From: Florian Westphal <fw@strlen.de>
To: "Levin, Alexander" <alexander.levin@verizon.com>
Cc: Florian Westphal <fw@strlen.de>,
"pablo@netfilter.org" <pablo@netfilter.org>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>,
"stable@kernel.org" <stable@kernel.org>
Subject: Re: [PATCH -stable 4.1.y] netfilter: x_tables: speed up jump target validation
Date: Tue, 2 Aug 2016 21:51:03 +0200
Message-ID: <20160802195103.GA31209@breakpoint.cc>
In-Reply-To: <124e6257-749b-6561-b706-15e02fb356b4@verizon.com>
Levin, Alexander <alexander.levin@verizon.com> wrote:
> On 08/01/2016 02:38 PM, Florian Westphal wrote:
> > [ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ]
> >
> > The dummy ruleset I used to test the original validation change was broken,
> > most rules were unreachable and were not tested by mark_source_chains().
> >
> > In some cases rulesets that used to load in a few seconds now require
> > several minutes.
> >
> > sample ruleset that shows the behaviour:
> >
> > echo "*filter"
> > for i in $(seq 0 100000);do
> > printf ":chain_%06x - [0:0]\n" $i
> > done
> > for i in $(seq 0 100000);do
> > printf -- "-A INPUT -j chain_%06x\n" $i
> > printf -- "-A INPUT -j chain_%06x\n" $i
> > printf -- "-A INPUT -j chain_%06x\n" $i
> > done
> > echo COMMIT
> >
> > [ pipe result into iptables-restore ]
> >
> > This ruleset will be about 74mbyte in size, with ~500k searches
> > through all 500k[1] rule entries. iptables-restore will take forever
> > (gave up after 10 minutes)
> >
> > Instead of always searching the entire blob for a match, fill an
> > array with the start offsets of every single ipt_entry struct,
> > then do a binary search to check if the jump target is present or not.
> >
> > After this change ruleset restore times get again close to what one
> > gets when reverting 36472341017529e (~3 seconds on my workstation).
> >
> > [1] every user-defined rule gets an implicit RETURN, so we get
> > 300k jumps + 100k userchains + 100k returns -> 500k rule entries
> >
> > Fixes: 36472341017529e ("netfilter: x_tables: validate targets of jumps")
> > Reported-by: Jeff Wu <wujiafu@gmail.com>
> > Tested-by: Jeff Wu <wujiafu@gmail.com>
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi Florian,
>
> This patch doesn't seem to apply on 4.1, does it have any dependencies
> that don't currently exist in the tree?
I tried to apply it on top of c3ed55b836cff71 (4.1.29) and
git-am worked without issues.
What is the problem?
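As an added example (not the kernel's code and not from the commit quoted above), a simplified C model of the scheme the commit message describes: walk the rule blob once to record every entry's start offset, then binary-search that array for each jump target instead of rescanning the whole blob. `struct entry`, `collect_offsets`, `jump_target_valid` and `demo_check` are hypothetical names, and the entry layout is a constructed stand-in for struct ipt_entry.

```c
/* Added example (not the kernel's code): the blob is walked once to record
 * every entry's start offset; each jump target is then checked by binary
 * search over that array. struct entry is a constructed stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct entry {
    uint16_t next_offset; /* total size of this entry in bytes */
    uint16_t pad;
};
/* One pass over the blob; offsets come out in increasing order. Returns entry count or -1. */
static int collect_offsets(const unsigned char *blob, size_t size,
                           unsigned int *offsets, size_t max)
{
    size_t off = 0, n = 0;
    while (off < size) {
        const struct entry *e = (const struct entry *)(blob + off);
        if (n >= max || size - off < sizeof(*e)) return -1;
        if (e->next_offset < sizeof(*e) || e->next_offset > size - off) return -1;
        offsets[n++] = (unsigned int)off;
        off += e->next_offset;
    }
    return (int)n;
}
/* Binary search over the sorted offsets: O(log n) per jump instead of O(n). */
static int jump_target_valid(const unsigned int *offsets, size_t n, unsigned int target)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (offsets[mid] == target) return 1;
        if (offsets[mid] < target) lo = mid + 1; else hi = mid;
    }
    return 0;
}
/* Constructed blob of `count` entries (sizes cycle 4, 8, 12 bytes); 1 if `target` starts an entry, 0 if not, -1 if malformed. */
int demo_check(unsigned int count, unsigned int target)
{
    unsigned char blob[4096] = {0};
    unsigned int offsets[256], i;
    size_t off = 0; int n;
    for (i = 0; i < count && off + 12 <= sizeof(blob); i++) {
        struct entry e = { (uint16_t)(4 + 4 * (i % 3)), 0 };
        memcpy(blob + off, &e, sizeof(e));
        off += e.next_offset;
    }
    n = collect_offsets(blob, off, offsets, 256);
    return n < 0 ? -1 : jump_target_valid(offsets, (size_t)n, target);
}
```

With six entries the valid offsets are 0, 4, 12, 24, 28 and 36; an offset inside an entry (8) or at the end of the blob (48) is rejected.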