connection tracking zones currently depend on the xtables CT target,
connection tracking labels are handled via hidden dependency that gets
auto-selected by the connlabel match.
Make NF_CONNTRACK_LABELS a normal config knob and make both depend on
either the xtables target/match or the nft conntrack expression.
This allows to use conntrack labels and zones with nft-only kernel.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/Kconfig | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0febf3e21f91..96bf21389940 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -106,7 +106,7 @@ config NF_CONNTRACK_SECMARK
config NF_CONNTRACK_ZONES
bool 'Connection tracking zones'
depends on NETFILTER_ADVANCED
- depends on NETFILTER_XT_TARGET_CT
+ depends on NETFILTER_XT_TARGET_CT || NFT_CT
help
This option enables support for connection tracking zones.
Normally, each connection needs to have a unique system wide
@@ -158,10 +158,12 @@ config NF_CONNTRACK_TIMESTAMP
If unsure, say `N'.
config NF_CONNTRACK_LABELS
- bool
+ bool "Connection tracking labels"
+ depends on NETFILTER_XT_MATCH_CONNLABEL || NFT_CT
help
This option enables support for assigning user-defined flag bits
- to connection tracking entries. It selected by the connlabel match.
+ to connection tracking entries. It can be used with xtables connlabel
+ match of the nftables ct expression.
config NF_CT_PROTO_DCCP
bool 'DCCP protocol connection tracking support'
@@ -1153,7 +1155,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
config NETFILTER_XT_MATCH_CONNLABEL
tristate '"connlabel" match support'
- select NF_CONNTRACK_LABELS
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
---help---
--
2.16.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
