bpf.vger.kernel.org archive mirror
* [PATCH net-next 0/3] Minor managed neighbor follow-ups
From: Daniel Borkmann @ 2021-10-13 13:21 UTC
  To: davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf, Daniel Borkmann

Minor follow-up series to address prior feedback from David and Jakub.
Patch 1 adds a build time assertion to prevent overflows when shifting
in extended flags, patch 2 is a cleanup to use NLA_POLICY_MASK instead
of open-coding invalid flags rejection and patch 3 rejects creating new
neighbors with NUD_PERMANENT & NTF_MANAGED. For details, see individual
patches. Will push out iproute2 series after that. Thanks!

Daniel Borkmann (3):
  net, neigh: Add build-time assertion to avoid neigh->flags overflow
  net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
  net, neigh: Reject creating NUD_PERMANENT with NTF_MANAGED entries

 net/core/neighbour.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

-- 
2.27.0



* [PATCH net-next 1/3] net, neigh: Add build-time assertion to avoid neigh->flags overflow
From: Daniel Borkmann @ 2021-10-13 13:21 UTC
  To: davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf, Daniel Borkmann

Currently, NDA_FLAGS_EXT flags allow a maximum of 24 bits to be used for
extended neighbor flags. These are eventually fed into neigh->flags by
shifting with NTF_EXT_SHIFT as per commit 2c611ad97a82 ("net, neigh:
Extend neigh->flags to 32 bit to allow for extensions").

If really ever needed in future, the full 32 bits from NDA_FLAGS_EXT can
be used, it would only require to move neigh->flags from u32 to u64 inside
the kernel.

Add a build-time assertion such that when extending the NTF_EXT_MASK with
new bits, we'll trigger an error once we surpass the 24th bit. This assumes
that no bit holes in new NTF_EXT_* flags will slip in from UAPI, but I
think this is reasonable to assume.

Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/core/neighbour.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index eae73efa9245..4fc601f9cd06 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1940,6 +1940,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
 			NL_SET_ERR_MSG(extack, "Invalid extended flags");
 			goto out;
 		}
+		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
+			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
+			      hweight32(NTF_EXT_MASK)));
 		ndm_flags |= (ext << NTF_EXT_SHIFT);
 	}
 	if (ndm->ndm_ifindex) {
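Review bot: The BUILD_BUG_ON bounds the extended flags with hweight32(NTF_EXT_MASK), a count of set bits, which matches the highest used bit position only while NTF_EXT_MASK is contiguous from bit 0. The commit message states that assumption but the code does not; a one-line comment above the assertion saying that NTF_EXT_* bits must be allocated without holes would keep it in front of whoever adds the next flag. Without that, a mask with a gap could satisfy the assertion while ext << NTF_EXT_SHIFT still shifts a high bit out of neigh->flags.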
-- 
2.27.0



* [PATCH net-next 2/3] net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
From: Daniel Borkmann @ 2021-10-13 13:21 UTC
  To: davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf, Daniel Borkmann

Instead of open-coding a check for invalid bits in NTF_EXT_MASK, we can just
use the NLA_POLICY_MASK() helper instead, and simplify NDA_FLAGS_EXT sanity
check this way.

Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/core/neighbour.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 4fc601f9cd06..922b9ed0fe76 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1834,7 +1834,7 @@ const struct nla_policy nda_policy[NDA_MAX+1] = {
 	[NDA_MASTER]		= { .type = NLA_U32 },
 	[NDA_PROTOCOL]		= { .type = NLA_U8 },
 	[NDA_NH_ID]		= { .type = NLA_U32 },
-	[NDA_FLAGS_EXT]		= { .type = NLA_U32 },
+	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
 	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
 };
 
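Review bot: On the NDA_FLAGS_EXT entry, the mask is now enforced by nda_policy itself, and the table is not static, so every parser that validates against it starts rejecting bits outside NTF_EXT_MASK, not only neigh_add(). If that is intended, the commit message should say so; it currently describes the change only as a simplification of the NDA_FLAGS_EXT sanity check.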
@@ -1936,10 +1936,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (tb[NDA_FLAGS_EXT]) {
 		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
 
-		if (ext & ~NTF_EXT_MASK) {
-			NL_SET_ERR_MSG(extack, "Invalid extended flags");
-			goto out;
-		}
 		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
 			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
 			      hweight32(NTF_EXT_MASK)));
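Review bot: Removing the ext & ~NTF_EXT_MASK branch also removes the "Invalid extended flags" extack string, so user space now sees whatever message the policy validation produces instead; that is a user-visible change the commit message does not mention. With the check gone, ext is used in this function without any local validation, so a short comment at nla_get_u32() noting that nda_policy already restricts it to NTF_EXT_MASK would help readers who look only at neigh_add().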
-- 
2.27.0



* [PATCH net-next 3/3] net, neigh: Reject creating NUD_PERMANENT with NTF_MANAGED entries
From: Daniel Borkmann @ 2021-10-13 13:21 UTC
  To: davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf, Daniel Borkmann

The combination of NUD_PERMANENT + NTF_MANAGED is not supported and does
not make sense either given the former indicates a static/fixed neighbor
entry whereas the latter a dynamically resolved one. While it is possible
to transition from one over to the other, we should however reject such
creation attempts.

Fixes: 7482e3841d52 ("net, neigh: Add NTF_MANAGED flag for managed neighbor entries")
Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/core/neighbour.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 922b9ed0fe76..47931c8be04b 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1999,15 +1999,20 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	neigh = neigh_lookup(tbl, dst, dev);
 	if (neigh == NULL) {
-		bool exempt_from_gc;
+		bool ndm_permanent  = ndm->ndm_state & NUD_PERMANENT;
+		bool exempt_from_gc = ndm_permanent ||
+				      ndm_flags & NTF_EXT_LEARNED;
 
 		if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
 			err = -ENOENT;
 			goto out;
 		}
+		if (ndm_permanent && (ndm_flags & NTF_MANAGED)) {
+			NL_SET_ERR_MSG(extack, "Invalid NTF_* flag for permanent entry");
+			err = -EINVAL;
+			goto out;
+		}
 
-		exempt_from_gc = ndm->ndm_state & NUD_PERMANENT ||
-				 ndm_flags & NTF_EXT_LEARNED;
 		neigh = ___neigh_create(tbl, dst, dev,
 					ndm_flags &
 					(NTF_EXT_LEARNED | NTF_MANAGED),
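Review bot: The extack string in the new ndm_permanent && (ndm_flags & NTF_MANAGED) check reads "Invalid NTF_* flag for permanent entry" although the only flag tested is NTF_MANAGED; naming it in the message would tell the caller which bit to drop. Style: the exempt_from_gc initializer mixes || and & without parentheses while the new condition parenthesizes (ndm_flags & NTF_MANAGED), and ndm_permanent has two spaces before the =; parenthesizing (ndm_flags & NTF_EXT_LEARNED) would match the condition below it.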
-- 
2.27.0



* Re: [PATCH net-next 1/3] net, neigh: Add build-time assertion to avoid neigh->flags overflow
From: David Ahern @ 2021-10-14  3:10 UTC
  To: Daniel Borkmann, davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf

On 10/13/21 7:21 AM, Daniel Borkmann wrote:
> Currently, NDA_FLAGS_EXT flags allow a maximum of 24 bits to be used for
> extended neighbor flags. These are eventually fed into neigh->flags by
> shifting with NTF_EXT_SHIFT as per commit 2c611ad97a82 ("net, neigh:
> Extend neigh->flags to 32 bit to allow for extensions").
> 
> If really ever needed in future, the full 32 bits from NDA_FLAGS_EXT can
> be used, it would only require to move neigh->flags from u32 to u64 inside
> the kernel.
> 
> Add a build-time assertion such that when extending the NTF_EXT_MASK with
> new bits, we'll trigger an error once we surpass the 24th bit. This assumes
> that no bit holes in new NTF_EXT_* flags will slip in from UAPI, but I
> think this is reasonable to assume.
> 
> Suggested-by: David Ahern <dsahern@kernel.org>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> ---
>  net/core/neighbour.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index eae73efa9245..4fc601f9cd06 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -1940,6 +1940,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
>  			NL_SET_ERR_MSG(extack, "Invalid extended flags");
>  			goto out;
>  		}
> +		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
> +			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
> +			      hweight32(NTF_EXT_MASK)));
>  		ndm_flags |= (ext << NTF_EXT_SHIFT);
>  	}
>  	if (ndm->ndm_ifindex) {
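Review bot: The assertion derives the low-bit budget from sizeof(ndm->ndm_flags) * BITS_PER_BYTE, while the line right after it shifts by NTF_EXT_SHIFT, and nothing in the hunk ties the two together. Using NTF_EXT_SHIFT in the BUILD_BUG_ON, or asserting that it equals the width of ndm->ndm_flags, would make the check follow the value the shift actually uses.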
> 

Reviewed-by: David Ahern <dsahern@kernel.org>



* Re: [PATCH net-next 3/3] net, neigh: Reject creating NUD_PERMANENT with NTF_MANAGED entries
From: David Ahern @ 2021-10-14  3:11 UTC
  To: Daniel Borkmann, davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf

On 10/13/21 7:21 AM, Daniel Borkmann wrote:
> The combination of NUD_PERMANENT + NTF_MANAGED is not supported and does
> not make sense either given the former indicates a static/fixed neighbor
> entry whereas the latter a dynamically resolved one. While it is possible
> to transition from one over to the other, we should however reject such
> creation attempts.
> 
> Fixes: 7482e3841d52 ("net, neigh: Add NTF_MANAGED flag for managed neighbor entries")
> Suggested-by: David Ahern <dsahern@kernel.org>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> ---
>  net/core/neighbour.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>




* Re: [PATCH net-next 2/3] net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
From: David Ahern @ 2021-10-14  3:13 UTC
  To: Daniel Borkmann, davem, kuba
  Cc: roopa, dsahern, m, john.fastabend, netdev, bpf

On 10/13/21 7:21 AM, Daniel Borkmann wrote:
> Instead of open-coding a check for invalid bits in NTF_EXT_MASK, we can just
> use the NLA_POLICY_MASK() helper instead, and simplify NDA_FLAGS_EXT sanity
> check this way.
> 
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> ---
>  net/core/neighbour.c | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 4fc601f9cd06..922b9ed0fe76 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -1834,7 +1834,7 @@ const struct nla_policy nda_policy[NDA_MAX+1] = {
>  	[NDA_MASTER]		= { .type = NLA_U32 },
>  	[NDA_PROTOCOL]		= { .type = NLA_U8 },
>  	[NDA_NH_ID]		= { .type = NLA_U32 },
> -	[NDA_FLAGS_EXT]		= { .type = NLA_U32 },
> +	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
>  	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
>  };
>  
> @@ -1936,10 +1936,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	if (tb[NDA_FLAGS_EXT]) {
>  		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
>  
> -		if (ext & ~NTF_EXT_MASK) {
> -			NL_SET_ERR_MSG(extack, "Invalid extended flags");
> -			goto out;
> -		}
>  		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
>  			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
>  			      hweight32(NTF_EXT_MASK)));
> 

I get that NLA_POLICY_MASK wants to standardize the logic, but the
generic extack message "reserved bit set" is less useful than the one here.


* Re: [PATCH net-next 2/3] net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
From: Daniel Borkmann @ 2021-10-14  8:10 UTC
  To: David Ahern, davem, kuba; +Cc: roopa, dsahern, m, john.fastabend, netdev, bpf

On 10/14/21 5:13 AM, David Ahern wrote:
> On 10/13/21 7:21 AM, Daniel Borkmann wrote:
>> Instead of open-coding a check for invalid bits in NTF_EXT_MASK, we can just
>> use the NLA_POLICY_MASK() helper instead, and simplify NDA_FLAGS_EXT sanity
>> check this way.
>>
>> Suggested-by: Jakub Kicinski <kuba@kernel.org>
>> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
>> ---
>>   net/core/neighbour.c | 6 +-----
>>   1 file changed, 1 insertion(+), 5 deletions(-)
>>
>> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
>> index 4fc601f9cd06..922b9ed0fe76 100644
>> --- a/net/core/neighbour.c
>> +++ b/net/core/neighbour.c
>> @@ -1834,7 +1834,7 @@ const struct nla_policy nda_policy[NDA_MAX+1] = {
>>   	[NDA_MASTER]		= { .type = NLA_U32 },
>>   	[NDA_PROTOCOL]		= { .type = NLA_U8 },
>>   	[NDA_NH_ID]		= { .type = NLA_U32 },
>> -	[NDA_FLAGS_EXT]		= { .type = NLA_U32 },
>> +	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
>>   	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
>>   };
>>   
>> @@ -1936,10 +1936,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
>>   	if (tb[NDA_FLAGS_EXT]) {
>>   		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
>>   
>> -		if (ext & ~NTF_EXT_MASK) {
>> -			NL_SET_ERR_MSG(extack, "Invalid extended flags");
>> -			goto out;
>> -		}
>>   		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
>>   			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
>>   			      hweight32(NTF_EXT_MASK)));
>>
> 
> I get that NLA_POLICY_MASK wants to standardize the logic, but the
> generic extack message "reserved bit set" is less useful than the one here.

If the expectation/recommendation is that NLA_POLICY_MASK() should be used, then
it would probably make sense for NLA_POLICY_MASK() itself to improve. For example,
NLA_POLICY_MASK() could perhaps take an optional error string which it should
return via extack rather than the standard "reserved bit set" one or such.. on
the other hand, I see that NL_SET_ERR_MSG_ATTR() already points out the affected
attribute via setting extack->bad_attr, so it be sufficient to figure out that it's
about reserved bits inside NDA_FLAGS_EXT given this is propagated back to user
space via NLMSGERR_ATTR_OFFS.

Thanks,
Daniel


* Re: [PATCH net-next 2/3] net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
From: Jakub Kicinski @ 2021-10-14 14:02 UTC
  To: Daniel Borkmann
  Cc: David Ahern, davem, roopa, dsahern, m, john.fastabend, netdev, bpf

On Thu, 14 Oct 2021 10:10:18 +0200 Daniel Borkmann wrote:
> On 10/14/21 5:13 AM, David Ahern wrote:
> > On 10/13/21 7:21 AM, Daniel Borkmann wrote:  
> >> Instead of open-coding a check for invalid bits in NTF_EXT_MASK, we can just
> >> use the NLA_POLICY_MASK() helper instead, and simplify NDA_FLAGS_EXT sanity
> >> check this way.
> >>
> >> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> >> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> >> ---
> >>   net/core/neighbour.c | 6 +-----
> >>   1 file changed, 1 insertion(+), 5 deletions(-)
> >>
> >> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> >> index 4fc601f9cd06..922b9ed0fe76 100644
> >> --- a/net/core/neighbour.c
> >> +++ b/net/core/neighbour.c
> >> @@ -1834,7 +1834,7 @@ const struct nla_policy nda_policy[NDA_MAX+1] = {
> >>   	[NDA_MASTER]		= { .type = NLA_U32 },
> >>   	[NDA_PROTOCOL]		= { .type = NLA_U8 },
> >>   	[NDA_NH_ID]		= { .type = NLA_U32 },
> >> -	[NDA_FLAGS_EXT]		= { .type = NLA_U32 },
> >> +	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
> >>   	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
> >>   };
> >>   
> >> @@ -1936,10 +1936,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
> >>   	if (tb[NDA_FLAGS_EXT]) {
> >>   		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
> >>   
> >> -		if (ext & ~NTF_EXT_MASK) {
> >> -			NL_SET_ERR_MSG(extack, "Invalid extended flags");
> >> -			goto out;
> >> -		}
> >>   		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
> >>   			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
> >>   			      hweight32(NTF_EXT_MASK)));
> >>  
> > 
> > I get that NLA_POLICY_MASK wants to standardize the logic, but the
> > generic extack message "reserved bit set" is less useful than the one here.  
> 
> If the expectation/recommendation is that NLA_POLICY_MASK() should be used, then
> it would probably make sense for NLA_POLICY_MASK() itself to improve. For example,
> NLA_POLICY_MASK() could perhaps take an optional error string which it should
> return via extack rather than the standard "reserved bit set" one or such.. on
> the other hand, I see that NL_SET_ERR_MSG_ATTR() already points out the affected
> attribute via setting extack->bad_attr, so it be sufficient to figure out that it's
> about reserved bits inside NDA_FLAGS_EXT given this is propagated back to user
> space via NLMSGERR_ATTR_OFFS.

My larger point is that the ability to dump policy and inspect it in
user space is an important part of the modern netlink paradigm. When
RTNL is extended appropriately it'll be good if the policies are
expressed the right way.

Fingers-on-the-keyboard-eyes-on-the-screen user friendliness is
important but IMHO code that can be built on top of these interfaces 
is more important.

I think the patch is good as is.


* Re: [PATCH net-next 0/3] Minor managed neighbor follow-ups
From: patchwork-bot+netdevbpf @ 2021-10-15  2:30 UTC
  To: Daniel Borkmann
  Cc: davem, kuba, roopa, dsahern, m, john.fastabend, netdev, bpf

Hello:

This series was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 13 Oct 2021 15:21:37 +0200 you wrote:
> Minor follow-up series to address prior feedback from David and Jakub.
> Patch 1 adds a build time assertion to prevent overflows when shifting
> in extended flags, patch 2 is a cleanup to use NLA_POLICY_MASK instead
> of open-coding invalid flags rejection and patch 3 rejects creating new
> neighbors with NUD_PERMANENT & NTF_MANAGED. For details, see individual
> patches. Will push out iproute2 series after that. Thanks!
> 
> [...]

Here is the summary with links:
  - [net-next,1/3] net, neigh: Add build-time assertion to avoid neigh->flags overflow
    https://git.kernel.org/netdev/net-next/c/507c2f1d2936
  - [net-next,2/3] net, neigh: Use NLA_POLICY_MASK helper for NDA_FLAGS_EXT attribute
    https://git.kernel.org/netdev/net-next/c/c8e80c1169b2
  - [net-next,3/3] net, neigh: Reject creating NUD_PERMANENT with NTF_MANAGED entries
    https://git.kernel.org/netdev/net-next/c/30fc7efa38f2

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


