From patchwork Fri Aug 23 17:48:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Breno Leitao X-Patchwork-Id: 13775643 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49BBA191F6B; Fri, 23 Aug 2024 17:49:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724435351; cv=none; b=NbeK3pGVhGFPW4Uv9okbasNs9YF6niNpWzoevEPsG8d2YBN+/tg6SSts8+9nvAmMnLgJ7BQMOU1wyOXBQL+5Kliiz/TKj5toQS1Y+5Wp2uPMby+NlZWrdL005DalOXgb0++iVNrymXDS1urstsfp/C/zo1dcOPa2p7telB3cY+g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724435351; c=relaxed/simple; bh=JPmeRkWYY+2KSVJkCOMkvdV8p0irCIdkXP4F6YkIbGY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iJs2Am78K0iRRfzg1daVXhkemxFwjLpLcd8c0NCXaCOrtskbvvqv1OYkGG3DhHEqNSg49FGLihxGCZbThanq8EJPWLFx4oauK4EsIyGWklc5XiKCA/hEnhUlSu138UutuadnI98+QJHPJqultfJQIrtOAihZujQpAhpWyHeq3Hw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.208.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-ed1-f45.google.com with SMTP id 4fb4d7f45d1cf-5bf068aebe5so3175974a12.0; Fri, 23 Aug 2024 10:49:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724435348; x=1725040148; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BqD598LxBlFmt2MsNr5Mid1xXVOmt4wJxiSrQp9nSW0=; b=draMBGaGxo6QlWwr1c/ed/NEpjCZK5EpR02U8MsGP0l4+z2tBiezSFkXRA1Gz6A35M KZ0yScjwYixE0NbhVOTPOCEX9jeEtZGnnTXi7XST+AsR8yT7mY8BNUCPyn9kYpA0CQ81 //mDuzSCZS8oM4otZCBM3lVu/laY5oHjQGtVftSgueu5zNrsFQXlb2G+dFZyPDCe3ZCY BelkShARrvLxJyLHUeiN46tHj5R9regOQGZZAFIpDyOm6Mw/xsF6PPz7UXAyoI8GFlZm wetF9LU5LWWCRXyA0ZkyasYtMsNemsQVopI/FYO5nr5CNDA4FRxTszaJPXzwZG4Cx/Bv C2wA== X-Forwarded-Encrypted: i=1; AJvYcCU5rEk4OtKH/P6gxePZ5hS8waSY9qrH522ddcE6JO7Yv3dGhWv7GjtgkIHp8P43WTln6ZFUIXKJorOCxEB1odNo@vger.kernel.org, AJvYcCUt3voe2AQDbK3S99LPP08j6+zvVCgYjVOUbiEUf6n3bxd/tNTmkxhyS1YArmbGUq3YgtcVFxsjuLtD2PQ=@vger.kernel.org, AJvYcCWEXxa53Ruerzvo5J8BmDNO/Ef6XZAnIwPN3ivI7sQY8jIw/l/FcEMZ5+KyNZYA3+SEjKoRLYgn@vger.kernel.org, AJvYcCWLNQpW/KNoKI3isreXxHzIfdZ631PCAK5rPcH3ozAHqOGlvPum4vgX/H4j0ukolsU1jd44emFmynvYPh73V/vs@vger.kernel.org X-Gm-Message-State: AOJu0Yx+DXZ9+BT/vZKq4ZHmrJFOKzykF7NadD635C0iqYhPAnv2Th3v npkt1T5KtWRfRR3bZh7pAwcimwo0pQB8aZHvucVjpILfmApK6tdf X-Google-Smtp-Source: AGHT+IGsCED+/krMzoX0Z0slfJR2jMjGjilqafqsebtwBtUuFyPsekLUBr0kXzc7SSXxd6+vTjkgCw== X-Received: by 2002:a05:6402:27cd:b0:5be:f4fe:5345 with SMTP id 4fb4d7f45d1cf-5c0891a1f0cmr1780942a12.24.1724435346999; Fri, 23 Aug 2024 10:49:06 -0700 (PDT) Received: from localhost (fwdproxy-lla-011.fbsv.net. [2a03:2880:30ff:b::face:b00c]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5c04a3ead3esm2468053a12.46.2024.08.23.10.49.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Aug 2024 10:49:06 -0700 (PDT) From: Breno Leitao To: fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, Pablo Neira Ayuso , Jozsef Kadlecsik , David Ahern , Shuah Khan Cc: rbc@meta.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org (open list:NETFILTER), coreteam@netfilter.org (open list:NETFILTER), linux-kselftest@vger.kernel.org (open list:KERNEL SELFTEST FRAMEWORK) Subject: [PATCH nf-next v2 1/2] netfilter: Make IP_NF_IPTABLES_LEGACY selectable Date: Fri, 23 Aug 2024 10:48:52 -0700 Message-ID: <20240823174855.3052334-2-leitao@debian.org> X-Mailer: git-send-email 2.43.5 In-Reply-To: <20240823174855.3052334-1-leitao@debian.org> References: <20240823174855.3052334-1-leitao@debian.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This option makes IP_NF_IPTABLES_LEGACY user selectable, giving users the option to configure iptables without enabling any other config. Suggested-by: Florian Westphal Signed-off-by: Breno Leitao --- net/ipv4/netfilter/Kconfig | 19 +++++++++++-------- tools/testing/selftests/net/config | 1 + 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 1b991b889506..a06c1903183f 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -12,7 +12,12 @@ config NF_DEFRAG_IPV4 # old sockopt interface and eval loop config IP_NF_IPTABLES_LEGACY - tristate + tristate "Legacy IP tables support" + default n + select NETFILTER_XTABLES + help + iptables is a general, extensible packet identification legacy framework. + This is not needed if you are using iptables over nftables (iptables-nft). config NF_SOCKET_IPV4 tristate "IPv4 socket lookup support" @@ -177,7 +182,7 @@ config IP_NF_MATCH_TTL config IP_NF_FILTER tristate "Packet filtering" default m if NETFILTER_ADVANCED=n - select IP_NF_IPTABLES_LEGACY + depends on IP_NF_IPTABLES_LEGACY help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and @@ -217,7 +222,7 @@ config IP_NF_NAT default m if NETFILTER_ADVANCED=n select NF_NAT select NETFILTER_XT_NAT - select IP_NF_IPTABLES_LEGACY + depends on IP_NF_IPTABLES_LEGACY help This enables the `nat' table in iptables. This allows masquerading, port forwarding and other forms of full Network Address Port @@ -258,7 +263,7 @@ endif # IP_NF_NAT config IP_NF_MANGLE tristate "Packet mangling" default m if NETFILTER_ADVANCED=n - select IP_NF_IPTABLES_LEGACY + depends on IP_NF_IPTABLES_LEGACY help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations @@ -293,7 +298,7 @@ config IP_NF_TARGET_TTL # raw + specific targets config IP_NF_RAW tristate 'raw table support (required for NOTRACK/TRACE)' - select IP_NF_IPTABLES_LEGACY + depends on IP_NF_IPTABLES_LEGACY help This option adds a `raw' table to iptables. This table is the very first in the netfilter framework and hooks in at the PREROUTING @@ -305,9 +310,7 @@ config IP_NF_RAW # security table for MAC policy config IP_NF_SECURITY tristate "Security table" - depends on SECURITY - depends on NETFILTER_ADVANCED - select IP_NF_IPTABLES_LEGACY + depends on SECURITY && NETFILTER_ADVANCED && IP_NF_IPTABLES_LEGACY help This option adds a `security' table to iptables, for use with Mandatory Access Control (MAC) policy. diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config index 5b9baf708950..784e2965896a 100644 --- a/tools/testing/selftests/net/config +++ b/tools/testing/selftests/net/config @@ -35,6 +35,7 @@ CONFIG_IP_DCCP=m CONFIG_NF_NAT=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP_NF_IPTABLES=m +CONFIG_IP_NF_IPTABLES_LEGACY=m CONFIG_IP6_NF_NAT=m CONFIG_IP6_NF_RAW=m CONFIG_IP_NF_NAT=m From patchwork Fri Aug 23 17:48:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Breno Leitao X-Patchwork-Id: 13775644 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4FDBD1922D5; Fri, 23 Aug 2024 17:49:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724435353; cv=none; b=ut0O5WrXJFVMsgWsjMCcbvZJiFO39vW0ABQGFr0QhIpTxIiRvK5dX3IlU3Qr1JOsI60lXeTGWlMMd6evVPog+hC/lwIi2PvzjP6S+6mBRXMiY/oPzAuX0Oju0Z7lk+9lHw2OWgqKhfj5oOMh4i+p54JTQHYKIe65b+xOntysWBA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724435353; c=relaxed/simple; bh=6j5Z2GLBTYlWHUK6CmfBaeaSi0as9+i6bBlu69vy3ls=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=C07h2yzM2fz6cu+DWJn8OVrtaeKIxJLsW4CqQV4YfVRGdTKMTsy7n73Lt3gKTy3gjhMnKf9M/rYjkZdWG6InFiXSJ+IXBsf/ixG8PQiB6LOCs9kdmPAjQRVeWeRvA9Clfqz38tho2p4fX3es3ai9ECimiiXal77yWhEz7NYw3Io= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-a86b46c4831so1255566b.1; Fri, 23 Aug 2024 10:49:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724435349; x=1725040149; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=szDQdcdN7BMvS+OUeXjzJL68Ac7ZIZYOcJVX3rjfiPU=; b=pm7aGfkxJ5VF8p943FpF0tUtNn2luv9vp1gZHd0svhP7hYXPzJV4VipaA/vdhhGgEp kax+fHYJnzKBrOtg/DutsFhQTDB9d9p7C8Jh6irykO6EE9DgHUPOwj5HPMAlNPtAcaaD lAeIpTIfZnLLJ40MeO5QkRTxVETVysTj+yzc5KM1qLRONJFSUqlMVLq8v2yuOe0R92VP TEqkGxAhIoUsdtvhSgpFVgprIqcdDKspVCGgOUECBrs8dX89fH+bhMrCjnBYybYWpGDD +K6K1YWugrL/SE5NTvynKDhzowwQO/7J7YQJYTWQ4yN0vh4Jt5zwT60aWji7Sr1G44MC DrbQ== X-Forwarded-Encrypted: i=1; AJvYcCVFJzYwTjvWy0rRIK3ynfKpqOQmIH68kGYF4V0GrHw+1SwDPDLgF1c1U7mPyYgYxXB/jApoUeqjXVmnWDrSY18x@vger.kernel.org, AJvYcCVJU8CAYAvq9554JTdKPoiJCmJH04e79M3U1GwyGg0kzudkhTw2eTVzuPFhOKR2zd9RjsoP5eE4xQU7mD7HfM7p@vger.kernel.org, AJvYcCX6TVXcTmYMohTGU5SraY6FFgTFOoYL2vnAXYIs3GFU2WgnYsDWbzQjumOHmxkrEs7AnqxN/7uF@vger.kernel.org, AJvYcCXE1LkpBIwR/oPqH/+R/T2pjCKJozjS+8Rl/lgFTfn+Dz32g+/LS4usHjwMgn323lo0Eib07tTPZiWnIJU=@vger.kernel.org X-Gm-Message-State: AOJu0YxR2E6tJW3NWGdObGqS4PM5m01dDVgq09BzCERmbS/LzTx8wlk+ 90mbBOt/PrjpMGubEIGtKwRO8MXhEOCHu6/VUhP1QMKEcYznDedwXgV7Rw== X-Google-Smtp-Source: AGHT+IGmnmh75QaC2pg0Pj5gbc6jCVy46lhWLPnQKudTsIRNwaTOH3VYiMBs19afUg2CN6P5y/vHVA== X-Received: by 2002:a17:907:724d:b0:a86:86d7:2890 with SMTP id a640c23a62f3a-a86a54d1af0mr219004366b.50.1724435349090; Fri, 23 Aug 2024 10:49:09 -0700 (PDT) Received: from localhost (fwdproxy-lla-001.fbsv.net. [2a03:2880:30ff:1::face:b00c]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a868f4f62f1sm288840966b.218.2024.08.23.10.49.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Aug 2024 10:49:08 -0700 (PDT) From: Breno Leitao To: fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, Pablo Neira Ayuso , Jozsef Kadlecsik , David Ahern , Shuah Khan Cc: rbc@meta.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org (open list:NETFILTER), coreteam@netfilter.org (open list:NETFILTER), linux-kselftest@vger.kernel.org (open list:KERNEL SELFTEST FRAMEWORK) Subject: [PATCH nf-next v2 2/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable Date: Fri, 23 Aug 2024 10:48:53 -0700 Message-ID: <20240823174855.3052334-3-leitao@debian.org> X-Mailer: git-send-email 2.43.5 In-Reply-To: <20240823174855.3052334-1-leitao@debian.org> References: <20240823174855.3052334-1-leitao@debian.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving users the option to configure iptables without enabling any other config. Signed-off-by: Breno Leitao --- net/ipv6/netfilter/Kconfig | 22 ++++++++++++---------- tools/testing/selftests/net/config | 1 + 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index f3c8e2d918e1..dad0a50d3ef4 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration" # old sockopt interface and eval loop config IP6_NF_IPTABLES_LEGACY - tristate + tristate "Legacy IP6 tables support" + depends on INET && IPV6 + select NETFILTER_XTABLES + default n + help + ip6tables is a general, extensible packet identification legacy framework. + This is not needed if you are using iptables over nftables (iptables-nft). config NF_SOCKET_IPV6 tristate "IPv6 socket lookup support" @@ -190,7 +196,7 @@ config IP6_NF_TARGET_HL config IP6_NF_FILTER tristate "Packet filtering" default m if NETFILTER_ADVANCED=n - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY tristate help Packet filtering defines a table `filter', which has a series of @@ -227,7 +233,7 @@ config IP6_NF_TARGET_SYNPROXY config IP6_NF_MANGLE tristate "Packet mangling" default m if NETFILTER_ADVANCED=n - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations @@ -237,7 +243,7 @@ config IP6_NF_MANGLE config IP6_NF_RAW tristate 'raw table support (required for TRACE)' - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY help This option adds a `raw' table to ip6tables. This table is the very first in the netfilter framework and hooks in at the PREROUTING @@ -249,9 +255,7 @@ config IP6_NF_RAW # security table for MAC policy config IP6_NF_SECURITY tristate "Security table" - depends on SECURITY - depends on NETFILTER_ADVANCED - select IP6_NF_IPTABLES_LEGACY + depends on SECURITY && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY help This option adds a `security' table to iptables, for use with Mandatory Access Control (MAC) policy. @@ -260,10 +264,8 @@ config IP6_NF_SECURITY config IP6_NF_NAT tristate "ip6tables NAT support" - depends on NF_CONNTRACK - depends on NETFILTER_ADVANCED + depends on NF_CONNTRACK && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY select NF_NAT - select IP6_NF_IPTABLES_LEGACY select NETFILTER_XT_NAT help This enables the `nat' table in ip6tables. This allows masquerading, diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config index 784e2965896a..32e04837084e 100644 --- a/tools/testing/selftests/net/config +++ b/tools/testing/selftests/net/config @@ -34,6 +34,7 @@ CONFIG_IPV6_SIT=y CONFIG_IP_DCCP=m CONFIG_NF_NAT=m CONFIG_IP6_NF_IPTABLES=m +CONFIG_IP6_NF_IPTABLES_LEGACY=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_IPTABLES_LEGACY=m CONFIG_IP6_NF_NAT=m