On Thu, Sep 26, 2024 at 04:11:39AM -0700, Breno Leitao wrote:
> Hello Pablo,
>
> On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote:
> > Single patch to update them all should be fine.
>
> I am planning to send the following patch, please let me know if you
> have any concern before I send it:
>
> Author: Breno Leitao <leitao@xxxxxxxxxx>
> Date: Thu Aug 29 02:51:02 2024 -0700
>
> netfilter: Make legacy configs user selectable
>
> This option makes legacy Netfilter Kconfig user selectable, giving users
> the option to configure iptables without enabling any other config.
LGTM, a few cosmetic nitpicks below.
> Make the following KConfig entries user selectable:
> * BRIDGE_NF_EBTABLES_LEGACY
> * IP_NF_ARPTABLES
> * IP_NF_IPTABLES_LEGACY
> * IP6_NF_IPTABLES_LEGACY
>
> Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx>
>
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index 104c0125e32e..b7bdb094f708 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
>
> # old sockopt interface and eval loop
> config BRIDGE_NF_EBTABLES_LEGACY
> - tristate
> + tristate "Legacy EBTABLES support"
> + depends on BRIDGE && NETFILTER_XTABLES
> + default n
> + help
> + Legacy ebtable packet/frame classifier.
^^^^^^^
ebtables
> + This is not needed if you are using ebtables over nftables
> + (iptables-nft).
>
> menuconfig BRIDGE_NF_EBTABLES
> tristate "Ethernet Bridge tables (ebtables) support"
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index 1b991b889506..2c4d42b5bed1 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
>
> # old sockopt interface and eval loop
> config IP_NF_IPTABLES_LEGACY
> - tristate
> + tristate "Legacy IP tables support"
> + default n
> + select NETFILTER_XTABLES
> + help
> + iptables is a legacy packet classifier.
> + This is not needed if you are using iptables over nftables
> + (iptables-nft).
>
> config NF_SOCKET_IPV4
> tristate "IPv4 socket lookup support"
> @@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
>
> # ARP tables
> config IP_NF_ARPTABLES
> - tristate
> + tristate "Legacy ARPTABLE support"
^^^^^^^^
ARPTABLES
> + depends on NETFILTER_XTABLES
> + default n
> + help
> + arptables is a legacy packet classifier.
> + This is not needed if you are using arptables over nftables
> + (iptables-nft).
>
> config NFT_COMPAT_ARP
> tristate
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..e087a8e97ba7 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
>
> # old sockopt interface and eval loop
> config IP6_NF_IPTABLES_LEGACY
> - tristate
> + tristate "Legacy IP6 tables support"
> + depends on INET && IPV6
> + select NETFILTER_XTABLES
> + default n
> + help
> + ip6tables is a legacy packet classifier.
> + This is not needed if you are using iptables over nftables
> + (iptables-nft).
>
> config NF_SOCKET_IPV6
> tristate "IPv6 socket lookup support"
