lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20191217213904.sqvvg7ljiibdt3xi@salvia>
Date:   Tue, 17 Dec 2019 22:39:04 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Simon Horman <simon.horman@...ronome.com>
Cc:     Xin Long <lucien.xin@...il.com>,
        network dev <netdev@...r.kernel.org>,
        netfilter-devel@...r.kernel.org, davem <davem@...emloft.net>
Subject: Re: [PATCH nf-next 1/7] netfilter: nft_tunnel: parse ERSPAN_VERSION
 attr as u8

Hi Simon,

On Fri, Dec 13, 2019 at 10:30:26AM +0100, Simon Horman wrote:
> On Tue, Dec 10, 2019 at 12:05:15PM +0800, Xin Long wrote:
> > On Tue, Dec 10, 2019 at 4:03 AM Simon Horman <simon.horman@...ronome.com> wrote:
> > >
> > > Hi Xin,
> > >
> > > On Sun, Dec 08, 2019 at 12:41:31PM +0800, Xin Long wrote:
> > > > To keep consistent with ipgre_policy, it's better to parse
> > > > ERSPAN_VERSION attr as u8, as it does in act_tunnel_key,
> > > > cls_flower and ip_tunnel_core.
> > > >
> > > > Signed-off-by: Xin Long <lucien.xin@...il.com>
> > > > ---
> > > >  net/netfilter/nft_tunnel.c | 5 +++--
> > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > > > index 3d4c2ae..f76cd7d 100644
> > > > --- a/net/netfilter/nft_tunnel.c
> > > > +++ b/net/netfilter/nft_tunnel.c
> > > > @@ -248,8 +248,9 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
> > > >  }
> > > >
> > > >  static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_VERSION]        = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]       = { .type = NLA_U32 },
> > > > -     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
> > > > +     [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]         = { .type = NLA_U8 },
> > > >       [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]        = { .type = NLA_U8 },
> > > >  };
> > > >
> > > > @@ -266,7 +267,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
> > > >       if (err < 0)
> > > >               return err;
> > > >
> > > > -     version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
> > > > +     version = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]);
> > >
> > > I have concerns about this change and backwards-compatibility with existing
> > > users of this UAPI. Likewise, with other changes to the encoding of existing
> > > attributes elsewhere in this series.
> >
> > userspace(nftables/libnftnl) is not ready for nft_tunnel, I don't
> > think there will be any backwards-compatibility issue.
> > 
> > Pablo?
> 
> Thanks, I'm happy to defer to Pablo on this question.

I agree with Xin. This uapi is not in good shape and there is no
upstream userspace code for this, no nftables support for this yet.
In this particular case I'm inclined to fix uapi, better sooner than
never.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ