lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 29 Apr 2019 17:39:44 +0200
From:   Nicolas Dichtel <>
To:     Pablo Neira Ayuso <>
        Kristian Evensen <>,,
Subject: Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on

Le 29/04/2019 à 17:23, Pablo Neira Ayuso a écrit :
> On Mon, Apr 29, 2019 at 04:53:38PM +0200, Nicolas Dichtel wrote:
>> Le 26/04/2019 à 21:25, Pablo Neira Ayuso a écrit :
>>> On Thu, Apr 25, 2019 at 05:41:45PM +0200, Nicolas Dichtel wrote:
>>>> Le 25/04/2019 à 12:07, Nicolas Dichtel a écrit :
>>>> [snip]
>>>>> In fact, the conntrack tool set by default the family to AF_INET and forbid to
>>>>> set the family to something else (the '-f' option is not allowed for the command
>>>>> 'flush').
>>>> 'conntrack -D -f ipv6' will do the job, but this is still a regression.
>>> You mean, before this patch, flush was ignoring the family, and after
>>> Kristian's patch, it forces you to use NFPROTO_UNSPEC to achieve the
>>> same thing, right?
>> Before the patch, flush was ignoring the family, and after the patch, the flush
>> takes care of the family.
>> The conntrack tool has always set the family to AF_INET by default, thus, since
>> this patch, only ipv4 conntracks are flushed with 'conntrack -F':
> Thanks for explaining, what fix would you propose for this?
The least bad fix I see is adding a new attribute, something like
CTA_FLUSH_FAMILY, to be used by the flush filter (and ignoring struct
nfgenmsg->nfgen_family in this flush filter).
The drawback is that it will break the (relatively new) users of this feature
(the patch has been pushed in v4.20).


Powered by blists - more mailing lists