Re: [PATCH v3] netfilter: nf_tables: Implement jump limit for nft_table_validate

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Shaun Brady <brady.1345@gmail.com>
Cc: netfilter-devel@vger.kernel.org, ppwaskie@kernel.org, fw@strlen.de
Subject: Re: [PATCH v3] netfilter: nf_tables: Implement jump limit for nft_table_validate
Date: Wed, 14 May 2025 10:19:12 +0200	[thread overview]
Message-ID: <aCRPkxvH5LCtc7Bi@calendula> (raw)
In-Reply-To: <20250513020856.2466270-1-brady.1345@gmail.com>

Hi,

On Mon, May 12, 2025 at 10:08:56PM -0400, Shaun Brady wrote:
[...]
> Add a new counter, total_jump_counter, to nft_ctx.  On every call to
> nft_table_validate() (rule addition time, versus packet inspection time)
> start the counter at the current sum of all jump counts in all other
> tables with the same family, as well as netdev.

What about the bridge family? If bridged frames are passed up to the
IP stack, then these hooks can have basechains with jumps too.

Maybe it is better to have a global limit for all tables, regardless
the family, in a non-init-netns?

> Increment said counter for every jump encountered during table
> validation.  If the counter ever exceeds the namespaces jump limit
> *during validation*, gracefully reject the rule with -EMLINK (the same
> behavior as exceeding NFT_JUMP_STACK_SIZE).
> 
> This allows immediate feedback to the user about a bad chain, versus the
> original idea (from the bug report) of allowing the addition to the
> table.  It keeps the in memory ruleset consistent, versus catching the
> failure during packet inspection at some unknown point in the future and
> arbitrarily denying the packet.

Agreed, I also prefer to enforce this limit from control plane.

Thanks

next prev parent reply	other threads:[~2025-05-14  8:19 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-13  2:08 [PATCH v3] netfilter: nf_tables: Implement jump limit for nft_table_validate Shaun Brady
2025-05-14  8:19 ` Pablo Neira Ayuso [this message]
2025-05-14 12:16   ` Florian Westphal
2025-05-15  1:09     ` Shaun Brady

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aCRPkxvH5LCtc7Bi@calendula \
    --to=pablo@netfilter.org \
    --cc=brady.1345@gmail.com \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=ppwaskie@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.