lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aR5ObjGO4SaD3GkX@calendula>
Date: Thu, 20 Nov 2025 00:10:38 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Phil Sutter <phil@....cc>, Florian Westphal <fw@...len.de>,
	Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>,
	netdev@...r.kernel.org, Jozsef Kadlecsik <kadlec@...filter.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>, netfilter-devel@...r.kernel.org,
	coreteam@...filter.org, linux-kernel@...r.kernel.org
Subject: Re: Soft lock-ups caused by iptables

On Wed, Nov 19, 2025 at 07:12:37PM +0100, Phil Sutter wrote:
> On Wed, Nov 19, 2025 at 04:58:46PM +0100, Florian Westphal wrote:
> > Phil Sutter <phil@....cc> wrote:
> > > On nftables side, maybe we could annotate chains with a depth value once
> > > validated to skip digging into them again when revisiting from another
> > > jump?
> > 
> > Yes, but you also need to annotate the type of the last base chain origin,
> > else you might skip validation of 'chain foo' because its depth value says its
> > fine but new caller is coming from filter, not nat, and chain foo had
> > masquerade expression.

You could also have chains being called from different levels.

> There would need to be masks of valid types and hooks recording the
> restrictions imposed on a non-base chain by its rules' expressions.
> Maybe this even needs a matrix for cases where some hooks are OK in some
> families/types but not others.

I posted a series to maintain a graph that relates jumps
chain-to-chain, set-to-chain and chain-to-set (both backwards and
forward) to improve validation, I would need to come back to it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ