From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, ffmancera@suse.de, brady.1345@gmail.com
Subject: Re: [PATCH nf 1/2] netfilter: nf_tables: limit maximum number of jumps/gotos per netns
Date: Tue, 28 Oct 2025 18:36:16 +0100 [thread overview]
Message-ID: <aQD_EJJPB4WtHld3@strlen.de> (raw)
In-Reply-To: <aQD8vKn0O5iNuxif@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> iptables needs higher value, while nftables with vmaps could set a
> much lower value, because vmap counts as a single immediate jump.
Agreed. nftables can use something like 100 :-)
> > I have existing / real-world iptables dumps that exceed 64k :-/
>
> OK, so k8s can load this ruleset inside userns (because netns can
> still rise this value). But your concern is the default value, right?
Yes, exactly. If you have a system that runs iptables-restore on
startup then after kernel update that might fail.
I see that init_net is exempted from any limits and thats a good choice.
I'm concerned about containers here.
> I can take look, you mean:
>
> - IPv4 count => count jumps in all table except ipv6.
> - IPv6 count => count jumps in all table except ipv4.
Yes, exactly. That should remove a bit of pressure to
use a super-large default value.
> Here, IIRC, I needed ~8 million jumps (_not_ net jump counts in the
> rule, I mean number of jumps according to nft_jump_count_check()) in
> the input chain to see softlockup with KASAN+KMEMLEAK.
>
> 256k is still far from 8 million.
Agreed.
> > If even a random old iptables-dump exceeds the 64k limit I would expect
> > combined ip+ip6tables rulesets to be even more brittle.
>
> Yes, the problem here to set this default value is iptables,
> nftables can set it very small, but iptables needs a large one.
Right.
> I guess native nftables users can safely shrink the default value we
> are going to set here.
Yes, absolutely. nft --omptimize could eventually yell at users when
it sees too many jumps :)
next prev parent reply other threads:[~2025-10-28 17:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 22:17 [PATCH nf,v2 0/2] nf_tables: limit maximum number of jumps/gotos per netns Pablo Neira Ayuso
2025-10-27 22:17 ` [PATCH nf 1/2] netfilter: " Pablo Neira Ayuso
2025-10-28 13:06 ` Florian Westphal
2025-10-28 17:26 ` Pablo Neira Ayuso
2025-10-28 17:36 ` Florian Westphal [this message]
2025-10-28 14:32 ` kernel test robot
2025-10-28 14:54 ` kernel test robot
2025-10-29 4:49 ` kernel test robot
2025-10-27 22:17 ` [PATCH nf 2/2] selftests: netfilter: add test for nf_tables_jumps_max_netns sysctl Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQD_EJJPB4WtHld3@strlen.de \
--to=fw@strlen.de \
--cc=brady.1345@gmail.com \
--cc=ffmancera@suse.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.