On Tue, Mar 25, 2014 at 09:41:31AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 25, 2014 at 09:37:24AM +0200, Tomasz Bursztyka wrote:
> > Hi Pablo,
> >
> > > I sent you a patch, I think it's better if we fix this from
> > > kernel-space.
> >
> > I think it's also good if we check the length when parsing, as Giuseppe did.
> > Then it reduces the overhead: the error is detected way before we
> > process anything through netlink.
>
> This is an error case, I don't think we should focus on reducing
> overhead in those scenarios.

Just to extend this. I prefer that this limit is also set in kernel space so,
in case we ever remove it, we won't have to wait until a new nft userspace
tool version is released.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html