Re: Soft lock-ups caused by iptables

Next message: Nickolay Goppen: "Re: [PATCH v2 1/3] arm64: dts: qcom: sdm630/660: Add CDSP-related nodes"
Previous message: Hal Feng: "RE: [PATCH v2 0/8] Add support for StarFive VisionFive 2 Lite board"
In reply to: Florian Westphal: "Re: Soft lock-ups caused by iptables"
Next in thread: Hamza Mahfooz: "Re: Soft lock-ups caused by iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Phil Sutter

Date: Thu Nov 20 2025 - 06:23:06 EST

On Thu, Nov 20, 2025 at 10:34:46AM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > Yes, but you also need to annotate the type of the last base chain origin,
> > > > else you might skip validation of 'chain foo' because its depth value says its
> > > > fine but new caller is coming from filter, not nat, and chain foo had
> > > > masquerade expression.
> >
> > You could also have chains being called from different levels.
>
> But thats not an issue. If you see a jump from c1 to c2, and c2
> has been validated for a level of 5, then you need to revalidate
> only if c1->depth >= 5.
>
> Do you see any issue with this? (it still lacks annotation for
> the calling basechains type, so this cannot be applied as-is):

Assuming that we don't allow jumps from one family to another, we may
get by with two bitfields which validate callbacks fill: One for base
chain types and one for hooks.

The current family would still be validated inside the callback, but
nft_chain_validate_dependency() and nft_chain_validate_hooks() called
once (I think) for each base chain after collecting. The callbacks could
also return void and leave the hooks bitmask zeroed to signal "invalid
family".

> netfilter: nf_tables: avoid chain re-validation if possible

Thanks, Phil