On Fri, Jun 22, 2018 at 11:53:44AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jun 22, 2018 at 11:45:12AM +0200, Máté Eckl wrote:
> [...]
> > >	if (skb->protocol != htons(ETH_P_IP))
> > >		... break verdict ...
> > >
> > which is actually needed for safety reasons.
> >
> > This is something that should appear in the eval function right?
>
> Also in the kernel for safety reasons.

I meant the kernel eval function (which evaluates packets against rules).

> > Isn't it the same as what I added there?
>
> This is needed because someone may use the raw kernel netlink
> interface (not libnftnl / nftables) to generate an incorrect
> combination such as allow IPv6 to be passed to tproxy in IPV4 mode
> which may crash the kernel.
>
> Well, it may be just result in a packet drop, but better be safe than
> sorry.

The code snippet included in my previous email was also from the kernel code and it seems to provide the same check as the 'if' you suggested.
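As an added stand-alone example (not the kernel's nft_tproxy code and not part of this thread), the C model below shows the eval-time check under discussion: a rule whose configured family does not match the packet's EtherType breaks before the family-specific tproxy handler is reached, whatever userspace validated. The enum names, struct layouts and the `tproxy_eval` / `eval_packet` functions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Constructed model of the eval-time protocol check from the thread.
 * Not the kernel's nft_tproxy code: names and layout are simplified. */
#define ETH_P_IP   0x0800 /* EtherType values, as in the kernel uapi */
#define ETH_P_IPV6 0x86DD

enum rule_family { FAMILY_IPV4, FAMILY_IPV6, FAMILY_INET };
enum verdict { VERDICT_CONTINUE, VERDICT_BREAK };
struct skb { uint16_t protocol; }; /* stand-in for sk_buff: network-order EtherType */
struct tproxy_rule {
	enum rule_family family; /* mode fixed at rule creation, possibly via raw netlink */
	int handler_calls;       /* entries into the family-specific handler */
};
/* Userspace (libnftnl/nft) may validate the rule, but a raw netlink user can
 * still install an IPv4-mode rule where IPv6 packets arrive, so the family is
 * re-checked per packet before the family-specific tproxy code runs. */
static enum verdict tproxy_eval(struct tproxy_rule *r, const struct skb *skb)
{
	int is_v4 = skb->protocol == htons(ETH_P_IP);
	int is_v6 = skb->protocol == htons(ETH_P_IPV6);
	if ((r->family == FAMILY_IPV4 && !is_v4) ||
	    (r->family == FAMILY_IPV6 && !is_v6) ||
	    (r->family == FAMILY_INET && !is_v4 && !is_v6))
		return VERDICT_BREAK; /* wrong family: break, never reach the handler */
	r->handler_calls++;           /* stands in for the family-specific tproxy handler */
	return VERDICT_CONTINUE;
}

/* Install a rule in the given mode and evaluate one packet with the given
 * host-order EtherType; reports the verdict and how often the handler ran. */
enum verdict eval_packet(enum rule_family family, uint16_t ethertype, int *handler_calls)
{
	struct tproxy_rule r = { family, 0 };
	struct skb skb = { htons(ethertype) };
	enum verdict v = tproxy_eval(&r, &skb);
	*handler_calls = r.handler_calls;
	return v;
}

int main(void)
{
	int calls;
	enum verdict v = eval_packet(FAMILY_IPV4, ETH_P_IPV6, &calls);
	printf("IPv4-mode rule, IPv6 packet: %s (handler calls: %d)\n", v == VERDICT_BREAK ? "break" : "continue", calls);
	return 0;
}
```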