| Message ID | 20190321220504.7642-1-johannes@sipsolutions.net |
|---|---|
| Headers | show
Return-Path: <netdev-owner@vger.kernel.org> X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=sipsolutions.net Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 44QLSW5gMQz9s6w for <patchwork-incoming-netdev@ozlabs.org>; Fri, 22 Mar 2019 09:05:15 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726609AbfCUWFN (ORCPT <rfc822;patchwork-incoming-netdev@ozlabs.org>); Thu, 21 Mar 2019 18:05:13 -0400 Received: from s3.sipsolutions.net ([144.76.43.62]:36134 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726370AbfCUWFN (ORCPT <rfc822;netdev@vger.kernel.org>); Thu, 21 Mar 2019 18:05:13 -0400 Received: by sipsolutions.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92-RC5) (envelope-from <johannes@sipsolutions.net>) id 1h75oF-0003U2-BV; Thu, 21 Mar 2019 23:05:11 +0100 From: Johannes Berg <johannes@sipsolutions.net> To: netdev@vger.kernel.org Cc: David Ahern <dsa@cumulusnetworks.com> Subject: [RFC 0/7] netlink/genetlink: stricter parsing Date: Thu, 21 Mar 2019 23:04:58 +0100 Message-Id: <20190321220504.7642-1-johannes@sipsolutions.net> X-Mailer: git-send-email 2.17.2 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: <netdev.vger.kernel.org> X-Mailing-List: netdev@vger.kernel.org |
| Series |
netlink/genetlink: stricter parsing
|
expand
|
It seems that everytime David and I meet, we have further ideas for netlink ;-) This time, we talked about attribute parsing and making policy parsing (even) stricter. I'm not entirely happy with this patchset, due to the mistake David made when he added the strict parsing. At that time, the strict parsing *should* have extended to all the attributes, in the way that I'm doing it here with the strict_start_type (in the last patch). The reason I'm still not happy with this is that it seems to me that even for *existing* attributes, we should apply the strict checks for *new* commands. So, in effect, I think we should have strict parsing command attribute attribute message old old - - old new X - new * X X However, what we get with these patches, is only strict parsing command attribute attribute message old old - - old new X - new old - (!) X new new X X Note the marked difference. I see two ways to fix this now: 1) Replace all existing usage of *_strict() calls again with the regular ones, and change the *_strict() calls to pass strict through to the validate_nla() function. This would be sort of a regression since all things that are actually strict now would no longer be. I think that would even be an API break. 2) Add another level of "very_strict" to use in new commands, which then passes the strict through to validate_nla(). This probably means we want to pass the "strictness" as an enum argument instead. I'll take a shot at this later. Further ideas we discussed: * Have ways to expose the policies to userspace, with generic netlink that's easy, with others perhaps not quite so easy; this would allow userspace to discover what the kernel supports. * Validate messages created by the kernel against the policy, for debug purposes. This is a bit harder because the policy is sometimes not even symmetric (input and output have different data), but that could be managed (e.g. have a list of override policy entries) and it'd help us validate things too. johannes