Date:   Thu, 4 Aug 2022 02:11:17 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Paolo Abeni <pabeni@...hat.com>, Vlad Buslov <vladbu@...dia.com>,
        Oz Shlomo <ozsh@...dia.com>, kuba@...nel.org,
        davem@...emloft.net, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Networking for 6.0

On Wed, Aug 03, 2022 at 04:52:32PM -0700, Linus Torvalds wrote:
> On Wed, Aug 3, 2022 at 3:15 AM Paolo Abeni <pabeni@...hat.com> wrote:
> >
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git tags/net-next-6.0
> 
> Hmm. Another thing I note about this.
> 
> It adds a new NF_FLOW_TABLE_PROCFS option, and that one has two problems:
> 
>  - it is 'default y'. Why?
>
>  - it has 'depends on PROC_FS' etc, but guess what it does *not*
> depend on? NF_FLOW_TABLE itself.

For these two questions, this new Kconfig toggle was copied from:

 config NF_CONNTRACK_PROCFS
        bool "Supply CT list in procfs (OBSOLETE)"
        default y
        depends on PROC_FS

which is under:

 if NF_CONNTRACK

but the copy and paste was missing this.

> So not only does this new code try to enable itself by default, which
> is a no-no. We do "default y" if it's an old feature that got split
> out as a config option, or if it's something that everybody *really*
> should have, but I don't see that being the case here.
> 
> But it also asks the user that question even when the user doesn't
> even have NF_FLOW_TABLE at all. Which seems entirely crazy.
> 
> Am I missing something? Because it looks *completely* broken.
> 
> I've said this before, and I'll say this again: our kernel config is
> hard on users as-is, and we really shouldn't make it worse by making
> it ask invalid questions or have invalid defaults.

Completely agree. Patch:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220804000843.86722-1-pablo@netfilter.org/

Thanks for reviewing.
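As an added illustration (not code from this thread and not the contents of the linked patch), the two shapes of the option being discussed: the one Linus describes, and one gated the same way NF_CONNTRACK_PROCFS is gated by `if NF_CONNTRACK`. The prompt string is assumed.

```kconfig
# Illustration only; the prompt text is assumed, not taken from the tree.

# As described in the thread: prompted even when NF_FLOW_TABLE is off,
# and enabled by default for everyone.
config NF_FLOW_TABLE_PROCFS
	bool "Supply flow table list in procfs"
	default y
	depends on PROC_FS

# Gated on the feature it exposes (mirroring the `if NF_CONNTRACK` block
# around NF_CONNTRACK_PROCFS) and opt-in rather than default-on.
if NF_FLOW_TABLE

config NF_FLOW_TABLE_PROCFS
	bool "Supply flow table list in procfs"
	depends on PROC_FS

endif # NF_FLOW_TABLE

# Equivalent without the if-block: `depends on NF_FLOW_TABLE && PROC_FS`.
```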
