Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 02, 2019 at 02:56:42PM +0200, Nicolas Dichtel wrote:
> Le 02/05/2019 à 13:31, Pablo Neira Ayuso a écrit :
> > On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote:
> >> Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx> wrote:
> >>> I understand your point, but this is a regression. Ignoring a field/attribute of
> >>> a netlink message is part of the uAPI. This field exists for more than a decade
> >>> (probably two), so you cannot just use it because nobody was using it. Just see
> >>> all discussions about strict validation of netlink messages.
> >>> Moreover, the conntrack tool exists also for ages and is an official tool.
> >>
> >> FWIW I agree with Nicolas, we should restore old behaviour and flush
> >> everything when AF_INET is given.  We can add new netlink attr to
> >> restrict this.
> > 
> > Let's use nfgenmsg->version for this. This is so far set to zero. We
> > can just update userspace to set it to 1, so family is used.
> > 
> > The version field in the kernel size is ignored so far, so this should
> > be enough. So we avoid that extract netlink attribute.
>
> Why making such a hack? If any userspace app set this field (simply because it's
> not initialized), it will show up a new regression.
> What is the problem of adding another attribute?

The version field was meant to deal with this case.

It has been not unused so far because we had no good reason.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux