| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKXV_3J4iDkhQ06R@strlen.de> Date: Wed, 20 Aug 2025 16:04:47 +0200 From: Florian Westphal <fw@...len.de> To: Pablo Neira Ayuso <pablo@...filter.org> Cc: netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, netfilter-devel@...r.kernel.org Subject: Re: [PATCH net] netfilter: nf_reject: don't leak dst refcount for loopback packets Pablo Neira Ayuso <pablo@...filter.org> wrote: > > > Instead of checking hook just check if the skb already has a route > > > attached to it. > > > > Quick question: does inconditional route lookup work for br_netfilter? > > Never mind, it should be fine, the fake dst get attached to the skb. Good point, this changes behaviour for br_netfilter case, we no longer call nf_reject_fill_skb_dst() then due to the fake dst. I don't think br_netfilter is supposed to do anything (iptables -j REJECT doesn't work in PRE_ROUTING), and we should not encourage use of br_netfilter with nftables. What about adding a followup patch, targetting nf, that adds: if (hook == NF_INET_PRE_ROUTING && nf_bridge_info_exists(oldskb)) return; ? After all, there is no guarantee that we have the needed routing info on a bridge in the first place.
Powered by blists - more mailing lists