On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote:
> Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx> wrote:
> > I understand your point, but this is a regression. Ignoring a field/attribute of
> > a netlink message is part of the uAPI. This field exists for more than a decade
> > (probably two), so you cannot just use it because nobody was using it. Just see
> > all discussions about strict validation of netlink messages.
> > Moreover, the conntrack tool exists also for ages and is an official tool.
>
> FWIW I agree with Nicolas, we should restore old behaviour and flush
> everything when AF_INET is given. We can add new netlink attr to
> restrict this.

Let's use nfgenmsg->version for this. This is so far set to zero. We can
just update userspace to set it to 1, so family is used. The version field
on the kernel side is ignored so far, so this should be enough. So we avoid
that extra netlink attribute.
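The compatibility scheme sketched in this message (keep flushing everything when nfgenmsg->version is 0, honour nfgen_family only when userspace sets version to 1) is shown below as an added example. It is illustrative code written for this thread, not the kernel's or conntrack-tools' own implementation. The struct nfgenmsg layout is reproduced from <linux/netfilter/nfnetlink.h> so it builds without kernel headers; the NFNL_VERSION_* names, the FLUSH_* scope values, and the two helper functions are assumptions for the example.

```c
#include <arpa/inet.h>   /* htons */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_UNSPEC, AF_INET, AF_INET6 */

/* Layout of struct nfgenmsg as in <linux/netfilter/nfnetlink.h>. */
struct nfgenmsg {
    uint8_t  nfgen_family;   /* AF_xxx */
    uint8_t  version;        /* nfnetlink version, historically always 0 */
    uint16_t res_id;         /* resource id, big-endian on the wire */
};

/* Hypothetical names for the example: version 0 is the legacy value,
 * version 1 means "the family field is meaningful". */
#define NFNL_VERSION_LEGACY 0
#define NFNL_VERSION_FAMILY 1

/* Scope of a conntrack flush, as a bitmask (example-only values). */
enum { FLUSH_IPV4 = 1u, FLUSH_IPV6 = 2u, FLUSH_ALL = FLUSH_IPV4 | FLUSH_IPV6 };

/* Userspace side: fill a flush request header. A caller that wants the
 * old behaviour keeps version 0; one that wants a per-family flush sets
 * version 1 together with the family. Returns the header length. */
size_t build_flush_hdr(struct nfgenmsg *hdr, int family, uint8_t version)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->nfgen_family = (uint8_t)family;
    hdr->version      = version;
    hdr->res_id       = htons(0);
    return sizeof(*hdr);
}

/* Kernel side: decide what a flush request covers. A version-0 message
 * is treated exactly as before the regression (family ignored, flush
 * everything), so old binaries keep their behaviour; only a version-1
 * message restricts the flush to the family it names. */
unsigned int flush_scope(const struct nfgenmsg *hdr)
{
    if (hdr->version == NFNL_VERSION_LEGACY)
        return FLUSH_ALL;

    switch (hdr->nfgen_family) {
    case AF_INET:
        return FLUSH_IPV4;
    case AF_INET6:
        return FLUSH_IPV6;
    default:             /* AF_UNSPEC or anything unknown: flush all */
        return FLUSH_ALL;
    }
}

int main(void)
{
    struct nfgenmsg legacy, v1;

    build_flush_hdr(&legacy, AF_INET, NFNL_VERSION_LEGACY);
    build_flush_hdr(&v1, AF_INET, NFNL_VERSION_FAMILY);

    printf("version 0, AF_INET -> scope %u (expect %u: flush all)\n",
           flush_scope(&legacy), (unsigned)FLUSH_ALL);
    printf("version 1, AF_INET -> scope %u (expect %u: IPv4 only)\n",
           flush_scope(&v1), (unsigned)FLUSH_IPV4);
    return 0;
}
```

The point of the split is that the wire format does not change: an old conntrack binary that never touched the version byte still sends 0 and still gets a full flush, while a rebuilt userspace opts in to the narrower semantics by setting one byte that was already part of the header.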