Linux Netfilter development
From: Shaun Brady <brady.1345@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, fw@strlen.de, fmancera@suse.de
Subject: Re: [PATCH nf] netfilter: nf_tables: limit maximum number of jumps/gotos per netns
Date: Fri, 24 Oct 2025 10:38:30 -0400
Message-ID: <aPuPZoal-mS20tzD@fedora>
In-Reply-To: <20251021234039.2505-1-pablo@netfilter.org>

On Wed, Oct 22, 2025 at 01:40:39AM +0200, Pablo Neira Ayuso wrote:
> This is set from the init_netns via:
> 
>    net.netfilter.nf_tables_jump_max_netns
> 
> which is 65536 by default.
> 
> According to Shawn Brady: "The compile time limit of 65536 was chosen to
> account for any normal use case, and when this value (and associated
> stressing loop table) was tested against a 1CPU/256MB machine, the
> system remained functional."

Hey, thanks for the call out.  Assuming a v2, the spelling is "Shaun
Brady".

> After the commit phase, jump_count[0] is set to jump_count[1] if it is
> >= 0. Otherwise, in case of abort, jump_count[1] is reset to -1 to
> prepare for handling the next batch.
> 

Oh, I like this change.  While I believe my old patch series behaved
correctly, this seems safer/more straightforward.

Would it make sense to name two separate variables something like
jump_count_pre/_post for clarity or will that cause packing issues?

I had a heck of a time getting the requested torture test to walk over
the abort code path with an existing rule set.  I'm interested in
learning more about abort states from your tests.

Thanks!


SB
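The commit/abort bookkeeping the quoted patch text describes (a committed slot, a pending slot that is -1 when no batch is open, and a per-netns ceiling taken from net.netfilter.nf_tables_jump_max_netns) is easy to get wrong on the abort path, which is the path the reply above says was hard to exercise. The following is an added, stand-alone C model of that scheme; it is not code from the patch or from the kernel tree. The struct and function names (netns_jumps, jumps_account, jumps_commit, jumps_abort) are hypothetical, the default ceiling of 65536 is the value quoted on the page, and resetting jump_count[1] to -1 after a successful commit is an assumption made here so that the next batch starts from the committed value.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not nf_tables code) of the two-slot per-netns jump
 * counter: jump_count[0] is the committed value, jump_count[1] is the value
 * accumulated by the batch in flight, or -1 when no batch is open. */
struct netns_jumps {
    int jump_count[2];
    int jump_max;   /* models net.netfilter.nf_tables_jump_max_netns */
};

void jumps_init(struct netns_jumps *j, int jump_max)
{
    j->jump_count[0] = 0;
    j->jump_count[1] = -1;
    j->jump_max = jump_max;
}

/* Account for n jumps/gotos added (n > 0) or removed (n < 0) by the batch.
 * Returns false if the batch would exceed the ceiling; the caller is then
 * expected to abort the whole batch. */
bool jumps_account(struct netns_jumps *j, int n)
{
    if (j->jump_count[1] < 0)
        j->jump_count[1] = j->jump_count[0];   /* first change in this batch */
    if (j->jump_count[1] + n > j->jump_max)
        return false;                           /* over the limit: reject */
    j->jump_count[1] += n;
    return true;
}

/* Commit phase: publish the pending value if a batch touched it. Resetting
 * the pending slot afterwards is an assumption of this model. */
void jumps_commit(struct netns_jumps *j)
{
    if (j->jump_count[1] >= 0)
        j->jump_count[0] = j->jump_count[1];
    j->jump_count[1] = -1;
}

/* Abort: discard whatever the batch accumulated, committed value untouched. */
void jumps_abort(struct netns_jumps *j)
{
    j->jump_count[1] = -1;
}

/* Scenario 1: batch A adds 3 jumps and commits; batch B adds 2 more but
 * something else in the batch fails, so it is aborted. The committed count
 * must still be 3 and the pending slot must be back at -1 (returns 3 on
 * correct behaviour, -1 otherwise). */
int scenario_abort_keeps_committed(void)
{
    struct netns_jumps j;

    jumps_init(&j, 65536);
    jumps_account(&j, 3);
    jumps_commit(&j);
    jumps_account(&j, 2);   /* pending is now 5 */
    jumps_abort(&j);        /* batch B fails elsewhere */
    if (j.jump_count[1] != -1)
        return -1;
    return j.jump_count[0];
}

/* Scenario 2: with a ceiling of 4, a batch carrying 5 jumps is rejected and
 * leaves the committed count at 0; a later batch with 4 is accepted and
 * committed. Returns 1 on correct behaviour, 0 otherwise. */
int scenario_limit_enforced(void)
{
    struct netns_jumps j;

    jumps_init(&j, 4);
    if (jumps_account(&j, 5))
        return 0;           /* must have been rejected */
    jumps_abort(&j);
    if (j.jump_count[0] != 0)
        return 0;
    if (!jumps_account(&j, 4))
        return 0;
    jumps_commit(&j);
    return j.jump_count[0] == 4 && j.jump_count[1] == -1;
}

int main(void)
{
    printf("committed after abort: %d\n", scenario_abort_keeps_committed());
    printf("limit enforced: %s\n", scenario_limit_enforced() ? "yes" : "no");
    return 0;
}
```

The two scenarios are the cases a torture test wants to cover: a rejected or aborted batch must not leak its pending count into the committed slot, and the ceiling must be checked against the pending value, not the committed one, so a single oversized batch cannot step past the limit.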

Thread overview: 3+ messages
2025-10-21 23:40 [PATCH nf] netfilter: nf_tables: limit maximum number of jumps/gotos per netns Pablo Neira Ayuso
2025-10-23 13:51 ` Florian Westphal
2025-10-24 14:38 ` Shaun Brady [this message]