From: Florian Westphal <fw@strlen.de>
To: Shaun Brady <brady.1345@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, ppwaskie@kernel.org
Subject: Re: [PATCH] netfilter: nf_tables: Implement jump limit for nft_table_validate
Date: Wed, 23 Apr 2025 12:52:14 +0200 [thread overview]
Message-ID: <20250423105214.GA6910@breakpoint.cc> (raw)
In-Reply-To: <CAKwNus-LzHUdN91umsmm6f0PNUr1jYaSR3BSdcSvYsydk7HygA@mail.gmail.com>
Shaun Brady <brady.1345@gmail.com> wrote:
> > Furthermore, the largest ruleset I have archived here (iptables-save
> > kubernetes ruleset dump) has 27k jumps (many who are mutually exclusive
> > and user-defined chains that are always terminal), but nf_tables_api.c
> > lacks the ability to detect either of these cases).
> >
> > With the proposed change, the ruleset won't load anymore.
>
> Much of my testing was omitted from the commit message. 8192 was
> chosen as to what seemed significantly above normal usage; I was way
> off.
8k is brain damaged^W^W very high for nftables thanks to the existence of
verdict maps. The problem is iptables(-nft) and its linear rules.
> What I did observe was that machines (both big and small) start
> to act up around 16M. Would it ease minds to simply increase this to
> something like 4M or 8M?
What about going with 64k and NOT applying that limit in the init_netns?
The rationale would be that if you have the priviliges to ramp up the
limitation threshold that limit doesn't exist in practice anyway.
> > Possible solutions to soften the impact/breakage potential:
> > - make the sysctl only affect non-init-net namespaces.
> > - make the sysctl only affect non-init-user-ns owned namespaces.
>
> I may be misunderstanding how limiting control to (only) non-init-*
> namespaces would help. It certainly would keep a namespace from taking
> the whole system down, but it would leave the original problem of
> being able to create the deadly jump configuration purely in the
> init-net.
Sure, but why do you need to protect init_net?
> Maybe protecting from a namespace is more fruitful than an
> operator making mistakes (the initial revisions intent).
I don't see how you can make such rulesets on accident.
> > - Add the obseved total jump count to the table structure
> > Then, when validating, do not start from 0 but from the sum
> > of the total jump count of all registered tables in the same family.
> > netdev family will need to be counted unconditionally.
>
> I had not considered one could spread the problem across multiple
> tables (even if you can't jump between them). This is a good insight,
> and I will account for this.
Thanks!
prev parent reply other threads:[~2025-04-23 10:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-22 0:16 [PATCH] netfilter: nf_tables: Implement jump limit for nft_table_validate Shaun Brady
2025-04-22 5:44 ` Florian Westphal
2025-04-23 4:22 ` Shaun Brady
2025-04-23 10:52 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250423105214.GA6910@breakpoint.cc \
--to=fw@strlen.de \
--cc=brady.1345@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=ppwaskie@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.