From: Phil Sutter psutter@redhat.com

netfilter: Add deprecation notices for xtables

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179 Upstream Status: RHEL-only

Upon loading legacy xtables table modules or the nft compat module, print a warning suggesting nftables.

Signed-off-by: Phil Sutter psutter@redhat.com

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index blahblah..blahblah 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2484,6 +2484,9 @@ static int __init ebtables_init(void) { int ret;

+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn"); + ret = xt_register_target(&ebt_standard_target); if (ret < 0) return ret; diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index blahblah..blahblah 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1623,6 +1623,9 @@ static int __init arp_tables_init(void) { int ret;

+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn"); + ret = register_pernet_subsys(&arp_tables_net_ops); if (ret < 0) goto err1; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index blahblah..blahblah 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1902,6 +1902,9 @@ static int __init ip_tables_init(void) { int ret;

+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn"); + ret = register_pernet_subsys(&ip_tables_net_ops); if (ret < 0) goto err1; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index blahblah..blahblah 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1909,6 +1909,9 @@ static int __init ip6_tables_init(void) { int ret;

+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn"); + ret = register_pernet_subsys(&ip6_tables_net_ops); if (ret < 0) goto err1; diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index blahblah..blahblah 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -6,6 +6,8 @@

/* Kernel module for IP set management */

+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include <linux/init.h> #include <linux/module.h> #include <linux/moduleparam.h> @@ -2362,8 +2364,12 @@ static struct pernet_operations ip_set_net_ops = { static int __init ip_set_init(void) { - int ret = register_pernet_subsys(&ip_set_net_ops); + int ret; + + pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn");

+ ret = register_pernet_subsys(&ip_set_net_ops); if (ret) { pr_err("ip_set: cannot register pernet_subsys.\n"); return ret; diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index blahblah..blahblah 100644 --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -5,6 +5,8 @@ * This software has been sponsored by Sophos Astaro http://www.sophos.com */

+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include <linux/kernel.h> #include <linux/init.h> #include <linux/module.h> @@ -882,6 +884,9 @@ static int __init nft_compat_module_init(void) { int ret;

+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise Linux,\n" + "please use nftables instead (https://red.ht/nft_your_tables)%5Cn"); + ret = nft_register_expr(&nft_match_type); if (ret < 0) return ret;

-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226