On Monday 2021-04-26 12:14, Florian Westphal wrote:
>The compat layer needs to parse untrusted input (the ruleset)
>to translate it to a 64bit compatible format.
>
>We had a number of bugs in this department in the past, so allow users
>to turn this feature off.
>
>+++ b/include/linux/netfilter/x_tables.h
>@@ -158,7 +158,7 @@ struct xt_match {
> 
> /* Called when entry of this type deleted. */
> void (*destroy)(const struct xt_mtdtor_param *);
>-#ifdef CONFIG_COMPAT
>+#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
> /* Called when userspace align differs from kernel space one */
> void (*compat_from_user)(void *dst, const void *src);
> int (*compat_to_user)(void __user *dst, const void *src);

There are not a lot of '\.compat_to_user' instances anymore.
It would appear we managed to throw out most of the flexing structs
over the past 15 years.

Perhaps the remaining one (struct xt_rateinfo) could be respecified
as a v1, with the plan to ditch the v0. Then the entire xtables_compat
code could go as well.
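Review bot: switching the guard around compat_from_user/compat_to_user in struct xt_match from CONFIG_COMPAT to CONFIG_NETFILTER_XTABLES_COMPAT is only safe if every consumer of those members (the match/target definitions that set them and the helpers that call them) moves to the same new guard; any site left under a plain `#ifdef CONFIG_COMPAT` would reference members that no longer exist when CONFIG_COMPAT=y and the new option is disabled. The hunk shows only the header change, so the Kconfig symbol and its default are not visible here; since the stated motivation is that this path parses an untrusted ruleset, the Kconfig help text should say so explicitly, so that people choosing the default understand what attack surface the option removes.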