diff mbox series

[net-next,01/11] netfilter: Make legacy configs user selectable

Message ID 20241106234625.168468-2-pablo@netfilter.org (mailing list archive)
State Accepted
Commit 6c959fd5e17387201dba3619b2e6af213939a0a7
Delegated to: Netdev Maintainers
Headers show
Series [net-next,01/11] netfilter: Make legacy configs user selectable | expand

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 7 maintainers not CCed: horms@kernel.org kadlec@netfilter.org razor@blackwall.org coreteam@netfilter.org bridge@lists.linux.dev roopa@nvidia.com dsahern@kernel.org
netdev/build_clang success Errors and warnings before: 4 this patch: 4
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 57 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-11-07--03-00 (tests: 786)

Commit Message

Pablo Neira Ayuso Nov. 6, 2024, 11:46 p.m. UTC 
From: Breno Leitao <leitao@debian.org>

This option makes legacy Netfilter Kconfig user selectable, giving users
the option to configure iptables without enabling any other config.

Make the following KConfig entries user selectable:
 * BRIDGE_NF_EBTABLES_LEGACY
 * IP_NF_ARPTABLES
 * IP_NF_IPTABLES_LEGACY
 * IP6_NF_IPTABLES_LEGACY

Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/Kconfig |  8 +++++++-
 net/ipv4/netfilter/Kconfig   | 16 ++++++++++++++--
 net/ipv6/netfilter/Kconfig   |  9 ++++++++-
 3 files changed, 29 insertions(+), 4 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org Nov. 7, 2024, noon UTC | #1 
Hello:

This series was applied to netdev/net-next.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu,  7 Nov 2024 00:46:15 +0100 you wrote:
> From: Breno Leitao <leitao@debian.org>
> 
> This option makes legacy Netfilter Kconfig user selectable, giving users
> the option to configure iptables without enabling any other config.
> 
> Make the following KConfig entries user selectable:
>  * BRIDGE_NF_EBTABLES_LEGACY
>  * IP_NF_ARPTABLES
>  * IP_NF_IPTABLES_LEGACY
>  * IP6_NF_IPTABLES_LEGACY
> 
> [...]

Here is the summary with links:
  - [net-next,01/11] netfilter: Make legacy configs user selectable
    https://git.kernel.org/netdev/net-next/c/6c959fd5e173
  - [net-next,02/11] netfilter: nf_tables: Fix percpu address space issues in nf_tables_api.c
    https://git.kernel.org/netdev/net-next/c/0741f5559354
  - [net-next,03/11] netfilter: nf_tables: replace deprecated strncpy with strscpy_pad
    https://git.kernel.org/netdev/net-next/c/544dded8cb63
  - [net-next,04/11] netfilter: nf_tables: prefer nft_trans_elem_alloc helper
    https://git.kernel.org/netdev/net-next/c/08e52cccae11
  - [net-next,05/11] netfilter: nf_tables: avoid false-positive lockdep splat on rule deletion
    https://git.kernel.org/netdev/net-next/c/9adbb4198bf6
  - [net-next,06/11] netfilter: nf_tables: avoid false-positive lockdep splats with sets
    https://git.kernel.org/netdev/net-next/c/8f5f3786dba7
  - [net-next,07/11] netfilter: nf_tables: avoid false-positive lockdep splats with flowtables
    https://git.kernel.org/netdev/net-next/c/b3e8f29d6b45
  - [net-next,08/11] netfilter: nf_tables: avoid false-positive lockdep splats in set walker
    https://git.kernel.org/netdev/net-next/c/28b7a6b84c0a
  - [net-next,09/11] netfilter: nf_tables: avoid false-positive lockdep splats with basechain hook
    https://git.kernel.org/netdev/net-next/c/3567146b94af
  - [net-next,10/11] netfilter: nf_tables: must hold rcu read lock while iterating expression type list
    https://git.kernel.org/netdev/net-next/c/ee666a541ed9
  - [net-next,11/11] netfilter: nf_tables: must hold rcu read lock while iterating object type list
    https://git.kernel.org/netdev/net-next/c/cddc04275f95

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 104c0125e32e..f16bbbbb9481 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@  config NF_CONNTRACK_BRIDGE
 
 # old sockopt interface and eval loop
 config BRIDGE_NF_EBTABLES_LEGACY
-	tristate
+	tristate "Legacy EBTABLES support"
+	depends on BRIDGE && NETFILTER_XTABLES
+	default n
+	help
+	 Legacy ebtables packet/frame classifier.
+	 This is not needed if you are using ebtables over nftables
+	 (iptables-nft).
 
 menuconfig BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506..ef8009281da5 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@  config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default	n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
@@ -318,7 +324,13 @@  endif # IP_NF_IPTABLES
 
 # ARP tables
 config IP_NF_ARPTABLES
-	tristate
+	tristate "Legacy ARPTABLES support"
+	depends on NETFILTER_XTABLES
+	default n
+	help
+	  arptables is a legacy packet classifier.
+	  This is not needed if you are using arptables over nftables
+	  (iptables-nft).
 
 config NFT_COMPAT_ARP
 	tristate
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..e087a8e97ba7 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@  menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"