netfilter: Make legacy configs user selectable

This option makes legacy Netfilter Kconfig user selectable, giving users
the option to configure iptables without enabling any other config.

Make the following KConfig entries user selectable:
 * BRIDGE_NF_EBTABLES_LEGACY
 * IP_NF_ARPTABLES
 * IP_NF_IPTABLES_LEGACY
 * IP6_NF_IPTABLES_LEGACY

Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 104c0125e32e8251b35b24e8424a2457b5661c32..f16bbbbb94817638c54ec6de588ad8df3145b70f 100644 (file)
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
 
 # old sockopt interface and eval loop
 config BRIDGE_NF_EBTABLES_LEGACY
-       tristate
+       tristate "Legacy EBTABLES support"
+       depends on BRIDGE && NETFILTER_XTABLES
+       default n
+       help
+        Legacy ebtables packet/frame classifier.
+        This is not needed if you are using ebtables over nftables
+        (iptables-nft).
 
 menuconfig BRIDGE_NF_EBTABLES
        tristate "Ethernet Bridge tables (ebtables) support"

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506a9929980e6c91a493d976a7de0ed..ef8009281da5cfecc8c0a98a5803aba5f6cee07a 100644 (file)
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-       tristate
+       tristate "Legacy IP tables support"
+       default n
+       select NETFILTER_XTABLES
+       help
+         iptables is a legacy packet classifier.
+         This is not needed if you are using iptables over nftables
+         (iptables-nft).
 
 config NF_SOCKET_IPV4
        tristate "IPv4 socket lookup support"
@@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
 
 # ARP tables
 config IP_NF_ARPTABLES
-       tristate
+       tristate "Legacy ARPTABLES support"
+       depends on NETFILTER_XTABLES
+       default n
+       help
+         arptables is a legacy packet classifier.
+         This is not needed if you are using arptables over nftables
+         (iptables-nft).
 
 config NFT_COMPAT_ARP
        tristate

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e1336d8906569d185fdf5ca8878c29..e087a8e97ba78b50a161caab55af8dd69b08b7dc 100644 (file)
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-       tristate
+       tristate "Legacy IP6 tables support"
+       depends on INET && IPV6
+       select NETFILTER_XTABLES
+       default n
+       help
+         ip6tables is a legacy packet classifier.
+         This is not needed if you are using iptables over nftables
+         (iptables-nft).
 
 config NF_SOCKET_IPV6
        tristate "IPv6 socket lookup support"