Message-ID: <20250603081434.GY1484967@horms.kernel.org>
Date: Tue, 3 Jun 2025 09:14:34 +0100
From: Simon Horman <horms@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
	netdev@...r.kernel.org, kuba@...nel.org, pabeni@...hat.com,
	edumazet@...gle.com, fw@...len.de, kuniyu@...zon.com
Subject: Re: [PATCH nf-next,v2] netfilter: conntrack: remove DCCP protocol support

On Thu, May 22, 2025 at 04:52:23PM +0200, Pablo Neira Ayuso wrote:
> The DCCP socket family has now been removed from this tree, see:
> 
>   8bb3212be4b4 ("Merge branch 'net-retire-dccp-socket'")
> 
> Remove connection tracking and NAT support for this protocol, this
> should not pose a problem because no DCCP traffic is expected to be seen
> on the wire.
> 
> As for the code for matching on dccp header for iptables and nftables,
> mark it as deprecated and keep it in place. Ruleset restoration is an
> atomic operation. Without dccp matching support, an astray match on dccp
> could break this operation leaving your computer with no policy in
> place, so let's follow a more conservative approach for matches.
> 
> Add CONFIG_NFT_EXTHDR_DCCP which is set to 'n' by default to deprecate
> dccp extension support. Similarly, label CONFIG_NETFILTER_XT_MATCH_DCCP
> as deprecated too and also set it to 'n' by default.
> 
> Code to match on DCCP protocol from ebtables also remains in place, this
> is just a few checks on IPPROTO_DCCP from _check() path which is
> exercised when ruleset is loaded. There is another use of IPPROTO_DCCP
> from the _check() path in the iptables multiport match. Another check
> for IPPROTO_DCCP from the packet in the reject target is also removed.
> 
> So let's schedule removal of the dccp matching for a second stage, this
> should not interfer with the dccp retirement since this is only matching

nit: interfere

> on the dccp header.
> 
> Cc: "David S. Miller" <davem@...emloft.net>
> Cc: Eric Dumazet <edumazet@...gle.com>
> Cc: Jakub Kicinski <kuba@...nel.org>
> Cc: Paolo Abeni <pabeni@...hat.com>
> Cc: Simon Horman <horms@...nel.org>
> Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> ---
> v2: remove superfluous exception with ct expectation objects.

Reviewed-by: Simon Horman <horms@...nel.org>
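A pre-upgrade check in the spirit of the commit message above, as an added example that is not part of the patch or of this thread: it scans saved nft and iptables-save rulesets for dccp matches (the rules that would make an atomic restore fail once matching support is gone) and reads the two Kconfig symbols named in the message from a .config-style file. The temp file paths, the rulesets and the config fragment are constructed samples.

```shell
#!/bin/sh
# Added example, not from the patch or thread: audit saved rulesets for dccp
# matches before running a kernel without dccp conntrack/match support, so an
# atomic ruleset restore is not rejected and the host left with no policy.
# All rulesets and the .config fragment below are constructed sample data.

# Non-comment rule lines (with line numbers) that match on dccp, in nft
# ("dccp dport ...") or iptables-save ("-p dccp", "-m dccp") syntax.
dccp_rule_refs() {
    grep -n -E '(^|[[:space:]])dccp([[:space:]]|$)' "$1" \
        | grep -v -E '^[0-9]+:[[:space:]]*#' || true
}
# Number of such lines (0 when none).
count_dccp_refs() { dccp_rule_refs "$1" | wc -l | tr -d ' '; }
# Value of a Kconfig symbol in a .config-style file: y, m or n
# ("# CONFIG_X is not set" and an absent symbol both report n).
kconfig_value() {
    val=$(grep -E "^$1=" "$2" | head -n 1 | cut -d= -f2)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}
SAMPLE_NFT=$(mktemp); SAMPLE_IPT=$(mktemp); SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_NFT" "$SAMPLE_IPT" "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_NFT" <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		tcp dport 22 accept
		dccp dport 5001 accept
		# dccp dport 6000 accept
	}
	chain output { dccp sport 5001 counter }
}
EOF
cat > "$SAMPLE_IPT" <<'EOF'
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p dccp -m dccp --dport 5001 -j ACCEPT
COMMIT
EOF
cat > "$SAMPLE_CFG" <<'EOF'
# CONFIG_NFT_EXTHDR_DCCP is not set
CONFIG_NETFILTER_XT_MATCH_DCCP=m
EOF
for f in "$SAMPLE_NFT" "$SAMPLE_IPT"; do
    printf '%s: %s dccp rule line(s)\n' "$f" "$(count_dccp_refs "$f")"; dccp_rule_refs "$f"
done
printf 'NFT_EXTHDR_DCCP=%s XT_MATCH_DCCP=%s\n' "$(kconfig_value CONFIG_NFT_EXTHDR_DCCP "$SAMPLE_CFG")" \
    "$(kconfig_value CONFIG_NETFILTER_XT_MATCH_DCCP "$SAMPLE_CFG")"
```

A non-zero count means those rules must be removed (or the deprecated match options kept enabled) before the ruleset is restored on the new kernel.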