Re: [PATCH nf-next 1/7] netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Tue, 17 Dec 2019 22:39:04 +0100

Hi Simon,

On Fri, Dec 13, 2019 at 10:30:26AM +0100, Simon Horman wrote:
> On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote:
> > On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@xxxxxxxxxxxxx> wrote:
> > >
> > > Hi Xin,
> > >
> > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > > > To keep consistent with ipgre_policy, it's better to parse
> > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > > > cls_flower and ip_tunnel_core.
> > > >
> > > > Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> > > > ---
> > > >  net/netfilter/nft_tunnel.c | 5 +++--
> > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > > > index 3d4c2ae..f76cd7d 100644
> > > > --- a/net/netfilter/nft_tunnel.c
> > > > +++ b/net/netfilter/nft_tunnel.c
> > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> > > >  }
> > > >
> > > >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > > > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> > > >  };
> > > >
> > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> > > >       if (err < 0)
> > > >               return err;
> > > >
> > > > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > > > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
> > >
> > > I have concerns about this change and backwards-compatibility with existing
> > > users of this UAPI. Likewise, with other changes to the encoding of existing
> > > attributes elsewhere in this series.
> >
> > userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't
> > think there will be any backwards-compatibility issue.
> > 
> > Pablo?
> 
> Thanks, I'm happy to defer to Pablo on this question.

I agree with Xin. This uapi is not in good shape and there is no
upstream userspace code for this, no nftables support for this yet.
In this particular case I'm inclined to fix uapi, better sooner than
never.

Thanks.