lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 28 Apr 2019 14:21:38 +0800
From:   Hangbin Liu <>
To:     David Ahern <>
        Mateusz Bajorski <>,
        Thomas Haller <>
Subject: Why should we add duplicate rules without NLM_F_EXCL?

Hi David, Mateusz,

Kernel commit 153380ec4b9b ("fib_rules: Added NLM_F_EXCL support to
fib_nl_newrule") added a check and return -EEXIST if the rule is already
exist. With it the ip rule works as expected now.

But without NLM_F_EXCL people still could add duplicate rules. the result
looks like:

# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
100000: from lookup 5
100000: from lookup 5

The two same rules looks unreasonable. Do you know if there is a use case
that need this?

So how about just return directly if user add a exactally same rule, as if
we did an update, like:

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index ffbb827723a2..c49b752ea7eb 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -756,9 +756,9 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (err)
                goto errout;

-       if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
-           rule_exists(ops, frh, tb, rule)) {
-               err = -EEXIST;
+       if (rule_exists(ops, frh, tb, rule)) {
+               if (nlh->nlmsg_flags & NLM_F_EXCL)
+                       err = -EEXIST;
                goto errout_free;

What do you think?


Powered by blists - more mailing lists