Re: Soft lock-ups caused by iptables

Next message: Frederic Weisbecker: "Re: [PATCH v15 7/7] timers: Exclude isolated cpus from timer migration"
Previous message: Rob Herring: "Re: [PATCH v1 0/2] build full dtbs for BananaPi R3/R4(Pro)"
In reply to: Pablo Neira Ayuso: "Re: Soft lock-ups caused by iptables"
Next in thread: Pablo Neira Ayuso: "Re: Soft lock-ups caused by iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hamza Mahfooz

Date: Wed Nov 19 2025 - 17:29:48 EST

On Wed, Nov 19, 2025 at 03:49:57PM +0100, Phil Sutter wrote:
> Nftables ruleset validation code was refactored in v6.10 with commit
> cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate"). This
> is also present in v5.15.184, so in order to estimate whether a bug is
> "new" or "old", better really use old kernels not recent minor releases
> of old major ones. :)

FWIW I tried to repro this on v6.6.45 as well and it also suffers from
this issue.

>
> So, how many --jump/--goto calls does your 40k iptables dump contain? Is
> this a (penetration) test or an actual ruleset in use? While it might be
> possible to reduce the overhead involved with this chain validation,
> maybe you want to consider using ipset (or better, nftables and its
> verdict maps) to improve the ruleset in general?
>

The vast majority of rules have --jumps (see the attached file). My
reproducible setup is a stress test but we have seen something like this
in production as well. Also, I'm not opposed to the idea of trying something
more efficient but I think we should get to the bottom of what's going on
here.

BR,
Hamza

Attachment: iptables-save.gz
Description: application/gzip