Message-ID: <ZvV7KFHXx3V30HEH@calendula>
Date: Thu, 26 Sep 2024 17:18:00 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Breno Leitao <leitao@...ian.org>
Cc: fw@...len.de, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, rbc@...a.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH nf-next v5 0/2] netfilter: Make IP_NF_IPTABLES_LEGACY
selectable

On Thu, Sep 26, 2024 at 04:11:39AM -0700, Breno Leitao wrote:
> Hello Pablo,
>
> On Wed, Sep 18, 2024 at 01:21:02PM +0200, Pablo Neira Ayuso wrote:
> > Single patch to update them all should be fine.
>
> I am planning to send the following patch, please let me know if you
> have any concern before I send it:
>
> Author: Breno Leitao <leitao@...ian.org>
> Date: Thu Aug 29 02:51:02 2024 -0700
>
> netfilter: Make legacy configs user selectable
>
> This option makes legacy Netfilter Kconfig user selectable, giving users
> the option to configure iptables without enabling any other config.

LGTM, a few cosmetic nitpicks below.

> Make the following KConfig entries user selectable:
> * BRIDGE_NF_EBTABLES_LEGACY
> * IP_NF_ARPTABLES
> * IP_NF_IPTABLES_LEGACY
> * IP6_NF_IPTABLES_LEGACY
>
> Signed-off-by: Breno Leitao <leitao@...ian.org>
>
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index 104c0125e32e..b7bdb094f708 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
>
> # old sockopt interface and eval loop
> config BRIDGE_NF_EBTABLES_LEGACY
> - tristate
> + tristate "Legacy EBTABLES support"
> + depends on BRIDGE && NETFILTER_XTABLES
> + default n
> + help
> + Legacy ebtable packet/frame classifier.
           ^^^^^^^
           ebtables
> + This is not needed if you are using ebtables over nftables
> + (iptables-nft).
>
> menuconfig BRIDGE_NF_EBTABLES
> tristate "Ethernet Bridge tables (ebtables) support"
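Review bot: The new help text for BRIDGE_NF_EBTABLES_LEGACY ends with "(iptables-nft)" although the sentence is about ebtables over nftables; name the ebtables front end there or drop the parenthetical. The `default n` line can also go, since a symbol with no default is already n.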
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index 1b991b889506..2c4d42b5bed1 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
>
> # old sockopt interface and eval loop
> config IP_NF_IPTABLES_LEGACY
> - tristate
> + tristate "Legacy IP tables support"
> + default n
> + select NETFILTER_XTABLES
> + help
> + iptables is a legacy packet classifier.
> + This is not needed if you are using iptables over nftables
> + (iptables-nft).
>
> config NF_SOCKET_IPV4
> tristate "IPv4 socket lookup support"
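Review bot: The help text added to IP_NF_IPTABLES_LEGACY does not say what the option builds; the comment above the entry ("old sockopt interface and eval loop") is more informative than "iptables is a legacy packet classifier", so consider carrying that description into the help so a user can tell what is lost by leaving it off. `default n` is redundant here because n is what Kconfig assigns when no default is given.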
> @@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
>
> # ARP tables
> config IP_NF_ARPTABLES
> - tristate
> + tristate "Legacy ARPTABLE support"
                     ^^^^^^^^
                     ARPTABLES
> + depends on NETFILTER_XTABLES
> + default n
> + help
> + arptables is a legacy packet classifier.
> + This is not needed if you are using arptables over nftables
> + (iptables-nft).
>
> config NFT_COMPAT_ARP
> tristate
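Review bot: IP_NF_ARPTABLES is given `depends on NETFILTER_XTABLES`, while IP_NF_IPTABLES_LEGACY earlier in the same file is given `select NETFILTER_XTABLES`. With `depends on`, the new prompt stays hidden until NETFILTER_XTABLES is enabled separately, which works against the commit message's goal of configuring these without enabling any other config; use the same form for both entries. The "(iptables-nft)" in the help text also does not match an arptables entry.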
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index f3c8e2d918e1..e087a8e97ba7 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
>
> # old sockopt interface and eval loop
> config IP6_NF_IPTABLES_LEGACY
> - tristate
> + tristate "Legacy IP6 tables support"
> + depends on INET && IPV6
> + select NETFILTER_XTABLES
> + default n
> + help
> + ip6tables is a legacy packet classifier.
> + This is not needed if you are using iptables over nftables
> + (iptables-nft).
>
> config NF_SOCKET_IPV6
> tristate "IPv6 socket lookup support"
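Review bot: The help text for IP6_NF_IPTABLES_LEGACY says "if you are using iptables over nftables", whereas the ebtables and arptables entries name their own tool in that sentence; this one should read ip6tables. The attribute order here (depends on, select, default) also differs from the IPv4 entry (default, select); keep one order across the files, and drop `default n`, which is already the Kconfig default.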