{ "id": 2230131, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2230131/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429095949.20910-1-fw@strlen.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260429095949.20910-1-fw@strlen.de>", "date": "2026-04-29T09:59:46", "name": "[nf-next] netfilter: x_tables: disable 32bit compat interface in user namespaces", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "a4d9fabeeb40d2f322ab7a68b08edf14bd163588", "submitter": { "id": 1025, "url": "http://patchwork.ozlabs.org/api/1.1/people/1025/?format=api", "name": "Florian Westphal", "email": "fw@strlen.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429095949.20910-1-fw@strlen.de/mbox/", "series": [ { "id": 502031, "url": "http://patchwork.ozlabs.org/api/1.1/series/502031/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502031", "date": "2026-04-29T09:59:46", "name": "[nf-next] netfilter: x_tables: disable 32bit compat interface in user namespaces", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502031/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2230131/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2230131/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12284-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) 
smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12284-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5CcY5LVJz1xqf\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 20:06:05 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 0902230FD94D\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 10:00:05 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7D0C03C3C14;\n\tWed, 29 Apr 2026 09:59:58 +0000 (UTC)", "from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C4C575809\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 29 Apr 2026 09:59:56 +0000 (UTC)", "by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 062B960331; Wed, 29 Apr 2026 11:59:53 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777456798; cv=none;\n b=ojNv8lta1a7ypyRde/HyeZIQxjPy1YXGkJ7egGTnOy9Z06ih4tq1PL54LnjxwNZlV/E+/X2YW2C2Pgpakx1WbUeD4SVoIDZmn6RpBl7suBDzBs3yQTwPrJ4RTQAXqYCa3pCJkxacdrdYD8RTpPkztPDqvAnyE0vswBUOLbc6aPs=", 
"ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777456798; c=relaxed/simple;\n\tbh=rhuy/sYm+M0zYQwug0X402cIA2TyRVKh+edLoRpK3Hg=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=CPOBlAfwXJFYHU71ReLH5BVSw8qnX/XPQovdGX3zkbtC6cLsi+0RlIifu3Ay3BKe4Jg9OoHQ59yQXQpn+rGtHNBYOVRrZVjFFh1u9WEqQ7DNQ85FRb0I71o2oVNUbwTvHjks8ptACBEEZL7+CIdkbs58+jtRc1HjHoOlvO/pEMQ=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30", "From": "Florian Westphal <fw@strlen.de>", "To": "<netfilter-devel@vger.kernel.org>", "Cc": "Florian Westphal <fw@strlen.de>", "Subject": "[PATCH nf-next] netfilter: x_tables: disable 32bit compat interface\n in user namespaces", "Date": "Wed, 29 Apr 2026 11:59:46 +0200", "Message-ID": "<20260429095949.20910-1-fw@strlen.de>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "This feature is required to use 32bit arp/ip/ip6/ebtables binaries on\n64bit kernels. I don't think there are many users left.\n\nSupport has been a compile-time option since 2021 and defaults to off\nsince 2023.\n\nThe XTABLES_COMPAT config option is already off in many distributions\nincluding Debian and Fedora.\n\nGive a few more months before complete removal but disable support in\nuser namespaces already.\n\nAssisted-by: Claude Code:claude-sonnet-4-6\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n Alternatively this could be ripped out instantly, if thats\n preferred. 
This provides a mix, it would still allow such\n a system to work in init userns.\n\n include/linux/netfilter/x_tables.h | 17 +++++++++++++++++\n net/bridge/netfilter/ebtables.c | 4 ++++\n net/ipv4/netfilter/arp_tables.c | 4 ++++\n net/ipv4/netfilter/ip_tables.c | 4 ++++\n net/ipv6/netfilter/ip6_tables.c | 4 ++++\n 5 files changed, 33 insertions(+)", "diff": "diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h\nindex 77c778d84d4c..4c5b3eba5a6e 100644\n--- a/include/linux/netfilter/x_tables.h\n+++ b/include/linux/netfilter/x_tables.h\n@@ -524,4 +524,21 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,\n \t\t\t\t unsigned int next_offset);\n \n #endif /* CONFIG_NETFILTER_XTABLES_COMPAT */\n+\n+static inline bool xt_compat_check(void)\n+{\n+#ifdef CONFIG_NETFILTER_XTABLES_COMPAT\n+\tif (!in_compat_syscall())\n+\t\treturn true;\n+\n+\tpr_warn_once(\"%s %s\\n\",\n+\t\t \"xtables 32bit compat interface no longer supported\",\n+\t\t \"in namespaces and will be removed soon.\");\n+\n+\tif (!capable(CAP_NET_ADMIN))\n+\t\treturn false;\n+#endif\n+\treturn true;\n+}\n+\n #endif /* _X_TABLES_H */\ndiff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c\nindex aea3e19875c6..92461c7e1e18 100644\n--- a/net/bridge/netfilter/ebtables.c\n+++ b/net/bridge/netfilter/ebtables.c\n@@ -2449,6 +2449,8 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n \tstruct ebt_table *t;\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(net->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -2514,6 +2516,8 @@ static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,\n \tstruct net *net = sock_net(sk);\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(net->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c\nindex 
1cdd9c28ab2d..acb346731d89 100644\n--- a/net/ipv4/netfilter/arp_tables.c\n+++ b/net/ipv4/netfilter/arp_tables.c\n@@ -1416,6 +1416,8 @@ static int do_arpt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1444,6 +1446,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c\nindex 23c8deff8095..e34647da90e9 100644\n--- a/net/ipv4/netfilter/ip_tables.c\n+++ b/net/ipv4/netfilter/ip_tables.c\n@@ -1622,6 +1622,8 @@ do_ipt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1651,6 +1653,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c\nindex d585ac3c1113..0c037f025210 100644\n--- a/net/ipv6/netfilter/ip6_tables.c\n+++ b/net/ipv6/netfilter/ip6_tables.c\n@@ -1631,6 +1631,8 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1660,6 +1662,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n", 
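Review bot: In the new xt_compat_check() in include/linux/netfilter/x_tables.h the pr_warn_once() runs before the capable() test, so the first 32bit caller in the init user namespace, who is still permitted, emits the "no longer supported in namespaces" warning and uses up the once-only slot, and a later namespaced caller that is actually refused with -EPERM leaves no trace in the log. Moving the warning into the deny path and naming the calling task, as sketched below, keeps the log quiet for allowed callers and makes the refusal attributable for whoever has to debug or audit it; pr_warn_once still limits it to the first refusal, which preserves the author's spam tradeoff. The helper also uses in_compat_syscall(), capable() and pr_warn_once() from a header, so unless x_tables.h already pulls in the corresponding headers (not visible in this hunk) that is worth checking. The same two-line guard is inserted ahead of the existing ns_capable() check in ebtables.c, arp_tables.c, ip_tables.c and ip6_tables.c, which is consistent and returns the -EPERM callers already handle; each of those functions continues outside its hunk.
```c
	/* … unchanged: in_compat_syscall() early return … */
	if (!capable(CAP_NET_ADMIN)) {
		/* log only the refusal, and name the caller so the -EPERM can be traced */
		pr_warn_once("xtables 32bit compat interface refused for %s (pid %d): unsupported outside init_user_ns and scheduled for removal\n",
			     current->comm, task_pid_nr(current));
		return false;
	}
```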
"prefixes": [ "nf-next" ] }