Message-ID: <5f6c264c75f3ffe6c2cbcab2d174ad2c4c4c0bd6.camel@sipsolutions.net>
Subject: Re: [PATCH net-next v2 3/3] netlink: add validation of NLA_F_NESTED flag
From: Johannes Berg
To: Stephen Hemminger, Michal Kubecek
Cc: "David S. Miller", netdev@vger.kernel.org, David Ahern, linux-kernel@vger.kernel.org
Date: Tue, 23 Jul 2019 20:17:47 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2019-07-23 at 11:02 -0700, Stephen Hemminger wrote:
>
> There are some cases where netlink related to IPv4 does not send nested
> flag. You risk breaking older iproute2 and other tools being used on newer
> kernel. I.e. this patch may break binary compatibility. Have you tried running
> with this on a very old distro (like Redhat Linux 9)?

There are *tons* of places where this (and other things) wasn't done
right, but the validation is only added for

 * all attributes on _new operations_ (that old userspace couldn't have
   been using since they're introduced after this patch)
 * _new attributes_ (ditto, if the policy 'strict start' is filled)

johannes
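
The gating described in the reply above, as an added example that is not part of the original message or of the kernel patch: a simplified user-space C model in which the NLA_F_NESTED check runs only for new operations or for attribute types at or above the policy's strict start. The names check_nested_flag, struct attr_policy and demo_policy, and the attribute numbers, are made up for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NLA_F_NESTED  (1 << 15)   /* flag bit carried in nla_type */
#define NLA_TYPE_MASK 0x3fff      /* low 14 bits hold the attribute type */

/* Hypothetical, reduced policy: only what the flag check needs. */
enum attr_kind { KIND_UNSPEC, KIND_U32, KIND_NESTED };
struct attr_policy { enum attr_kind kind; };

/* Constructed sample: attributes 1 and 2 predate the check, 3 is new. */
static const struct attr_policy demo_policy[] = {
    [1] = { KIND_U32 }, [2] = { KIND_NESTED }, [3] = { KIND_NESTED },
};
enum { DEMO_MAXTYPE = 3, DEMO_STRICT_START = 3 };

/* Returns 0 if accepted, -EINVAL if the nested flag contradicts the policy. */
int check_nested_flag(const struct attr_policy *pol, int maxtype,
                      int strict_start, int new_op, uint16_t nla_type)
{
    int type = nla_type & NLA_TYPE_MASK;
    int flagged = (nla_type & NLA_F_NESTED) != 0;

    if (type == 0 || type > maxtype)
        return 0;   /* unknown attribute types are not modelled here */
    /* Legacy attribute on a legacy operation: flag is not inspected. */
    if (!new_op && !(strict_start && type >= strict_start))
        return 0;
    if (pol[type].kind == KIND_NESTED && !flagged)
        return -EINVAL;   /* nested attribute sent without the flag */
    if (pol[type].kind != KIND_NESTED && pol[type].kind != KIND_UNSPEC && flagged)
        return -EINVAL;   /* flag set on a non-nested attribute */
    return 0;
}

int main(void)
{
    /* Old-style sender: nested attribute without NLA_F_NESTED. */
    printf("legacy op, attr 2, no flag: %d\n",
           check_nested_flag(demo_policy, DEMO_MAXTYPE, DEMO_STRICT_START, 0, 2));
    printf("legacy op, attr 3, no flag: %d\n",
           check_nested_flag(demo_policy, DEMO_MAXTYPE, DEMO_STRICT_START, 0, 3));
    printf("new op,    attr 2, no flag: %d\n",
           check_nested_flag(demo_policy, DEMO_MAXTYPE, DEMO_STRICT_START, 1, 2));
    return 0;
}
```

In this model an old sender that omits the flag on attribute 2 keeps working on the legacy operation, while the same omission is rejected for attribute 3 or on a new operation.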