From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, ffmancera@suse.de, brady.1345@gmail.com
Subject: Re: [PATCH nf 1/2] netfilter: nf_tables: limit maximum number of jumps/gotos per netns
Date: Tue, 28 Oct 2025 14:06:38 +0100 [thread overview]
Message-ID: <aQC_3p8Xu9-p48nV@strlen.de> (raw)
In-Reply-To: <20251027221722.183398-2-pablo@netfilter.org>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Add a new sysctl:
>
> net.netfilter.nf_tables_jump_max_netns
>
> which is 65535 by default, because iptables-nft rulesets are more likely
> to have more jumps/gotos compared to native nftables rulesets.
I have existing / real-world iptables dumps that exceed 64k :-/
I'll forward you one of them.
Seems this patch misses a reset somewhere to deal with
chains/tables being deleted:
sysctl net.netfilter.nf_tables_jumps_max_netns=256000
net.netfilter.nf_tables_jumps_max_netns = 256000
iptables-nft-restore < kubernetes-huge-may-2018.txt; echo $?
0
iptables-nft-restore < kubernetes-huge-may-2018.txt
iptables-nft-restore v1.8.11 (nf_tables):
line 52222: RULE_APPEND failed (Too many links): rule in chain KUBE-SVC-FCXG7AJXWMSO3TT5
works after 'nft flush ruleset'.
I also have a hunch that a followup patch that sepearates ip and ip6
families (since they are mutually exclusive) will be needed sooner than
later.
If even a random old iptables-dump exceeds the 64k limit I would expect
combined ip+ip6tables rulesets to be even more brittle.
next prev parent reply other threads:[~2025-10-28 13:06 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 22:17 [PATCH nf,v2 0/2] nf_tables: limit maximum number of jumps/gotos per netns Pablo Neira Ayuso
2025-10-27 22:17 ` [PATCH nf 1/2] netfilter: " Pablo Neira Ayuso
2025-10-28 13:06 ` Florian Westphal [this message]
2025-10-28 17:26 ` Pablo Neira Ayuso
2025-10-28 17:36 ` Florian Westphal
2025-10-28 14:32 ` kernel test robot
2025-10-28 14:54 ` kernel test robot
2025-10-29 4:49 ` kernel test robot
2025-10-27 22:17 ` [PATCH nf 2/2] selftests: netfilter: add test for nf_tables_jumps_max_netns sysctl Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQC_3p8Xu9-p48nV@strlen.de \
--to=fw@strlen.de \
--cc=brady.1345@gmail.com \
--cc=ffmancera@suse.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.