From: Florian Westphal <fw@strlen.de>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [PATCH net-next 00/11] netfilter: updates for net-next
Date: Sun, 12 Apr 2026 18:54:49 +0200 [thread overview]
Message-ID: <advOUl92VLlqaiCJ@strlen.de> (raw)
In-Reply-To: <20260412094049.7b01dd7b@kernel.org>
Jakub Kicinski <kuba@kernel.org> wrote:
> On Fri, 10 Apr 2026 13:23:41 +0200 Florian Westphal wrote:
> > 1-3) IPVS updates from Julian Anastasov to enhance visibility into
> > IPVS internal state by exposing hash size, load factor etc and
> > allows userspace to tune the load factor used for resizing hash
> > tables.
>
> Someone should take a look at the Sashiko reports for those, please?
https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de
Sorry Pablo I am dumping this on you. Already wasted 3h on saturday
on LLM crap 8-(
---------
Could this trigger the DEBUG_NET_WARN_ON_ONCE() inside skb_mac_header_len()?
If a user program sends a verdict containing the NFQA_L2HDR attribute for a
packet where the MAC header is not set, it seems this code would call
skb_mac_header_len() without first checking skb_mac_header_was_set(entry->skb).
---------
And thus a new era of cargo cult programming will be born.
Because I have no idea how on earth PF_BRIDGE packets cannot have
a mac header attached to them.
Do I add this check as LLM overlord demands?
-------------
Is it safe to access the IP header here without ensuring the packet length
is sufficient and the header is in the linear data area?
Looking at the surrounding code in nft_fwd_neigh_eval(),
skb_try_make_writable() is called with sizeof(*iph), which is 20 bytes. At
the netdev hook, skb->data points to the MAC header, meaning the 20 bytes
only covers the Ethernet header and the first 6 bytes of the IP header.
Should this code use pskb_may_pull() or skb_ensure_writable() with an
offset that accounts for skb_network_offset(skb) + sizeof(*iph) before
dereferencing iph->ttl to avoid out-of-bounds accesses?
-------------
Dunno. Existing code does that.
next prev parent reply other threads:[~2026-04-12 16:54 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 11:23 [PATCH net-next 00/11] netfilter: updates for net-next Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 01/11] ipvs: show the current conn_tab size to users Florian Westphal
2026-04-12 18:00 ` patchwork-bot+netdevbpf
2026-04-10 11:23 ` [PATCH net-next 02/11] ipvs: add ip_vs_status info Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 03/11] ipvs: add conn_lfactor and svc_lfactor sysctl vars Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 04/11] netfilter: x_physdev: reject empty or not-nul terminated device names Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 05/11] netfilter: nfnetlink: prefer skb_mac_header helpers Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 06/11] netfilter: xt_HL: add pr_fmt and checkentry validation Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 07/11] netfilter: xt_socket: enable defrag after all other checks Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 08/11] netfilter: conntrack: remove UDP-Lite conntrack support Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 09/11] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 10/11] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 11/11] netfilter: require Ethernet MAC header before using eth_hdr() Florian Westphal
2026-04-12 16:40 ` [PATCH net-next 00/11] netfilter: updates for net-next Jakub Kicinski
2026-04-12 16:54 ` Florian Westphal [this message]
2026-04-12 17:17 ` Florian Westphal
2026-04-12 18:58 ` Pablo Neira Ayuso
2026-04-12 17:53 ` Jakub Kicinski
2026-04-12 18:07 ` Julian Anastasov
-- strict thread matches above, loose matches on Subject: below --
2026-02-05 11:08 Florian Westphal
2026-02-06 12:41 ` Florian Westphal
2024-11-06 23:46 [PATCH net-next 00/11] Netfilter " Pablo Neira Ayuso
2024-11-07 0:19 ` Jakub Kicinski
2024-11-07 7:08 ` Florian Westphal
2024-11-07 20:48 ` Jakub Kicinski
2024-11-07 21:07 ` Florian Westphal
2024-11-07 21:09 ` Eric Dumazet
2022-05-19 22:01 Pablo Neira Ayuso
2022-04-11 10:27 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=advOUl92VLlqaiCJ@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.