[{"id":3678952,"web_url":"http://patchwork.ozlabs.org/comment/3678952/","msgid":"<aeM3gmXM43beA3ot@chamomile>","list_archive_url":null,"date":"2026-04-18T07:49:22","subject":"Re: [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation\n for non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Fernando,\n\nOn Fri, Apr 17, 2026 at 08:34:30PM +0200, Fernando Fernandez Mancera wrote:\n> The SCTP chunk matching logic in nft_exthdr relies on SCTP common header\n> being present at the transport header offset. For fragmented packets at\n> IP level, only the first fragment would match this condition.\n> \n> The nft_exthdr could be used in a PREROUTING chain with a priority lower\n> than -400. This would bypass defragmentation. In addition, it can be used\n> in stateless environments so it should work on an environment where\n> defragmentation is not being performed at all.\n\nYes, and stateless filtering is still a valid configuration, ie.\nnf_conntrack is not loaded.\n\n> Add a check for pkt->fragoff to ensure exthdr SCTP only evaluates\n> unfragmented packets or the first fragment in the stream.\n\nI would suggest to squash the three small patches to check for\npkt->fragoff in one patch. The three expressions have been already\naround for a while (backporting the combo patch that makes the same\nlogical change should be easy) and it is basically the same logical\nchange.\n\nThanks!\n\n> Fixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\n> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n> ---\n>  net/netfilter/nft_exthdr.c | 2 +-\n>  1 file changed, 1 insertion(+), 1 deletion(-)\n> \n> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\n> index 7eedf4e3ae9c..8eb708bb8cff 100644\n> --- a/net/netfilter/nft_exthdr.c\n> +++ b/net/netfilter/nft_exthdr.c\n> 
@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n>  \tconst struct sctp_chunkhdr *sch;\n>  \tstruct sctp_chunkhdr _sch;\n>  \n> -\tif (pkt->tprot != IPPROTO_SCTP)\n> +\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n>  \t\tgoto err;\n>  \n>  \tdo {\n> -- \n> 2.53.0\n>","headers":{"Date":"Sat, 18 Apr 2026 09:49:22 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,\n\tcoreteam@netfilter.org, fw@strlen.de, phil@nwl.cc","Subject":"Re: [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation\n for non-first fragments","Message-ID":"<aeM3gmXM43beA3ot@chamomile>","References":"<20260417183433.4739-1-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260417183433.4739-1-fmancera@suse.de>"}},{"id":3678958,"web_url":"http://patchwork.ozlabs.org/comment/3678958/","msgid":"<5e162147-d182-4119-82bd-b56f0e76a44e@suse.de>","list_archive_url":null,"date":"2026-04-18T09:51:44","subject":"Re: [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation\n for non-first fragments","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/18/26 9:49 AM, Pablo Neira Ayuso wrote:\n> Hi Fernando,\n> \n> On Fri, Apr 17, 2026 at 08:34:30PM +0200, Fernando Fernandez Mancera wrote:\n>> The SCTP chunk matching 
logic in nft_exthdr relies on SCTP common header\n>> being present at the transport header offset. For fragmented packets at\n>> IP level, only the first fragment would match this condition.\n>>\n>> The nft_exthdr could be used in a PREROUTING chain with a priority lower\n>> than -400. This would bypass defragmentation. In addition, it can be used\n>> in stateless environments so it should work on an environment where\n>> defragmentation is not being performed at all.\n> \n> Yes, and stateless filtering is still a valid configuration, ie.\n> nf_conntrack is not loaded.\n> \n>> Add a check for pkt->fragoff to ensure exthdr SCTP only evaluates\n>> unfragmented packets or the first fragment in the stream.\n> \n> I would suggest to squash the three small patches to check for\n> pkt->fragoff in one patch. The three expressions have been already\n> around for a while (backporting the combo patch that makes the same\n> logical change should be easy) and it is basically the same logical\n> change.\n> \n\nHi Pablo,\n\nThanks for the review! I am not sure about squashing them as they all \nhave different blamed commits. I find accurate fixes tags quite useful \nwhen handling backports and I guess others do too (also for stable \nkernels). Is that convincing?\n\nAnyway, not a big deal; if there is a strong preference I will squash them.\n\nThanks,\nFernando.\n\n> Thanks!\n> \n>> Fixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\n>> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n>> ---\n>>   net/netfilter/nft_exthdr.c | 2 +-\n>>   1 file changed, 1 insertion(+), 1 deletion(-)\n>>\n>> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\n>> index 7eedf4e3ae9c..8eb708bb8cff 100644\n>> --- a/net/netfilter/nft_exthdr.c\n>> +++ b/net/netfilter/nft_exthdr.c\n>> 
@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n>>   \tconst struct sctp_chunkhdr *sch;\n>>   \tstruct sctp_chunkhdr _sch;\n>>   \n>> -\tif (pkt->tprot != IPPROTO_SCTP)\n>> +\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n>>   \t\tgoto err;\n>>   \n>>   \tdo {\n>> -- \n>> 2.53.0\n>>","headers":{"Message-ID":"<5e162147-d182-4119-82bd-b56f0e76a44e@suse.de>","Date":"Sat, 18 Apr 2026 11:51:44 +0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation\n for non-first fragments","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,\n coreteam@netfilter.org, fw@strlen.de, phil@nwl.cc","References":"<20260417183433.4739-1-fmancera@suse.de>\n <aeM3gmXM43beA3ot@chamomile>","Content-Language":"en-US","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<aeM3gmXM43beA3ot@chamomile>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit"}}]
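Review bot: the `|| pkt->fragoff` test added to the first `if` in nft_exthdr_sctp_eval() sends every non-first fragment to `err`, but nothing at that line says why or what a rule author should expect from it. The reason (the SCTP common header sits at the transport header offset only in the first fragment) is recorded only in the commit message, so a one-line comment above the check would keep it next to the code. The `err` label is outside the hunk; it is worth confirming that the result set there is the one a chunk match should produce for later fragments in the stateless setups the commit message describes, and stating in the expression's documentation that non-first fragments are never evaluated so rulesets handle them with an explicit fragment rule.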