From: Florian Westphal on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2823
Disable DCCP conntrack and the old iptables-32-bit-compat interface in all configurations.
Set CONFIG_NETFILTER_NETLINK_HOOK=m in all configurations (only enabled in rhel so far)
and disable CONFIG_NF_CT_PROTO_DCCP and CONFIG_NETFILTER_XTABLES_COMPAT
in all configurations.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
---
 redhat/configs/rhel/generic/CONFIG_NETFILTER_NETLINK_HOOK => redhat/configs/common/generic/CONFIG_NETFILTER_NETLINK_HOOK | 0
 redhat/configs/rhel/generic/CONFIG_NETFILTER_XTABLES_COMPAT => redhat/configs/common/generic/CONFIG_NETFILTER_XTABLES_COMPAT | 0
 redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP | 2 +-
 redhat/configs/fedora/generic/CONFIG_NETFILTER_NETLINK_HOOK | 1 -
 redhat/configs/fedora/generic/CONFIG_NETFILTER_XTABLES_COMPAT | 1 -
 5 files changed, 1 insertions(+), 3 deletions(-)
From: Florian Westphal <fwestpha@redhat.com>
configs: enable netfilter_netlink_hook in fedora too
Already enabled in RHEL, so move this to common.
This is required to make nft userspace "list hooks" command functional.
It will display the hook pipeline, i.e., this is an introspection feature.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
diff --git a/redhat/configs/rhel/generic/CONFIG_NETFILTER_NETLINK_HOOK b/redhat/configs/common/generic/CONFIG_NETFILTER_NETLINK_HOOK rename from redhat/configs/rhel/generic/CONFIG_NETFILTER_NETLINK_HOOK rename to redhat/configs/common/generic/CONFIG_NETFILTER_NETLINK_HOOK index blahblah..blahblah 100644 --- a/redhat/configs/rhel/generic/CONFIG_NETFILTER_NETLINK_HOOK +++ b/redhat/configs/common/generic/CONFIG_NETFILTER_NETLINK_HOOK diff --git a/redhat/configs/fedora/generic/CONFIG_NETFILTER_NETLINK_HOOK b/redhat/configs/fedora/generic/CONFIG_NETFILTER_NETLINK_HOOK deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/configs/fedora/generic/CONFIG_NETFILTER_NETLINK_HOOK +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_NETFILTER_NETLINK_HOOK is not set
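Review bot: the rename of redhat/configs/rhel/generic/CONFIG_NETFILTER_NETLINK_HOOK into common/generic/ carries no content hunk, so the value being promoted is not visible in this commit; the only visible change is the deletion of Fedora's `# CONFIG_NETFILTER_NETLINK_HOOK is not set`. Suggest stating the resulting value in the commit body (the MR description says `CONFIG_NETFILTER_NETLINK_HOOK=m`) so a reader of this commit alone can tell that Fedora now builds the hook-listing netlink interface as a module rather than leaving it out.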
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2823
From: Florian Westphal <fwestpha@redhat.com>
redhat: disable dccp conntrack support
DCCP is already disabled in RHEL.
Judging from activity on the upstream development mailing list and the "syzkaller" dccp related reports there are no real users of this protocol.
Disable dccp conntrack support. We've had use-after-free and out-of-bounds accesses (now fixed) in this code in the past, it's clear that this is only "used" by fuzzers.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
diff --git a/redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP b/redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP index blahblah..blahblah 100644 --- a/redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP +++ b/redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP @@ -1 +1 @@ -CONFIG_NF_CT_PROTO_DCCP=y +# CONFIG_NF_CT_PROTO_DCCP is not set
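Review bot: the file changed is redhat/configs/common/generic/CONFIG_NF_CT_PROTO_DCCP, so this flips the shared default for every variant, yet the body says "DCCP is already disabled in RHEL"; if a rhel/ override file exists for this symbol it should be dropped in the same commit, otherwise the body should say where RHEL had it disabled. A sentence on the user-visible effect would also help: with the DCCP tracker off, DCCP flows are handled by the generic L4 tracker rather than the DCCP state machine, so rulesets that key on DCCP-specific conntrack state no longer match as before.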
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2823
From: Florian Westphal <fwestpha@redhat.com>
redhat: disable iptables-legacy compatibility layer
Already disabled in RHEL, also disable this in Fedora. This means 32bit iptables binaries do not work anymore on 64 bit kernels.
This doesn't affect 64bit binaries in any way.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
diff --git a/redhat/configs/rhel/generic/CONFIG_NETFILTER_XTABLES_COMPAT b/redhat/configs/common/generic/CONFIG_NETFILTER_XTABLES_COMPAT rename from redhat/configs/rhel/generic/CONFIG_NETFILTER_XTABLES_COMPAT rename to redhat/configs/common/generic/CONFIG_NETFILTER_XTABLES_COMPAT index blahblah..blahblah 100644 --- a/redhat/configs/rhel/generic/CONFIG_NETFILTER_XTABLES_COMPAT +++ b/redhat/configs/common/generic/CONFIG_NETFILTER_XTABLES_COMPAT diff --git a/redhat/configs/fedora/generic/CONFIG_NETFILTER_XTABLES_COMPAT b/redhat/configs/fedora/generic/CONFIG_NETFILTER_XTABLES_COMPAT deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/configs/fedora/generic/CONFIG_NETFILTER_XTABLES_COMPAT +++ /dev/null @@ -1 +0,0 @@ -CONFIG_NETFILTER_XTABLES_COMPAT=y
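Review bot: the subject "disable iptables-legacy compatibility layer" overstates the change; CONFIG_NETFILTER_XTABLES_COMPAT is only the 32-bit userspace compat interface on 64-bit kernels, as the body itself says ("32bit iptables binaries do not work anymore on 64 bit kernels"), and iptables-legacy from 64-bit binaries is unaffected. Suggest a subject such as "redhat: disable 32-bit xtables compat interface" so nobody reads this as removing iptables-legacy. Since Fedora previously had `CONFIG_NETFILTER_XTABLES_COMPAT=y` and the rename into common/ carries no visible content, the body should also spell out the new value and describe how the breakage shows up to a user running a 32-bit iptables binary, which helps support triage once this ships.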
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2823
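The three commits above change shared Kconfig defaults, and an administrator checking a kernel ahead of an upgrade wants a quick way to see where a given config stands on each symbol. The following POSIX shell script is an added example, not part of the merge request or of kernel-ark; it parses a kernel `.config`-style file and reports the practical consequence of each of the three symbols. The sample config it falls back to is constructed (the `=m` value for CONFIG_NETFILTER_NETLINK_HOOK is taken from the MR description); point it at `/boot/config-$(uname -r)` or at a decompressed `/proc/config.gz` to check a real kernel.

```shell
#!/bin/sh
# Added example (not part of the MR): report how a kernel config stands on the
# three netfilter symbols touched by this merge request, so an admin can tell
# in advance whether 32-bit iptables binaries, DCCP state matching, or
# 'nft list hooks' will work on that kernel.

# Print y, m, n (explicitly "is not set") or absent for one Kconfig symbol.
kconfig_state() {
    _file="$1"
    _sym="$2"
    if grep -q "^${_sym}=y\$" "$_file"; then
        echo y
    elif grep -q "^${_sym}=m\$" "$_file"; then
        echo m
    elif grep -q "^# ${_sym} is not set\$" "$_file"; then
        echo n
    else
        echo absent
    fi
}

# Constructed sample resembling the post-MR state of a common/generic config
# (CONFIG_NETFILTER_NETLINK_HOOK=m per the MR description, the other two off).
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_NETLINK_HOOK=m
# CONFIG_NF_CT_PROTO_DCCP is not set
# CONFIG_NETFILTER_XTABLES_COMPAT is not set
EOF
}

# One line per symbol with the consequence for the host running that kernel.
netfilter_report() {
    _file="$1"
    case "$(kconfig_state "$_file" CONFIG_NETFILTER_NETLINK_HOOK)" in
        y|m) echo "NETLINK_HOOK: available; 'nft list hooks' can show the hook pipeline" ;;
        *)   echo "NETLINK_HOOK: missing; 'nft list hooks' will not work" ;;
    esac
    case "$(kconfig_state "$_file" CONFIG_NF_CT_PROTO_DCCP)" in
        y|m) echo "NF_CT_PROTO_DCCP: DCCP conntrack state machine present" ;;
        *)   echo "NF_CT_PROTO_DCCP: off; DCCP flows are handled by the generic L4 tracker only" ;;
    esac
    # XTABLES_COMPAT is a bool in Kconfig: only y or "is not set" occur.
    case "$(kconfig_state "$_file" CONFIG_NETFILTER_XTABLES_COMPAT)" in
        y)   echo "XTABLES_COMPAT: 32-bit iptables binaries work on this 64-bit kernel" ;;
        *)   echo "XTABLES_COMPAT: off; only native 64-bit iptables binaries work" ;;
    esac
}

# With a path argument, report on that config file, e.g.
#   zcat /proc/config.gz > /tmp/config && sh netfilter-check.sh /tmp/config
# Without an argument, report on the constructed sample above.
if [ -n "${1:-}" ]; then
    netfilter_report "$1"
else
    _tmp=$(mktemp)
    sample_config > "$_tmp"
    netfilter_report "$_tmp"
    rm -f "$_tmp"
fi
```

The script only reads the config text; it does not touch the running ruleset, so it is safe to run on production hosts before deciding whether 32-bit tooling or DCCP-aware rules need to be replaced.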
From: Colin Walters (Red Hat) on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2823#note_1739124...
Today, podman (really https://github.com/containers/netavark/ ) still uses these compat interfaces...I'm a little surprised that there's no "can run a container" gating here on MRs.
I think we need to more formally track dependencies of these iptables interfaces before we can remove them.
(To be clear I am not sure this is the MR that caused this behavior, but it's my best guess)
kernel@lists.fedoraproject.org