This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving users the option to configure iptables without enabling any other config.
Signed-off-by: Breno Leitao leitao@debian.org
---
net/ipv6/netfilter/Kconfig | 22 ++++++++++++----------
tools/testing/selftests/net/config | 5 +++++
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1..dad0a50d3ef4 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
- tristate
+ tristate "Legacy IP6 tables support"
+ depends on INET && IPV6
+ select NETFILTER_XTABLES
+ default n
+ help
+ ip6tables is a general, extensible packet identification legacy framework.
+ This is not needed if you are using iptables over nftables (iptables-nft).
config NF_SOCKET_IPV6 tristate "IPv6 socket lookup support" @@ -190,7 +196,7 @@ config IP6_NF_TARGET_HL config IP6_NF_FILTER tristate "Packet filtering" default m if NETFILTER_ADVANCED=n - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY tristate help Packet filtering defines a table `filter', which has a series of @@ -227,7 +233,7 @@ config IP6_NF_TARGET_SYNPROXY config IP6_NF_MANGLE tristate "Packet mangling" default m if NETFILTER_ADVANCED=n - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations @@ -237,7 +243,7 @@ config IP6_NF_MANGLE
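Review bot: The new prompt on IP6_NF_IPTABLES_LEGACY carries a `default n` line that can go, since that is already the Kconfig default, and its help text does not say what else depends on this symbol. Because the tables no longer select it, leaving it off also removes the ip6tables filter, mangle, raw, security and nat tables changed later in this file. A host that loads an ip6tables-legacy ruleset at boot would then presumably come up with those IPv6 rules missing. I would say so in the help, e.g. `Say Y or M if you load rules with ip6tables-legacy; the filter, mangle, raw, security and nat tables depend on this option.` The enclosing menu starts outside the hunk, so it cannot be checked here whether `depends on INET && IPV6` repeats a dependency the menu already carries.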
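Review bot: `default m if NETFILTER_ADVANCED=n` on IP6_NF_FILTER no longer has the effect it had before, because the entry now has `depends on IP6_NF_IPTABLES_LEGACY` and that symbol defaults to off. The same applies to IP6_NF_MANGLE in the next hunk, and IP6_NF_RAW, IP6_NF_SECURITY and IP6_NF_NAT lose their implicit `select` in the same way. A configuration that used to get the IPv6 filter table just by leaving NETFILTER_ADVANCED off can now build without it unless the legacy symbol is set by hand, which is a quiet way to lose IPv6 filtering. If that default is meant to survive, the legacy symbol would need a matching `default m if NETFILTER_ADVANCED=n`; if not, the commit message should state that minimal configs must add CONFIG_IP6_NF_IPTABLES_LEGACY. Separately, the context right after the changed line appears to show a second bare `tristate` in this entry, which looks like a leftover worth dropping while the entry is being touched.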
config IP6_NF_RAW tristate 'raw table support (required for TRACE)' - select IP6_NF_IPTABLES_LEGACY + depends on IP6_NF_IPTABLES_LEGACY help This option adds a `raw' table to ip6tables. This table is the very first in the netfilter framework and hooks in at the PREROUTING @@ -249,9 +255,7 @@ config IP6_NF_RAW # security table for MAC policy config IP6_NF_SECURITY tristate "Security table" - depends on SECURITY - depends on NETFILTER_ADVANCED - select IP6_NF_IPTABLES_LEGACY + depends on SECURITY && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY help This option adds a `security' table to iptables, for use with Mandatory Access Control (MAC) policy. @@ -260,10 +264,8 @@ config IP6_NF_SECURITY
config IP6_NF_NAT tristate "ip6tables NAT support" - depends on NF_CONNTRACK - depends on NETFILTER_ADVANCED + depends on NF_CONNTRACK && NETFILTER_ADVANCED && IP6_NF_IPTABLES_LEGACY select NF_NAT - select IP6_NF_IPTABLES_LEGACY select NETFILTER_XT_NAT help This enables the `nat' table in ip6tables. This allows masquerading, diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config index 90e997cfa12e..e534144c75ea 100644 --- a/tools/testing/selftests/net/config +++ b/tools/testing/selftests/net/config @@ -35,12 +35,16 @@ CONFIG_IPV6_SIT=y CONFIG_IP_DCCP=m CONFIG_NF_NAT=m CONFIG_IP6_NF_IPTABLES=m +CONFIG_IP6_NF_IPTABLES_LEGACY=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_IPTABLES_LEGACY=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_MANGLE=m +CONFIG_IP6_NF_MANGLE=m +CONFIG_IP6_NF_FILTER=m +CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_NAT=m CONFIG_IP6_NF_RAW=m CONFIG_IP_NF_NAT=m @@ -61,6 +65,7 @@ CONFIG_NF_TABLES=m CONFIG_NF_TABLES_IPV6=y CONFIG_NF_TABLES_IPV4=y CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_REJECT_IPV6=y CONFIG_NFT_NAT=m CONFIG_NETFILTER_XT_MATCH_LENGTH=m CONFIG_NET_ACT_CSUM=m
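Review bot: Nothing in the selftests fragment says that CONFIG_IP6_NF_IPTABLES_LEGACY=m is now what keeps the existing CONFIG_IP6_NF_NAT=m and CONFIG_IP6_NF_RAW=m lines effective, since those entries used to pull the legacy backend in by `select`. A one-line comment above the new entry, for instance `# ip6tables-legacy tables below depend on this`, would keep someone from trimming it later and silently dropping the IPv6 tables from the test kernel. The commit message also does not explain the added CONFIG_IP6_NF_MANGLE, CONFIG_IP6_NF_FILTER and CONFIG_IP6_NF_TARGET_REJECT lines, or CONFIG_NF_REJECT_IPV6 in the following hunk. Other config fragments that enable IP6_NF_* tables would presumably need the same treatment, which cannot be checked from this page.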