In some cases module selects depend on IPV6, but this means that they select another module even if eg. NF_TABLES_IPV6 is not set in which case the selected module is useless due to the lack of IPv6 nf_tables functionality. The same applies for IP6_NF_IPTABLES and iptables. Joint work with: Arnd Bermann <arnd@xxxxxxxx> Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx> --- v2: squashes (with some refinement) the following patches: - netfilter: Kconfig: Change select dependencies from IPV6 to NF_TABLES_IPV6 and IP6_NF_IPTABLES (https://patchwork.ozlabs.org/patch/936305/) - netfilter: fix NETFILTER_XT_TARGET_TEE dependencies (https://patchwork.ozlabs.org/patch/940460/) - netfilter: xt_tee: fix calling nf_dup_ipv6 (https://patchwork.ozlabs.org/patch/941374/) - netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6 (https://patchwork.ozlabs.org/patch/941696/) Now nothing that is specific to nftables or xtables uses CONFIG_IPV6 as a compile-time criterion. $ find net/{,ipv6}/netfilter -name "*.[hc]" -exec grep --color -H "CONFIG_IPV6" {} \; net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#endif /* CONFIG_IPV6 */ net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_core.c:#if IS_ENABLED(CONFIG_IPV6) net//netfilter/nf_conntrack_core.c:#if IS_ENABLED(CONFIG_IPV6) Nothing that is specific to nftables or iptables use 'select <module> if IPV6. net/netfilter/Kconfig | 6 +++--- net/netfilter/nft_socket.c | 4 ++-- net/netfilter/xt_TEE.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f5866eb6911b..6c65d756e603 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -628,7 +628,7 @@ config NFT_SOCKET
 tristate "Netfilter nf_tables socket match support"
 depends on IPV6 || IPV6=n
 select NF_SOCKET_IPV4
- select NF_SOCKET_IPV6 if IPV6
+ select NF_SOCKET_IPV6 if NF_TABLES_IPV6
 help
 This option allows matching for the presence or absence of a corresponding socket and its attributes.
@@ -894,7 +894,7 @@ config NETFILTER_XT_TARGET_LOG
 tristate "LOG target support"
 select NF_LOG_COMMON
 select NF_LOG_IPV4
- select NF_LOG_IPV6 if IPV6
+ select NF_LOG_IPV6 if IP6_NF_IPTABLES
 default m if NETFILTER_ADVANCED=n
 help
 This option adds a `LOG' target, which allows you to create rules in
@@ -986,7 +986,7 @@ config NETFILTER_XT_TARGET_TEE
 depends on IPV6 || IPV6=n
 depends on !NF_CONNTRACK || NF_CONNTRACK
 select NF_DUP_IPV4
- select NF_DUP_IPV6 if IPV6
+ select NF_DUP_IPV6 if IP6_NF_IPTABLES
 ---help---
 This option adds a "TEE" target with which a packet can be cloned and this clone be rerouted to another nexthop.
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 74e1b3bd6954..70e2690afc72 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -28,7 +28,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
 case NFPROTO_IPV4:
 sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, nft_in(pkt));
 break;
-#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
 case NFPROTO_IPV6:
 sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, nft_in(pkt));
 break;
@@ -74,7 +74,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 switch(ctx->family) {
 case NFPROTO_IPV4:
-#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
 case NFPROTO_IPV6:
 #endif
 case NFPROTO_INET:
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 475957cfcf50..0d0d68c989df 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
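Review bot: In the NETFILTER_XT_TARGET_TEE hunk, `select NF_DUP_IPV6 if IP6_NF_IPTABLES` is evaluated as a tristate, so with TEE=y and IP6_NF_IPTABLES=m the select only forces NF_DUP_IPV6 to m, while the new `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` guards in xt_TEE.c still compile tee_tg6 into the built-in object. If tee_tg6 calls nf_dup_ipv6(), as the commit message implies, that combination would presumably fail at link time; the old `if IPV6` condition was covered by the `depends on IPV6 || IPV6=n` line visible just above, and nothing equivalent exists for the new symbol. Adding `depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n` next to it would rule the mixed case out. The LOG hunk at -894 uses the same condition, but whether xt_LOG references NF_LOG_IPV6 symbols directly is not visible here. The config entry's help text continues past the hunk.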
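Review bot: The guard around `case NFPROTO_IPV6:` in nft_socket_eval now tests CONFIG_NF_TABLES_IPV6, yet the call it protects, nf_sk_lookup_slow_v6(), is presumably provided by NF_SOCKET_IPV6, so the code only links because the Kconfig line `select NF_SOCKET_IPV6 if NF_TABLES_IPV6` uses the same condition. That coupling is not stated anywhere in the file; a comment above the guard such as `/* NF_SOCKET_IPV6 is selected only if NF_TABLES_IPV6, see Kconfig */` would keep a later Kconfig edit from silently breaking it. The same applies to the guard in nft_socket_init at -74 and to both guards in xt_TEE.c. Both functions continue outside their hunks.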
@@ -38,7 +38,7 @@ tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 return XT_CONTINUE;
 }
-#if IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 static unsigned int
 tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
@@ -141,7 +141,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 .destroy = tee_tg_destroy,
 .me = THIS_MODULE,
 },
-#if IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 {
 .name = "TEE",
 .revision = 1,
-- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html