{"id":2230131,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230131/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429095949.20910-1-fw@strlen.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260429095949.20910-1-fw@strlen.de>","date":"2026-04-29T09:59:46","name":"[nf-next] netfilter: x_tables: disable 32bit compat interface in user namespaces","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a4d9fabeeb40d2f322ab7a68b08edf14bd163588","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/1.1/people/1025/?format=json","name":"Florian Westphal","email":"fw@strlen.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429095949.20910-1-fw@strlen.de/mbox/","series":[{"id":502031,"url":"http://patchwork.ozlabs.org/api/1.1/series/502031/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502031","date":"2026-04-29T09:59:46","name":"[nf-next] netfilter: x_tables: disable 32bit compat interface in user namespaces","version":1,"mbox":"http://patchwork.ozlabs.org/series/502031/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230131/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230131/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12284-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n 
envelope-from=netfilter-devel+bounces-12284-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5CcY5LVJz1xqf\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 20:06:05 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 0902230FD94D\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 10:00:05 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7D0C03C3C14;\n\tWed, 29 Apr 2026 09:59:58 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C4C575809\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 29 Apr 2026 09:59:56 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 062B960331; Wed, 29 Apr 2026 11:59:53 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777456798; cv=none;\n b=ojNv8lta1a7ypyRde/HyeZIQxjPy1YXGkJ7egGTnOy9Z06ih4tq1PL54LnjxwNZlV/E+/X2YW2C2Pgpakx1WbUeD4SVoIDZmn6RpBl7suBDzBs3yQTwPrJ4RTQAXqYCa3pCJkxacdrdYD8RTpPkztPDqvAnyE0vswBUOLbc6aPs=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777456798; 
c=relaxed/simple;\n\tbh=rhuy/sYm+M0zYQwug0X402cIA2TyRVKh+edLoRpK3Hg=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=CPOBlAfwXJFYHU71ReLH5BVSw8qnX/XPQovdGX3zkbtC6cLsi+0RlIifu3Ay3BKe4Jg9OoHQ59yQXQpn+rGtHNBYOVRrZVjFFh1u9WEqQ7DNQ85FRb0I71o2oVNUbwTvHjks8ptACBEEZL7+CIdkbs58+jtRc1HjHoOlvO/pEMQ=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30","From":"Florian Westphal <fw@strlen.de>","To":"<netfilter-devel@vger.kernel.org>","Cc":"Florian Westphal <fw@strlen.de>","Subject":"[PATCH nf-next] netfilter: x_tables: disable 32bit compat interface\n in user namespaces","Date":"Wed, 29 Apr 2026 11:59:46 +0200","Message-ID":"<20260429095949.20910-1-fw@strlen.de>","X-Mailer":"git-send-email 2.53.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"This feature is required to use 32bit arp/ip/ip6/ebtables binaries on\n64bit kernels.  I don't think there are many users left.\n\nSupport has been a compile-time option since 2021 and defaults to off\nsince 2023.\n\nThe XTABLES_COMPAT config option is already off in many distributions\nincluding Debian and Fedora.\n\nGive a few more months before complete removal but disable support in\nuser namespaces already.\n\nAssisted-by: Claude Code:claude-sonnet-4-6\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n Alternatively this could be ripped out instantly, if thats\n preferred.  
This provides a mix, it would still allow such\n a system to work in init userns.\n\n include/linux/netfilter/x_tables.h | 17 +++++++++++++++++\n net/bridge/netfilter/ebtables.c    |  4 ++++\n net/ipv4/netfilter/arp_tables.c    |  4 ++++\n net/ipv4/netfilter/ip_tables.c     |  4 ++++\n net/ipv6/netfilter/ip6_tables.c    |  4 ++++\n 5 files changed, 33 insertions(+)","diff":"diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h\nindex 77c778d84d4c..4c5b3eba5a6e 100644\n--- a/include/linux/netfilter/x_tables.h\n+++ b/include/linux/netfilter/x_tables.h\n@@ -524,4 +524,21 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,\n \t\t\t\t  unsigned int next_offset);\n \n #endif /* CONFIG_NETFILTER_XTABLES_COMPAT */\n+\n+static inline bool xt_compat_check(void)\n+{\n+#ifdef CONFIG_NETFILTER_XTABLES_COMPAT\n+\tif (!in_compat_syscall())\n+\t\treturn true;\n+\n+\tpr_warn_once(\"%s %s\\n\",\n+\t\t     \"xtables 32bit compat interface no longer supported\",\n+\t\t     \"in namespaces and will be removed soon.\");\n+\n+\tif (!capable(CAP_NET_ADMIN))\n+\t\treturn false;\n+#endif\n+\treturn true;\n+}\n+\n #endif /* _X_TABLES_H */\ndiff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c\nindex aea3e19875c6..92461c7e1e18 100644\n--- a/net/bridge/netfilter/ebtables.c\n+++ b/net/bridge/netfilter/ebtables.c\n@@ -2449,6 +2449,8 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n \tstruct ebt_table *t;\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(net->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -2514,6 +2516,8 @@ static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,\n \tstruct net *net = sock_net(sk);\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(net->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv4/netfilter/arp_tables.c 
b/net/ipv4/netfilter/arp_tables.c\nindex 1cdd9c28ab2d..acb346731d89 100644\n--- a/net/ipv4/netfilter/arp_tables.c\n+++ b/net/ipv4/netfilter/arp_tables.c\n@@ -1416,6 +1416,8 @@ static int do_arpt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1444,6 +1446,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c\nindex 23c8deff8095..e34647da90e9 100644\n--- a/net/ipv4/netfilter/ip_tables.c\n+++ b/net/ipv4/netfilter/ip_tables.c\n@@ -1622,6 +1622,8 @@ do_ipt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1651,6 +1653,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \ndiff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c\nindex d585ac3c1113..0c037f025210 100644\n--- a/net/ipv6/netfilter/ip6_tables.c\n+++ b/net/ipv6/netfilter/ip6_tables.c\n@@ -1631,6 +1631,8 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n@@ -1660,6 +1662,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)\n {\n \tint ret;\n \n+\tif (!xt_compat_check())\n+\t\treturn -EPERM;\n \tif (!ns_capable(sock_net(sk)->user_ns, 
CAP_NET_ADMIN))\n \t\treturn -EPERM;\n \n","prefixes":["nf-next"]}
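Review bot: in the include/linux/netfilter/x_tables.h hunk, xt_compat_check() calls pr_warn_once() before the capable(CAP_NET_ADMIN) test, so a compat caller that is still permitted (CAP_NET_ADMIN in the initial user namespace) also logs "xtables 32bit compat interface no longer supported in namespaces", which misdescribes its own situation; either move the warning under `if (!capable(CAP_NET_ADMIN))` or reword it as a general deprecation notice that applies to every compat caller. The new static inline also relies on in_compat_syscall(), pr_warn_once() and capable() while the hunk adds no includes, so please confirm that x_tables.h already pulls in the headers declaring them (linux/compat.h, linux/printk.h, linux/capability.h) rather than depending on include order at the call sites. A one-line comment saying that capable() rather than ns_capable() is deliberate, because the intent is to refuse the compat path outside the init user namespace while the per-netns ns_capable() check that follows at each call site keeps handling the normal case, would help the next reader, as would a note in the commit message that the refused callers see -EPERM rather than a distinct "unsupported" error.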