[{"id":3669678,"web_url":"http://patchwork.ozlabs.org/comment/3669678/","msgid":"<d33c0d7f-e281-4371-964d-3ecfc647f5e1@suse.de>","list_archive_url":null,"date":"2026-03-26T12:03:32","subject":"Re: [PATCH nf] netfilter: nf_tables: reject requests exceeding\n NF_FLOW_RULE_ACTION_MAX actions","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 3/25/26 5:41 PM, Florian Westphal wrote:\n> nf_flow_offload_rule_alloc() allocates space for NF_FLOW_RULE_ACTION_MAX\n> entries.  Make sure userspace passes more entries to us.\n> \n\nnit: shouldn't this be \"Make sure userspace does not pass more entries \nto us\"?\n\nOther than that, LGTM.\n\nThanks.\n\n> Reported-by: Hyunwoo Kim <imv4bel@gmail.com>\n> Signed-off-by: Florian Westphal <fw@strlen.de>\n> ---\n>   Can also route via nf-next if thats deemed the better tree.\n> \n>   include/net/netfilter/nf_flow_table.h | 2 ++\n>   net/netfilter/nf_flow_table_offload.c | 2 --\n>   net/netfilter/nf_tables_offload.c     | 5 +++--\n>   3 files changed, 5 insertions(+), 4 deletions(-)\n> \n> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h\n> index b09c11c048d5..0b2fb1467b3f 100644\n> --- a/include/net/netfilter/nf_flow_table.h\n> +++ b/include/net/netfilter/nf_flow_table.h\n> @@ -13,6 +13,8 @@\n>   #include <linux/if_pppox.h>\n>   #include <linux/ppp_defs.h>\n>   \n> +#define NF_FLOW_RULE_ACTION_MAX\t16\n> +\n>   struct nf_flowtable;\n>   struct nf_flow_rule;\n>   struct flow_offload;\n> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c\n> index 9b677e116487..11463682bbfa 100644\n> --- a/net/netfilter/nf_flow_table_offload.c\n> +++ b/net/netfilter/nf_flow_table_offload.c\n> 
@@ -727,8 +727,6 @@ int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow,\n>   }\n>   EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv6);\n>   \n> -#define NF_FLOW_RULE_ACTION_MAX\t16\n> -\n>   static struct nf_flow_rule *\n>   nf_flow_offload_rule_alloc(struct net *net,\n>   \t\t\t   const struct flow_offload_work *offload,\n> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c\n> index 9101b1703b52..a2f7966bc201 100644\n> --- a/net/netfilter/nf_tables_offload.c\n> +++ b/net/netfilter/nf_tables_offload.c\n> @@ -88,10 +88,11 @@ static void nft_flow_rule_transfer_vlan(struct nft_offload_ctx *ctx,\n>   struct nft_flow_rule *nft_flow_rule_create(struct net *net,\n>   \t\t\t\t\t   const struct nft_rule *rule)\n>   {\n> +\tunsigned int num_actions = 0;\n>   \tstruct nft_offload_ctx *ctx;\n>   \tstruct nft_flow_rule *flow;\n> -\tint num_actions = 0, err;\n>   \tstruct nft_expr *expr;\n> +\tint err;\n>   \n>   \texpr = nft_expr_first(rule);\n>   \twhile (nft_expr_more(rule, expr)) {\n> 
@@ -102,7 +103,7 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,\n>   \t\texpr = nft_expr_next(expr);\n>   \t}\n>   \n> -\tif (num_actions == 0)\n> +\tif (num_actions == 0 || num_actions > NF_FLOW_RULE_ACTION_MAX)\n>   \t\treturn ERR_PTR(-EOPNOTSUPP);\n>   \n>   \tflow = nft_flow_rule_alloc(num_actions);","headers":{"Return-Path":"\n <netfilter-devel+bounces-11438-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=RmMX0orp;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=u1T2dEzi;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=UcvWAWIo;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=eD/a150Z;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11438-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"RmMX0orp\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"u1T2dEzi\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"UcvWAWIo\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"eD/a150Z\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass 
smtp.mailfrom=suse.de","smtp-out2.suse.de;\n\tdkim=pass header.d=suse.de header.s=susede2_rsa header.b=UcvWAWIo;\n\tdkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=\"eD/a150Z\""],"Message-ID":"<d33c0d7f-e281-4371-964d-3ecfc647f5e1@suse.de>","Date":"Thu, 26 Mar 2026 13:03:32 +0100","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH nf] netfilter: nf_tables: reject requests exceeding\n NF_FLOW_RULE_ACTION_MAX actions","To":"Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org","Cc":"Hyunwoo Kim <imv4bel@gmail.com>","References":"<20260325164130.29060-1-fw@strlen.de>","Content-Language":"en-US","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<20260325164130.29060-1-fw@strlen.de>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Rspamd-Action":"no 
action","X-Spam-Flag":"NO","X-Spam-Score":"-4.51","X-Spam-Level":"","X-Rspamd-Server":"rspamd1.dmz-prg2.suse.org","X-Rspamd-Queue-Id":"7D2E45BDC2"}},{"id":3669974,"web_url":"http://patchwork.ozlabs.org/comment/3669974/","msgid":"<acWp-3wao3d7MNNK@chamomile>","list_archive_url":null,"date":"2026-03-26T21:49:47","subject":"Re: [PATCH nf] netfilter: nf_tables: reject requests exceeding\n NF_FLOW_RULE_ACTION_MAX actions","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Mar 25, 2026 at 05:41:27PM +0100, Florian Westphal wrote:\n> nf_flow_offload_rule_alloc() allocates space for NF_FLOW_RULE_ACTION_MAX\n> entries.  Make sure userspace passes more entries to us.\n\nWhile the flowtable hardware offload uses a fixed maximum number of\nactions NF_FLOW_RULE_ACTION_MAX for simplicity.\n\nBut nf_tables hardware offload allocates the number of actions\ndynamically from nft_flow_rule_create(), such function iterates to\ncheck if there is .offload_action is true, then increments the array of\nactions by one for each.\n\nPossible actions (note payload mangling is currently not supported\nin nf_tables hardware offload).\n\nThis is fragile, because advancing the action array is opencoded:\n\n        entry = &flow->rule->action.entries[ctx->num_actions++];\n\nI can make a patch for nf-next to add a helper, but I don't see any\nissue on nf_tables_offload at this stage. 
There are three actions only\nand they add one single entry to the array.\n\nAs for the flowtable hardware offload (different infrastructure)\nI proposed a different approach:\n\nhttps://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326200935.729750-1-pablo@netfilter.org/","headers":{"Return-Path":"\n <netfilter-devel+bounces-11469-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=UtkIrd84;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11469-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"UtkIrd84\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Date":"Thu, 26 Mar 2026 22:49:47 +0100","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org, Hyunwoo Kim <imv4bel@gmail.com>","Subject":"Re: [PATCH nf] netfilter: nf_tables: reject requests exceeding\n NF_FLOW_RULE_ACTION_MAX actions","Message-ID":"<acWp-3wao3d7MNNK@chamomile>","References":"<20260325164130.29060-1-fw@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260325164130.29060-1-fw@strlen.de>"}}]