From: Daniel Borkmann <daniel@iogearbox.net>
To: Justin Iurman <justin.iurman@gmail.com>, kuba@kernel.org
Cc: edumazet@google.com, dsahern@kernel.org, tom@herbertland.com,
willemdebruijn.kernel@gmail.com, idosch@nvidia.com,
pabeni@redhat.com, netdev@vger.kernel.org
Subject: Re: [PATCH net] ipv6: Implement limits on extension header parsing
Date: Sat, 18 Apr 2026 14:59:07 +0200 [thread overview]
Message-ID: <d4c72730-2d74-4efe-8ede-50e3fe9658c8@iogearbox.net> (raw)
In-Reply-To: <b57f31a2-456e-4727-839a-bc2f0fb07855@gmail.com>
On 4/18/26 2:50 PM, Justin Iurman wrote:
> On 4/18/26 14:26, Daniel Borkmann wrote:
>> On 4/18/26 1:45 PM, Justin Iurman wrote:
>>> On 4/17/26 19:18, Daniel Borkmann wrote:
>> [...]
>>>> diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
>>>> index d2cd33e2698d..93f865545a7c 100644
>>>> --- a/net/ipv6/sysctl_net_ipv6.c
>>>> +++ b/net/ipv6/sysctl_net_ipv6.c
>>>> @@ -135,6 +135,14 @@ static struct ctl_table ipv6_table_template[] = {
>>>> .extra1 = SYSCTL_ZERO,
>>>> .extra2 = &flowlabel_reflect_max,
>>>> },
>>>> + {
>>>> + .procname = "max_ext_hdrs_number",
>>>> + .data = &init_net.ipv6.sysctl.max_ext_hdrs_cnt,
>>>> + .maxlen = sizeof(int),
>>>> + .mode = 0644,
>>>> + .proc_handler = proc_dointvec_minmax,
>>>> + .extra1 = SYSCTL_ONE,
>>>> + },
>>>> {
>>>> .procname = "max_dst_opts_number",
>>>> .data = &init_net.ipv6.sysctl.max_dst_opts_cnt,
>>>
>>> NACKed-by: Justin Iurman <justin.iurman@gmail.com>
>>>
>>> +1000 on the need, but NAK on the way it is done. IMO, we don't want yet-another-sysctl for that. Instead, we have (well, not yet, but it's about time) this series [1] to enforce ordering and occurrences of Extension Headers, which is based on an IETF draft [2] (FYI, draft- ietf-6man-eh-limits is dead). I think we should enforce ordering and occurrences in this code path too, instead of relying on a sysctl. Let's keep both code paths consistent.
>
> Hi Daniel,
>
>> Hm, that series [1] should probably go to net instead of net-next, but atm
>
> +1, would make sense.
>
>> hasn't moved since a month. I'd still think max_ext_hdrs_number would be
>> useful given it has less complexity also for stable, but I guess ultimately
>> up to maintainers..
>
> In the short term, I agree. What worries me is that we end up with a redundant, or even useless, sysctl once the other series is applied, which will only increase user confusion.
I'm thinking even if that series lands, and there is still odd hw out there
where the enforcement of ordering is not in place, and users might be forced
to disable net.ipv6.enforce_ext_hdr_order, then the limit would still apply
and protect them.
Cheers,
Daniel
next prev parent reply other threads:[~2026-04-18 12:59 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 17:18 [PATCH net] ipv6: Implement limits on extension header parsing Daniel Borkmann
2026-04-17 21:45 ` Eric Dumazet
2026-04-18 11:45 ` Justin Iurman
2026-04-18 12:26 ` Daniel Borkmann
2026-04-18 12:50 ` Justin Iurman
2026-04-18 12:59 ` Daniel Borkmann [this message]
2026-04-18 13:18 ` Justin Iurman
2026-04-18 13:15 ` Eric Dumazet
2026-04-18 13:46 ` Justin Iurman
2026-04-18 14:15 ` Justin Iurman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d4c72730-2d74-4efe-8ede-50e3fe9658c8@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=idosch@nvidia.com \
--cc=justin.iurman@gmail.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tom@herbertland.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox