connection tracking zones currently depend on the xtables CT target, connection tracking labels are handled via hidden dependency that gets auto-selected by the connlabel match. Make NF_CONNTRACK_LABELS a normal config knob and make both depend on either the xtables target/match or the nft conntrack expression. This allows to use conntrack labels and zones with nft-only kernel. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/Kconfig | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 0febf3e21f91..96bf21389940 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -106,7 +106,7 @@ config NF_CONNTRACK_SECMARK config NF_CONNTRACK_ZONES bool 'Connection tracking zones' depends on NETFILTER_ADVANCED - depends on NETFILTER_XT_TARGET_CT + depends on NETFILTER_XT_TARGET_CT || NFT_CT help This option enables support for connection tracking zones. Normally, each connection needs to have a unique system wide @@ -158,10 +158,12 @@ config NF_CONNTRACK_TIMESTAMP If unsure, say `N'. config NF_CONNTRACK_LABELS - bool + bool "Connection tracking labels" + depends on NETFILTER_XT_MATCH_CONNLABEL || NFT_CT help This option enables support for assigning user-defined flag bits - to connection tracking entries. It selected by the connlabel match. + to connection tracking entries. It can be used with xtables connlabel + match of the nftables ct expression. config NF_CT_PROTO_DCCP bool 'DCCP protocol connection tracking support' @@ -1153,7 +1155,6 @@ config NETFILTER_XT_MATCH_CONNBYTES config NETFILTER_XT_MATCH_CONNLABEL tristate '"connlabel" match support' - select NF_CONNTRACK_LABELS depends on NF_CONNTRACK depends on NETFILTER_ADVANCED ---help--- -- 2.16.4
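Review bot: The new help text in the NF_CONNTRACK_LABELS hunk (@@ -158,10 +158,12) reads "It can be used with xtables connlabel match of the nftables ct expression"; "of" should be "or", and "the xtables connlabel match" reads better. In the same hunk the symbol becomes user-visible but, unlike NF_CONNTRACK_ZONES in the first hunk, it carries no `depends on NETFILTER_ADVANCED`; if that is intentional, a word in the commit message would help, otherwise add the line so both knobs are gated the same way.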
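Review bot: Dropping `select NF_CONNTRACK_LABELS` in the NETFILTER_XT_MATCH_CONNLABEL hunk (@@ -1153,7 +1155,6) means the connlabel match can now be enabled while NF_CONNTRACK_LABELS is off, and the new prompt has no `default` line, so a configuration that lists only the match (a minimal defconfig, for example) no longer gets label support. Please confirm the match still builds and fails cleanly with labels disabled, and consider `default y if NETFILTER_XT_MATCH_CONNLABEL` on NF_CONNTRACK_LABELS to keep the previous result. A `depends on NF_CONNTRACK_LABELS` on the match is not an option here, since NF_CONNTRACK_LABELS now depends on the match and Kconfig would report a recursive dependency.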