From: Florian Westphal <fw@strlen.de>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [PATCH net-next 00/11] netfilter: updates for net-next
Date: Sun, 12 Apr 2026 18:54:49 +0200 [thread overview]
Message-ID: <advOUl92VLlqaiCJ@strlen.de> (raw)
In-Reply-To: <20260412094049.7b01dd7b@kernel.org>
Jakub Kicinski <kuba@kernel.org> wrote:
> On Fri, 10 Apr 2026 13:23:41 +0200 Florian Westphal wrote:
> > 1-3) IPVS updates from Julian Anastasov to enhance visibility into
> > IPVS internal state by exposing hash size, load factor etc and
> > allows userspace to tune the load factor used for resizing hash
> > tables.
>
> Someone should take a look at the Sashiko reports for those, please?
https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de
Sorry Pablo I am dumping this on you. Already wasted 3h on saturday
on LLM crap 8-(
---------
Could this trigger the DEBUG_NET_WARN_ON_ONCE() inside skb_mac_header_len()?
If a user program sends a verdict containing the NFQA_L2HDR attribute for a
packet where the MAC header is not set, it seems this code would call
skb_mac_header_len() without first checking skb_mac_header_was_set(entry->skb).
---------
And thus a new era of cargo cult programming will be born.
Because I have no idea how on earth PF_BRIDGE packets cannot have
a mac header attached to them.
Do I add this check as LLM overlord demands?
-------------
Is it safe to access the IP header here without ensuring the packet length
is sufficient and the header is in the linear data area?
Looking at the surrounding code in nft_fwd_neigh_eval(),
skb_try_make_writable() is called with sizeof(*iph), which is 20 bytes. At
the netdev hook, skb->data points to the MAC header, meaning the 20 bytes
only covers the Ethernet header and the first 6 bytes of the IP header.
Should this code use pskb_may_pull() or skb_ensure_writable() with an
offset that accounts for skb_network_offset(skb) + sizeof(*iph) before
dereferencing iph->ttl to avoid out-of-bounds accesses?
-------------
Dunno. Existing code does that.
next prev parent reply other threads:[~2026-04-12 16:54 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 11:23 [PATCH net-next 00/11] netfilter: updates for net-next Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 01/11] ipvs: show the current conn_tab size to users Florian Westphal
2026-04-12 18:00 ` patchwork-bot+netdevbpf
2026-04-10 11:23 ` [PATCH net-next 02/11] ipvs: add ip_vs_status info Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 03/11] ipvs: add conn_lfactor and svc_lfactor sysctl vars Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 04/11] netfilter: x_physdev: reject empty or not-nul terminated device names Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 05/11] netfilter: nfnetlink: prefer skb_mac_header helpers Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 06/11] netfilter: xt_HL: add pr_fmt and checkentry validation Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 07/11] netfilter: xt_socket: enable defrag after all other checks Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 08/11] netfilter: conntrack: remove UDP-Lite conntrack support Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 09/11] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 10/11] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 11/11] netfilter: require Ethernet MAC header before using eth_hdr() Florian Westphal
2026-04-12 16:40 ` [PATCH net-next 00/11] netfilter: updates for net-next Jakub Kicinski
2026-04-12 16:54 ` Florian Westphal [this message]
2026-04-12 17:17 ` Florian Westphal
2026-04-12 18:58 ` Pablo Neira Ayuso
2026-04-12 17:53 ` Jakub Kicinski
2026-04-12 18:07 ` Julian Anastasov
-- strict thread matches above, loose matches on Subject: below --
2026-02-05 11:08 Florian Westphal
2026-02-06 12:41 ` Florian Westphal
2024-11-06 23:46 [PATCH net-next 00/11] Netfilter " Pablo Neira Ayuso
2024-11-07 0:19 ` Jakub Kicinski
2024-11-07 7:08 ` Florian Westphal
2024-11-07 20:48 ` Jakub Kicinski
2024-11-07 21:07 ` Florian Westphal
2024-11-07 21:09 ` Eric Dumazet
2022-05-19 22:01 Pablo Neira Ayuso
2022-04-11 10:27 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=advOUl92VLlqaiCJ@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox