diff options
author | Florian Westphal <fw@strlen.de> | 2021-04-26 12:14:40 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-04-26 18:16:56 +0200 |
commit | 47a6959fa331fe892a4fc3b48ca08e92045c6bda (patch) | |
tree | 02aaee18c39de580c05dc3bb186a3e642200b81d /net/bridge/netfilter/ebt_limit.c | |
parent | 50f2db9e368f73ecbbaa92da365183fa953aaba7 (diff) | |
download | linux-stable-47a6959fa331fe892a4fc3b48ca08e92045c6bda.tar.gz linux-stable-47a6959fa331fe892a4fc3b48ca08e92045c6bda.tar.bz2 linux-stable-47a6959fa331fe892a4fc3b48ca08e92045c6bda.zip |
netfilter: allow to turn off xtables compat layer
The compat layer needs to parse untrusted input (the ruleset)
to translate it to a 64bit compatible format.
We had a number of bugs in this department in the past, so allow users
to turn this feature off.
Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y
to keep existing behaviour.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge/netfilter/ebt_limit.c')
-rw-r--r-- | net/bridge/netfilter/ebt_limit.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c index fa199556e122..e16183bd1bb8 100644 --- a/net/bridge/netfilter/ebt_limit.c +++ b/net/bridge/netfilter/ebt_limit.c @@ -87,7 +87,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par) } -#ifdef CONFIG_COMPAT +#ifdef CONFIG_NETFILTER_XTABLES_COMPAT /* * no conversion function needed -- * only avg/burst have meaningful values in userspace. @@ -107,7 +107,7 @@ static struct xt_match ebt_limit_mt_reg __read_mostly = { .checkentry = ebt_limit_mt_check, .matchsize = sizeof(struct ebt_limit_info), .usersize = offsetof(struct ebt_limit_info, prev), -#ifdef CONFIG_COMPAT +#ifdef CONFIG_NETFILTER_XTABLES_COMPAT .compatsize = sizeof(struct ebt_compat_limit_info), #endif .me = THIS_MODULE, |