Open Source and information security mailing list archives
Date: Sun, 28 Apr 2019 14:21:38 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: David Ahern <dsa@...ulusnetworks.com>
Cc: netdev@...r.kernel.org, Mateusz Bajorski <mateusz.bajorski@...ia.com>, Thomas Haller <thaller@...hat.com>
Subject: Why should we add duplicate rules without NLM_F_EXCL?

Hi David, Mateusz,

Kernel commit 153380ec4b9b ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule") added a check that returns -EEXIST if the rule already exists. With it, ip rule works as expected now. But without NLM_F_EXCL people could still add duplicate rules. The result looks like:

# ip rule
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
100000:	from 192.168.7.5 lookup 5
100000:	from 192.168.7.5 lookup 5

The two identical rules look unreasonable. Do you know if there is a use case that needs this?

So how about just returning directly if a user adds exactly the same rule, as if we did an update, like:

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index ffbb827723a2..c49b752ea7eb 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -756,9 +756,9 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err)
 		goto errout;
 
-	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
-	    rule_exists(ops, frh, tb, rule)) {
-		err = -EEXIST;
+	if (rule_exists(ops, frh, tb, rule)) {
+		if (nlh->nlmsg_flags & NLM_F_EXCL)
+			err = -EEXIST;
 		goto errout_free;
 	}
 

What do you think?

Thanks
Hangbin
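Review bot: in the proposed hunk the non-NLM_F_EXCL branch jumps to errout_free with whatever value err currently holds, so the intended "succeed as if updated" result relies on err still being zero after the preceding `if (err) goto errout;` rather than being stated; setting `err = 0;` explicitly in that branch (for example as an `else` to the `if (nlh->nlmsg_flags & NLM_F_EXCL)` test) would make the success return obvious and keep it correct if the code above the hunk later changes. The change is also user-visible: a caller that today ends up with two entries, as in the quoted `ip rule` listing, would get a success return without a second rule being inserted, so the patch needs a description that says so.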
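As an added example (not part of the message above or of the kernel patch), a small Python audit that parses `ip rule` output and reports any rule listed more than once, using the listing quoted in the message as constructed sample input; the same function can be run over the output of `ip rule` on a live host to spot duplicates that were added without NLM_F_EXCL.

```python
import re
from collections import Counter

# Constructed sample: the `ip rule` listing quoted in the message, including
# the priority-100000 rule that was added twice without NLM_F_EXCL.
SAMPLE_IP_RULE_OUTPUT = """\
0:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
100000:\tfrom 192.168.7.5 lookup 5
100000:\tfrom 192.168.7.5 lookup 5
"""

# One `ip rule` line: "<priority>:<whitespace><selector and action>"
RULE_RE = re.compile(r"^(?P<prio>\d+):\s*(?P<body>.*\S)\s*$")


def parse_ip_rules(text):
    """Turn `ip rule` output into a list of (priority, normalized body) tuples.

    The body is whitespace-normalized so that cosmetic differences in the
    listing (tabs versus spaces) cannot hide an otherwise exact duplicate.
    Blank or unexpected lines are skipped rather than treated as rules.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append((int(m.group("prio")), " ".join(m.group("body").split())))
    return rules


def find_duplicate_rules(text):
    """Return {(priority, body): count} for every rule that appears more than once."""
    counts = Counter(parse_ip_rules(text))
    return {rule: n for rule, n in counts.items() if n > 1}


if __name__ == "__main__":
    # On a live host replace SAMPLE_IP_RULE_OUTPUT with
    # subprocess.check_output(["ip", "rule"], text=True).
    for (prio, body), n in find_duplicate_rules(SAMPLE_IP_RULE_OUTPUT).items():
        print(f"duplicate rule '{prio}: {body}' present {n} times")
```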