Commit c38eb297 authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds



It's now possible to build a kernel that has no support for the classic
xtables get/setsockopt interfaces and builtin tables.

In this case, we have CONFIG_IP6_NF_MANGLE=n and
CONFIG_IP_NF_ARPTABLES=n.

For optstrip, the ipv6 code is so small that we can enable it if
netfilter ipv6 support exists. For mark, check if either classic
arptables or NFT_ARP_COMPAT is set.

Fixes: a9525c7f ("netfilter: xtables: allow xtables-nft only builds")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent d31c1caf
+2 −2
@@ -91,7 +91,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
	return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb));
}

#if IS_ENABLED(CONFIG_IP6_NF_MANGLE)
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
static unsigned int
tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
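Review bot: the guard in front of tcpoptstrip_tg6 now tests CONFIG_IP6_NF_IPTABLES, but the commit message only says the IPv6 code is enabled "if netfilter ipv6 support exists" and never names that symbol. Please name the symbol in the message, or add a one-line comment above the `#if`, saying why it is the right condition when CONFIG_IP6_NF_MANGLE=n, so a later reader does not tie the target back to the mangle table.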
@@ -119,7 +119,7 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
		.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
		.me         = THIS_MODULE,
	},
#if IS_ENABLED(CONFIG_IP6_NF_MANGLE)
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
	{
		.name       = "TCPOPTSTRIP",
		.family     = NFPROTO_IPV6,
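Review bot: the `#if` around the NFPROTO_IPV6 entry in tcpoptstrip_tg_reg[] has to stay identical to the one around the tcpoptstrip_tg6 definition in the previous hunk, and nothing in the file enforces that. If the two conditions ever diverge, either the array refers to a function that was compiled out or the function is built but never registered. Consider annotating the matching `#endif` lines with the condition, or noting next to the table entry that it must match the guard on the function.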
+1 −1
@@ -48,7 +48,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
		.targetsize     = sizeof(struct xt_mark_tginfo2),
		.me             = THIS_MODULE,
	},
#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES) || IS_ENABLED(CONFIG_NFT_COMPAT_ARP)
	{
		.name           = "MARK",
		.revision       = 2,
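Review bot: the second symbol in the new guard is spelled CONFIG_NFT_COMPAT_ARP, while the commit message calls it NFT_ARP_COMPAT. IS_ENABLED() on a symbol that Kconfig never defines evaluates to 0 without any build error, so a misspelling here would silently drop the ARP MARK entry from mark_tg_reg[] in exactly the nft-only builds this patch targets. Please confirm which spelling matches the Kconfig entry and make the message and the `#if` agree.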