From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net,v3 00/12] Netfilter for net
Date: Thu, 26 Mar 2026 14:16:51 +0100
Message-ID: <acUxw826gEzIv8Zp@strlen.de>
In-Reply-To: <20260326125153.685915-1-pablo@netfilter.org>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> This is v3, I kept back an ipset fix and another to tighten the xtables
> interface to reject invalid combinations with the NFPROTO_ARP family.
> They need a bit more discussion. I fixed the issues reported by AI on
> patch 9 (add #ifdef to access ct zone, update nf_conntrack_broadcast)
> and patch 10 (use better Fixes: tag). Thanks!

Dropping netdev@.

I think the NFPROTO_ARP fix is legit.

If anything, we should also consider this (not even compile tested):

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 53a614a0e3cd..39446edb0d70 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -778,6 +778,20 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = {
 
 static struct nft_expr_type nft_match_type;
 
+static bool is_valid_compat_family(u32 family)
+{
+	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_ARP:
+	case NFPROTO_BRIDGE:
+	case NFPROTO_IPV6:
+		return true;
+	}
+
+	/* others are nftables only */
+	return false;
+}
+
 static const struct nft_expr_ops *
 nft_match_select_ops(const struct nft_ctx *ctx,
 		     const struct nlattr * const tb[])
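Review bot: the comment `/* others are nftables only */` in is_valid_compat_family() should name the families it turns away, and the change needs a description saying whether that is the intent. Everything outside the four switch cases is rejected, which covers NFPROTO_UNSPEC and the nftables-only table families NFPROTO_INET and NFPROTO_NETDEV; if xt matches or targets loaded into inet tables currently work, this is a behaviour change for existing rulesets rather than only the ARP tightening the cover letter discusses, and that should be stated (or inet handled explicitly in the switch) before it goes in.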
@@ -798,6 +812,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 	rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
 	family = ctx->family;
 
+	if (!is_valid_compat_family(family))
+		return ERR_PTR(-EAFNOSUPPORT);
+
 	match = xt_request_find_match(family, mt_name, rev);
 	if (IS_ERR(match))
 		return ERR_PTR(-ENOENT);
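Review bot: the new check in nft_match_select_ops() does not depend on mt_name or rev, so it belongs at the top of the function as `if (!is_valid_compat_family(ctx->family))`, before the NFTA_MATCH_* attributes are decoded, rather than between the `family = ctx->family;` assignment and the lookup. Failing first keeps an unsupported family from ever reaching xt_request_find_match(), which otherwise goes on to request a module for a name that cannot match in that family; returning -EAFNOSUPPORT here while the lookup failure keeps -ENOENT is a useful distinction for userspace and worth a line in the description.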
@@ -877,6 +894,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
 	rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
 	family = ctx->family;
 
+	if (!is_valid_compat_family(family))
+		return ERR_PTR(-EAFNOSUPPORT);
+
 	if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
 	    strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
 	    strcmp(tg_name, "standard") == 0)
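Review bot: this repeats the added lines from nft_match_select_ops() one for one, which is fine for two entry points, but the same ordering remark applies: the family check needs neither tg_name nor rev and can precede the NFTA_TARGET_* decoding. It also now fires before the XT_ERROR_TARGET / XT_STANDARD_TARGET / "standard" name checks that follow, so a request for one of those names in a rejected family reports -EAFNOSUPPORT instead of whatever the name check returns; if that is intended, say so in the description, and a selftest that adds an xt target to a table of an unsupported family and expects EAFNOSUPPORT would pin both hunks down.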
