From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marino Dzalto <marino.dzalto@gmail.com>
Cc: fw@strlen.de, jacob.e.keller@intel.com,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] netfilter: xt_HL: add pr_fmt and checkentry validation
Date: Tue, 21 Apr 2026 13:56:21 +0200
Message-ID: <aedl5SY8M6LtFxa2@chamomile>
In-Reply-To: <20260403205907.92749-1-marino.dzalto@gmail.com>

On Fri, Apr 03, 2026 at 10:59:07PM +0200, Marino Dzalto wrote:
> Add pr_fmt to prefix log messages with the module name for
> easier debugging in dmesg.
>
> Add checkentry functions for IPv4 (ttl_mt_check) and IPv6
> (hl_mt6_check) to validate the match mode at rule registration
> time, rejecting invalid modes with -EINVAL.
>
> Signed-off-by: Marino Dzalto <marino.dzalto@gmail.com>
> ---

BTW, please use "nf-next" as target tree for this.
And use _ratelimited as suggested by the AI reviewer.
Send us a v4, thanks.

> v3: Remove mention of NULL checks from commit message, as they
> were never part of the original code.
> v2: Remove NULL checks for skb as suggested by Florian Westphal
> (skb is guaranteed non-NULL by netfilter core). Move mode
> validation to checkentry functions instead of match function,
> also as suggested by Florian Westphal.
> ---
> net/netfilter/xt_hl.c | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
> index c1a70f8f0441..4a12a757ecbf 100644
> --- a/net/netfilter/xt_hl.c
> +++ b/net/netfilter/xt_hl.c
> @@ -6,6 +6,7 @@
> * Hop Limit matching module
> * (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
> */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> #include <linux/ip.h>
> #include <linux/ipv6.h>
> @@ -22,6 +23,18 @@ MODULE_LICENSE("GPL");
> MODULE_ALIAS("ipt_ttl");
> MODULE_ALIAS("ip6t_hl");
>
> +static int ttl_mt_check(const struct xt_mtchk_param *par)
> +{
> + const struct ipt_ttl_info *info = par->matchinfo;
> +
> + if (info->mode > IPT_TTL_GT) {
> + pr_err("Unknown TTL match mode: %d\n", info->mode);
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
> {
> const struct ipt_ttl_info *info = par->matchinfo;
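
Review bot: The pr_err() in ttl_mt_check() is not rate limited, and the commit message says this check runs at rule registration time, so a caller that keeps submitting a rule with a bad mode gets one log line per attempt and can flood dmesg. Use a ratelimited variant here, for example pr_err_ratelimited("Unknown TTL match mode: %d\n", info->mode), which is also what the reply above asks for in v4. The -EINVAL return already tells the caller what went wrong, so nothing is lost when messages are dropped.
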
> @@ -41,6 +54,18 @@ static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
> return false;
> }
>
> +static int hl_mt6_check(const struct xt_mtchk_param *par)
> +{
> + const struct ip6t_hl_info *info = par->matchinfo;
> +
> + if (info->mode > IP6T_HL_GT) {
> + pr_err("Unknown Hop Limit match mode: %d\n", info->mode);
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
> {
> const struct ip6t_hl_info *info = par->matchinfo;
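
Review bot: hl_mt6_check() repeats ttl_mt_check() except for the struct type, the upper bound and the message text, and its pr_err() has the same missing rate limit, so switch it to the _ratelimited variant as well. The test info->mode > IP6T_HL_GT (and info->mode > IPT_TTL_GT in the IPv4 check) is only correct while the _GT constant is the highest valid mode; a one-line comment stating that assumption would keep the check from silently going stale if a mode is ever added after it.
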
> @@ -65,6 +90,7 @@ static struct xt_match hl_mt_reg[] __read_mostly = {
> .name = "ttl",
> .revision = 0,
> .family = NFPROTO_IPV4,
> + .checkentry = ttl_mt_check,
> .match = ttl_mt,
> .matchsize = sizeof(struct ipt_ttl_info),
> .me = THIS_MODULE,
> @@ -73,6 +99,7 @@ static struct xt_match hl_mt_reg[] __read_mostly = {
> .name = "hl",
> .revision = 0,
> .family = NFPROTO_IPV6,
> + .checkentry = hl_mt6_check,
> .match = hl_mt6,
> .matchsize = sizeof(struct ip6t_hl_info),
> .me = THIS_MODULE,
> --
> 2.50.1 (Apple Git-155)
>