]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d88d1ad) | patch
netfilter: allow to turn off xtables compat layer
authorFlorian Westphal <fw@strlen.de>
Mon, 26 Apr 2021 10:14:40 +0000 (12:14 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 26 Apr 2021 16:16:56 +0000 (18:16 +0200)
commitea3c5749a24ace0ae0fbc9f9d1c21f1c22b7be93
tree02aaee18c39de580c05dc3bb186a3e642200b81dtree | snapshot
parentd88d1ad250454d1d18efd644b3b38c742cb8a16ccommit | diff
netfilter: allow to turn off xtables compat layer

The compat layer needs to parse untrusted input (the ruleset)
to translate it to a 64bit compatible format.

We had a number of bugs in this department in the past, so allow users
to turn this feature off.

Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y
to keep existing behaviour.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
15 files changed:
include/linux/netfilter/x_tables.h diff | blob | history
include/linux/netfilter_arp/arp_tables.h diff | blob | history
include/linux/netfilter_ipv4/ip_tables.h diff | blob | history
include/linux/netfilter_ipv6/ip6_tables.h diff | blob | history
net/bridge/netfilter/ebt_limit.c diff | blob | history
net/bridge/netfilter/ebt_mark.c diff | blob | history
net/bridge/netfilter/ebt_mark_m.c diff | blob | history
net/bridge/netfilter/ebtables.c diff | blob | history
net/ipv4/netfilter/arp_tables.c diff | blob | history
net/ipv4/netfilter/ip_tables.c diff | blob | history
net/ipv4/netfilter/ipt_CLUSTERIP.c diff | blob | history
net/ipv6/netfilter/ip6_tables.c diff | blob | history
net/netfilter/Kconfig diff | blob | history
net/netfilter/x_tables.c diff | blob | history
net/netfilter/xt_limit.c diff | blob | history
Linux Kernel Source Tree.