Message-ID: <aLYMWajRCGWVxAHk@calendula>
Date: Mon, 1 Sep 2025 23:12:57 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org,
	Paolo Abeni <pabeni@...hat.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH net-next 5/8] netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX

On Mon, Sep 01, 2025 at 01:46:02PM -0700, Jakub Kicinski wrote:
> On Mon,  1 Sep 2025 10:08:39 +0200 Florian Westphal wrote:
> > This new attribute is supposed to be used instead of NFTA_DEVICE_NAME
> > for simple wildcard interface specs. It holds a NUL-terminated string
> > representing an interface name prefix to match on.
> > 
> > While kernel code to distinguish full names from prefixes in
> > NFTA_DEVICE_NAME is simpler than this solution, reusing the existing
> > attribute with different semantics leads to confusion between different
> > versions of kernel and user space though:
> > 
> > * With old kernels, wildcards submitted by user space are accepted yet
> >   silently treated as regular names.
> > * With old user space, wildcards submitted by kernel may cause crashes
> >   since libnftnl expects NUL-termination when there is none.
> > 
> > Using a distinct attribute type sanitizes these situations as the
> > receiving part detects and rejects the unexpected attribute nested in
> > *_HOOK_DEVS attributes.
> > 
> > Fixes: 6d07a289504a ("netfilter: nf_tables: Support wildcard netdev hook specs")
> 
> Why is this not targeting net? The sooner we adjust the uAPI the better.

I think there were doubts that was possible at this stage.

But I agree, it is a bit late but better fix it there.

Florian?
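As an added illustration of the compatibility argument in the quoted commit message: a constructed model (not the kernel's nla_parse()/nf_tables code and not libnftnl) of a receiver that validates nested device attributes against the types it knows. The attribute numbers, the MAXTYPE_* bounds and the "eth"/"eth0" names are placeholders. It shows why a wildcard sent in NFTA_DEVICE_NAME is silently accepted as a literal name by an old receiver, while a distinct NFTA_DEVICE_PREFIX is rejected there and understood by a new one, and why a string attribute is refused rather than read past its end when the NUL is missing.

```c
#include <stdint.h>
#include <string.h>

/* Attribute types named in the thread; the numeric values are placeholders. */
enum { NFTA_DEVICE_UNSPEC, NFTA_DEVICE_NAME, NFTA_DEVICE_PREFIX, NFTA_DEVICE_COUNT };
#define MAXTYPE_OLD NFTA_DEVICE_PREFIX  /* receiver that knows NAME only */
#define MAXTYPE_NEW NFTA_DEVICE_COUNT   /* receiver that also knows PREFIX */

struct attr { uint16_t type; uint16_t len; const char *data; };
enum verdict { REJECT = -1, LITERAL = 0, WILDCARD = 1 };

/* Validate one nested device attribute; maxtype is the first type the
 * receiver does not know. Both string types must carry a NUL inside the
 * payload so a strlen()-style consumer can never read past it. */
static enum verdict validate(const struct attr *a, uint16_t maxtype)
{
    if (a->type == NFTA_DEVICE_UNSPEC || a->type >= maxtype)
        return REJECT;                      /* unknown nested attribute */
    if (a->len == 0 || memchr(a->data, '\0', a->len) == NULL)
        return REJECT;                      /* not NUL-terminated */
    return a->type == NFTA_DEVICE_PREFIX ? WILDCARD : LITERAL;
}

/* Match an interface name the way each verdict implies. */
static int dev_matches(enum verdict v, const char *spec, const char *ifname)
{
    if (v == WILDCARD) return strncmp(spec, ifname, strlen(spec)) == 0;
    return v == LITERAL && strcmp(spec, ifname) == 0;
}

/* Does the spec "eth" (4 bytes, NUL included) match "eth0" at a receiver
 * with the given maxtype when sent as attribute type `type`?  Returns -1
 * if the receiver rejects the attribute, else 0/1 for the match result. */
int send_eth_prefix(uint16_t type, uint16_t maxtype)
{
    struct attr a = { type, 4, "eth" };
    enum verdict v = validate(&a, maxtype);
    return v == REJECT ? -1 : dev_matches(v, "eth", "eth0");
}

/* A NAME whose length excludes the NUL is refused rather than overread. */
int unterminated_name_rejected(void)
{
    struct attr a = { NFTA_DEVICE_NAME, 3, "eth" };
    return validate(&a, MAXTYPE_NEW) == REJECT;
}
```

The old receiver returns 0 for the wildcard-in-NAME case (accepted, but "eth" no longer matches "eth0"), which is the silent misbehaviour the commit message describes; the distinct type turns that into an explicit -1.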
