From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf 0/2] netfilter: add restrictions/validations for packet rewrites
Date: Thu, 4 Jun 2026 00:42:23 +0200 [thread overview]
Message-ID: <aiCtz2nBZL1Q-gmL@chamomile> (raw)
In-Reply-To: <aiCrpdgRNCC7LkaA@chamomile>
On Thu, Jun 04, 2026 at 12:33:13AM +0200, Pablo Neira Ayuso wrote:
> Hi Florian,
>
> On Wed, May 27, 2026 at 02:11:42PM +0200, Florian Westphal wrote:
> > This is a followup to the recent patch that disabled packet manipulation
> > via nfqueue or nft_payload in user namespaces.
> >
> > This adds additional *restrictions*.
> > For nfqueue, do minimal header checks in case userspace provides payload
> > replacement data.
> >
> > For nft_payload, restrict the offset/length combinations.
> >
> > Several of these checks could be done at rule insertion time (i.e.
> > control plane).
> > Risk is that this may cause ruleset load failures for existing rulesets.
> > With this change such writes are silently skipped and packet passes
> > unchanged.
> >
> > Restriction is added for link and network bases only.
> >
> > Open questions:
> > - target tree: nf or nf-next?
> >
> > - should there be an immediate followup ('patch 3') that reverts
> > the userns restrictions again?
> >
> > - should nft_payload reject those requests it can validate there from
> > the control plane?
>
> Ideally, better from control plane.
>
> If anyone is breaking with ilegals field, they should come here to
> explain? Data plane validation might look safer ... but it will just
> drop packets and it will take a bit more time to the user to debug.
>
> But your approach is more conservative, it just leave the packet
> untouch, so it is basically ignoring the invalid mangling.
Hm. Actually, it is harder than it seems to do this from control plane
because dscp needs to deal with bitwise to ensure that ihl and version
are not modified.
next prev parent reply other threads:[~2026-06-03 22:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 12:11 [RFC nf 0/2] netfilter: add restrictions/validations for packet rewrites Florian Westphal
2026-05-27 12:11 ` [RFC nf 1/2] netfilter: nfnetlink_queue: restrict writes to network header Florian Westphal
2026-05-27 12:11 ` [RFC nf 2/2] netfilter: nftables: restrict linklayer and network header writes Florian Westphal
2026-06-03 22:33 ` [RFC nf 0/2] netfilter: add restrictions/validations for packet rewrites Pablo Neira Ayuso
2026-06-03 22:42 ` Pablo Neira Ayuso [this message]
2026-06-03 23:11 ` Florian Westphal
2026-06-04 6:17 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiCtz2nBZL1Q-gmL@chamomile \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.