[{"id":3677137,"web_url":"http://patchwork.ozlabs.org/comment/3677137/","msgid":"","list_archive_url":null,"date":"2026-04-14T11:15:49","subject":"Re: [PATCH nf] netfilter: nft_osf: restrict it to ipv6","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso wrote:\n> This expression only supports for ipv4, restrict it.\n\n:-O\n\nAcked-by: Florian Westphal ","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11871-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw1vq02cqz1yDF\n\tfor ; Tue, 14 Apr 2026 21:17:26 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id C352F305E1CC\n\tfor ; Tue, 14 Apr 2026 11:15:53 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A3362392822;\n\tTue, 14 Apr 2026 11:15:52 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E8691DF74F\n\tfor ; Tue, 14 Apr 2026 11:15:50 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 6F8A0608DB; Tue, 14 Apr 2026 13:15:49 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776165352; cv=none;\n b=PPuD4OR15wpyYvz2vxOjO+YXKPNUg7uGNgXrJV00HfQCplg0D4Rr/UuVbDbI3pUMWuH7W2fDib0q2MX1EplLb28meCQJ2MVsbASjWZ3yPD+GVWNtgZedvhErKViN9s8nAPkZcd8LHmR497X+Ap304tGS6XzbCI2asuTIJQSQ/8w=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776165352; c=relaxed/simple;\n\tbh=iejtWqcEb1k1k8JZ3cHC8k9PKvgp2qA+M8F6SvGFQ9E=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=HTqBnBDBN2tuwN0YKeGIK9g7IY+3YuwjDm9upuEqf/bVfQZ7GGgiqza3OorsmihPWydrC/dBR9b3LIlWAcH77ThIDi0Pfrum3SbaaZAZ6TCn4Yaqnb9LO1FMEJ5jrs7RQ+i3NuuTxpMTOUrFymCDNF/N/G+malW56htwBOM8jQ8=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Tue, 14 Apr 2026 13:15:49 +0200","From":"Florian Westphal ","To":"Pablo Neira Ayuso ","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_osf: restrict it to ipv6","Message-ID":"","References":"<20260414110811.6178-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260414110811.6178-1-pablo@netfilter.org>"}},{"id":3677154,"web_url":"http://patchwork.ozlabs.org/comment/3677154/","msgid":"<981ce550-bc53-4724-85f2-fd66d364433c@suse.de>","list_archive_url":null,"date":"2026-04-14T11:53:14","subject":"Re: [PATCH nf] netfilter: nft_osf: restrict it to ipv6","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/14/26 1:08 PM, Pablo Neira Ayuso wrote:\n> This expression only supports for ipv4, restrict it.\n> \n> Fixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\n> Signed-off-by: Pablo Neira Ayuso \n> ---\n> net/netfilter/nft_osf.c | 6 +++++-\n> 1 file changed, 5 insertions(+), 1 deletion(-)\n> \n> diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c\n> index 1c0b493ef0a9..bdc2f6c90e2f 100644\n> --- a/net/netfilter/nft_osf.c\n> +++ b/net/netfilter/nft_osf.c\n> @@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n> \tstruct nf_osf_data data;\n> \tstruct tcphdr _tcph;\n> \n> +\tif (nft_pf(pkt) != NFPROTO_IPV4) {\n> +\t\tregs->verdict.code = NFT_BREAK;\n> +\t\treturn;\n> +\t}\n> +\n> \tif (pkt->tprot != IPPROTO_TCP) {\n> \t\tregs->verdict.code = NFT_BREAK;\n> \t\treturn;\n> @@ -114,7 +119,6 @@ static int nft_osf_validate(const struct nft_ctx *ctx,\n> \n> \tswitch (ctx->family) {\n> \tcase NFPROTO_IPV4:\n> -\tcase NFPROTO_IPV6:\n> \tcase NFPROTO_INET:\n> \t\thooks = (1 << NF_INET_LOCAL_IN) |\n> \t\t\t(1 << NF_INET_PRE_ROUTING) |\n\nReviewed-by: Fernando Fernandez Mancera \n\nI have the feeling I should re-review everything I did 7 years ago :-)\n\nThanks!","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=fPIQPrbk;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=2cM47wTt;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=fPIQPrbk;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=2cM47wTt;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=104.64.211.4; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11876-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"fPIQPrbk\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"2cM47wTt\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"fPIQPrbk\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"2cM47wTt\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out1.suse.de;\n\tdkim=pass header.d=suse.de header.s=susede2_rsa header.b=fPIQPrbk;\n\tdkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=2cM47wTt"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org [104.64.211.4])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw2jJ4Lnyz1y2d\n\tfor ; Tue, 14 Apr 2026 21:53:24 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 694683014F7A\n\tfor ; Tue, 14 Apr 2026 11:53:21 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 19D093E0C7C;\n\tTue, 14 Apr 2026 11:53:19 +0000 (UTC)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6FE0B3D9DB0\n\tfor ; Tue, 14 Apr 2026 11:53:17 +0000 (UTC)","from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id 6DA9C6A8C1;\n\tTue, 14 Apr 2026 11:53:15 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 43C084B41F;\n\tTue, 14 Apr 2026 11:53:15 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid pkl+Dasq3ml6XwAAD6G6ig\n\t(envelope-from ); Tue, 14 Apr 2026 11:53:15 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776167598; cv=none;\n b=A843vvqzv2Xq0vwHyJqazhyHq8y1B/42ZFcOGH7Z0ZpNkD5+mKLqLHFmhDxO5YqWWRhUS5CgPS/OSkBCAzca4phZuX4rGVITlQ2VOI9KHUxb9bllsoT3rf9oqd7+tm+qqZgzGH//O0qCSsKlJ7g6Ls2hkWprU+BbszvUXK3vRhE=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776167598; c=relaxed/simple;\n\tbh=Ejrfq3VFhT/J0R+ccrI8LeQQfxTuDuK0frfKpDYB8Yg=;\n\th=Message-ID:Date:MIME-Version:Subject:To:References:From:\n\t In-Reply-To:Content-Type;\n b=bKYp1UymjvYnt9uSYHmdH1nfggYKMwYC3y8Lx+nzzrgb9u+GtPgYEMUqCugj0stT3ZqGMOBcOPLuUls1erT8jl2qxleD4kx7mNKUIQaJd3dfnq2l7W3Co4GJP+OZSebcZXbobK0AtK16t3Ywbe2gBUDAVKN69WkdwvpxL6UmfCo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=fPIQPrbk;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=2cM47wTt;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=fPIQPrbk;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=2cM47wTt; arc=none smtp.client-ip=195.135.223.130","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776167595; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=4FsOkb+P87jMNviLVfjRBTOBnNows2LTl7VpPyWDw18=;\n\tb=fPIQPrbkmEfj9/lFI6dtzTGVLQcrypXnRA30AHeRK+ukMA5Qjm6fjBt9Re9zYGJw63oC+V\n\tHEx3k3tB3r0twhkD89XWZyOnkO4oWsuCtDGX5aC6NwUOGQ0CINwUm9vfayZzolfXyMghcP\n\tWPQ+wjQ31+ixg7CHl1/NaY0AP2yhF94=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776167595;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=4FsOkb+P87jMNviLVfjRBTOBnNows2LTl7VpPyWDw18=;\n\tb=2cM47wTtB1Sw9/S4JFK4RIJORHg7I15oaLTFPsSQkILozewe16LKgdppS4u6uefxYzYzeC\n\thIFNorxs6zd09ACQ==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776167595; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=4FsOkb+P87jMNviLVfjRBTOBnNows2LTl7VpPyWDw18=;\n\tb=fPIQPrbkmEfj9/lFI6dtzTGVLQcrypXnRA30AHeRK+ukMA5Qjm6fjBt9Re9zYGJw63oC+V\n\tHEx3k3tB3r0twhkD89XWZyOnkO4oWsuCtDGX5aC6NwUOGQ0CINwUm9vfayZzolfXyMghcP\n\tWPQ+wjQ31+ixg7CHl1/NaY0AP2yhF94=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776167595;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=4FsOkb+P87jMNviLVfjRBTOBnNows2LTl7VpPyWDw18=;\n\tb=2cM47wTtB1Sw9/S4JFK4RIJORHg7I15oaLTFPsSQkILozewe16LKgdppS4u6uefxYzYzeC\n\thIFNorxs6zd09ACQ=="],"Message-ID":"<981ce550-bc53-4724-85f2-fd66d364433c@suse.de>","Date":"Tue, 14 Apr 2026 13:53:14 +0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH nf] netfilter: nft_osf: restrict it to ipv6","To":"Pablo Neira Ayuso , netfilter-devel@vger.kernel.org","References":"<20260414110811.6178-1-pablo@netfilter.org>","Content-Language":"en-US","From":"Fernando Fernandez Mancera ","In-Reply-To":"<20260414110811.6178-1-pablo@netfilter.org>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Rspamd-Action":"no action","X-Rspamd-Server":"rspamd2.dmz-prg2.suse.org","X-Spamd-Result":"default: False [-4.51 / 50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tR_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tMX_GOOD(-0.01)[];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tARC_NA(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tTO_DN_SOME(0.00)[];\n\tMID_RHS_MATCH_FROM(0.00)[];\n\tRCVD_TLS_ALL(0.00)[];\n\tSPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tRCPT_COUNT_TWO(0.00)[2];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,netfilter.org:email,suse.de:dkim,suse.de:mid,suse.de:email];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tDKIM_TRACE(0.00)[suse.de:+]","X-Rspamd-Queue-Id":"6DA9C6A8C1","X-Spam-Flag":"NO","X-Spam-Score":"-4.51","X-Spam-Level":""}}]