On Tue, Dec 05, 2023 at 02:10:40PM +0100, Phil Sutter wrote:
> On Mon, Dec 04, 2023 at 03:05:45PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Dec 04, 2023 at 03:03:41PM +0100, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > Validate table family when looking up for it via NFTA_TABLE_HANDLE.
> > > >
> > > > Reported-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
> > > > Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
> > > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > > > ---
> > > > net/netfilter/nf_tables_api.c | 5 +++--
> > > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > This changes behaviour, before this change you can do
> > >
> > > nft delete table handle 42
> > >
> > > and it will delete the table with handle 42.
> >
> > Default family is 'ip' if not specified, that is inconsistent with
> > other objects?
>
> I would say the table's handle is a complete replacement of its family
> and name, also because it's pernet-unique.
Only tables and newer kernels >= 5.15 -stable, yes.
> Though looking at the docs, we surprisingly claim to support:
>
> | delete table [<family>] handle <handle>
For consistency with existing objects, yes.
> So either we accept user space is wrong and the family value doesn't
> matter there or we artificially limit table lookup by handle to the
> given family. IMHO either way kind of breaks user space.
>
> Off-topic here, but I would prefer for all handles to be pernet-unique
> so user space could 'nft delete <whatever> handle <handle>'. Why was a
> table-unique value chosen here?
