netfilter: allow to turn off xtables compat layer

The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2021-04-26 12:14:40 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-04-26 18:16:56 +0200
commit: 47a6959fa331fe892a4fc3b48ca08e92045c6bda (patch)
tree: 02aaee18c39de580c05dc3bb186a3e642200b81d /include/linux/netfilter_ipv4
parent: netfilter: nfnetlink: consolidate callback types (diff)
download: linux-dev-47a6959fa331fe892a4fc3b48ca08e92045c6bda.tar.xz
linux-dev-47a6959fa331fe892a4fc3b48ca08e92045c6bda.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 0fdab3246ef5..8d09bfe850dc 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -67,7 +67,7 @@ extern unsigned int ipt_do_table(struct sk_buff *skb,
 				 const struct nf_hook_state *state,
 				 struct xt_table *table);
 
-#ifdef CONFIG_COMPAT
+#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 #include <net/compat.h>
 
 struct compat_ipt_entry {
author	Florian Westphal <fw@strlen.de>	2021-04-26 12:14:40 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-04-26 18:16:56 +0200
commit	47a6959fa331fe892a4fc3b48ca08e92045c6bda (patch)
tree	02aaee18c39de580c05dc3bb186a3e642200b81d /include/linux/netfilter_ipv4
parent	netfilter: nfnetlink: consolidate callback types (diff)
download	linux-dev-47a6959fa331fe892a4fc3b48ca08e92045c6bda.tar.xz linux-dev-47a6959fa331fe892a4fc3b48ca08e92045c6bda.zip