20
@@ -2007,10 +2014,12 @@ static int __init inet_init(void)
 	if (ip_mr_init())
 		pr_crit("%s: Cannot init ipv4 mroute\n", __func__);
 #endif
+#endif /* CONFIG_LEGACY_IP */
=20
 	if (init_inet_pernet_ops())
 		pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
=20
+#ifdef CONFIG_LEGACY_IP
 	ipv4_proc_init();
=20
 	ipfrag_init();
@@ -2018,6 +2027,7 @@ static int __init inet_init(void)
 	dev_add_pack(&ip_packet_type);
=20
 	ip_tunnel_core_init();
+#endif /* CONFIG_LEGACY_IP */
=20
 	rc =3D 0;
 out:
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 537bb6c315d2..9b9db10e5db2 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -348,7 +348,9 @@ static int __init inet_blackhole_dev_init(void)
=20
 	return PTR_ERR_OR_ZERO(in_dev);
 }
+#ifdef CONFIG_LEGACY_IP
 late_initcall(inet_blackhole_dev_init);
+#endif
=20
 int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b)
 {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 463236e0dc2d..125614f552c7 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3773,7 +3773,6 @@ int __init ip_rt_init(void)
 	if (ip_rt_proc_init())
 		pr_err("Unable to create route proc files\n");
 #ifdef CONFIG_XFRM
-	xfrm_init();
 	xfrm4_init();
 #endif
 	rtnl_register_many(ip_rt_rtnl_msg_handlers);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index c7b2463c2e25..7660bd45aac7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -3717,25 +3717,27 @@ static void __init bpf_iter_register(void)
=20
 void __init tcp_v4_init(void)
 {
-	int cpu, res;
+	if (IS_ENABLED(CONFIG_LEGACY_IP)) {
+		int cpu, res;
=20
-	for_each_possible_cpu(cpu) {
-		struct sock *sk;
+		for_each_possible_cpu(cpu) {
+			struct sock *sk;
=20
-		res =3D inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW,
-					   IPPROTO_TCP, &init_net);
-		if (res)
-			panic("Failed to create the TCP control socket.\n");
-		sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
+			res =3D inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW,
+						   IPPROTO_TCP, &init_net);
+			if (res)
+				panic("Failed to create the TCP control socket.\n");
+			sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
=20
-		/* Please enforce IP_DF and IPID=3D=3D0 for RST and
-		 * ACK sent in SYN-RECV and TIME-WAIT state.
-		 */
-		inet_sk(sk)->pmtudisc =3D IP_PMTUDISC_DO;
+			/* Please enforce IP_DF and IPID=3D=3D0 for RST and
+			 * ACK sent in SYN-RECV and TIME-WAIT state.
+			 */
+			inet_sk(sk)->pmtudisc =3D IP_PMTUDISC_DO;
=20
-		sk->sk_clockid =3D CLOCK_MONOTONIC;
+			sk->sk_clockid =3D CLOCK_MONOTONIC;
=20
-		per_cpu(ipv4_tcp_sk.sock, cpu) =3D sk;
+			per_cpu(ipv4_tcp_sk.sock, cpu) =3D sk;
+		}
 	}
 	if (register_pernet_subsys(&tcp_sk_ops))
 		panic("Failed to create the TCP control socket.\n");
--=20
2.51.0
From nobody Wed Apr  1 22:37:18 2026
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9144B389470;
	Wed,  1 Apr 2026 07:45:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.92.199
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029547; cv=none;
 b=N8P7FIWVLlONEjgcpcbUHJjvfje34QRDPoO5hLPHEeTWd9fAOYt7OrG1twCPLQ3FqbpZvEIudK6CmTM9R6DbB8OLlHLafuKu/uvEyZU8GTsPOElXYGC0+TwqjHddzZP6S8/bPxgUM6xC6+RIJ4OOuu14B4eS0wJmoMpTaRSntXE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029547; c=relaxed/simple;
	bh=fz1vVpZ+XixTWvLK2fUSSSwxU2g035/t57UleVQMxCs=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=dun3n6+MRi9b6AZk2qp5D5SOrbFlO6a4XIXqtoSmuKvX2GaVKdha/ZTwlypZnOGqyftnh+6Iv9NQXNxfX0l5Qj9WQvdWDj6tuEkGMnhqzIe3FMpve7oOxkE2fe3KN2ET9kgnTtDfb3zCULWoj3JV75aIaUqGnKWF1X2RDui0FJM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=QnCIxoUy; arc=none smtp.client-ip=90.155.92.199
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="QnCIxoUy"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding:
	Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:
	From:Reply-To:Cc:Content-ID:Content-Description;
	bh=7U4Yiy0/CwnvZWt3C0BtwDa2Bz5Q5jm510x17jkSpQk=; b=QnCIxoUyOmPrAkseFjcccD4s1i
	JKfLE7Jom17QlfF7S1IPYullmh2F3/ktBNXwJtxAGsOTgDCOiJWXNBKrEVRZ7iSEc36uqowLb3S7S
	BV99jdHasZRiZk8U5OleuPJgXdXYle1tJH1CZy4rg4gBT9EPLs2Ahr0cAKXcgZFRfJ05SDokSHTfN
	jXPrhzGgoWmGQJy+kbKGacztvzPAG0VZY7QODBlz2dhxkauyvny4QYD1Sn93zFjoRwz7rtxIeRSFT
	/5vAOJQYyW6nfO9WESy0lFzuia8lcNbI1r3pmzzQ440e2a0h03XVEvkS4BGy8eJMOxAk8Vd/9wfQn
	N1CDYbUQ==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGN-0000000HLQR-0Bwg;
	Wed, 01 Apr 2026 07:45:19 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xeH-2STV;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 4/6] net: Make IPv4-only Kconfig options depend on LEGACY_IP
Date: Wed,  1 Apr 2026 08:44:18 +0100
Message-ID: <20260401074509.1897527-5-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 desiato.infradead.org. See http://www.infradead.org/rpr.html

From: David Woodhouse <dwmw@amazon.co.uk>

Add 'depends on LEGACY_IP' to Kconfig options that are purely
IPv4-specific, so they are automatically disabled when LEGACY_IP=3Dn.

IPv4-only options gated:
 - IP_MULTICAST, IP_ADVANCED_ROUTER, IP_FIB_TRIE_STATS,
   IP_MULTIPLE_TABLES, IP_ROUTE_MULTIPATH, IP_ROUTE_VERBOSE,
   IP_ROUTE_CLASSID =E2=80=94 IPv4 routing features
 - IP_PNP (and children DHCP/BOOTP/RARP) =E2=80=94 IPv4 autoconfiguration
 - NET_IPIP, NET_IPGRE_DEMUX, NET_IPGRE, NET_IPGRE_BROADCAST =E2=80=94 IPv4
   tunnels
 - IP_MROUTE_COMMON, IP_MROUTE, IP_MROUTE_MULTIPLE_TABLES,
   IP_PIMSM_V1, IP_PIMSM_V2 =E2=80=94 IPv4 multicast routing
 - NET_IPVTI, NET_FOU_IP_TUNNELS =E2=80=94 IPv4 VTI and FOU tunnels
 - INET_AH, INET_ESP, INET_ESP_OFFLOAD, INET_ESPINTCP,
   INET_IPCOMP =E2=80=94 IPv4 IPsec (IPv6 has separate INET6_* options)
 - INET_XFRM_TUNNEL, INET_TUNNEL =E2=80=94 IPv4 tunnel infrastructure

Options intentionally left ungated (shared with IPv6):
 - SYN_COOKIES, NET_IP_TUNNEL, NET_UDP_TUNNEL, NET_FOU
 - INET_TABLE_PERTURB_ORDER, INET_DIAG and children
 - TCP_CONG_*, DEFAULT_TCP_CONG, TCP_SIGPOOL, TCP_AO, TCP_MD5SIG

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 net/ipv4/Kconfig | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index aef2c5349e62..03b5ba75c3cf 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -15,6 +15,7 @@ config LEGACY_IP
=20
 config IP_MULTICAST
 	bool "IP: multicasting"
+	depends on LEGACY_IP
 	help
 	  This is code for addressing several networked computers at once,
 	  enlarging your kernel by about 2 KB. You need multicasting if you
@@ -25,6 +26,7 @@ config IP_MULTICAST
=20
 config IP_ADVANCED_ROUTER
 	bool "IP: advanced router"
+	depends on LEGACY_IP
 	help
 	  If you intend to run your Linux box mostly as a router, i.e. as a
 	  computer that forwards and redistributes network packets, say Y; you
@@ -66,6 +68,7 @@ config IP_ADVANCED_ROUTER
=20
 config IP_FIB_TRIE_STATS
 	bool "FIB TRIE statistics"
+	depends on LEGACY_IP
 	depends on IP_ADVANCED_ROUTER
 	help
 	  Keep track of statistics on structure of FIB TRIE table.
@@ -73,6 +76,7 @@ config IP_FIB_TRIE_STATS
=20
 config IP_MULTIPLE_TABLES
 	bool "IP: policy routing"
+	depends on LEGACY_IP
 	depends on IP_ADVANCED_ROUTER
 	select FIB_RULES
 	help
@@ -90,6 +94,7 @@ config IP_MULTIPLE_TABLES
=20
 config IP_ROUTE_MULTIPATH
 	bool "IP: equal cost multipath"
+	depends on LEGACY_IP
 	depends on IP_ADVANCED_ROUTER
 	help
 	  Normally, the routing tables specify a single action to be taken in
@@ -102,6 +107,7 @@ config IP_ROUTE_MULTIPATH
=20
 config IP_ROUTE_VERBOSE
 	bool "IP: verbose route monitoring"
+	depends on LEGACY_IP
 	depends on IP_ADVANCED_ROUTER
 	help
 	  If you say Y here, which is recommended, then the kernel will print
@@ -113,9 +119,11 @@ config IP_ROUTE_VERBOSE
=20
 config IP_ROUTE_CLASSID
 	bool
+	depends on LEGACY_IP
=20
 config IP_PNP
 	bool "IP: kernel level autoconfiguration"
+	depends on LEGACY_IP
 	help
 	  This enables automatic configuration of IP addresses of devices and
 	  of the routing table during kernel boot, based on either information
@@ -172,6 +180,7 @@ config IP_PNP_RARP
=20
 config NET_IPIP
 	tristate "IP: tunneling"
+	depends on LEGACY_IP
 	select INET_TUNNEL
 	select NET_IP_TUNNEL
 	help
@@ -190,6 +199,7 @@ config NET_IPIP
=20
 config NET_IPGRE_DEMUX
 	tristate "IP: GRE demultiplexer"
+	depends on LEGACY_IP
 	help
 	  This is helper module to demultiplex GRE packets on GRE version field c=
riteria.
 	  Required by ip_gre and pptp modules.
@@ -202,6 +212,7 @@ config NET_IP_TUNNEL
=20
 config NET_IPGRE
 	tristate "IP: GRE tunnels over IP"
+	depends on LEGACY_IP
 	depends on (IPV6 || IPV6=3Dn) && NET_IPGRE_DEMUX
 	select NET_IP_TUNNEL
 	help
@@ -217,6 +228,7 @@ config NET_IPGRE
=20
 config NET_IPGRE_BROADCAST
 	bool "IP: broadcast GRE over IP"
+	depends on LEGACY_IP
 	depends on IP_MULTICAST && NET_IPGRE
 	help
 	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
@@ -226,10 +238,12 @@ config NET_IPGRE_BROADCAST
=20
 config IP_MROUTE_COMMON
 	bool
+	depends on LEGACY_IP
 	depends on IP_MROUTE || IPV6_MROUTE
=20
 config IP_MROUTE
 	bool "IP: multicast routing"
+	depends on LEGACY_IP
 	depends on IP_MULTICAST
 	select IP_MROUTE_COMMON
 	help
@@ -242,6 +256,7 @@ config IP_MROUTE
=20
 config IP_MROUTE_MULTIPLE_TABLES
 	bool "IP: multicast policy routing"
+	depends on LEGACY_IP
 	depends on IP_MROUTE && IP_ADVANCED_ROUTER
 	select FIB_RULES
 	help
@@ -256,6 +271,7 @@ config IP_MROUTE_MULTIPLE_TABLES
=20
 config IP_PIMSM_V1
 	bool "IP: PIM-SM version 1 support"
+	depends on LEGACY_IP
 	depends on IP_MROUTE
 	help
 	  Kernel side support for Sparse Mode PIM (Protocol Independent
@@ -269,6 +285,7 @@ config IP_PIMSM_V1
=20
 config IP_PIMSM_V2
 	bool "IP: PIM-SM version 2 support"
+	depends on LEGACY_IP
 	depends on IP_MROUTE
 	help
 	  Kernel side support for Sparse Mode PIM version 2. In order to use
@@ -314,6 +331,7 @@ config SYN_COOKIES
=20
 config NET_IPVTI
 	tristate "Virtual (secure) IP: tunneling"
+	depends on LEGACY_IP
 	depends on IPV6 || IPV6=3Dn
 	select INET_TUNNEL
 	select NET_IP_TUNNEL
@@ -341,6 +359,7 @@ config NET_FOU
=20
 config NET_FOU_IP_TUNNELS
 	bool "IP: FOU encapsulation of IP tunnels"
+	depends on LEGACY_IP
 	depends on NET_IPIP || NET_IPGRE || IPV6_SIT
 	select NET_FOU
 	help
@@ -350,6 +369,7 @@ config NET_FOU_IP_TUNNELS
=20
 config INET_AH
 	tristate "IP: AH transformation"
+	depends on LEGACY_IP
 	select XFRM_AH
 	help
 	  Support for IPsec AH (Authentication Header).
@@ -365,6 +385,7 @@ config INET_AH
=20
 config INET_ESP
 	tristate "IP: ESP transformation"
+	depends on LEGACY_IP
 	select XFRM_ESP
 	help
 	  Support for IPsec ESP (Encapsulating Security Payload).
@@ -380,6 +401,7 @@ config INET_ESP
=20
 config INET_ESP_OFFLOAD
 	tristate "IP: ESP transformation offload"
+	depends on LEGACY_IP
 	depends on INET_ESP
 	select XFRM_OFFLOAD
 	default n
@@ -393,6 +415,7 @@ config INET_ESP_OFFLOAD
=20
 config INET_ESPINTCP
 	bool "IP: ESP in TCP encapsulation (RFC 8229)"
+	depends on LEGACY_IP
 	depends on XFRM && INET_ESP
 	select STREAM_PARSER
 	select NET_SOCK_MSG
@@ -405,6 +428,7 @@ config INET_ESPINTCP
=20
 config INET_IPCOMP
 	tristate "IP: IPComp transformation"
+	depends on LEGACY_IP
 	select INET_XFRM_TUNNEL
 	select XFRM_IPCOMP
 	help
@@ -425,11 +449,13 @@ config INET_TABLE_PERTURB_ORDER
=20
 config INET_XFRM_TUNNEL
 	tristate
+	depends on LEGACY_IP
 	select INET_TUNNEL
 	default n
=20
 config INET_TUNNEL
 	tristate
+	depends on LEGACY_IP
 	default n
=20
 config INET_DIAG
--=20
2.51.0

From nobody Wed Apr  1 22:37:18 2026
Received: from casper.infradead.org (casper.infradead.org [90.155.50.34])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA86338A2BE;
	Wed,  1 Apr 2026 07:45:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.50.34
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029550; cv=none;
 b=Z6bHQ81uw1i/gM5bR2E1SirY/sogUn3g7X/+/vMwd5SqRZBVBM5N/stBVrmE7VFNathS3ev+HPbQmFxnK2os04IJWyBCONljQ/Pc6qBxhPYhC42SSaMcz8SWkyBoCkeH3ySdfQhGoGbfJI6M1Uih5gyzonxNwb1TyLDNXV0Ohik=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029550; c=relaxed/simple;
	bh=rXA64fn6y56PibOyI9IkFgYw3RfBJKBTSkxUiNBk0fg=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=bFTQ22hYND0eoMexycJGRNYvoIP5I6aHr9r6TUPC1BfMOflw9pE2kMTB3w719zTuUadSPqbijlNHvbyBOw2yfcw0mIwOp5DjoYFGrzDos0tjsQN8K+S8qmBSCCVTLBIYF/g9p6yXAMJ559YrH4zOHpkGS2laf6udKbxzOa67Zyc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=casper.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=IKoGyQZr; arc=none smtp.client-ip=90.155.50.34
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=casper.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="IKoGyQZr"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209; h=Sender:Content-Transfer-Encoding:
	MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:From:Reply-To:
	Cc:Content-Type:Content-ID:Content-Description;
	bh=pISmS11V1tQprFst6l/klCiCb/4SA1I27pPJorGm5gg=; b=IKoGyQZrkoZMy+DdfIsGPzhp0f
	KsIQdc38aM7WkyiOFbPySG9hwJzfNFlal9JXYEWJnbzwgdeh/WsfWiBQfnKxXyVWjEKC3JnIn1wCS
	XLH6oP6mkrblKJheY/uUD63e5eaEz3K5D/eByo/0O+mHJB+zeTTHvB69OKxY58EqDBJCB7a8N9Nta
	6DxzwcmeiCL8m04LDqLpPO3KNROO5rmNBrfJbFnZLPDswK9grm3HKuCAtJ3rSy2DWpH52TSGMz8ss
	gUPg2JoI4zG+A3IFRw9/IshiTVLa2XNTriAS+LQGPeDZVsm65nqSkr+qsXqvaeI8j2Vy4tlcJjAbS
	hyDMrxrA==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by casper.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGM-0000000A0NP-419U;
	Wed, 01 Apr 2026 07:45:19 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xeL-2p8k;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 5/6] net: Change CONFIG_INET to CONFIG_LEGACY_IP for IPv4-only
 code
Date: Wed,  1 Apr 2026 08:44:19 +0100
Message-ID: <20260401074509.1897527-6-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 casper.infradead.org. See http://www.infradead.org/rpr.html
Content-Type: text/plain; charset="utf-8"

From: David Woodhouse <dwmw@amazon.co.uk>

Several functions guarded by CONFIG_INET are actually IPv4-specific
and should be gated by CONFIG_LEGACY_IP instead:

 - bpf_out_neigh_v4(): BPF IPv4 neighbour output helper
 - bpf_ipv4_fib_lookup(): BPF IPv4 FIB lookup
 - case AF_INET in bpf_xdp_fib_lookup/bpf_skb_fib_lookup switch
 - br_arp_send(): bridge ARP proxy (ARP is IPv4-only)

This allows the compiler to eliminate these functions when
LEGACY_IP=3Dn.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 net/bridge/br_arp_nd_proxy.c    |  2 +-
 net/bridge/br_private.h         |  8 ++++++++
 net/core/filter.c               | 10 +++++-----
 net/core/sock.c                 |  2 +-
 net/mac80211/main.c             | 10 +++++-----
 net/netfilter/nfnetlink_queue.c |  2 +-
 6 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
index 1e2b51769eec..e056fa0cd1fe 100644
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -39,7 +39,7 @@ void br_recalculate_neigh_suppress_enabled(struct net_bri=
dge *br)
 	br_opt_toggle(br, BROPT_NEIGH_SUPPRESS_ENABLED, neigh_suppress);
 }
=20
-#if IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 static void br_arp_send(struct net_bridge *br, struct net_bridge_port *p,
 			struct net_device *dev, __be32 dest_ip, __be32 src_ip,
 			const unsigned char *dest_hw,
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 9b55d38ea9ed..28131fa0a7c5 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -2347,8 +2347,16 @@ static inline void br_switchdev_init(struct net_brid=
ge *br)
=20
 /* br_arp_nd_proxy.c */
 void br_recalculate_neigh_suppress_enabled(struct net_bridge *br);
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
 			      u16 vid, struct net_bridge_port *p);
+#else
+static inline void br_do_proxy_suppress_arp(struct sk_buff *skb,
+					    struct net_bridge *br,
+					    u16 vid, struct net_bridge_port *p)
+{
+}
+#endif
 void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
 		       u16 vid, struct net_bridge_port *p, struct nd_msg *msg);
 struct nd_msg *br_is_nd_neigh_msg(const struct sk_buff *skb, struct nd_msg=
 *m);
diff --git a/net/core/filter.c b/net/core/filter.c
index ad71ceefcb5e..ef99bd9fddd6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2310,7 +2310,7 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *sk=
b, struct net_device *dev,
 }
 #endif /* CONFIG_IPV6 */
=20
-#if IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 static int bpf_out_neigh_v4(struct net *net, struct sk_buff *skb,
 			    struct net_device *dev, struct bpf_nh_params *nh)
 {
@@ -2419,7 +2419,7 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *sk=
b, struct net_device *dev,
 	kfree_skb(skb);
 	return NET_XMIT_DROP;
 }
-#endif /* CONFIG_INET */
+#endif /* CONFIG_LEGACY_IP */
=20
 static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *de=
v,
 				struct bpf_nh_params *nh)
@@ -6095,7 +6095,7 @@ static int bpf_fib_set_fwd_params(struct bpf_fib_look=
up *params, u32 mtu)
 }
 #endif
=20
-#if IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *par=
ams,
 			       u32 flags, bool check_mtu)
 {
@@ -6390,7 +6390,7 @@ BPF_CALL_4(bpf_xdp_fib_lookup, struct xdp_buff *, ctx,
 		return -EINVAL;
=20
 	switch (params->family) {
-#if IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 	case AF_INET:
 		return bpf_ipv4_fib_lookup(dev_net(ctx->rxq->dev), params,
 					   flags, true);
@@ -6431,7 +6431,7 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb,
 		check_mtu =3D true;
=20
 	switch (params->family) {
-#if IS_ENABLED(CONFIG_INET)
+#if IS_ENABLED(CONFIG_LEGACY_IP)
 	case AF_INET:
 		rc =3D bpf_ipv4_fib_lookup(net, params, flags, check_mtu);
 		break;
diff --git a/net/core/sock.c b/net/core/sock.c
index 5976100a9d55..6b2914702a38 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -4267,7 +4267,7 @@ int sock_load_diag_module(int family, int protocol)
 				      NETLINK_SOCK_DIAG, family);
 	}
=20
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 	if (family =3D=3D AF_INET &&
 	    protocol !=3D IPPROTO_RAW &&
 	    protocol < MAX_INET_PROTOS &&
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 616f86b1a7e4..7c1bbbb2c5c7 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -558,7 +558,7 @@ void ieee80211_restart_hw(struct ieee80211_hw *hw)
 }
 EXPORT_SYMBOL(ieee80211_restart_hw);
=20
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 static int ieee80211_ifa_changed(struct notifier_block *nb,
 				 unsigned long data, void *arg)
 {
@@ -1624,7 +1624,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 	wiphy_unlock(hw->wiphy);
 	rtnl_unlock();
=20
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 	local->ifa_notifier.notifier_call =3D ieee80211_ifa_changed;
 	result =3D register_inetaddr_notifier(&local->ifa_notifier);
 	if (result)
@@ -1642,11 +1642,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
=20
 #if IS_ENABLED(CONFIG_IPV6)
  fail_ifa6:
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 	unregister_inetaddr_notifier(&local->ifa_notifier);
 #endif
 #endif
-#if defined(CONFIG_INET) || defined(CONFIG_IPV6)
+#if defined(CONFIG_LEGACY_IP) || defined(CONFIG_IPV6)
  fail_ifa:
 #endif
 	wiphy_unregister(local->hw.wiphy);
@@ -1673,7 +1673,7 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 	tasklet_kill(&local->tx_pending_tasklet);
 	tasklet_kill(&local->tasklet);
=20
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 	unregister_inetaddr_notifier(&local->ifa_notifier);
 #endif
 #if IS_ENABLED(CONFIG_IPV6)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queu=
e.c
index 47f7f62906e2..e453fdb2254c 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -339,7 +339,7 @@ static struct nf_hook_entries *nf_hook_entries_head(con=
st struct net *net, u8 pf
=20
 static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry =
*entry)
 {
-#ifdef CONFIG_INET
+#ifdef CONFIG_LEGACY_IP
 	const struct ip_rt_info *rt_info =3D nf_queue_entry_reroute(entry);
=20
 	if (entry->state.hook =3D=3D NF_INET_LOCAL_OUT) {
--=20
2.51.0
From nobody Wed Apr  1 22:37:18 2026
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E702B35E936;
	Wed,  1 Apr 2026 07:45:42 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=90.155.92.199
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775029547; cv=none;
 b=NQ++2YkEVUvJxdfNb8+aDqCgpjoJumppJXjSj4Wzg0jIPjs4STQMz/4knnWFwcAnpp+f1spxlVZmdisID6BKOsghdFhyJh1c6MpuVZnXUzeCOrgcdWzfR+bkYm0Vgh2EOG1vAtctQWu6PaJRs2IhhL9utEX/dzuBeHV35WWcv0Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775029547; c=relaxed/simple;
	bh=kApfysLmil/v0Oj2JmnKLBK0dorCkw228crfG1s8AD0=;
	h=From:To:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=Xpes9io5/H/23AXuW3XYrkaIxb2kXso3Qv/alnLwHoAEtSUgbo8guJbFlAoQMYeV/fcc+vv3IwMdIMwr8rzMQYC54nzznCGJm85Zjy/9KwPZczQKWFvqNNGezIYE4yAkRnLIM7orkcH9CspWxkwwpOatgdUjyxrmS60zVneIe3Y=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org;
 dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b=ICgU3kYI; arc=none smtp.client-ip=90.155.92.199
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=desiato.srs.infradead.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org
 header.b="ICgU3kYI"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding:
	MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:To:From:Reply-To:
	Cc:Content-Type:Content-ID:Content-Description;
	bh=TjlEaZufkIfdPkUMCDh5SD89kPYTqyaHCXw8Muwc4Dk=; b=ICgU3kYIYD7TcubUA2flzaCQ0/
	Y1xq8IIwcHVpeuRBs2Sk5bzpKgsAJH4Ach8Tt1JHYt4wh0jYcY6e+SATwyK4RcZ/7221wQ27l1y2E
	O3cgTAk/OztH7NNk72E5Bf2RwSS34DSuaYUnyizucHQyG/+WmOWj1vdkACs6nq4qlMsZGSsEfWGNS
	hXSAVX0fEOkaA99zZ9kqYN6yxmdUYCJQkEtOxNFaQ7BJhkHkfggNP9lw9mMGOfHK6IUONyvssH4Q0
	9gZpb8pHebi9BTlNi6Yopj0pLSCVCcKonmuA4rkAb/dLverJuSQ9UZS7Ic1Jul4M9LMCBmkEXo8vL
	C49g96Qw==;
Received: from [2001:8b0:10b:1::425] (helo=i7.infradead.org)
	by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux))
	id 1w7qGN-0000000HLQS-0BKX;
	Wed, 01 Apr 2026 07:45:19 +0000
Received: from dwoodhou by i7.infradead.org with local (Exim 4.98.2 #2 (Red
 Hat Linux))
	id 1w7qGM-00000007xeP-3Bbt;
	Wed, 01 Apr 2026 08:45:18 +0100
From: David Woodhouse <dwmw2@infradead.org>
To: Saeed Mahameed <saeedm@nvidia.com>,
	Leon Romanovsky <leon@kernel.org>,
	Tariq Toukan <tariqt@nvidia.com>,
	Mark Bloch <mbloch@nvidia.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Willem de Bruijn <willemb@google.com>,
	David Ahern <dsahern@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Phil Sutter <phil@nwl.cc>,
	Guillaume Nault <gnault@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Kees Cook <kees@kernel.org>,
	Alexei Lazar <alazar@nvidia.com>,
	Gal Pressman <gal@nvidia.com>,
	Paul Moore <paul@paul-moore.com>,
	netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	oss-drivers@corigine.com,
	bridge@lists.linux.dev,
	bpf@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	torvalds@linux-foundation.org,
	jon.maddog.hall@gmail.com
Subject: [PATCH 6/6] net: Warn when processes listen on AF_INET sockets
Date: Wed,  1 Apr 2026 08:44:20 +0100
Message-ID: <20260401074509.1897527-7-dwmw2@infradead.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260401074509.1897527-1-dwmw2@infradead.org>
References: <20260401074509.1897527-1-dwmw2@infradead.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: David Woodhouse <dwmw2@infradead.org>
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by
 desiato.infradead.org. See http://www.infradead.org/rpr.html
Content-Type: text/plain; charset="utf-8"

From: David Woodhouse <dwmw@amazon.co.uk>

There is no need to listen on AF_INET sockets; a modern application can
listen on IPv6 (without IPV6_V6ONLY) and will accept connections from
the 20th century via IPv4-mapped addresses (::ffff:x.x.x.x) on the IPv6
socket.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 net/ipv4/af_inet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index dc358faa1647..3838782a8437 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -240,6 +240,9 @@ int inet_listen(struct socket *sock, int backlog)
 	struct sock *sk =3D sock->sk;
 	int err =3D -EINVAL;
=20
+	pr_warn_once("process '%s' (pid %d) is listening on an AF_INET socket. Co=
nsider using AF_INET6 with IPV6_V6ONLY=3D0 instead.\n",
+		     current->comm, task_pid_nr(current));
+
 	lock_sock(sk);
=20
 	if (sock->state !=3D SS_UNCONNECTED || sock->type !=3D SOCK_STREAM)
--=20
2.51.0