From: Sabrina Dubroca <sd@queasysnail.net>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
Antonio Quartulli <antonio@openvpn.net>
Cc: netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Ralf Lici <ralf@mandelbit.com>
Subject: Re: [PATCH net 2/3] ovpn: explicitly reject netlink attr PEER_LOCAL_PORT in CMD_PEER_NEW/SET
Date: Thu, 3 Jul 2025 15:07:51 +0200 [thread overview]
Message-ID: <aGaApy-muPmgfGtR@krikkit> (raw)
In-Reply-To: <20250703114513.18071-3-antonio@openvpn.net>
2025-07-03, 13:45:11 +0200, Antonio Quartulli wrote:
> The OVPN_A_PEER_LOCAL_PORT is designed to be a read-only attribute
> that ovpn sends back to userspace to show the local port being used
> to talk to that specific peer.
Seems like we'd want NLA_REJECT in the nla_policy instead of
NLA_POLICY_MIN, but my quick grepping in ynl and specs doesn't show
anything like that. Donald/Jakub, does it already exist? If not, does
it seem possible to extend the specs and ynl with something like:
name: local-port
type: reject(u16)
or maybe:
name: local-port
type: u16
checks:
reject: true
(or maybe "read-only", and I don't know if yaml tolerates
"checks:\n reject" without the ": true". we can bikeshed the syntax
later :))
> However, we forgot to reject it when parsing CMD_PEER_NEW/SET messages.
Right :( Also a bunch of others: OVPN_A_PEER_SOCKET_NETNSID, all the
packets/bytes stats.
> This is not a critical issue because the incoming value is just
> ignored, but it may fool userspace which expects some change in
> behaviour.
>
> Explicitly error out and send back a message if OVPN_A_PEER_LOCAL_PORT
> is specified in a CMD_PEER_NEW/SET message.
>
> Reported-by: Ralf Lici <ralf@mandelbit.com>
> Closes: https://github.com/OpenVPN/ovpn-net-next/issues/19
> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Either way I'm ok with this patch.
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
next prev parent reply other threads:[~2025-07-03 13:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-03 11:45 [PATCH net 0/3] pull request: ovpn for net 2025-07-03 Antonio Quartulli
2025-07-03 11:45 ` [PATCH net 1/3] ovpn: propagate socket mark to skb in UDP Antonio Quartulli
2025-07-03 14:02 ` Sabrina Dubroca
2025-07-03 11:45 ` [PATCH net 2/3] ovpn: explicitly reject netlink attr PEER_LOCAL_PORT in CMD_PEER_NEW/SET Antonio Quartulli
2025-07-03 13:07 ` Sabrina Dubroca [this message]
2025-07-07 21:48 ` Jakub Kicinski
2025-07-08 10:20 ` Sabrina Dubroca
2025-07-08 14:47 ` Jakub Kicinski
2025-07-13 20:04 ` Antonio Quartulli
2025-07-14 14:56 ` Jakub Kicinski
2025-07-15 14:36 ` Antonio Quartulli
2025-07-15 15:06 ` Jakub Kicinski
2025-07-15 15:08 ` Antonio Quartulli
2025-07-03 11:45 ` [PATCH net 3/3] ovpn: reset GSO metadata after decapsulation Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGaApy-muPmgfGtR@krikkit \
--to=sd@queasysnail.net \
--cc=antonio@openvpn.net \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ralf@mandelbit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.