From: Pablo Neira Ayuso Date: Wed, 15 Apr 2026 11:12:36 +0000 (+0200) Subject: netfilter: allow nfnetlink built-in only X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4349ba9872d0c97a31fb2a18789297731061e88;p=thirdparty%2Flinux.git netfilter: allow nfnetlink built-in only Netfilter has its own netlink multiplexer, initially only a few subsystem were using it, most notably conntrack, queue and log, later in time nf_tables. These days it is the control plane of preference. Just remove modular support for this, allow it built-in only. Signed-off-by: Pablo Neira Ayuso Reviewed-by: Fernando Fernandez Mancera Signed-off-by: Florian Westphal
---
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f71ff98eb5d0..665f8008cc4b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -22,7 +22,7 @@ config NETFILTER_SKIP_EGRESS
 def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
 config NETFILTER_NETLINK
- tristate
+ bool
 config NETFILTER_FAMILY_BRIDGE
 bool
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f0751ca302c6..6bf74d488a29 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
 netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o
+netfilter-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
 nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o \
 nf_conntrack_proto.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o \
@@ -23,7 +24,6 @@ endif
 obj-$(CONFIG_NETFILTER) = netfilter.o
 obj-$(CONFIG_NETFILTER_BPF_LINK) += nf_bpf_link.o
-obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
 obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
 obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
 obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
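Review bot: The `NETFILTER_NETLINK` entry has no prompt or help text, so nothing at the symbol records that switching it to `bool` makes the multiplexer built-in only. Any option that selects it while itself built as a module will presumably now force nfnetlink into the kernel image, so the NETLINK_NETFILTER endpoint exists from boot and can no longer be kept out by leaving the nfnetlink module unloaded or blocklisted. The selecting symbols are outside this hunk, so that is inferred from Kconfig select semantics rather than shown here. A comment above the entry, for example `# Built-in only: selected by the nfnetlink subsystems and linked into netfilter.o`, would help anyone auditing a config for exposed control-plane surface.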
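Review bot: The composite object is now assembled from two list spellings: `netfilter-objs :=` on the context line and `netfilter-$(CONFIG_NETFILTER_NETLINK) +=` on the added line. Kbuild accepts both, but `netfilter-y := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o` would match the `nf_conntrack-y` list just below and make it obvious that the conditional line appends to the same object. nfnetlink.c is not part of this diff, so any module-only pieces it carries (an exit handler or a module alias) would now be unused and are worth checking in a follow-up. The same commit drops the `obj-$(CONFIG_NETFILTER_NETLINK)` line in the second Makefile hunk, which needs no separate comment.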