[{"id":3678718,"web_url":"http://patchwork.ozlabs.org/comment/3678718/","msgid":"<aeIsSl26ZZJZ1n7U@strlen.de>","list_archive_url":null,"date":"2026-04-17T12:49:14","subject":"Re: [PATCH nf 1/1] netfilter: xt_policy: fix strict mode inbound\n policy matching","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Ren Wei <n05ec@lzu.edu.cn> wrote:\n> From: Jiexun Wang <wangjiexun2025@gmail.com>\n> \n> match_policy_in() walks sec_path entries from the last transform to the\n> first one, but strict policy matching needs to consume info->pol[] in\n> the same forward order as the rule layout.\n> \n> Derive the strict-match policy position from the number of transforms\n> already consumed so that multi-element inbound rules are matched\n> consistently.\n\nThat hints that secpaths with len > 1 do not exist, or at least\nhave never been used.  This has always been broken.\n\nFor the patch\n\nAcked-by: Florian Westphal <fw@strlen.de>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12000-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12000-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxvvL5mCfz1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 22:53:34 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2793F30821F9\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 12:49:20 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 82D9038A72D;\n\tFri, 17 Apr 2026 12:49:19 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4823A2D5923\n\tfor <netfilter-devel@vger.kernel.org>; Fri, 17 Apr 2026 12:49:17 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid EC18460640; Fri, 17 Apr 2026 14:49:14 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776430159; cv=none;\n b=QTixVA1dN30/G6yiAe2WjAKPy6ETxDFSa6VWHFLTSDYaqmezMrA5NdqEb/jicnKIP933ML+CIP56sRXJS2iYvuowKThMnBSs6zOligNaNHmmTif7DyE1L4UFWjhLeqI6mC1Y8pKdx5r3tCqvLIJ9xjCw0E+boeXqckZeSjGOg78=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776430159; c=relaxed/simple;\n\tbh=rNgEHZbFc3zKt0mvwzF6iqtexFRd5porjihrs2W26Xg=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=U62ryGLgQ4x6Uhg52Y0qJyZOOzn2hzDS7pYpdL3DBbxiMps1wWAn7d2V6DbQ5h9YuI0Wfl9Bxau5mAs9l9xRE/xCsw/SzfDljKqxve/g+hDMQQ9g4vcD0ySp5c7Zu6RnzilX1kPVwpEfXzwyDnydpqv/nCkUhk0RNTkwiHJb9AQ=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Fri, 17 Apr 2026 14:49:14 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Ren Wei <n05ec@lzu.edu.cn>","Cc":"netfilter-devel@vger.kernel.org, pablo@netfilter.org, phil@nwl.cc,\n\tdavem@davemloft.net, edumazet@google.com, kuba@kernel.org,\n\tpabeni@redhat.com, horms@kernel.org, ebiederm@xmission.com,\n\tyuantan098@gmail.com, yifanwucs@gmail.com, tomapufckgml@gmail.com,\n\tbird@lzu.edu.cn, wangjiexun2025@gmail.com","Subject":"Re: [PATCH nf 1/1] netfilter: xt_policy: fix strict mode inbound\n policy matching","Message-ID":"<aeIsSl26ZZJZ1n7U@strlen.de>","References":"<cover.1776141503.git.wangjiexun2025@gmail.com>\n <85a95e0ef783ed8f5f4a787138cca22f995d8056.1776141503.git.wangjiexun2025@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"\n <85a95e0ef783ed8f5f4a787138cca22f995d8056.1776141503.git.wangjiexun2025@gmail.com>"}}]