netfilter: allow to turn off xtables compat layer

The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2021-04-26 12:14:40 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-04-26 18:16:56 +0200
commit: 47a6959fa331fe892a4fc3b48ca08e92045c6bda (patch)
tree: 02aaee18c39de580c05dc3bb186a3e642200b81d /net/netfilter/Kconfig
parent: 50f2db9e368f73ecbbaa92da365183fa953aaba7 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index fcd8682704c4..56a2531a3402 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -728,6 +728,16 @@ config NETFILTER_XTABLES
 
 if NETFILTER_XTABLES
 
+config NETFILTER_XTABLES_COMPAT
+	bool "Netfilter Xtables 32bit support"
+	depends on COMPAT
+	default y
+	help
+	   This option provides a translation layer to run 32bit arp,ip(6),ebtables
+	   binaries on 64bit kernels.
+
+	   If unsure, say N.
+
 comment "Xtables combined modules"
 
 config NETFILTER_XT_MARK
author	Florian Westphal <fw@strlen.de>	2021-04-26 12:14:40 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-04-26 18:16:56 +0200
commit	47a6959fa331fe892a4fc3b48ca08e92045c6bda (patch)
tree	02aaee18c39de580c05dc3bb186a3e642200b81d /net/netfilter/Kconfig
parent	50f2db9e368f73ecbbaa92da365183fa953aaba7 (diff)