4:53 a.m.
From: Phil Sutter <psutter(a)redhat.com>
netfilter: Add deprecation notices for xtables
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only
Upon loading legacy xtables table modules or the nft compat module,
print a warning suggesting nftables.
Signed-off-by: Phil Sutter <psutter(a)redhat.com>
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index blahblah..blahblah 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2484,6 +2484,9 @@ static int __init ebtables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+
ret = xt_register_target(&ebt_standard_target);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1623,6 +1623,9 @@ static int __init arp_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&arp_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1902,6 +1902,9 @@ static int __init ip_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&ip_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index blahblah..blahblah 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1909,6 +1909,9 @@ static int __init ip6_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&ip6_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index blahblah..blahblah 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -6,6 +6,8 @@
/* Kernel module for IP set management */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
@@ -2362,8 +2364,12 @@ static struct pernet_operations ip_set_net_ops = {
static int __init
ip_set_init(void)
{
- int ret = register_pernet_subsys(&ip_set_net_ops);
+ int ret;
+
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+ ret = register_pernet_subsys(&ip_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index blahblah..blahblah 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -5,6 +5,8 @@
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
@@ -882,6 +884,9 @@ static int __init nft_compat_module_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (https://red.ht/nft_your_tables)\n");
+
ret = nft_register_expr(&nft_match_type);
if (ret < 0)
return ret;
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226
4:55 a.m.
From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6194...
Forgot the SoB (as usual).
9:56 a.m.
From: Don Zickus on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6197...
@psutter1 - Can you wrap this change with CONFIG_RHEL_DIFFERENCES so that it
doesn't affect Fedora?
10:09 a.m.
From: Jarod Wilson on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6240...
Acked-by: Jarod Wilson <jarod(a)redhat.com>
(via approve button)
11:14 a.m.
From: Don Zickus on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6241...
Turning this into a blocking comment for now until the patch is wrapped with
CONFIG_RHEL_DIFFERENCES.
@ptalbert, @prarit - did this work right?
11:50 a.m.
From: Prarit Bhargava on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6303...
@psutter1, reach out to revers about marking this as unsupported. We're
making some changes in this area and there some additional steps that need to
be taken.
You should not be explicitly calling out the deprecation this way. Take a
look at mark_driver_unsupported() in the kernel.
3:53 a.m.
From: Patrick Talbert on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_6626...
Closing this for now with a plan to repost later.
965
days inactive
1017
days old
kernel@lists.fedoraproject.org
6 comments
5 participants
participants (5)
-
Don Zickus (via Email Bridge) -
Jarod Wilson (via Email Bridge)
-
Patrick Talbert (via Email Bridge)
-
Phil Sutter (via Email Bridge)
-
Prarit Bhargava (via Email Bridge)