RHEL-106884

[redhat] New configs in net/netfilter


    • Task
    • Resolution: Done
    • Undefined
    • eln
    • None
    • kernel / Networking
    • None
    • rhel-net-core
    • None
    • False
    • None

      Hi,

      As part of the ongoing rebase effort, the following configuration
      options need to be reviewed.

      As a reminder, the ARK configuration flow involves moving unreviewed
      configuration options from the pending directory to the ark directory.
      In the diff below, options are removed from the pending directory and
      added to the ark hierarchy. The final options that need to be ACKed
      are the files that are being added to the ark hierarchy.

      If the value for a file that is added should be changed, please reply
      with a better option.

      ~~~
      Symbol: NETFILTER_XTABLES_LEGACY [=n]
      Type : bool
      Defined at net/netfilter/Kconfig:761
      Prompt: Netfilter legacy tables support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && !PREEMPT_RT [=n]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> Netfilter legacy tables support (NETFILTER_XTABLES_LEGACY [=n])

      ~~~
      Commit: 9fce66583f06 (netfilter: Exclude LEGACY TABLES on PREEMPT_RT.)

      ~~~
      Symbol: NETFILTER_XT_NAT [=n]
      Type : tristate
      Defined at net/netfilter/Kconfig:988
      Prompt: "SNAT and DNAT" targets support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_NAT [=m]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> "SNAT and DNAT" targets support (NETFILTER_XT_NAT [=n])
      Selected by [n]:

      • IP_NF_NAT [=n] && NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && NF_CONNTRACK [=m] && IP_NF_IPTABLES_LEGACY [=n]
      • IP6_NF_NAT [=n] && NET [=y] && INET [=y] && IPV6 [=y] && NETFILTER [=y] && IP6_NF_IPTABLES [=m] && NF_CONNTRACK [=m] && NETFILTER_ADVANCED [=y] && IP6_NF_IPTABLES_LEGACY [=n]

      ~~~
      Commit: 84a59ca55f69 (netfilter: add explicit Kconfig for NETFILTER_XT_NAT)

      ~~~
      Symbol: NETFILTER_XT_TARGET_HL [=n]
      Type : tristate
      Defined at net/netfilter/Kconfig:903
      Prompt: "HL" hoplimit target support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && (IP_NF_MANGLE [=n] || IP6_NF_MANGLE [=n] || NFT_COMPAT [=m]) && NETFILTER_ADVANCED [=y]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> "HL" hoplimit target support (NETFILTER_XT_TARGET_HL [=n])
      Selected by [n]:

      • IP_NF_TARGET_TTL [=n] && NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && NETFILTER_ADVANCED [=y] && IP_NF_MANGLE [=n]
      • IP6_NF_TARGET_HL [=n] && NET [=y] && INET [=y] && IPV6 [=y] && NETFILTER [=y] && IP6_NF_IPTABLES [=m] && NETFILTER_ADVANCED [=y] && IP6_NF_MANGLE [=n]

      ~~~
      Commit: 563d36eb3fb2 (netfilter: Combine ipt_TTL and ip6t_HL source)

      ~~~
      Symbol: NETFILTER_XT_TARGET_MASQUERADE [=n]
      Type : tristate
      Defined at net/netfilter/Kconfig:1057
      Prompt: MASQUERADE target support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_NAT [=m]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> MASQUERADE target support (NETFILTER_XT_TARGET_MASQUERADE [=n])
      Selects: NF_NAT_MASQUERADE [=y]
      Selected by [n]:

      • IP_NF_TARGET_MASQUERADE [=n] && NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && IP_NF_NAT [=n]
      • IP6_NF_TARGET_MASQUERADE [=n] && NET [=y] && INET [=y] && IPV6 [=y] && NETFILTER [=y] && IP6_NF_IPTABLES [=m] && IP6_NF_NAT [=n]

      ~~~
      Commit: adf82accc5f5 (netfilter: x_tables: merge ip and ipv6 masquerade modules)

      ~~~
      Symbol: NETFILTER_XT_TARGET_NETMAP [=n]
      Type : tristate
      Defined at net/netfilter/Kconfig:996
      Prompt: "NETMAP" target support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_NAT [=m]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> "NETMAP" target support (NETFILTER_XT_TARGET_NETMAP [=n])
      Selected by [n]:

      • IP_NF_TARGET_NETMAP [=n] && NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && IP_NF_NAT [=n] && NETFILTER_ADVANCED [=y]

      ~~~
      Commit: b3d54b3e406b (netfilter: combine ipt_NETMAP and ip6t_NETMAP)

      ~~~
      Symbol: NETFILTER_XT_TARGET_REDIRECT [=n]
      Type : tristate
      Defined at net/netfilter/Kconfig:1045
      Prompt: REDIRECT target support
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_NAT [=m]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
      -> REDIRECT target support (NETFILTER_XT_TARGET_REDIRECT [=n])
      Selects: NF_NAT_REDIRECT [=y]
      Selected by [n]:

      • IP_NF_TARGET_REDIRECT [=n] && NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && IP_NF_NAT [=n] && NETFILTER_ADVANCED [=y]

      ~~~
      Commit: 2cbc78a29e76 (netfilter: combine ipt_REDIRECT and ip6t_REDIRECT)

      ~~~
      Symbol: NFT_EXTHDR_DCCP [=n]
      Type : bool
      Defined at net/netfilter/Kconfig:509
      Prompt: Netfilter nf_tables exthdr DCCP support (DEPRECATED)
      Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_TABLES [=m]
      Location:
      -> Networking support (NET [=y])
      -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
      -> Core Netfilter Configuration
      -> Netfilter nf_tables support (NF_TABLES [=m])
      -> Netfilter nf_tables exthdr DCCP support (DEPRECATED) (NFT_EXTHDR_DCCP [=n])

      ~~~
      Commit: fd72f265bb00 (netfilter: conntrack: remove DCCP protocol support)

      See Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/4047

              nst-kernel-bugs nst-kernel-bugs
              gitlab-jira Gitlab-jira-bot Gitlab-redhat