[{"id":3679508,"web_url":"http://patchwork.ozlabs.org/comment/3679508/","msgid":"<aeZoiqyPFP0NJkz9@strlen.de>","list_archive_url":null,"date":"2026-04-20T17:55:22","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> Several matches and one target check that the hook is correct from\n> checkentry(), however, the basechain is only available from\n> nft_table_validate().\n> \n> This patch calls checkentry() for matches and targets from the\n> nft_compat expression .validate path for the following matches/target:\n\nI worry that this is fragile.  Not all ->checkentry callbacks are pure.\nSome create /proc entries or bump reference counts.\n\n\n> +\t\tif (!strcmp(target->name, \"TCPMSS\")) {\n\nThis is missing \"SET\".","headers":{"Return-Path":"\n <netfilter-devel+bounces-12077-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12077-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 
4fztX41MmBz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 03:58:44 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 4ED08305AE3C\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 17:55:34 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 859033A3E68;\n\tMon, 20 Apr 2026 17:55:32 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 495AC37996B\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 17:55:30 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 49D53601F4; Mon, 20 Apr 2026 19:55:28 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776707732; cv=none;\n b=GVpk74wXhN8RX0HiLUs3vdfR+7GpKb6xtVeEiLnWgPNyRjTph8/JaanRQ7uGD5kCz/ySyvV6oiWqanXEtNekJXazLCr08vzflxxNN+lD3V8iAIjG3flDJ2k+lggzZLswPwDmhJgxxBPfYqxVIWzZ5p1VzyioVaHhDsPbH1Oa4jE=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776707732; c=relaxed/simple;\n\tbh=Ov4raWtZkR9mHDcUlzBI8qgAyMkPv6QtNwSU5x5r1QE=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=lK7AYpq59AwZX6A31/nUtUBQUn3vZTuGQhMMG/hnuBqh5G2f4UXMO2OfWFUxH9v1c2ObdfQDJr08QDk1od0YkiOBXvfhDrErlMy/Kyv2yRzWkwKajrAuBqxfzxoDgJSmvbvVpXvCF5hSgU2pa8K82t6FdBe53aLOCVPA3HuczKA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Mon, 20 Apr 2026 19:55:22 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso 
<pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZoiqyPFP0NJkz9@strlen.de>","References":"<20260420174227.13087-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260420174227.13087-1-pablo@netfilter.org>"}},{"id":3679509,"web_url":"http://patchwork.ozlabs.org/comment/3679509/","msgid":"<aeZpj9r368paudyZ@chamomile>","list_archive_url":null,"date":"2026-04-20T17:59:43","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 20, 2026 at 07:55:22PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > Several matches and one target check that the hook is correct from\n> > checkentry(), however, the basechain is only available from\n> > nft_table_validate().\n> > \n> > This patch calls checkentry() for matches and targets from the\n> > nft_compat expression .validate path for the following matches/target:\n> \n> I worry that this is fragile.  Not all ->checkentry callbacks are pure.\n> Some create /proc entries or bump reference counts.\n\nxt_set does bump the reference count. 
This calls xt.destroy to restore it.\nI am only calling them for the list of expressions you mentioned.\n\n> > +\t\tif (!strcmp(target->name, \"TCPMSS\")) {\n> \n> This is missing \"SET\".\n\nI can add this.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12078-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=HVd1+u0Q;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12078-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"HVd1+u0Q\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fztZf2GKhz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 04:00:58 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 4875B301FAA2\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 17:59:51 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org 
(Postfix) with ESMTP id 4AA453A7F41;\n\tMon, 20 Apr 2026 17:59:50 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 95B62336EC0\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 17:59:48 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id DE9E260251;\n\tMon, 20 Apr 2026 19:59:46 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776707989; cv=none;\n b=t4IGfLcdN3w4AkdOr2aDLZHduE9aJkf0uOJxzg6PYw5yN6ZJSvy/bbPqG6SvAK0s1m5taLsv58+5I/UK0OoB9dso+OgZyDyQjYG6brsy1rMlCRNQ/lZd8vbWwUH23LpNCFwbaxflfIGuw1XJhCqGosDpuZ4Depc4yZMsZoGTtlI=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776707989; c=relaxed/simple;\n\tbh=n+MoRSBLbQcDX5EnPfdSzCcHI594EAszfh1XJtzcbfk=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=tCOABgJtFkib7B4wxlJZ9Xm8eqEoc/89NAeTuxaD4q8xDDRcNeDmzaWr7DNIX5RCKKW+PZ8PRY9QVBQYBdTpW2BCA2/tUdvF02vt+aKuCl2YIGSARVFFi3XTIowdV9EQMla99whXFzu7oR4yr4AZOeH5MhoEDB4OXQzJh4cyXIc=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=HVd1+u0Q; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776707987;\n\tbh=b9r5tKZxpj2XvGdc3uUVQj5hcoi+n4W1An6UVwPgDnQ=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=HVd1+u0Qifkw5cWg3Db4SjCqg6vQngY6qYL3OtqXx/67a6nv6a6fNENDdlAqmIvIg\n\t QrqGNrE6CCpHFyokF12odpBOhKKhO6RqRIi8VgzqVDFRJ9Bm2Sby76+fsc3ekQUlt5\n\t 
3GX8EGj1k53P+r1RJpueuGMd69yFz3kQgIoI46XzLp3wTeTprWnbb31H+roN0h95s+\n\t zQtsjwdSQz6jLs56fNmlplNnbF7vzC/2l+NCaklwsCmHoq3cVNYQTaWK/aVSfh9FK5\n\t NQZ3SJx2DQ4317sfXWKCXbQAvn2vejQRTlvbeHZykjYMjOkugy7eToDthLy4Qs5lZg\n\t 8xlvJM/oACrlA==","Date":"Mon, 20 Apr 2026 19:59:43 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZpj9r368paudyZ@chamomile>","References":"<20260420174227.13087-1-pablo@netfilter.org>\n <aeZoiqyPFP0NJkz9@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aeZoiqyPFP0NJkz9@strlen.de>"}},{"id":3679524,"web_url":"http://patchwork.ozlabs.org/comment/3679524/","msgid":"<aeZunt0QSt2EdFdF@strlen.de>","list_archive_url":null,"date":"2026-04-20T18:21:18","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> On Mon, Apr 20, 2026 at 07:55:22PM +0200, Florian Westphal wrote:\n> > Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > > Several matches and one target check that the hook is correct from\n> > > checkentry(), however, the basechain is only available from\n> > > nft_table_validate().\n> > > \n> > > This patch calls checkentry() for matches and targets from the\n> > > nft_compat expression .validate path for the following matches/target:\n> > \n> > I worry that this is fragile.  
Not all ->checkentry callbacks are pure.\n> > Some create /proc entries or bump reference counts.\n> \n> xt_set does bump the reference count. This calls xt.destroy to restore it.\n> I am only calling them for the list of expressions you mentioned.\n\nI worry this will lead to trouble later, e.g. info->priv = kmalloc( ...)\n-> memory leak.\n\nBut OK, at least there is a test case in iptables.git for this.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12080-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12080-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzv2V3Y9pz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 04:21:38 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 92735301AB98\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:21:24 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6B2253ACF1E;\n\tMon, 20 Apr 2026 18:21:23 +0000 
(UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5483D3AB289\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 18:21:21 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 39EB560490; Mon, 20 Apr 2026 20:21:19 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776709283; cv=none;\n b=rOvqkq9stqK5Ezvkn3PLZvefc5WizUbyPctspUSUvWhXuDzT/KuDVn3WD/xSvgy39GyUBbIs52tIzvdzYgMViY3irRvLZ6zV4q9mNxzA77aTvVm4q1SJJ03fGXBGctlwvihyqg4avWGnX17Wvpe3OCA0EZ3dnwelYK8Zg3D3Bi0=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776709283; c=relaxed/simple;\n\tbh=xMYV6wYqLCqVFmQwUw/HfDr23EZJpVF/nfd8qhEY9Tk=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=GbMQHPWpZSejwRexOLyFPiwtBNvBZYr7RXPy2HMPtNkWL/fUqmhsckw0FxVuFYPhjrFezueW0vVPDd3FUEYVqNXy0KnF6tgCAC4KUZ9Roi9Y49GAw5xPHP7cuiHhLKCzF+SPoHhwJL9V8JnqOzqD26ZW5PVBkQycUVUU/bVLEAs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Mon, 20 Apr 2026 20:21:18 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZunt0QSt2EdFdF@strlen.de>","References":"<20260420174227.13087-1-pablo@netfilter.org>\n <aeZoiqyPFP0NJkz9@strlen.de>\n 
<aeZpj9r368paudyZ@chamomile>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<aeZpj9r368paudyZ@chamomile>"}},{"id":3679531,"web_url":"http://patchwork.ozlabs.org/comment/3679531/","msgid":"<aeZ0_GvXUnOJPSJ3@chamomile>","list_archive_url":null,"date":"2026-04-20T18:48:28","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 20, 2026 at 08:21:18PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > On Mon, Apr 20, 2026 at 07:55:22PM +0200, Florian Westphal wrote:\n> > > Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > > > Several matches and one target check that the hook is correct from\n> > > > checkentry(), however, the basechain is only available from\n> > > > nft_table_validate().\n> > > > \n> > > > This patch calls checkentry() for matches and targets from the\n> > > > nft_compat expression .validate path for the following matches/target:\n> > > \n> > > I worry that this is fragile.  Not all ->checkentry callbacks are pure.\n> > > Some create /proc entries or bump reference counts.\n> > \n> > xt_set does bump the reference count. This calls xt.destroy to restore it.\n> > I am only calling them for the list of expressions you mentioned.\n> \n> I worry this will lead to trouble later, e.g. 
info->priv = kmalloc( ...)\n> -> memory leak.\n\nIf someone needs to cover for more extensions, they will have to\nupdate the list of extensions covered by the strcmp() check on the\nextension name.\n\n> But OK, at least there is a test case in iptables.git for this.\n\nYes.\n\nYour approach duplicates .checkentry in some way, you have to make\nsure that your .validate and .checkentry perform the same check, i.e.\nthey are in sync.\n\nThe approach proposed in this patch is not universal, because\ncheckentry() is a place where many things happen as you suggested\n(/proc entries being registered, reference count being bumped,\nkmalloc...).\n\nIf this needs to be generalized further, maybe checkentry() needs to be\nextended to improve integration with nftables.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12081-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=m6+QHDW3;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12081-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"m6+QHDW3\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzvdk0Rhmz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 04:48:41 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 623A63019168\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:48:39 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id BD5063AEF59;\n\tMon, 20 Apr 2026 18:48:36 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 300063921DB\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 18:48:34 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id B28016026D;\n\tMon, 20 Apr 2026 20:48:31 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776710916; cv=none;\n b=OKV3LhBPssvYCSHp8aVBomisGm+o2mzDviOHYPi0oSFlA7zFz8dRZiFGflF2qX/1EL0ZLywoH6CMyF+6VChR5WQIlKmH2eBA3t1aW+5kFhowPK4mXrx39bC5mMpy7KlO0wEAZnJsADei2cYxwci9HUq+zvQ4aI4ADMBtcdqCSv4=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776710916; c=relaxed/simple;\n\tbh=ojzYu7rkiLvAJPgxuGTTUiEvcbG5Gey2uNO73L4Wf7M=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=ot4h/6r6IQKPegSOlrSapPLx/YgQSvBzVlcDC4YzOdibHp1UIqo+OYKtIqA33bz656FqUJd23WJvwBoQn3fwbwtAAlK8Q/WsMM2bCPdpwo4GxYeTNXU2geyVD1xGFW0gUQ1MIH1HA4Wy4xrzV0z3WysgXeJs+QyisdVV2d4RdoU=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none 
dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=m6+QHDW3; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776710911;\n\tbh=C8oUBm8Kyh0PQVVuSfwGS+I2OmhSYQC7ihQAZvVh9Dc=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=m6+QHDW3RYMPVM1E3bH2eBF0nPy+X+6W2nWcaWOKOw5Y2XBzlC18hilDxho2OUdeG\n\t 7FBfMt7EoGwo2n04dORdWulqp9cH+DkqIcMHOr1PkSL3o4688jVyuqsADdGrqQZrKG\n\t Hr9YMtuVtee9YIqYxB61Xfp6naPZi7m04xGuzkbb6Kb671B6kQ78hb0ERTdLwnzn9m\n\t qVQe746rheW4+tID77Wav/9h9YMH8dqjtCC7HwV7KWjSsBNRR2I8p9j4zj9Z74d5TU\n\t 5ksqfT0+vO0SoITh18OPQOQSjBbE1LA4Ok77i5KAizR4zFzUhaO3HE4X5eWegQhV9Y\n\t DGlMNvXW365QQ==","Date":"Mon, 20 Apr 2026 20:48:28 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZ0_GvXUnOJPSJ3@chamomile>","References":"<20260420174227.13087-1-pablo@netfilter.org>\n <aeZoiqyPFP0NJkz9@strlen.de>\n <aeZpj9r368paudyZ@chamomile>\n <aeZunt0QSt2EdFdF@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aeZunt0QSt2EdFdF@strlen.de>"}},{"id":3679532,"web_url":"http://patchwork.ozlabs.org/comment/3679532/","msgid":"<aeZ2H8ghe3Ddcn9u@strlen.de>","list_archive_url":null,"date":"2026-04-20T18:53:19","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian 
Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> Your approach duplicates .checkentry in some way, you have to make\n> sure that your .validate and .checkentry perform the same check, i.e.\n> they are in sync.\n\nThat's why I updated the affected .checkentry functions to use\nthe validate functions internally -- to make sure the code is called\neven for classic iptables.\n\n> If this needs to be generalized further, maybe checkentry() needs to be\n> extended to improve integration with nftables.\n\nI hope not.  But I don't care, if you prefer your patch then so be it.\n\nI just find it sad we duplicate efforts all the time.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12086-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12086-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzvlB6GCrz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 04:53:26 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 0F160301982F\n\tfor <incoming@patchwork.ozlabs.org>; 
Mon, 20 Apr 2026 18:53:25 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 1B8E53B47C2;\n\tMon, 20 Apr 2026 18:53:24 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 367E23A5E81\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 18:53:22 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 872B760490; Mon, 20 Apr 2026 20:53:20 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776711203; cv=none;\n b=g+H/ta7Hj4taugzeKB1OGCaX5akojoCi7+8b5PqiyGl24oCnszY2hjtSafx3ogrULH1wfVpX3NAIC1JZumzWNI0CvyL2vuXANh0E5//ic7dJuuPhOgxip5eVOqYO4UfmS5kvPtwT+gMGsuf6zmyIF4XYtYfcFVVUvkXjzLeYXcg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776711203; c=relaxed/simple;\n\tbh=ZxLVVjNsnzSh6sdHnDEYU/AfC0EVdm5zrYlgO/bD0/Q=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=UqFNdbAz8VScx5N9xyo/0chesm6cTB8IPGm7EfHIdhDUOA4HY6Sdq5LpiNfmGt1MrAAbcgynUjIHBR0ZomoFxj1NK3zuaMXA812ubWuGjmxx26GmDNqe+1nmZ1cxNz/vfzcUqkz3ecOUBFMHQDc8OJ58MIALCqZN2PVgQQS9q04=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Mon, 20 Apr 2026 20:53:19 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZ2H8ghe3Ddcn9u@strlen.de>","References":"<20260420174227.13087-1-pablo@netfilter.org>\n <aeZoiqyPFP0NJkz9@strlen.de>\n 
<aeZpj9r368paudyZ@chamomile>\n <aeZunt0QSt2EdFdF@strlen.de>\n <aeZ0_GvXUnOJPSJ3@chamomile>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<aeZ0_GvXUnOJPSJ3@chamomile>"}},{"id":3679535,"web_url":"http://patchwork.ozlabs.org/comment/3679535/","msgid":"<aeZ5VYC0cxxVYQ4_@chamomile>","list_archive_url":null,"date":"2026-04-20T19:07:01","subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 20, 2026 at 08:53:19PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > Your approach duplicates .checkentry in some way, you have to make\n> > sure that your .validate and .checkentry perform the same check, i.e.\n> > they are in sync.\n> \n> That's why I updated the affected .checkentry functions to use\n> the validate functions internally -- to make sure the code is called\n> even for classic iptables.\n> \n> > If this needs to be generalized further, maybe checkentry() needs to be\n> > extended to improve integration with nftables.\n> \n> I hope not.  
But I don't care, if you prefer your patch then so be it.\n\nI can toss this patch if you prefer, I will post it complete then\ndecide what to do.\n\n> I just find it sad we duplicate efforts all the time.\n\nI thought I could provide a more self-contained approach for this\nnft_compat specific bug.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12087-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=E/Y8YaMa;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12087-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"E/Y8YaMa\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzw6n5BSwz1yHB\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 05:10:25 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 4C8293035266\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 19:07:09 +0000 (UTC)","from 
localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A2745379ED6;\n\tMon, 20 Apr 2026 19:07:08 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 12696383C82\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 19:07:05 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 1635460180;\n\tMon, 20 Apr 2026 21:07:04 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776712027; cv=none;\n b=gXsaeIs9bo/dUG+GcmaifvaBzJQlpOaFcZEVC8kvAlP9TVxjqY08G5ayFAE/ABtoT5fube2YshvT8+otVPztF+m9MMUhIM94vyf5Gyb8T6qtz5XhoRtQSq46trzSi63lQu2g1iXESXA+REeeTFrCnyHyk6XeSwRRCN+giAQ3FKU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776712027; c=relaxed/simple;\n\tbh=F9+dTYu+EazAQoSXhVZH7rj/z/CisEZPiNZKW0e7iG8=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=FtnOgTGT7H9fYWEqRn3caqMFJ+xw82T82PKFrjCub0yDSBdtveqJlxIjAMm20uqfJiYhx6Wz2x4qBBDY3xWrdZdGsBjBOFCehie1KUgLOd/jszOive4ndBQdJzzRDLq1xpNA67riUzZGMqTtpE0mxs0N8WJpL+AbEa93062bwCI=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=E/Y8YaMa; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776712024;\n\tbh=jmhkzg2lAwutHpq2MKp5lP2mADtXf+Px4I5BolkCzog=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=E/Y8YaMaHLyiOHBZpbNnuyC0QVQ6zxcsgM8Bk0tDZgcwmdcZeNLUS1Ixv76Ghr5Q9\n\t 
lvJ+5qXy9fBLpkygKZtvl+sxOmj8ZxKxvmofo73tnY27C1U4vFZNv87zzRZMQo8RH1\n\t p6qi20ldbYAqxPUs4oO6YlQdTXqmSherk+MlzDZjiyRe4Hgay2kQ3kiXujVXBQnVV4\n\t 3BcTXCU7oYkXOWCXNvOO3Iy6CuEpKsXYtkiacf4QoQ+kDZFt/fPMC3q3C9xd4hioRi\n\t hPV+FlPlj/JhlOH89loJHY8QlmUVecXRdMpzZ/FCAzpxy0Vxb8UTZxgiiRe1RySWtr\n\t ROUGR9/PhMkOQ==","Date":"Mon, 20 Apr 2026 21:07:01 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf] netfilter: nft_compat: run checkentry() from .validate","Message-ID":"<aeZ5VYC0cxxVYQ4_@chamomile>","References":"<20260420174227.13087-1-pablo@netfilter.org>\n <aeZoiqyPFP0NJkz9@strlen.de>\n <aeZpj9r368paudyZ@chamomile>\n <aeZunt0QSt2EdFdF@strlen.de>\n <aeZ0_GvXUnOJPSJ3@chamomile>\n <aeZ2H8ghe3Ddcn9u@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aeZ2H8ghe3Ddcn9u@strlen.de>"}}]