On Fri, Jun 21, 2019 at 03:01:13PM +0200, Fernando Fernandez Mancera wrote:
> Hi Pablo, comments below.
>
> On 6/20/19 4:10 PM, Pablo Neira Ayuso wrote:
> > On Wed, Jun 19, 2019 at 08:06:54PM +0200, Fernando Fernandez Mancera wrote:
> > [...]
> >> diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
> >> new file mode 100644
> >> index 000000000000..3ef7f1dc50be
> >> --- /dev/null
> >> +++ b/net/netfilter/nft_synproxy.c
> >> @@ -0,0 +1,327 @@
> >> +// SPDX-License-Identifier: GPL-2.0
> >> +
[...]
> >> +
> >> +static void nft_synproxy_destroy(const struct nft_ctx *ctx,
> >> + const struct nft_expr *expr)
> >> +{
> >> + struct synproxy_net *snet = synproxy_pernet(ctx->net);
> >> +
> >> + switch (ctx->family) {
> >> + case NFPROTO_IPV4:
> >> + nf_synproxy_ipv4_fini(snet, ctx->net);
> >> + break;
> >> +#if IS_ENABLED(IPV6)
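Review bot: The guard `#if IS_ENABLED(IPV6)` after the NFPROTO_IPV4 case in nft_synproxy_destroy() is missing the CONFIG_ prefix. IS_ENABLED() tests whether the named macro (or its _MODULE variant) is defined to 1, and Kconfig only generates CONFIG_-prefixed symbols, so the bare name always evaluates to 0 and everything under the guard is silently compiled out with no build warning. Suggest `#if IS_ENABLED(CONFIG_IPV6)`, and use the same symbol in any matching guards elsewhere in the file so that setup and teardown stay paired.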
> >
> > This should be CONFIG_IPV6, right?
> >
>
> Yes, but I think we should check CONFIG_NF_TABLES_IPV6 instead. What do
> you think?

I think nf_synproxy_ipv6 does not depend on CONFIG_NF_TABLES_IPV6.
This infrastructure is used by iptables, which should not have any
superfluous dependency.
So I'm inclined to place a CONFIG_IPV6 dependency there.