On Thu, Jun 28, 2018 at 12:05:17PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 27, 2018 at 11:58:29PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > On Mon, Jun 18, 2018 at 03:12:51PM +0200, Máté Eckl wrote:
> > > > - NFT_SOCKET selected NF_SOCKET based on the wrong criterion.
> > > >   IPV6 itself does not guarantee that ipv6 functionality is available in nft.
> > > > - NETFILTER_XT_MATCH_SOCKET now selects NF_SOCKET
> > > >   NF_SOCKET is not good for anything alone, so dependency is inappropriate.
>
> Probably we can remove NF_SOCKET description too, so this is not
> shown. I mean, now that we'll go for "select".
>
> > > >
> > > > Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
> > > > --- > > > > net/netfilter/Kconfig | 6 +++--- > > > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig > > > > index dbd7d1fad277..8abcefb8b418 100644 > > > > --- a/net/netfilter/Kconfig > > > > +++ b/net/netfilter/Kconfig
> > > > @@ -626,7 +626,7 @@ config NFT_SOCKET > > > > tristate "Netfilter nf_tables socket match support" > > > > depends on IPV6 || IPV6=n > > > > select NF_SOCKET_IPV4 > > > > - select NF_SOCKET_IPV6 if IPV6 > > > > + select NF_SOCKET_IPV6 if NF_TABLES_IPV6
> > > >
> > > Are you sure this is needed? I mean, I can see other spots in
> > > net/netfilter/Kconfig following the same approach.
> >
> > It's not needed but it's a good idea.
> > No point in autoselecting NF_SOCKET_IPV6 in case there is no ipv6
> > nftables support.

Yes, it was more of a clarification than a fix, I'll amend the title.

>
> Thanks for explaining.
>
> Then, we can probably switch other "if IPV6" dependencies in the
> Kconfig file I think, in a single patch.

Ok, I'll look after similar cases. This seems to be useful for XT_* and NFT
modules as they both have separate IPV6 support modules (NF_TABLES_IPV6 and
IP6_NF_IPTABLES).

As we already do this: are those IPV6 || IPV6=n dependencies really meaningful?
It is always true. If they are, they might also be updated to
NF_TABLES_IPV6 || NF_TABLES_IPV6=n and similar with IP6_NF_IPTABLES, don't you
think?

> Probably this can be done in two separate patches?
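
Review bot: in the NFT_SOCKET entry, the changed line "select NF_SOCKET_IPV6 if NF_TABLES_IPV6" now keys on a different symbol than the unchanged context line "depends on IPV6 || IPV6=n" two lines above it, and nothing in the entry or the commit message says why the two conditions differ. For a tristate symbol that "depends on" expression is not a no-op: it evaluates to m when IPV6=m, which keeps NFT_SOCKET from being built in while IPV6 is a module, so it should be kept and explained rather than dropped or rewritten by analogy with the select. The commit message also says NFT_SOCKET selected NF_SOCKET on the wrong criterion, while the line changed here selects NF_SOCKET_IPV6; naming the symbol exactly would make the log match the hunk.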