| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250821074726.7cc3f294@kernel.org> Date: Thu, 21 Aug 2025 07:47:26 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Pablo Neira Ayuso <pablo@...filter.org> Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, netfilter-devel@...r.kernel.org Subject: Re: [PATCH net] netfilter: nf_reject: don't leak dst refcount for loopback packets On Wed, 20 Aug 2025 16:04:47 +0200 Florian Westphal wrote: > > > Quick question: does inconditional route lookup work for br_netfilter? > > > > Never mind, it should be fine, the fake dst get attached to the skb. > > Good point, this changes behaviour for br_netfilter case, we no > longer call nf_reject_fill_skb_dst() then due to the fake dst. > > I don't think br_netfilter is supposed to do anything (iptables > -j REJECT doesn't work in PRE_ROUTING), and we should not encourage > use of br_netfilter with nftables. > > What about adding a followup patch, targetting nf, that adds: > > if (hook == NF_INET_PRE_ROUTING && nf_bridge_info_exists(oldskb)) > return; > > ? > > After all, there is no guarantee that we have the needed routing > info on a bridge in the first place. Pablo, are you okay with that plan? Would be great to ship this to Linus and therefore net-next today, given the checks recently added there..
Powered by blists - more mailing lists