Open Source and information security mailing list archives
Message-ID: <Zto4WmXldf6KzeQO@calendula>
Date: Fri, 6 Sep 2024 01:01:46 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Breno Leitao <leitao@...ian.org>
Cc: fw@...len.de, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, Jozsef Kadlecsik <kadlec@...filter.org>,
	David Ahern <dsahern@...nel.org>, rbc@...a.com,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	netfilter-devel@...r.kernel.org,
	"open list:NETFILTER" <coreteam@...filter.org>
Subject: Re: [PATCH nf-next v4 1/2] netfilter: Make IP6_NF_IPTABLES_LEGACY selectable

Hi,

On Thu, Aug 29, 2024 at 09:16:54AM -0700, Breno Leitao wrote:
> This option makes IP6_NF_IPTABLES_LEGACY user selectable, giving
> users the option to configure iptables without enabling any other
> config.

IIUC this is to allow compiling the iptables core built-in while allowing
extensions to be compiled as modules? What exactly is the combination
you are trying to achieve which is not possible with the current
toggle?

Florian's motivation to add this knob is to allow to compile kernels
without iptables-legacy support.

One more comment below.

> Signed-off-by: Breno Leitao <leitao@...ian.org>
> ---
>  net/ipv6/netfilter/Kconfig | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..cbe88cc5b897 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,13 @@ menu "IPv6: Netfilter Configuration"
>  
>  # old sockopt interface and eval loop
>  config IP6_NF_IPTABLES_LEGACY
> -	tristate
> +	tristate "Legacy IP6 tables support"
> +	depends on INET && IPV6
> +	select NETFILTER_XTABLES
> +	default n
> +	help
> +	  ip6tables is a general, extensible packet identification legacy framework.

"packet classification" is generally the more appropriate and widely
used term for firewalls.

Maybe simply reword this description to ...

	  ip6tables is a legacy packet classification.

> +	  This is not needed if you are using iptables over nftables (iptables-nft).
>  
>  config NF_SOCKET_IPV6
>  	tristate "IPv6 socket lookup support"
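Review bot: the `+	default n` line added to `IP6_NF_IPTABLES_LEGACY` is redundant, since a Kconfig tristate with no `default` statement already defaults to n; dropping it keeps the entry shorter and avoids suggesting that the default is something worth stating. The new `depends on INET && IPV6` and `select NETFILTER_XTABLES` lines are what actually make the prompt safe to expose, so the commit message would benefit from a sentence saying why those two are needed now that the symbol is no longer only reached via `select` from other options.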
> -- 
> 2.43.5
> 
