On Thu, May 22, 2025 at 04:52:23PM +0200, Pablo Neira Ayuso wrote:
> The DCCP socket family has now been removed from this tree, see:
>
>   8bb3212be4b4 ("Merge branch 'net-retire-dccp-socket'")
>
> Remove connection tracking and NAT support for this protocol, this
> should not pose a problem because no DCCP traffic is expected to be seen
> on the wire.
>
> As for the code for matching on dccp header for iptables and nftables,
> mark it as deprecated and keep it in place. Ruleset restoration is an
> atomic operation. Without dccp matching support, an astray match on dccp
> could break this operation leaving your computer with no policy in
> place, so let's follow a more conservative approach for matches.
>
> Add CONFIG_NFT_EXTHDR_DCCP which is set to 'n' by default to deprecate
> dccp extension support. Similarly, label CONFIG_NETFILTER_XT_MATCH_DCCP
> as deprecated too and also set it to 'n' by default.
>
> Code to match on DCCP protocol from ebtables also remains in place, this
> is just a few checks on IPPROTO_DCCP from _check() path which is
> exercised when ruleset is loaded. There is another use of IPPROTO_DCCP
> from the _check() path in the iptables multiport match. Another check
> for IPPROTO_DCCP from the packet in the reject target is also removed.
>
> So let's schedule removal of the dccp matching for a second stage, this
> should not interfer with the dccp retirement since this is only matching

nit: interfere

> on the dccp header.
>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: Simon Horman <horms@xxxxxxxxxx>
> Cc: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v2: remove superfluous exception with ct expectation objects.

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>