lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260112125432.61218-1-lukas.bulwahn@redhat.com>
Date: Mon, 12 Jan 2026 13:54:26 +0100
From: Lukas Bulwahn <lbulwahn@...hat.com>
To: "David S . Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Florian Westphal <fw@...len.de>,
	Phil Sutter <phil@....cc>,
	David Ahern <dsahern@...nel.org>,
	netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org,
	coreteam@...filter.org
Cc: Geert Uytterhoeven <geert@...ux-m68k.org>,
	Paul Walmsley <pjw@...nel.org>,
	Palmer Dabbelt <palmer@...belt.com>,
	Albert Ou <aou@...s.berkeley.edu>,
	Alexandre Ghiti <alex@...ti.fr>,
	Heiko Carstens <hca@...ux.ibm.com>,
	Vasily Gorbik <gor@...ux.ibm.com>,
	Alexander Gordeev <agordeev@...ux.ibm.com>,
	Christian Borntraeger <borntraeger@...ux.ibm.com>,
	Sven Schnelle <svens@...ux.ibm.com>,
	linux-riscv@...ts.infradead.org,
	linux-m68k@...ts.linux-m68k.org,
	linux-s390@...r.kernel.org,
	kernel-janitors@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Lukas Bulwahn <lukas.bulwahn@...hat.com>
Subject: [RFC PATCH 0/5] net: make config options NF_LOG_{ARP,IPV4,IPV6} transitional

Hi,

This RFC patch series makes the config options NF_LOG_{ARP,IPV4,IPV6}
transitional. Recently, Kees Cook added a feature to kconfig to assist
transitioning deprecated config options. Here is a first RFC patch to apply
this feature for NF_LOG_{ARP,IPV4,IPV6}.

The plan is to mark all deprecated config options in net transitional, and
update the kernel configurations in the kernel tree to not use those
transitional config options. Then we leave these transitional config
options for a year or two to allow users that only update from one LTS to
the next to see that these config options are deprecated. After such a
grace period, we can finally drop these transitional config options.

This patch series is the manifestation of that plan for the three
deprecated options NF_LOG_{ARP,IPV4,IPV6}. If there is general agreement
that this is how deprecated config options are to be handled, then please
apply the patches 1 and 2 to the net-next tree.

Note that for the time being, as there is no dedicated kernel-wide Kconfig
file for collecting transitional config options right now, so simply adding
them at the end of the net/Kconfig file seems the best choice for now. 

The patches 3, 4 and 5 are added here to understand the complete treewide
change to transition the deprecated config options; I expect the patches
3, 4 and 5 to be applied by the corresponding arch maintainers, though.
Note that all patches in this series can be applied independently from each
other without causing any regression, i.e., if any patch 2 to 5 is applied
without patch 1, the resulting kernel configurations still enable the same
functionality as before as well as with patch 1 applied.

Once the general approach and patches are accepted, I plan to send some
further patch series to transition more net config options. My current
investigation identified that these further config options in net can be
transitioned:

  IP_NF_MATCH_ECN -> NETFILTER_XT_MATCH_ECN
  IP_NF_MATCH_TTL -> NETFILTER_XT_MATCH_HL
  IP_NF_TARGET_MASQUERADE -> NETFILTER_XT_TARGET_MASQUERADE
  IP_NF_TARGET_NETMAP -> NETFILTER_XT_TARGET_NETMAP
  IP_NF_TARGET_REDIRECT -> NETFILTER_XT_TARGET_REDIRECT
  IP_NF_TARGET_TTL -> NETFILTER_XT_TARGET_HL
  NETFILTER_XT_TARGET_CONNMARK -> NETFILTER_XT_CONNMARK
  NETFILTER_XT_TARGET_MARK -> NETFILTER_XT_MARK


Lukas


Lukas Bulwahn (5):
  net: make configs NF_LOG_{ARP,IPV4,IPV6} transitional
  selftests: net: replace deprecated NF_LOG configs by NF_LOG_SYSLOG
  m68k: defconfig: replace deprecated NF_LOG configs by NF_LOG_SYSLOG
  riscv: defconfig: replace deprecated NF_LOG configs by NF_LOG_SYSLOG
  s390/configs: replace deprecated NF_LOG configs by NF_LOG_SYSLOG

 arch/m68k/configs/amiga_defconfig            |  3 +--
 arch/m68k/configs/apollo_defconfig           |  3 +--
 arch/m68k/configs/atari_defconfig            |  3 +--
 arch/m68k/configs/bvme6000_defconfig         |  3 +--
 arch/m68k/configs/hp300_defconfig            |  3 +--
 arch/m68k/configs/mac_defconfig              |  3 +--
 arch/m68k/configs/multi_defconfig            |  3 +--
 arch/m68k/configs/mvme147_defconfig          |  3 +--
 arch/m68k/configs/mvme16x_defconfig          |  3 +--
 arch/m68k/configs/q40_defconfig              |  3 +--
 arch/m68k/configs/sun3_defconfig             |  3 +--
 arch/m68k/configs/sun3x_defconfig            |  3 +--
 arch/riscv/configs/defconfig                 |  4 +---
 arch/s390/configs/debug_defconfig            |  2 +-
 arch/s390/configs/defconfig                  |  2 +-
 net/Kconfig                                  | 21 ++++++++++++++++++++
 net/ipv4/netfilter/Kconfig                   | 16 ---------------
 net/ipv6/netfilter/Kconfig                   |  8 --------
 net/netfilter/Kconfig                        |  1 +
 tools/testing/selftests/net/netfilter/config |  3 +--
 20 files changed, 38 insertions(+), 55 deletions(-)

-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ