| Message ID | 20240829161656.832208-2-leitao@debian.org (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Series | netfilter: Make IP_NF_IPTABLES_LEGACY selectable |
Breno Leitao <leitao@debian.org> wrote:
> This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> users the option to configure iptables without enabling any other
> config.

I don't get it.

IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc. is useless, rules get attached to basechains that get registered by the iptable_{mangle,filter,nat,...} modules, i.e. those that "select IP(6)_NF_IPTABLES_LEGACY".

The old get/setsockopt UAPI is useless without them, iptables -L, -A, etc. won't work.

What am I missing?

I'm fine with this because this is needed anyway to allow disabling the get/setsockopt api (needs the 'depends on' changes though) later, but this change is a mystery to me.
Hello Florian,

On Thu, Aug 29, 2024 at 06:25:12PM +0200, Florian Westphal wrote:
> Breno Leitao <leitao@debian.org> wrote:
> > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > users the option to configure iptables without enabling any other
> > config.
>
> I don't get it.
>
> IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc.
> is useless,

Correct. We need to have iptable_filter, mangle, etc available.

I would like to have ip6_tables as built-in (IP(6)_NF_IPTABLES_LEGACY=y), all the other tables built as modules.

So, I am used to a configuration similar to the following (before a9525c7f6219c ("netfilter: xtables: allow xtables-nft only builds")):

CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
...

After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only builds"), the same configuration is not possible anymore, because CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to set it as built-in (=y), I need to set the tables as =y.

Sorry for not being clear before, and thanks for reviewing it.

--breno
Breno Leitao <leitao@debian.org> wrote:
> Hello Florian,
>
> On Thu, Aug 29, 2024 at 06:25:12PM +0200, Florian Westphal wrote:
> > Breno Leitao <leitao@debian.org> wrote:
> > > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> > > users the option to configure iptables without enabling any other
> > > config.
> >
> > I don't get it.
> >
> > IP(6)_NF_IPTABLES_LEGACY without iptable_filter, mangle etc.
> > is useless,
>
> Correct. We need to have iptable_filter, mangle, etc available.
>
> I would like to have ip6_tables as built-in
> (IP(6)_NF_IPTABLES_LEGACY=y), all the other tables built as modules.
>
> So, I am used to a configuration similar to the following (before
> a9525c7f6219c ("netfilter: xtables: allow xtables-nft only builds"))
>
> CONFIG_IP6_NF_IPTABLES=y
> CONFIG_IP6_NF_MANGLE=m
> CONFIG_IP6_NF_RAW=m
> ...
>
> After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only
> builds"), the same configuration is not possible anymore, because
> CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to
> set it as built-in (=y), I need to set the tables as =y.

Good, I was worried there was a functional regression here, but this is more a "matter of taste" then.

I think the patch is fine, I will try to add the relevant depends-on change some time in the near future.
Hello Florian,

On Fri, Aug 30, 2024 at 03:13:01PM +0200, Florian Westphal wrote:
> > After a9525c7f6219c ("netfilter: xtables: allow xtables-nft only
> > builds"), the same configuration is not possible anymore, because
> > CONFIG_IP6_NF_IPTABLES is not user selectable anymore, thus, in order to
> > set it as built-in (=y), I need to set the tables as =y.
>
> Good, I was worried there was a functional regression here, but
> this is more a "matter of taste" then.
>
> I think the patch is fine, I will try to add the relevant
> depends-on change some time in the near future.

I am more than happy to do it, if you wish. I just want to decouple both changes from each other.
Breno Leitao <leitao@debian.org> wrote:
> > I think the patch is fine, I will try to add the relevant
> > depends-on change some time in the near future.
>
> I am more than happy to do it, if you wish. I just want to decouple both
> changes from each other.

Ah, that makes sense to me.

The "depends" change would be good to have, see https://lore.kernel.org/netfilter-devel/20240813183202.GA13864@breakpoint.cc/

(TL;DR: PREEMPT_RT requirements would need more surgery in old x_tables infra)
Hi, On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote: > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving > users the option to configure iptables without enabling any other > config. IUC this is to allow to compile iptables core built-in while allowing extensions to be compiled as module? What is exactly the combination you are trying to achieve which is not possible with the current toggle? Florian's motivation to add this knob is to allow to compile kernels without iptables-legacy support. One more comment below. > Signed-off-by: Breno Leitao <leitao@debian.org> > --- > net/ipv6/netfilter/Kconfig | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig > index f3c8e2d918e1..cbe88cc5b897 100644 > --- a/net/ipv6/netfilter/Kconfig > +++ b/net/ipv6/netfilter/Kconfig > @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration" > > # old sockopt interface and eval loop > config IP6_NF_IPTABLES_LEGACY > - tristate > + tristate "Legacy IP6 tables support" > + depends on INET && IPV6 > + select NETFILTER_XTABLES > + default n > + help > + ip6tables is a general, extensible packet identification legacy framework. "packet classification" is generally the more appropriate and widely used term for firewalls. Maybe simply reword this description to ... ip6tables is a legacy packet classification. > + This is not needed if you are using iptables over nftables (iptables-nft). > > config NF_SOCKET_IPV6 > tristate "IPv6 socket lookup support" > -- > 2.43.5 >
Hello Pablo, On Fri, Sep 06, 2024 at 01:01:46AM +0200, Pablo Neira Ayuso wrote: > On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote: > > This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving > > users the option to configure iptables without enabling any other > > config. > > IUC this is to allow to compile iptables core built-in while allowing > extensions to be compiled as module? What is exactly the combination > you are trying to achieve which is not possible with the current > toggle? Correct. iptable core is built-in, and any extension is a module. > Florian's motivation to add this knob is to allow to compile kernels > without iptables-legacy support. Correct, and this continues to be an option. This change only introduces the option to set the core as built-in or module, independent of the extensions. > > Signed-off-by: Breno Leitao <leitao@debian.org> > > --- > > net/ipv6/netfilter/Kconfig | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig > > index f3c8e2d918e1..cbe88cc5b897 100644 > > --- a/net/ipv6/netfilter/Kconfig > > +++ b/net/ipv6/netfilter/Kconfig > > @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration" > > > > # old sockopt interface and eval loop > > config IP6_NF_IPTABLES_LEGACY > > - tristate > > + tristate "Legacy IP6 tables support" > > + depends on INET && IPV6 > > + select NETFILTER_XTABLES > > + default n > > + help > > + ip6tables is a general, extensible packet identification legacy framework. > > "packet classification" is generally the more appropriate and widely > used term for firewalls. > > Maybe simply reword this description to ... > > ip6tables is a legacy packet classification. Sure, I will send an updated version with this change. Thanks!
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index f3c8e2d918e1..cbe88cc5b897 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration" # old sockopt interface and eval loop config IP6_NF_IPTABLES_LEGACY - tristate + tristate "Legacy IP6 tables support" + depends on INET && IPV6 + select NETFILTER_XTABLES + default n + help + ip6tables is a general, extensible packet identification legacy framework. + This is not needed if you are using iptables over nftables (iptables-nft). config NF_SOCKET_IPV6 tristate "IPv6 socket lookup support"
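Review bot: the `default n` line added to the IP6_NF_IPTABLES_LEGACY block is redundant, since a tristate symbol with no default already resolves to n, so it can be dropped. The help text should also use "packet classification" instead of "packet identification", as Pablo suggests in the thread. More importantly, as long as the iptable_{filter,mangle,nat,...} entries still `select IP6_NF_IPTABLES_LEGACY` (Florian's point above), the new prompt lets a user raise the symbol to y but cannot turn it off while any of those tables is enabled; the knob only fully governs the symbol once those selects are converted to `depends on`, which is the follow-up change both reviewers mention.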
This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving users the option to configure iptables without enabling any other config.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/ipv6/netfilter/Kconfig | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)