[{"id":3677599,"web_url":"http://patchwork.ozlabs.org/comment/3677599/","msgid":"<ad9z8Bv9-BvL-cPd@strlen.de>","list_archive_url":null,"date":"2026-04-15T11:18:08","subject":"Re: [PATCH nf] netfilter: xtables: restrict several matches to ipv4\n and ipv6","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c\n> index 6df485f4403d..130ebe5d1c43 100644\n> --- a/net/netfilter/xt_realm.c\n> +++ b/net/netfilter/xt_realm.c\n> 
@@ -27,24 +27,35 @@ realm_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>  \treturn (info->id == (dst->tclassid & info->mask)) ^ info->invert;\n>  }\n>  \n> -static struct xt_match realm_mt_reg __read_mostly = {\n> -\t.name\t\t= \"realm\",\n> -\t.match\t\t= realm_mt,\n> -\t.matchsize\t= sizeof(struct xt_realm_info),\n> -\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> -\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> -\t.family\t\t= NFPROTO_UNSPEC,\n> -\t.me\t\t= THIS_MODULE\n> +static struct xt_match realm_mt_reg[] __read_mostly = {\n> +\t{\n> +\t\t.name\t\t= \"realm\",\n> +\t\t.match\t\t= realm_mt,\n> +\t\t.matchsize\t= sizeof(struct xt_realm_info),\n> +\t\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> +\t\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> +\t\t.family\t\t= NFPROTO_IPV4,\n> +\t\t.me\t\t= THIS_MODULE\n> +\t},\n> +\t{\n> +\t\t.name\t\t= \"realm\",\n> +\t\t.match\t\t= realm_mt,\n> +\t\t.matchsize\t= sizeof(struct xt_realm_info),\n> +\t\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> +\t\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> +\t\t.family\t\t= NFPROTO_IPV6,\n> +\t\t.me\t\t= THIS_MODULE\n> +\t}\n>  };\n\nIs this for possible users of ip6tables ... -t realm?\nAFAICS dst->tclassid is never populated for ipv6, so while it's possible\nto use it from ip6tables I don't think it can match.\n\nI don't object to this change of course.  
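Review bot: The NFPROTO_IPV6 element of realm_mt_reg[] is a verbatim copy of the IPv4 one apart from .family and, as pointed out just above, cannot match because dst->tclassid is only filled in for IPv4 routes; register a single NFPROTO_IPV4 match rather than the two-element array, and if the array form goes away, the xt_register_matches()/xt_unregister_matches() calls with ARRAY_SIZE(realm_mt_reg) that it requires (they fall in the untrimmed part of this 24-to-35-line hunk, not in the quoted lines) revert to the single-match variants as well. The commit message should also state why .family moves off NFPROTO_UNSPEC: an unspecified-family match can be selected from any family's table, while realm_mt dereferences dst->tclassid unconditionally in the context line kept at the top of this hunk, so pinning the family is what keeps the match to tables where that dst state is meaningful.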
I just wonder why this was\never changed from ipt_realm to xt in the first place.\n\nIt was done as part of 2e4e6a17af35 (\"[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables\").","headers":{"Return-Path":"\n <netfilter-devel+bounces-11915-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11915-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwdzn4jjcz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:23:01 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 3E5B6302F3A9\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:18:20 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 658F2364032;\n\tWed, 15 Apr 2026 11:18:19 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id F16DC3431F5\n\tfor 
<netfilter-devel@vger.kernel.org>; Wed, 15 Apr 2026 11:18:16 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 4370760301; Wed, 15 Apr 2026 13:18:09 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776251899; cv=none;\n b=o95xE0JIbTLZMMJftAiWvX8c3CksqA3bEANNY1nJarFyyELlAsr1GRJqW1TrivBVw3PtMTP+Mj4F2dMs7pILlD8Wb4pl+DgidAB4IRXQAXrMprR+T8nhXb+ctgK31yT/wXthgQc6D2Lu0ZUNDlkCek2JlFZNcLH/S7RltlRRD+g=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776251899; c=relaxed/simple;\n\tbh=P+Jw8/E+tS9DngxbFW2iGbGLNvi6zHb2/8k+y+rVxuk=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=dWlh2zV+ajF0f0Iwy5BON9JNn+qdNjKl+WdkcitpAhWDRvhFWwFmyfvMwF/f/RTZCu0Tqt25cy50sB/ahapt8R10ib+E4LTinmPvlMKMoNvdrPPno1rRa3zOjVSBpwCnlFTPEpcerjEZVfou1Z2aWMapBCInCT+GyrefXD4/dX0=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Wed, 15 Apr 2026 13:18:08 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: xtables: restrict several matches to ipv4\n and ipv6","Message-ID":"<ad9z8Bv9-BvL-cPd@strlen.de>","References":"<20260415104707.55946-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; 
charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260415104707.55946-1-pablo@netfilter.org>"}},{"id":3677601,"web_url":"http://patchwork.ozlabs.org/comment/3677601/","msgid":"<ad90bW_55v9hU-x5@chamomile>","list_archive_url":null,"date":"2026-04-15T11:20:13","subject":"Re: [PATCH nf] netfilter: xtables: restrict several matches to ipv4\n and ipv6","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Apr 15, 2026 at 01:18:08PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c\n> > index 6df485f4403d..130ebe5d1c43 100644\n> > --- a/net/netfilter/xt_realm.c\n> > +++ b/net/netfilter/xt_realm.c\n> 
> @@ -27,24 +27,35 @@ realm_mt(const struct sk_buff *skb, struct xt_action_param *par)\n> >  \treturn (info->id == (dst->tclassid & info->mask)) ^ info->invert;\n> >  }\n> >  \n> > -static struct xt_match realm_mt_reg __read_mostly = {\n> > -\t.name\t\t= \"realm\",\n> > -\t.match\t\t= realm_mt,\n> > -\t.matchsize\t= sizeof(struct xt_realm_info),\n> > -\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> > -\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> > -\t.family\t\t= NFPROTO_UNSPEC,\n> > -\t.me\t\t= THIS_MODULE\n> > +static struct xt_match realm_mt_reg[] __read_mostly = {\n> > +\t{\n> > +\t\t.name\t\t= \"realm\",\n> > +\t\t.match\t\t= realm_mt,\n> > +\t\t.matchsize\t= sizeof(struct xt_realm_info),\n> > +\t\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> > +\t\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> > +\t\t.family\t\t= NFPROTO_IPV4,\n> > +\t\t.me\t\t= THIS_MODULE\n> > +\t},\n> > +\t{\n> > +\t\t.name\t\t= \"realm\",\n> > +\t\t.match\t\t= realm_mt,\n> > +\t\t.matchsize\t= sizeof(struct xt_realm_info),\n> > +\t\t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n> > +\t\t\t\t  (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n> > +\t\t.family\t\t= NFPROTO_IPV6,\n> > +\t\t.me\t\t= THIS_MODULE\n> > +\t}\n> >  };\n> \n> Is this for possible users of ip6tables ... -t realm?\n> AFAICS dst->tclassid is never populated for ipv6, so while it's possible\n> to use it from ip6tables I don't think it can match.\n> \n> I don't object to this change of course.  
I just wonder why this was\n> ever changed from ipt_realm to xt in the first place.\n\nPatch description is quite terse...\n\nI can just restrict realm to IPv4 only, sending v2.\n\n> It was done as part of 2e4e6a17af35 (\"[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables\").","headers":{"Return-Path":"\n <netfilter-devel+bounces-11916-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=oxXD90Tt;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11916-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"oxXD90Tt\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwf2y1l5rz1yHM\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:25:46 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id E9411306E5FA\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:20:20 +0000 (UTC)","from 
localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id EA5F5364032;\n\tWed, 15 Apr 2026 11:20:19 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 26A64244694\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 15 Apr 2026 11:20:17 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 5357C6017D;\n\tWed, 15 Apr 2026 13:20:16 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776252019; cv=none;\n b=EyTNfaLaA0TrmJes4dXmDiSzS6/dsioStQpLea0Rq1p0hmCD/5FuanDW1Q0WaxE1G5L6JK3h/IpOmGPnCIZ61fcHTq9B30uxMxeBjCtIv6Su+jpy4G0tacj1+XhfYKqktANQGgj2ZVvjSNRBZj0YdxUCjdSarXo1DSY9ynqJ1YA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776252019; c=relaxed/simple;\n\tbh=66U9xelc7BvW75jK12YiPdcvEcVywVteNOldO8jSmpc=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=u/2C2891peGKJLtryLjXPeKsRxCl4AZKIrcweD0crjjG9BsdcWVz40ZdTFRxptueZw1kPA1Q0bYPMGXELKA6Kcp+B/ESTf6hw8MOyxDn7/OFTBGws6phxGHtTQnwmeL9l2jctwCbbSQgw2mhLgigiKR8MsE0dW3TsBjIIs7tIAI=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=oxXD90Tt; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776252016;\n\tbh=EC2PmFpE70GJVSm6/W6erBhz5GPQ+lseUqVQEi6EQ1s=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=oxXD90TtdEaB14XH9ZT2VPORaBsWOHN2mU29hEo442sxiPWYRLslNxnAs03JS0dDs\n\t 
0ExcyxoeiTwNphh6/UGrzK2+NLuz4z3mMsAzsBxqYNeGV7+RsqEC1J2TGNLOE6xGpm\n\t KJRVjju0fpi7kn3HMCZWU+Fa6qYoB0s7f12xXX+BUWl9TNnQ5P2pM4VSAzBfDWrPNL\n\t MIcvgTnh4PR/mFUL7Gcb4JEP1S8qe57w+HlLIf5mJr6nysu6zZwC2Tu4Rvy6G8OK8U\n\t xn68g4QDNvBkje6MJtQjETHv5MHRU1d5UNTpWbZYmVVf65hSb3xGaXPYHRcFFfO2W5\n\t DTV0kNNWSu78A==","Date":"Wed, 15 Apr 2026 13:20:13 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: xtables: restrict several matches to ipv4\n and ipv6","Message-ID":"<ad90bW_55v9hU-x5@chamomile>","References":"<20260415104707.55946-1-pablo@netfilter.org>\n <ad9z8Bv9-BvL-cPd@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<ad9z8Bv9-BvL-cPd@strlen.de>"}}]