Re: [PATCH nf 1/2] netfilter: nf_tables: limit maximum number of jumps/gotos per netns

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Tue, Oct 28, 2025 at 02:06:38PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Add a new sysctl:
> > 
> >    net.netfilter.nf_tables_jump_max_netns
> > 
> > which is 65535 by default, because iptables-nft rulesets are more likely
> > to have more jumps/gotos compared to native nftables rulesets.

iptables needs higher value, while nftables with vmaps could set a
much lower value, because vmap counts as a single immediate jump.

> I have existing / real-world iptables dumps that exceed 64k :-/

OK, so k8s can load this ruleset inside userns (because netns can
still rise this value). But your concern is the default value, right?

I can extract from that iptables k8 ruleset a good default value.

> I'll forward you one of them.

Yes, you passed me this huge ruleset.

> Seems this patch misses a reset somewhere to deal with
> chains/tables being deleted:
> 
> sysctl net.netfilter.nf_tables_jumps_max_netns=256000
> net.netfilter.nf_tables_jumps_max_netns = 256000
> iptables-nft-restore < kubernetes-huge-may-2018.txt; echo $?
> 0
> iptables-nft-restore < kubernetes-huge-may-2018.txt
> iptables-nft-restore v1.8.11 (nf_tables):
> line 52222: RULE_APPEND failed (Too many links): rule in chain KUBE-SVC-FCXG7AJXWMSO3TT5

Ah I see, let me have a look, it is missing deleted tables, yes.

> works after 'nft flush ruleset'.
> 
> I also have a hunch that a followup patch that sepearates ip and ip6
> families (since they are mutually exclusive) will be needed sooner than
> later.

I can take look, you mean:

- IPv4 count => count jumps in all table except ipv6.
- IPv6 count => count jumps in all table except ipv4.

Here, IIRC, I needed ~8 million jumps (_not_ net jump counts in the
rule, I mean number of jumps according to nft_jump_count_check()) in
the input chain to see softlockup with KASAN+KMEMLEAK.

256k is still far from 8 million.

> If even a random old iptables-dump exceeds the 64k limit I would expect
> combined ip+ip6tables rulesets to be even more brittle.

Yes, the problem here to set this default value is iptables,
nftables can set it very small, but iptables needs a large one.

I guess native nftables users can safely shrink the default value we
are going to set here.