Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > both already have > > > > select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > > > > But its not enough; its possible to have > > CONFIG_NF_DEFRAG_IPV6=m > > CONFIG_IP6_NF_IPTABLES=m > > CONFIG_NETFILTER_XT_TARGET_TPROXY=y > > CONFIG_NETFILTER_XT_MATCH_SOCKET=y > > > > Which doesn't work as socket/tproxy references symbols > > from ipv6 defrag. > > > > cannot add > > depends on (NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6=n) > > since thats a recursive dependency. > > > > Adding a dependency to have m/y depend on IP6_NF_IPTABLES > > status appears to do the right thing but its not correct > > because it also disallows DEFRAG=y, TPROXY=m (which is fine). > > > > AFAICS this dependency issue has always existed since ipv6 > > support was added to tproxy. > > Not your fault, this Kconfig games that we already have to resolve the > IPv6 dependencies are a mess. We should consider splitting this two in > ipt_/ip6t_ modules, but that's just large change just to resolve this. I'll look into a better way to fix it for -next. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
