I finally had a closer look at this, and yes, the code
backing this feature has been removed, but it continues
to exist as an option in the kernel (otherwise the audit
tools would have alerted me).

That deprecated option is already selecting CT on our
behalf.

Given that we've had it around for so long, rather than
removing it, I'd prefer to explicitly set it to "is not set"
so the tools will be able to pick up mismatches if any
remaining references are around.

I'd be happy to take a v2 of the patch with that change.

Bruce

In message: [kernel-cache][PATCH 1/1] netfilter: update notrack->ct
on 28/06/2023 eero.aalto...@vaisala.com wrote:

> From: Eero Aaltonen <eero.aalto...@vaisala.com>
> 
> xt_NOTRACK was removed in linux-stable commit
> 965505015beccc4ec900798070165875b8e8dccf
> 
> included in Linux 3.7.1 and has been superseded by xt_CT.
> 
> Signed-off-by: Eero Aaltonen <eero.aalto...@vaisala.com>
> ---
>  features/netfilter/netfilter.cfg | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/features/netfilter/netfilter.cfg 
> b/features/netfilter/netfilter.cfg
> index 4e8d1bb6..c581afd4 100644
> --- a/features/netfilter/netfilter.cfg
> +++ b/features/netfilter/netfilter.cfg
> @@ -29,13 +29,13 @@ CONFIG_NF_CT_NETLINK=m
>  CONFIG_NETFILTER_XTABLES=m
>  CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
>  CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
> +CONFIG_NETFILTER_XT_TARGET_CT=m
>  CONFIG_NETFILTER_XT_TARGET_DSCP=m
>  CONFIG_NETFILTER_XT_TARGET_HL=m
>  CONFIG_NETFILTER_XT_TARGET_LOG=m
>  CONFIG_NETFILTER_XT_TARGET_MARK=m
>  CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>  CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
> -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
>  CONFIG_NETFILTER_XT_TARGET_TRACE=m
>  CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
>  CONFIG_NETFILTER_XT_MATCH_COMMENT=m
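
Review bot: the `-CONFIG_NETFILTER_XT_TARGET_NOTRACK=m` line drops the symbol from features/netfilter/netfilter.cfg without leaving any statement about its intended state, so a BSP or layer that still sets it would not be reported as a mismatch. As the reply in this thread notes, the option still exists in the kernel and already selects CT. Replacing the line with `# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set` rather than deleting it, alongside the new `CONFIG_NETFILTER_XT_TARGET_CT=m`, keeps the fragment explicit and lets the audit tools flag any remaining references. The commit message should also say that the symbol is being kept as "is not set" on purpose.
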
> -- 
> 2.25.1
> 