From: Sabrina Dubroca <sd@queasysnail.net>
To: netdev@vger.kernel.org
Cc: Sabrina Dubroca <sd@queasysnail.net>
Subject: [PATCH net-next v2 00/13] macsec: replace custom netlink attribute checks with policy-level checks
Date: Tue, 26 Aug 2025 15:16:18 +0200 [thread overview]
Message-ID: <cover.1756202772.git.sd@queasysnail.net> (raw)
We can simplify attribute validation a lot by describing the accepted
ranges more precisely in the policies, using NLA_POLICY_MAX etc.
Some of the checks still need to be done later on, because the
attribute length and acceptable range can vary based on values that
can't be known when the policy is validated (cipher suite determines
the key length and valid ICV length, presence of XPN changes the PN
length, detection of duplicate SCIs or ANs, etc).
As a bonus, we get a few extack messages from the policy
validation. I'll add extack to the rest of the checks (mostly in the
genl commands) in an future series.
v2: remove no-longer-unused csid variable (thanks Jakub)
rebase on top of net-next
use NLA_UINT for PN
v1: https://lore.kernel.org/netdev/cover.1664379352.git.sd@queasysnail.net/
Sabrina Dubroca (13):
macsec: replace custom checks on MACSEC_SA_ATTR_AN with NLA_POLICY_MAX
macsec: replace custom checks on MACSEC_*_ATTR_ACTIVE with
NLA_POLICY_MAX
macsec: replace custom checks on MACSEC_SA_ATTR_SALT with
NLA_POLICY_EXACT_LEN
macsec: replace custom checks on MACSEC_SA_ATTR_KEYID with
NLA_POLICY_EXACT_LEN
macsec: use NLA_POLICY_MAX_LEN for MACSEC_SA_ATTR_KEY
macsec: use NLA_UINT for MACSEC_SA_ATTR_PN
macsec: remove validate_add_rxsc
macsec: add NLA_POLICY_MAX for MACSEC_OFFLOAD_ATTR_TYPE and
IFLA_MACSEC_OFFLOAD
macsec: replace custom checks on IFLA_MACSEC_ICV_LEN with
NLA_POLICY_RANGE
macsec: use NLA_POLICY_VALIDATE_FN to validate
IFLA_MACSEC_CIPHER_SUITE
macsec: validate IFLA_MACSEC_VALIDATION with NLA_POLICY_MAX
macsec: replace custom checks for IFLA_MACSEC_* flags with
NLA_POLICY_MAX
macsec: replace custom check on IFLA_MACSEC_ENCODING_SA with
NLA_POLICY_MAX
drivers/net/macsec.c | 173 ++++++++++---------------------------------
1 file changed, 38 insertions(+), 135 deletions(-)
--
2.50.0
next reply other threads:[~2025-08-26 13:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-26 13:16 Sabrina Dubroca [this message]
2025-08-26 13:16 ` [PATCH net-next v2 01/13] macsec: replace custom checks on MACSEC_SA_ATTR_AN with NLA_POLICY_MAX Sabrina Dubroca
2025-08-27 16:53 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 02/13] macsec: replace custom checks on MACSEC_*_ATTR_ACTIVE " Sabrina Dubroca
2025-08-27 16:53 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 03/13] macsec: replace custom checks on MACSEC_SA_ATTR_SALT with NLA_POLICY_EXACT_LEN Sabrina Dubroca
2025-08-27 16:54 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 04/13] macsec: replace custom checks on MACSEC_SA_ATTR_KEYID " Sabrina Dubroca
2025-08-27 16:54 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 05/13] macsec: use NLA_POLICY_MAX_LEN for MACSEC_SA_ATTR_KEY Sabrina Dubroca
2025-08-27 16:54 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 06/13] macsec: use NLA_UINT for MACSEC_SA_ATTR_PN Sabrina Dubroca
2025-08-27 16:54 ` Simon Horman
2025-08-28 1:54 ` Jakub Kicinski
2025-08-28 1:55 ` Jakub Kicinski
2025-08-28 14:25 ` Sabrina Dubroca
2025-08-28 14:31 ` Jakub Kicinski
2025-08-26 13:16 ` [PATCH net-next v2 07/13] macsec: remove validate_add_rxsc Sabrina Dubroca
2025-08-27 16:55 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 08/13] macsec: add NLA_POLICY_MAX for MACSEC_OFFLOAD_ATTR_TYPE and IFLA_MACSEC_OFFLOAD Sabrina Dubroca
2025-08-27 16:55 ` Simon Horman
2025-08-28 1:51 ` Jakub Kicinski
2025-08-28 12:15 ` Sabrina Dubroca
2025-08-26 13:16 ` [PATCH net-next v2 09/13] macsec: replace custom checks on IFLA_MACSEC_ICV_LEN with NLA_POLICY_RANGE Sabrina Dubroca
2025-08-27 16:55 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 10/13] macsec: use NLA_POLICY_VALIDATE_FN to validate IFLA_MACSEC_CIPHER_SUITE Sabrina Dubroca
2025-08-27 16:56 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 11/13] macsec: validate IFLA_MACSEC_VALIDATION with NLA_POLICY_MAX Sabrina Dubroca
2025-08-27 16:56 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 12/13] macsec: replace custom checks for IFLA_MACSEC_* flags " Sabrina Dubroca
2025-08-27 16:57 ` Simon Horman
2025-08-26 13:16 ` [PATCH net-next v2 13/13] macsec: replace custom check on IFLA_MACSEC_ENCODING_SA " Sabrina Dubroca
2025-08-27 16:57 ` Simon Horman
2025-08-28 2:00 ` [PATCH net-next v2 00/13] macsec: replace custom netlink attribute checks with policy-level checks patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1756202772.git.sd@queasysnail.net \
--to=sd@queasysnail.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.