Re: Soft lock-ups caused by iptables

Next message: Namhyung Kim: "Re: [PATCH v5 1/3] perf stat: Read tool events last"
Previous message: Stephen Boyd: "Re: [PATCH 1/4] dt-bindings: clock: imx95: add PCIE and USB PHY clk"
In reply to: Florian Westphal: "Re: Soft lock-ups caused by iptables"
Next in thread: Pablo Neira Ayuso: "Re: Soft lock-ups caused by iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Phil Sutter

Date: Wed Nov 19 2025 - 13:12:45 EST

On Wed, Nov 19, 2025 at 04:58:46PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > On nftables side, maybe we could annotate chains with a depth value once
> > validated to skip digging into them again when revisiting from another
> > jump?
>
> Yes, but you also need to annotate the type of the last base chain origin,
> else you might skip validation of 'chain foo' because its depth value says its
> fine but new caller is coming from filter, not nat, and chain foo had
> masquerade expression.

There would need to be masks of valid types and hooks recording the
restrictions imposed on a non-base chain by its rules' expressions.
Maybe this even needs a matrix for cases where some hooks are OK in some
families/types but not others.

Cheers, Phil