On Mon, Dec 04, 2023 at 03:05:45PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Dec 04, 2023 at 03:03:41PM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > Validate table family when looking up for it via NFTA_TABLE_HANDLE.
> > >
> > > Reported-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
> > > Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
> > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > > ---
> > > net/netfilter/nf_tables_api.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > This changes behaviour, before this change you can do
> >
> > nft delete table handle 42
> >
> > and it will delete the table with handle 42.
>
> Default family is 'ip' if not specified, that is inconsistent with
> other objects?
I would say the table's handle is a complete replacement of its family
and name, also because it's pernet-unique. Though looking at the docs,
we surprisingly claim to support:
| delete table [<family>] handle <handle>
So either we accept user space is wrong and the family value doesn't
matter there or we artificially limit table lookup by handle to the
given family. IMHO either way kind of breaks user space.
Off-topic here, but I would prefer for all handles to be pernet-unique
so user space could 'nft delete <whatever> handle <handle>'. Why was a
table-unique value chosen here?
Cheers, Phil
