| field | value | date |
|---|---|---|
| author | Florian Westphal <fw@strlen.de> | 2026-04-25 15:00:50 +0200 |
| committer | Florian Westphal <fw@strlen.de> | 2026-05-24 22:55:37 +0200 |
| commit | ec1806a730a1c0b3d68a7f9afe81514fb0dd7991 (patch) | |
| tree | feb60a3f214d1648ae4bcfded55651fc594a84b0 /include/linux | |
| parent | c0aa5f13826dcb035bec3d6b252e6b2020fa5f88 (diff) | |
netfilter: x_tables: disable 32bit compat interface in user namespaces
This feature is required to use 32bit arp/ip/ip6/ebtables binaries on
64bit kernels. I don't think there are many users left.
Support has been a compile-time option since 2021 and defaults to off
since 2023.
The XTABLES_COMPAT config option is already off in many distributions
including Debian and Fedora.
Give a few more months before complete removal but disable support in
user namespaces already.
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/netfilter/x_tables.h | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 5a1c5c336fa4..20d70dddbe50 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -534,4 +534,21 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems, unsigned int next_offset); #endif /* CONFIG_NETFILTER_XTABLES_COMPAT */ + +static inline bool xt_compat_check(void) +{ +#ifdef CONFIG_NETFILTER_XTABLES_COMPAT + if (!in_compat_syscall()) + return true; + + pr_warn_once("%s %s\n", + "xtables 32bit compat interface no longer supported", + "in namespaces and will be removed soon."); + + if (!capable(CAP_NET_ADMIN)) + return false; +#endif + return true; +} + #endif /* _X_TABLES_H */ |
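Review bot: xt_compat_check() needs a comment saying that the gate is deliberately capable(CAP_NET_ADMIN), which tests the capability against the initial user namespace, and not ns_capable(): that distinction is the entire mechanism behind "disable support in user namespaces" in the commit message, and neither the function name nor the body states it, so a later cleanup to ns_capable() would silently undo the change. Related, pr_warn_once() runs before the capability test, so a caller in the initial user namespace that is still let through also gets told the interface is "no longer supported in namespaces"; if the intent is to warn every remaining compat user about the coming removal that is reasonable, but then the text should say so, otherwise move the warning under `if (!capable(CAP_NET_ADMIN))`. Two things to confirm that this view does not show: the hunk introduces in_compat_syscall(), pr_warn_once() and capable()/CAP_NET_ADMIN into the header without adding any #include, so check that x_tables.h already pulls in linux/compat.h, linux/printk.h and linux/capability.h for every configuration that includes it; and since the diffstat is limited to include/linux, the errno the callers map the false return to (and whether all arp/ip/ip6/ebtables setsockopt and getsockopt paths call it) has to be reviewed on the net/ side. On the positive side, pr_warn_once() is a single global shot, so an unprivileged container repeatedly hitting the rejected path cannot flood the kernel log.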
