[OS-BUILD PATCHv2] Revert "redhat: configs: Disable xtables and ipset"

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

Revert "redhat: configs: Disable xtables and ipset"

This reverts commit ebafea5303ae22b582590917be79c10f073d76fe.

It seems kernel-ark config is used for libvirt testing with upstream
kernels. Libvirt still requires iptables, though. So revert this for
now.

Contrary to reverted commit ebafea5303ae2, it is not sufficient to
remove the disabling config snippets as the respective enabling ones
have been moved from 'common' space to 'fedora'. Move them back.

Add the restored modules to kernel-modules-extra package instead of
kernel-modules-core.

Signed-off-by: Phil Sutter 

diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_BRIDGE_NETFILTER is not set
diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_BRIDGE_NF_EBTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP6_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_NF_ARPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_SET 
b/redhat/configs/ark/generic/CONFIG_IP_SET
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_SET
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_SET is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES 
b/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_NETFILTER_XTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NFT_COMPAT 
b/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_NFT_COMPAT is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS 
b/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_NF_CONNTRACK_LABELS=y
diff --git a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER 
b/redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
rename from redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER
rename to redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER
+++ b/redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
diff --git a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES 
b/redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
rename from redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES
rename to redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES
+++ b/redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
diff --git a/redhat/configs/fedora/generic/CONFIG_IP6_NF_IPTABLES 
b/redhat/configs/common/generic/CONFIG_IP6_NF_IPTABLES
rename from redhat/configs/fedora/generic/CONFIG_IP6_NF_IPTABLES
rename to redhat/configs/common/generic/CONFIG_IP6_NF_IPTABLES
index blahblah..blahblah 100644

Re: [OS-BUILD PATCH] Revert "redhat: configs: Disable xtables and ipset"

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2267#note_1255774113

OK, I'll respin adding the relevant modules to mod-extra.list.rhel.
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: [OS-BUILD PATCH] Revert "redhat: configs: Disable xtables and ipset"

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2267#note_1253667037

@jtoppins_redhat firewalld does support nft backend, it's the default in RHEL9
IIRC. I guess this is mostly about libvirt migration not being complete.

Maybe moving the modules to kernel-modules-extra could be an option?
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[OS-BUILD PATCH] Revert "redhat: configs: Disable xtables and ipset"

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

Revert "redhat: configs: Disable xtables and ipset"

This reverts commit ebafea5303ae22b582590917be79c10f073d76fe.

It seems kernel-ark config is used for libvirt testing with upstream
kernels. Libvirt still requires iptables, though. So revert this for
now.

Contrary to reverted commit ebafea5303ae2, it is not sufficient to
remove the disabling config snippets as the respective enabling ones
have been moved from 'common' space to 'fedora'. Move them back.

Signed-off-by: Phil Sutter 

diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_BRIDGE_NETFILTER is not set
diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_BRIDGE_NF_EBTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP6_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_NF_ARPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_SET 
b/redhat/configs/ark/generic/CONFIG_IP_SET
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IP_SET
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_IP_SET is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES 
b/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_NETFILTER_XTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NFT_COMPAT 
b/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
+++ /dev/null
@@ -1,2 +0,0 @@
-# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
-# CONFIG_NFT_COMPAT is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS 
b/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_NF_CONNTRACK_LABELS=y
diff --git a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER 
b/redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
rename from redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER
rename to redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NETFILTER
+++ b/redhat/configs/common/generic/CONFIG_BRIDGE_NETFILTER
diff --git a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES 
b/redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
rename from redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES
rename to redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_BRIDGE_NF_EBTABLES
+++ b/redhat/configs/common/generic/CONFIG_BRIDGE_NF_EBTABLES
diff --git a/redhat/configs/fedora/generic/CONFIG_IP6_NF_IPTABLES 
b/redhat/configs/common/generic/CONFIG_IP6_NF_IPTABLES
rename from redhat/configs/fedora/generic/CONFIG_IP6_NF_IPTABLES
rename to redhat/configs/common/generic/CONFIG_IP6_NF_IPTABLES
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_IP6_NF_IPTABLES
+++ 

[OS-BUILD PATCHv4 2/2] redhat: configs: Disable xtables and ipset

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

redhat: configs: Disable xtables and ipset

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only

These drivers have been deprecated with RHEL9, so with RHEL10 it is time
to remove them:

- CONFIG_BRIDGE_NF_EBTABLES
- CONFIG_IP6_NF_IPTABLES
- CONFIG_IP_NF_ARPTABLES
- CONFIG_IP_NF_IPTABLES
- CONFIG_IP_SET
- CONFIG_NFT_COMPAT

Enable previous selected symbols to reduce impact to deprecated symbols:

- CONFIG_NF_CONNTRACK_LABELS

Drop symbols not used anymore:

- CONFIG_NETFILTER_XTABLES
- CONFIG_BRIDGE_NETFILTER

diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER
@@ -0,0 +1 @@
+# CONFIG_BRIDGE_NETFILTER is not set
diff --git a/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES 
b/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_BRIDGE_NF_EBTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_IP6_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_IP_NF_ARPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES 
b/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_IP_NF_IPTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_IP_SET 
b/redhat/configs/ark/generic/CONFIG_IP_SET
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_IP_SET
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_IP_SET is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES 
b/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES
@@ -0,0 +1 @@
+# CONFIG_NETFILTER_XTABLES is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NFT_COMPAT 
b/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_NFT_COMPAT
@@ -0,0 +1,2 @@
+# This CONFIG has been disabled in RHEL by RHEL Engineering. Please contact 
Red Hat Support for further assistance.
+# CONFIG_NFT_COMPAT is not set
diff --git a/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS 
b/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS
@@ -0,0 +1 @@
+CONFIG_NF_CONNTRACK_LABELS=y

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCHv4 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179

Upstream Status: RHEL-only

Tested: Ported patches to RHEL8 kernel tree (applied with minor conflicts) and
tested there. I gave up building kernel-ark in brew after several attempts
with changed options, always ending up in compiler errors.

Upon loading legacy xtables table modules or the nft compat module,
print a warning.

---
 include/linux/kernel.h|   2 ++
 kernel/rh_taint.c |  16 
 redhat/configs/ark/generic/CONFIG_BRIDGE_NETFILTER|   1 +
 redhat/configs/ark/generic/CONFIG_BRIDGE_NF_EBTABLES  |   2 ++
 redhat/configs/ark/generic/CONFIG_IP6_NF_IPTABLES |   2 ++
 redhat/configs/ark/generic/CONFIG_IP_NF_ARPTABLES |   2 ++
 redhat/configs/ark/generic/CONFIG_IP_NF_IPTABLES  |   2 ++
 redhat/configs/ark/generic/CONFIG_IP_SET  |   2 ++
 redhat/configs/ark/generic/CONFIG_NETFILTER_XTABLES   |   1 +
 redhat/configs/ark/generic/CONFIG_NFT_COMPAT  |   2 ++
 redhat/configs/ark/generic/CONFIG_NF_CONNTRACK_LABELS |   1 +
 11 files changed, 33 insertions(+), 0 deletions(-)
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_672685081

Cool, thanks for the review. I updated the RHEL9 MR already to face 9.0-beta
branch. Will rebase this one to only contain the first patch and a new one
disabling the relevant config symbols as discussed today.
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_672504614

OK, so I created another MR for rhel9 repo, aiming at 'main' branch. Is that
correct @prarit ? Or do we really use a separate tree for beta? There is
9.0-beta but it differs only in .gitlab-ci.yml file.
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_672477060

I see. So kernel-ark is collecting kernel changes for RHEL10 since RHEL9's
final rebase?
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_672309013

@prarit, are you OK with the new version?
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_669300506

Eric suggested to build from dist-git repo instead which actually worked
pretty well:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39538192

I tested the kernel in 1minutetip, kernel messages are printed upon loading of
ip_tables,
ip6_tables, ip_set and nft_compat modules.
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCHv3 2/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

netfilter: Add deprecation notices for xtables

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only

Upon loading legacy xtables table modules or the nft compat module,
print a warning indicating deprecation status.

Signed-off-by: Phil Sutter 

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index blahblah..blahblah 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2565,6 +2565,8 @@ static int __init ebtables_init(void)
 {
int ret;
 
+   mark_driver_deprecated("ebtables");
+
ret = xt_register_target(_standard_target);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1623,6 +1623,8 @@ static int __init arp_tables_init(void)
 {
int ret;
 
+   mark_driver_deprecated("arptables");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1902,6 +1902,8 @@ static int __init ip_tables_init(void)
 {
int ret;
 
+   mark_driver_deprecated("iptables");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index blahblah..blahblah 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1909,6 +1909,8 @@ static int __init ip6_tables_init(void)
 {
int ret;
 
+   mark_driver_deprecated("ip6tables");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index blahblah..blahblah 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -6,6 +6,8 @@
 
 /* Kernel module for IP set management */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -2362,8 +2364,11 @@ static struct pernet_operations ip_set_net_ops = {
 static int __init
 ip_set_init(void)
 {
-   int ret = register_pernet_subsys(_set_net_ops);
+   int ret;
+
+   mark_driver_deprecated("ipset");
 
+   ret = register_pernet_subsys(_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index blahblah..blahblah 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -5,6 +5,8 @@
  * This software has been sponsored by Sophos Astaro 
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -880,6 +882,8 @@ static int __init nft_compat_module_init(void)
 {
int ret;
 
+   mark_driver_deprecated("nft_compat");
+
ret = nft_register_expr(_match_type);
if (ret < 0)
return ret;

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCHv3 0/2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only
Tested: In local VM, using instructions from BZ.

Upon loading legacy xtables table modules or the nft compat module,
print a warning suggesting nftables.

---
 include/linux/kernel.h|   2 ++
 kernel/rh_taint.c |  16 
 net/bridge/netfilter/ebtables.c   |   2 ++
 net/ipv4/netfilter/arp_tables.c   |   2 ++
 net/ipv4/netfilter/ip_tables.c|   2 ++
 net/ipv6/netfilter/ip6_tables.c   |   2 ++
 net/netfilter/ipset/ip_set_core.c |   7 ++-
 net/netfilter/nft_compat.c|   4 
 8 files changed, 36 insertions(+), 1 deletions(-)
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: [OS-BUILD PATCHv2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226#note_619443260

Forgot the SoB (as usual).
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCHv2] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

netfilter: Add deprecation notices for xtables

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only

Upon loading legacy xtables table modules or the nft compat module,
print a warning suggesting nftables.

Signed-off-by: Phil Sutter 

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index blahblah..blahblah 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2484,6 +2484,9 @@ static int __init ebtables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = xt_register_target(_standard_target);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1623,6 +1623,9 @@ static int __init arp_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1902,6 +1902,9 @@ static int __init ip_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index blahblah..blahblah 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1909,6 +1909,9 @@ static int __init ip6_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index blahblah..blahblah 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -6,6 +6,8 @@
 
 /* Kernel module for IP set management */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -2362,8 +2364,12 @@ static struct pernet_operations ip_set_net_ops = {
 static int __init
 ip_set_init(void)
 {
-   int ret = register_pernet_subsys(_set_net_ops);
+   int ret;
+
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
 
+   ret = register_pernet_subsys(_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index blahblah..blahblah 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -5,6 +5,8 @@
  * This software has been sponsored by Sophos Astaro 
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -882,6 +884,9 @@ static int __init nft_compat_module_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = nft_register_expr(_match_type);
if (ret < 0)
return ret;

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCH] netfilter: Add deprecation notices for xtables

[Phil Sutter (via Email Bridge)]

From: Phil Sutter 

netfilter: Add deprecation notices for xtables

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945179
Upstream Status: RHEL-only

Upon loading legacy xtables table modules or the nft compat module,
print a warning suggesting nftables.

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index blahblah..blahblah 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2484,6 +2484,9 @@ static int __init ebtables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = xt_register_target(_standard_target);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1623,6 +1623,9 @@ static int __init arp_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index blahblah..blahblah 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1902,6 +1902,9 @@ static int __init ip_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index blahblah..blahblah 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1909,6 +1909,9 @@ static int __init ip6_tables_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = register_pernet_subsys(_tables_net_ops);
if (ret < 0)
goto err1;
diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index blahblah..blahblah 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -6,6 +6,8 @@
 
 /* Kernel module for IP set management */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -2362,8 +2364,12 @@ static struct pernet_operations ip_set_net_ops = {
 static int __init
 ip_set_init(void)
 {
-   int ret = register_pernet_subsys(_set_net_ops);
+   int ret;
+
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
 
+   ret = register_pernet_subsys(_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index blahblah..blahblah 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -5,6 +5,8 @@
  * This software has been sponsored by Sophos Astaro 
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include 
 #include 
 #include 
@@ -882,6 +884,9 @@ static int __init nft_compat_module_init(void)
 {
int ret;
 
+   pr_warn_ratelimited("This module is deprecated in Red Hat Enterprise 
Linux,\n"
+   "please use nftables instead 
(https://red.ht/nft_your_tables)\n");
+
ret = nft_register_expr(_match_type);
if (ret < 0)
return ret;

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1226
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure