netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: nf_tables: avoid chain re-validation if possible
Date: Sat, 29 Nov 2025 02:32:15 +0100
Message-ID: <aSpNHzxDh-nN7GRX@strlen.de>
In-Reply-To: <20251129012211.GA29847@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> wrote:
> The issue is reproducible with this version of the patch applied, unless
> I make the following change:
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 1cf9f0aa1f49..a7b415c53df6 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -4145,14 +4145,8 @@ int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain)
>  	if (ctx->level == NFT_JUMP_STACK_SIZE)
>  		return -EMLINK;
>  
> -	if (ctx->level > 0) {
> -		/* jumps to base chains are not allowed. */
> -		if (nft_is_base_chain(chain))
> -			return -ELOOP;
> -
> -		if (nft_chain_vstate_valid(ctx, chain))
> -			return 0;
> -	}
> +	if (ctx->level && nft_chain_vstate_valid(ctx, chain))
> +		return 0;
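Review bot: removing the `nft_is_base_chain(chain)` / `return -ELOOP;` branch changes what nft_chain_validate() accepts: before this hunk, a nested validation (ctx->level > 0) that reached a base chain was refused, after it the base chain falls through and is validated like any other chain, so the jump-to-base-chain rejection is gone. The replacement `if (ctx->level && nft_chain_vstate_valid(ctx, chain))` is otherwise equivalent to the old `if (ctx->level > 0) { ... return 0; }` early return, so the check can simply be kept in front of it:
	if (ctx->level > 0 && nft_is_base_chain(chain))
		return -ELOOP;
Separately, the header `@@ -4145,14 +4145,8 @@` announces 14 old and 8 new lines, but only 11 old and 5 new are quoted, so the trailing context lines of this hunk are missing from the quote.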

Looks like a placebo change to me?
Also, the nft_is_base_chain(chain) check is required.

> It is also worth noting that I'm still seeing the cpu usage spike up to
> 100% for a couple of seconds (attributed to an iptables process) with
> this version of the patch (even with the above change), while the
> previous rendition seemed to have resolved that.

The previous version makes illegal shortcuts (as in, not validating
when it has to); it cannot be applied.

That said, I have flagged this patch as deferred anyway, there are too
many conflicting changes flying around.

I'll resubmit in a few weeks when -next opens up again.

Thread overview: 5+ messages
2025-11-26 11:47 [PATCH nf-next] netfilter: nf_tables: avoid chain re-validation if possible Florian Westphal
2025-11-29  1:22 ` Hamza Mahfooz
2025-11-29  1:32   ` Florian Westphal [this message]
2025-12-01 19:48     ` Hamza Mahfooz
2025-12-01 21:57       ` Florian Westphal
