Linux Netfilter development
* [PATCH nf 1/1] netfilter: xt_policy: fix strict mode inbound policy matching
       [not found] <cover.1776141503.git.wangjiexun2025@gmail.com>
@ 2026-04-17 12:25 ` Ren Wei
  2026-04-17 12:49   ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-04-17 12:25 UTC (permalink / raw)
  To: netfilter-devel
  Cc: pablo, fw, phil, davem, edumazet, kuba, pabeni, horms, ebiederm,
	yuantan098, yifanwucs, tomapufckgml, bird, wangjiexun2025, n05ec

From: Jiexun Wang <wangjiexun2025@gmail.com>

match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.

Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.

Fixes: df008c91f835 ("net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/netfilter/xt_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index cb6e8279010a..b5fa65558318 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -63,7 +63,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
 		return 0;
 
 	for (i = sp->len - 1; i >= 0; i--) {
-		pos = strict ? i - sp->len + 1 : 0;
+		pos = strict ? sp->len - i - 1 : 0;
 		if (pos >= info->len)
 			return 0;
 		e = &info->pol[pos];
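Review bot: the pre-patch expression `i - sp->len + 1` is 0 only on the first iteration (i == sp->len - 1) and negative for every earlier transform, so a strict rule checked against a sec_path with more than one transform indexed info->pol[] with a negative position, and the `pos >= info->len` guard, which only bounds the upper side, never rejected it; `sp->len - i - 1` yields 0, 1, ..., sp->len - 1 in the order the transforms are consumed, which is what the commit message asks for. Suggest a one-line comment above the loop stating that sp->xvec[] is walked last-to-first while pol[] is consumed first-to-last, since the opposite directions of the two indices are exactly what hid this bug.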
-- 
2.34.1


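Added example, not code from the kernel or from this patch: a user-space model of the strict-mode loop that contrasts the pre-patch and post-patch position derivations over a constructed sec_path, and runs the corrected matching logic against a two-transform rule in both orders. The struct types, the `*_model` names, and the surrounding control flow of match_policy_in() (the strict length check, the per-transform comparison, the return values) are simplified assumptions modeled on the kernel function, not the page's own code; transforms are identified by protocol and SPI only.

```c
/*
 * Added example (not from the kernel or the patch): models the xt_policy
 * strict-mode index derivation before and after the fix, with simplified
 * stand-ins for struct sec_path / struct xt_policy_info.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 6        /* assumed cap, stands in for XFRM_MAX_DEPTH */
#define POLICY_MAX_ELEM 4  /* assumed cap, stands in for XT_POLICY_MAX_ELEM */

/* Constructed, simplified stand-ins: a transform is protocol + SPI only. */
struct xfrm_state_model  { int proto; unsigned int spi; };
struct policy_elem_model { int proto; unsigned int spi; };

struct sec_path_model {
    int len;                                  /* number of transforms */
    struct xfrm_state_model xvec[MAX_DEPTH];  /* xvec[0] outermost */
};

struct policy_info_model {
    struct policy_elem_model pol[POLICY_MAX_ELEM]; /* rule order */
    int len;                                      /* elements in pol[] */
    int strict;                                   /* XT_POLICY_MATCH_STRICT */
};

static int match_xfrm_state_model(const struct xfrm_state_model *x,
                                  const struct policy_elem_model *e)
{
    return x->proto == e->proto && x->spi == e->spi;
}

/* Strict-mode pol[] index for loop position i of a sec_path of length len. */
int strict_pos_before(int len, int i) { return i - len + 1; } /* pre-patch  */
int strict_pos_after(int len, int i)  { return len - i - 1; } /* post-patch */

/* True when every position the derivation produces is a valid pol[] index
 * (strict mode assumes info->len == sp->len, so len bounds both arrays). */
bool positions_in_bounds(int (*derive)(int, int), int len)
{
    for (int i = len - 1; i >= 0; i--) {
        int pos = derive(len, i);
        if (pos < 0 || pos >= len)
            return false;
    }
    return true;
}

/* Model of match_policy_in() using the corrected derivation.
 * Returns 1 on match, 0 on mismatch, -1 when there is no sec_path. */
int match_policy_in_model(const struct sec_path_model *sp,
                          const struct policy_info_model *info)
{
    int i, pos;

    if (sp == NULL)
        return -1;
    if (info->strict && info->len != sp->len)
        return 0;

    /* sec_path is walked from the last transform to the first, while pol[]
     * is consumed forward: pol[0] pairs with xvec[len - 1]. */
    for (i = sp->len - 1; i >= 0; i--) {
        pos = info->strict ? strict_pos_after(sp->len, i) : 0;
        if (pos >= info->len)
            return 0;
        if (match_xfrm_state_model(&sp->xvec[i], &info->pol[pos])) {
            if (!info->strict)
                return 1;
        } else if (info->strict) {
            return 0;
        }
    }
    return info->strict ? 1 : 0;
}

/* Constructed sample: outer ESP (proto 50) spi 0x100, inner AH (proto 51) spi 0x200. */
static void build_sample_secpath(struct sec_path_model *sp)
{
    memset(sp, 0, sizeof(*sp));
    sp->len = 2;
    sp->xvec[0] = (struct xfrm_state_model){ .proto = 50, .spi = 0x100 };
    sp->xvec[1] = (struct xfrm_state_model){ .proto = 51, .spi = 0x200 };
}

/* Rule written in consumption order: pol[0] is the inner (last) transform. */
int example_strict_match_rule_order(void)
{
    struct sec_path_model sp;
    struct policy_info_model info = { .len = 2, .strict = 1 };

    build_sample_secpath(&sp);
    info.pol[0] = (struct policy_elem_model){ .proto = 51, .spi = 0x200 };
    info.pol[1] = (struct policy_elem_model){ .proto = 50, .spi = 0x100 };
    return match_policy_in_model(&sp, &info);
}

/* Same elements in the opposite order: strict mode must reject this. */
int example_strict_match_wrong_order(void)
{
    struct sec_path_model sp;
    struct policy_info_model info = { .len = 2, .strict = 1 };

    build_sample_secpath(&sp);
    info.pol[0] = (struct policy_elem_model){ .proto = 50, .spi = 0x100 };
    info.pol[1] = (struct policy_elem_model){ .proto = 51, .spi = 0x200 };
    return match_policy_in_model(&sp, &info);
}

int main(void)
{
    for (int i = 2; i >= 0; i--)
        printf("len=3 i=%d  before=%d  after=%d\n", i,
               strict_pos_before(3, i), strict_pos_after(3, i));
    printf("rule order: %d, wrong order: %d\n",
           example_strict_match_rule_order(),
           example_strict_match_wrong_order());
    return 0;
}
```

Running the model with a three-transform sec_path shows the pre-patch derivation producing 0, -1, -2 while the post-patch one produces 0, 1, 2; a single-transform sec_path gives 0 under both, which is consistent with the reply's observation that the bug was never visible with len == 1.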

* Re: [PATCH nf 1/1] netfilter: xt_policy: fix strict mode inbound policy matching
  2026-04-17 12:25 ` [PATCH nf 1/1] netfilter: xt_policy: fix strict mode inbound policy matching Ren Wei
@ 2026-04-17 12:49   ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2026-04-17 12:49 UTC (permalink / raw)
  To: Ren Wei
  Cc: netfilter-devel, pablo, phil, davem, edumazet, kuba, pabeni,
	horms, ebiederm, yuantan098, yifanwucs, tomapufckgml, bird,
	wangjiexun2025

Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Jiexun Wang <wangjiexun2025@gmail.com>
> 
> match_policy_in() walks sec_path entries from the last transform to the
> first one, but strict policy matching needs to consume info->pol[] in
> the same forward order as the rule layout.
> 
> Derive the strict-match policy position from the number of transforms
> already consumed so that multi-element inbound rules are matched
> consistently.

That hints that secpaths with len > 1 do not exist, or at least
have never been used.  This has always been broken.

For the patch

Acked-by: Florian Westphal <fw@strlen.de>

