From: Florian Westphal <fw@strlen.de>
To: Keno Fischer <keno@juliahub.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
Phil Sutter <phil@nwl.cc>
Subject: Re: [PATCH] netfilter: Consistently use NFPROTO_, not AF_
Date: Thu, 9 Oct 2025 11:58:30 +0200 [thread overview]
Message-ID: <aOeHRv_z-aBFQd4U@strlen.de> (raw)
In-Reply-To: <aOcfvmjCTVkUxMYX@juliacomputing.com>
Keno Fischer <keno@juliahub.com> wrote:
> The uapi headers document `nfgen_family` as `AF_*`. However,
> this hasn't been technically true since 7e9c6eeb, which switched
> the interpretation of this field to `NFPROTO_*`.
> This is value-compatible on AF_INET (though note that this is
> NFPROTO_IPV4, *not* NFPROTO_INET), AF_INET6, AF_IPV6 and AF_DECnet,
> and AF_BRIDGE, but has since grown additional values.
> Now, because of the value compatibility between AF_ and
> NFPROTO_, it doesn't matter too much, but to the extent that
> the uapi headers constitute interface documentation, it can be
> misleading. For example, some userspace tooling, such as wireshark
> will print AF_UNIX for netlink packets that have an NFPROTO_INET
> family set. I will submit a patch for this downstream, but I wanted
> to cleanup the kernel side also. To that end, change the comment in
> the UAPI header and audit uses of AF_* in the netfilter code and
> switch them to NFPROTO_ unless calling non-netfilter APIs.
I'm not sold on this patch, lots of code churn for little gain.
> diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
> index 6cd58cd2a6f0..9d7fe3daf327 100644
> --- a/include/uapi/linux/netfilter/nfnetlink.h
> +++ b/include/uapi/linux/netfilter/nfnetlink.h
> @@ -32,7 +32,7 @@ enum nfnetlink_groups {
> /* General form of address family dependent message.
> */
> struct nfgenmsg {
> - __u8 nfgen_family; /* AF_xxx */
> + __u8 nfgen_family; /* NFPROTO_xxx */
> __u8 version; /* nfnetlink version */
> __be16 res_id; /* resource id */
> };
Maybe just chase down comments like this and leave the rest alone?
> @@ -690,7 +690,7 @@ module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
> &nf_conntrack_htable_size, 0600);
>
> MODULE_ALIAS("ip_conntrack");
> -MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
> -MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
> +MODULE_ALIAS("nf_conntrack-" __stringify(NFPROTO_IPV4));
> +MODULE_ALIAS("nf_conntrack-" __stringify(NFPROTO_IPV6));
This breaks module autloading aliases, __stringify needs a define not enum:
alias: nf_conntrack-NFPROTO_IPV6
alias: nf_conntrack-NFPROTO_IPV4
... this NFPROTO_IPV6 should not be there, this needs to be kept as
alias: nf_conntrack-10
alias: nf_conntrack-2
prev parent reply other threads:[~2025-10-09 9:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-09 2:41 [PATCH] netfilter: Consistently use NFPROTO_, not AF_ Keno Fischer
2025-10-09 9:58 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aOeHRv_z-aBFQd4U@strlen.de \
--to=fw@strlen.de \
--cc=kadlec@netfilter.org \
--cc=keno@juliahub.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.