From: Phil Sutter <psutter(a)redhat.com>
netfilter: Add deprecation notices for xtables
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only
Upon loading legacy xtables table modules or the nft compat module,
print a warning suggesting nftables.
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index blahblah..blahblah 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2484,6 +2484,9 @@ static int __init ebtables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+
ret = xt_register_target(&ebt_standard_target);
if (ret < 0)
return ret;
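Review bot: The rate limit in `pr_warn_ratelimited()` in ebtables_init() has no effect as far as I can tell: the limiter state is a static object created at the call site, the init function runs once per module load, and a loadable module gets fresh static data on every load. A plain `pr_warn()` behaves the same and does not suggest a flood protection that is not there. I would also keep the text on one line, `pr_warn("This module is deprecated in Red Hat Enterprise Linux, please use nftables instead (https://red.ht/nft_your_tables)\n");`, so the module prefix and the advice land in a single log line that is easy to grep or alert on when inventorying hosts that still load legacy xtables. The same applies to the identical calls in arp_tables_init(), ip_tables_init(), ip6_tables_init(), ip_set_init() and nft_compat_module_init(); the body of ebtables_init() continues past the hunk.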
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1623,6 +1623,9 @@ static int __init arp_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&arp_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1902,6 +1902,9 @@ static int __init ip_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&ip_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index blahblah..blahblah 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1909,6 +1909,9 @@ static int __init ip6_tables_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(&ip6_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index blahblah..blahblah 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -6,6 +6,8 @@
/* Kernel module for IP set management */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
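Review bot: Defining `pr_fmt` here prefixes every pr_*() call in ip_set_core.c, and the `pr_err("ip_set: cannot register pernet_subsys.\n")` visible in the ip_set_init() hunk that follows already carries a hand-written prefix. That message would presumably come out as `ip_set: ip_set: cannot register pernet_subsys.` (assuming KBUILD_MODNAME expands to `ip_set`). The commit should drop the literal prefix there, `pr_err("cannot register pernet_subsys.\n");`, and check the remaining pr_*() calls in the file, which are outside this diff. The `pr_fmt` define added to nft_compat.c deserves the same check.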
@@ -2362,8 +2364,12 @@ static struct pernet_operations ip_set_net_ops = {
static int __init
ip_set_init(void)
{
- int ret = register_pernet_subsys(&ip_set_net_ops);
+ int ret;
+
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+ ret = register_pernet_subsys(&ip_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index blahblah..blahblah 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -5,6 +5,8 @@
* This software has been sponsored by Sophos Astaro <
http://www.sophos.com>
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
@@ -882,6 +884,9 @@ static int __init nft_compat_module_init(void)
{
int ret;
+ pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise
Linux,\n"
+ "please use nftables instead (
https://red.ht/nft_your_tables)\n");
+
ret = nft_register_expr(&nft_match_type);
if (ret < 0)
return ret;
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226