| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Oct 2021 14:10:42 +0200
From: Florian Westphal <fw@...len.de>
To: <netfilter-devel@...r.kernel.org>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, me@...que.spb.ru,
Florian Westphal <fw@...len.de>
Subject: [PATCH RFC nf-next 5/9] netfilter: reduce allowed hook count to 32
1k is huge and will mean we'd need to support tailcalls in the
nf_hook bpf converter.
We need about 5 insns per hook at this time, ignoring prologue/epilogue.
32 should be fine, typically even extreme cases need about 8 hooks per
hook location.
Signed-off-by: Florian Westphal <fw@...len.de>
---
net/netfilter/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3fd268afc13e..f4359179eba9 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -42,7 +42,7 @@ EXPORT_SYMBOL(nf_hooks_needed);
static DEFINE_MUTEX(nf_hook_mutex);
/* max hooks per family/hooknum */
-#define MAX_HOOK_COUNT 1024
+#define MAX_HOOK_COUNT 32
#define nf_entry_dereference(e) \
rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
--
2.32.0
Powered by blists - more mailing lists