| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aR4Ildw_PYHPAkPo@orbyte.nwl.cc> Date: Wed, 19 Nov 2025 19:12:37 +0100 From: Phil Sutter <phil@....cc> To: Florian Westphal <fw@...len.de> Cc: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>, netdev@...r.kernel.org, Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, netfilter-devel@...r.kernel.org, coreteam@...filter.org, linux-kernel@...r.kernel.org Subject: Re: Soft lock-ups caused by iptables On Wed, Nov 19, 2025 at 04:58:46PM +0100, Florian Westphal wrote: > Phil Sutter <phil@....cc> wrote: > > On nftables side, maybe we could annotate chains with a depth value once > > validated to skip digging into them again when revisiting from another > > jump? > > Yes, but you also need to annotate the type of the last base chain origin, > else you might skip validation of 'chain foo' because its depth value says its > fine but new caller is coming from filter, not nat, and chain foo had > masquerade expression. There would need to be masks of valid types and hooks recording the restrictions imposed on a non-base chain by its rules' expressions. Maybe this even needs a matrix for cases where some hooks are OK in some families/types but not others. Cheers, Phil
Powered by blists - more mailing lists