Hi,

On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> > By calling nftnl_set_set(), any data size checks are effectively
> > bypassed. Better call nftnl_set_set_data() directly, passing the real
> > size for validation.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
>
> Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> Probably __attribute__((deprecated)) is better so we don't forget. Anyway,
> we can probably nuke this function in the next release.

But if we drop it, we break ABI, no? Sadly, nftables use(d) the symbol,
so we would break older nftables versions with the new libnftnl release.

Should I send a v2 setting __attribute__((deprecated))? I think it's
worth doing it.

Thanks, Phil
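
An added illustration, not part of the thread and not libnftnl code: a minimal C model of why a setter without a length argument cannot validate the caller's buffer, and how the old symbol can stay exported (keeping the ABI) while being marked deprecated. All names here (`struct set`, `set_set_data`, `set_set`, `ATTR_*`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of an attribute setter API; not libnftnl's code. */
enum { ATTR_FLAGS, ATTR_KEY_LEN, ATTR_MAX };
struct set { uint32_t val[ATTR_MAX]; };

/* Expected payload size for each attribute. */
static const size_t attr_size[ATTR_MAX] = {
    [ATTR_FLAGS]   = sizeof(uint32_t),
    [ATTR_KEY_LEN] = sizeof(uint32_t),
};

/* Size-checked setter: the caller states how many bytes it really has. */
int set_set_data(struct set *s, unsigned attr, const void *data, size_t len)
{
    if (attr >= ATTR_MAX || len != attr_size[attr])
        return -1;                      /* mismatch is rejected, nothing copied */
    memcpy(&s->val[attr], data, len);
    return 0;
}

/* Legacy wrapper, kept so existing binaries still resolve the symbol.
 * It has no length to check, so it supplies the expected size itself and
 * the comparison above can never fail. New callers get a compiler warning. */
__attribute__((deprecated("use set_set_data() and pass the real size")))
int set_set(struct set *s, unsigned attr, const void *data)
{
    if (attr >= ATTR_MAX)
        return -1;
    return set_set_data(s, attr, data, attr_size[attr]);
}

/* Constructed caller bug: a 16-bit value passed for a 32-bit attribute.
 * The value sits in a 4-byte array so the over-long copy stays in bounds. */
static const uint16_t pair[2] = { 80, 0xdead };

int checked_call(struct set *s)
{
    return set_set_data(s, ATTR_KEY_LEN, &pair[0], sizeof(pair[0]));
}

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
int legacy_call(struct set *s)          /* stands in for an old, unrebuilt caller */
{
    return set_set(s, ATTR_KEY_LEN, &pair[0]);
}
#pragma GCC diagnostic pop
```

With the checked setter the size mismatch is reported to the caller; through the legacy wrapper the same call succeeds and stores the neighbouring bytes along with the intended value.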