Hi, On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote: > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving > users the option to configure iptables without enabling any other > config. IIUC this is to allow compiling the iptables core built-in while allowing extensions to be compiled as modules? What exactly is the combination you are trying to achieve which is not possible with the current toggle? Florian's motivation to add this knob is to allow compiling kernels without iptables-legacy support. One more comment below. > Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx> > --- > net/ipv6/netfilter/Kconfig | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig > index f3c8e2d918e1..cbe88cc5b897 100644 > --- a/net/ipv6/netfilter/Kconfig > +++ b/net/ipv6/netfilter/Kconfig > @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration" > > # old sockopt interface and eval loop > config IP6_NF_IPTABLES_LEGACY > - tristate > + tristate "Legacy IP6 tables support" > + depends on INET && IPV6 > + select NETFILTER_XTABLES > + default n > + help > + ip6tables is a general, extensible packet identification legacy framework. "packet classification" is generally the more appropriate and widely used term for firewalls. Maybe simply reword this description to ... ip6tables is a legacy packet classification. > + This is not needed if you are using iptables over nftables (iptables-nft). > > config NF_SOCKET_IPV6 > tristate "IPv6 socket lookup support" > -- > 2.43.5 >
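Review bot: the "default n" line added under config IP6_NF_IPTABLES_LEGACY is redundant, since a Kconfig symbol with no default statement already defaults to n, so it can be dropped. The new help text also tells the user when the option is not needed (iptables-nft) but not when it is; a sentence tying it to the "old sockopt interface and eval loop" named in the comment just above the symbol would make the prompt answerable for someone deciding whether to build a kernel without legacy ip6tables support.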