Date:   Thu, 2 May 2019 13:31:51 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Florian Westphal <fw@...len.de>
Cc:     Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        Kristian Evensen <kristian.evensen@...il.com>,
        Netfilter Development Mailing list 
        <netfilter-devel@...r.kernel.org>,
        David Miller <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote:
> Nicolas Dichtel <nicolas.dichtel@...nd.com> wrote:
> > I understand your point, but this is a regression. Ignoring a field/attribute of
> > a netlink message is part of the uAPI. This field exists for more than a decade
> > (probably two), so you cannot just use it because nobody was using it. Just see
> > all discussions about strict validation of netlink messages.
> > Moreover, the conntrack tool exists also for ages and is an official tool.
> 
> FWIW I agree with Nicolas, we should restore old behaviour and flush
> everything when AF_INET is given.  We can add new netlink attr to
> restrict this.

Let's use nfgenmsg->version for this. This is so far set to zero. We
can just update userspace to set it to 1, so family is used.

The version field in the kernel side is ignored so far, so this should
be enough. So we avoid that extra netlink attribute.
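The following is an added example, not code from this thread or from the netfilter tree. It models the scheme proposed above: a ctnetlink flush request (IPCTNL_MSG_CT_DELETE with no tuple attributes) keeps flushing every entry when nfgenmsg->version is 0, which is what every existing conntrack binary sends, and honours nfgenmsg->nfgen_family as a filter only once userspace sets version to 1. Struct layouts and constants mirror the Linux uAPI but are declared locally so the file builds without kernel headers; build_ct_flush() and ct_flush_scope() are hypothetical names, and rejecting versions above 1 is this example's choice, not something the thread decides.

```c
/*
 * Added example modelling the nfgenmsg->version proposal; not netfilter code.
 * Layouts and constants copied from the Linux uAPI so no kernel headers are needed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlmsghdr {            /* linux/netlink.h layout, 16 bytes */
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct nfgenmsg {            /* linux/netfilter/nfnetlink.h layout, 4 bytes */
    uint8_t  nfgen_family;   /* NFPROTO_*; the conntrack tool sends AF_INET here */
    uint8_t  version;        /* always 0 so far and ignored by the kernel */
    uint16_t res_id;
};

enum { NLM_F_REQUEST = 0x01, NLM_F_ACK = 0x04 };
enum { NFNL_SUBSYS_CTNETLINK = 1, IPCTNL_MSG_CT_DELETE = 2 };
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 };

#define NLMSG_ALIGN(len)  (((len) + 3u) & ~3u)
#define NLMSG_HDRLEN      NLMSG_ALIGN(sizeof(struct nlmsghdr))
#define NFNL_SUBSYS_ID(t) ((t) >> 8)
#define NFNL_MSG_TYPE(t)  ((t) & 0xff)

enum flush_scope { FLUSH_INVALID = -1, FLUSH_ALL = 0, FLUSH_FAMILY = 1 };

/* Userspace side (hypothetical helper): serialise a flush request into buf.
 * Returns bytes written, or 0 if buf is too small.  Uses memcpy so buf need
 * not be 4-byte aligned. */
size_t build_ct_flush(uint8_t *buf, size_t cap, uint8_t family, uint8_t version)
{
    size_t len = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nfgenmsg));
    struct nlmsghdr nlh = {0};
    struct nfgenmsg nfmsg = {0};

    if (cap < len)
        return 0;
    nlh.nlmsg_len   = (uint32_t)len;
    nlh.nlmsg_type  = (uint16_t)((NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE);
    nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh.nlmsg_seq   = 1;
    nfmsg.nfgen_family = family;
    nfmsg.version      = version;   /* 0: legacy semantics, 1: family is a filter */

    memset(buf, 0, len);
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + NLMSG_HDRLEN, &nfmsg, sizeof nfmsg);
    return len;
}

/* Kernel side (hypothetical helper): decide what a flush request covers.
 * On FLUSH_FAMILY the family to restrict to is stored in *family_out. */
int ct_flush_scope(const uint8_t *buf, size_t len, uint8_t *family_out)
{
    struct nlmsghdr nlh;
    struct nfgenmsg nfmsg;

    if (len < NLMSG_HDRLEN + sizeof nfmsg)
        return FLUSH_INVALID;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len < NLMSG_HDRLEN + sizeof nfmsg || nlh.nlmsg_len > len)
        return FLUSH_INVALID;
    if (NFNL_SUBSYS_ID(nlh.nlmsg_type) != NFNL_SUBSYS_CTNETLINK ||
        NFNL_MSG_TYPE(nlh.nlmsg_type) != IPCTNL_MSG_CT_DELETE)
        return FLUSH_INVALID;
    memcpy(&nfmsg, buf + NLMSG_HDRLEN, sizeof nfmsg);

    switch (nfmsg.version) {
    case 0:
        /* Pre-existing userspace: family was never consulted, keep flushing all. */
        return FLUSH_ALL;
    case 1:
        /* Opted-in userspace: family filters; NFPROTO_UNSPEC still means all. */
        if (nfmsg.nfgen_family == NFPROTO_UNSPEC)
            return FLUSH_ALL;
        *family_out = nfmsg.nfgen_family;
        return FLUSH_FAMILY;
    default:
        /* Unknown version: reject rather than guess (this example's choice). */
        return FLUSH_INVALID;
    }
}

int main(void)
{
    uint8_t buf[32], fam = 0;
    uint8_t versions[] = {0, 1};
    for (size_t i = 0; i < 2; i++) {
        size_t n = build_ct_flush(buf, sizeof buf, NFPROTO_IPV4, versions[i]);
        int scope = ct_flush_scope(buf, n, &fam);
        printf("version %u, family AF_INET -> %s\n", (unsigned)versions[i],
               scope == FLUSH_FAMILY ? "flush one family" : "flush all");
    }
    return 0;
}
```

The point the example makes concrete is the compatibility argument from the thread: because the kernel has never looked at nfgenmsg->version, a version 0 request from an old conntrack binary is indistinguishable from today's traffic and must keep its old meaning, while a client that wants per-family flushing has to say so explicitly by bumping version instead of the kernel inferring intent from a field that was previously ignored.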
