[{"id":3675253,"web_url":"http://patchwork.ozlabs.org/comment/3675253/","msgid":"","list_archive_url":null,"date":"2026-04-09T11:05:59","subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 09, 2026 at 06:49:12PM +0800, Weiming Shi wrote:\n> nft_fwd_neigh can be used in egress chains (NF_NETDEV_EGRESS). When the\n> forwarding rule targets the same device or two devices forward to each\n> other, neigh_xmit() triggers dev_queue_xmit() which re-enters\n> nf_hook_egress(), causing infinite recursion and stack overflow.\n> \n> Move the nf_get_nf_dup_skb_recursion() accessor and NF_RECURSION_LIMIT\n> to the shared header nf_dup_netdev.h as a static inline, so that\n> nft_fwd_netdev can use the recursion counter directly without exported\n> function call overhead. Guard neigh_xmit() with the same recursion\n> limit already used in nf_do_netdev_egress().\n> \n> Fixes: f87b9464d152 (\"netfilter: nft_fwd_netdev: Support egress hook\")\n\nI would just restrict this \"feature\", I don't see a point in allowing\nthis from egress?\n\n> Reported-by: Xiang Mei \n> Signed-off-by: Weiming Shi \n> ---\n> include/net/netfilter/nf_dup_netdev.h | 13 +++++++++++++\n> net/netfilter/nf_dup_netdev.c | 16 ----------------\n> net/netfilter/nft_fwd_netdev.c | 7 +++++++\n> 3 files changed, 20 insertions(+), 16 deletions(-)\n> \n> diff --git a/include/net/netfilter/nf_dup_netdev.h b/include/net/netfilter/nf_dup_netdev.h\n> index b175d271aec9..609bcf422a9b 100644\n> --- a/include/net/netfilter/nf_dup_netdev.h\n> +++ b/include/net/netfilter/nf_dup_netdev.h\n> @@ -3,10 +3,23 @@\n> #define _NF_DUP_NETDEV_H_\n> \n> #include \n> +#include \n> +#include \n> \n> void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> \n> +#define NF_RECURSION_LIMIT\t2\n> +\n> +static inline u8 *nf_get_nf_dup_skb_recursion(void)\n> +{\n> +#ifndef CONFIG_PREEMPT_RT\n> +\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> +#else\n> +\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> +#endif\n> +}\n> +\n> struct nft_offload_ctx;\n> struct nft_flow_rule;\n> \n> diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c\n> index fab8b9011098..a958a1b0c5be 100644\n> --- a/net/netfilter/nf_dup_netdev.c\n> +++ b/net/netfilter/nf_dup_netdev.c\n> @@ -13,22 +13,6 @@\n> #include \n> #include \n> \n> -#define NF_RECURSION_LIMIT\t2\n> -\n> -#ifndef CONFIG_PREEMPT_RT\n> -static u8 *nf_get_nf_dup_skb_recursion(void)\n> -{\n> -\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> -}\n> -#else\n> -\n> -static u8 *nf_get_nf_dup_skb_recursion(void)\n> -{\n> -\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> -}\n> -\n> -#endif\n> -\n> static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,\n> \t\t\t\tenum nf_dev_hooks hook)\n> {\n> diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c\n> index 152a9fb4d23a..492bb599a499 100644\n> --- a/net/netfilter/nft_fwd_netdev.c\n> +++ b/net/netfilter/nft_fwd_netdev.c\n> @@ -141,13 +141,20 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,\n> \t\tgoto out;\n> \t}\n> \n> +\tif (*nf_get_nf_dup_skb_recursion() > NF_RECURSION_LIMIT) {\n> +\t\tverdict = NF_DROP;\n> +\t\tgoto out;\n> +\t}\n> +\n> \tdev = dev_get_by_index_rcu(nft_net(pkt), oif);\n> \tif (dev == NULL)\n> \t\treturn;\n> \n> \tskb->dev = dev;\n> \tskb_clear_tstamp(skb);\n> +\t(*nf_get_nf_dup_skb_recursion())++;\n> \tneigh_xmit(neigh_table, dev, addr, skb);\n> +\t(*nf_get_nf_dup_skb_recursion())--;\n> out:\n> \tregs->verdict.code = verdict;\n> }\n> -- \n> 2.43.0\n> \n>","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=Q4KIBn+q;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11759-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"Q4KIBn+q\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frxxT3kbLz1yD3\n\tfor ; Thu, 09 Apr 2026 21:08:13 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id DDA33301992E\n\tfor ; Thu, 9 Apr 2026 11:06:17 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3DBC93C0638;\n\tThu, 9 Apr 2026 11:06:15 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0388726A1AF;\n\tThu, 9 Apr 2026 11:06:10 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 5B3A9600B5;\n\tThu, 9 Apr 2026 13:06:02 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775732774; cv=none;\n b=rQtcVcvP5lsypyf7dnXcnTtCpXYJfz1LHem4SyOSHxfZScj0eN5OW4dLK9z0JlrNoStygcOiOlnZhUoqkEDjrwvxwDxphvFqN+pu36Y14Kd59h1MrjbjE7IEsP2ozw0qwx9hXGo86y7+36kJwHczq0Hl/Am6HbEJIkhO1H6w6Lc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775732774; c=relaxed/simple;\n\tbh=2YHFrzrI84d9lpiXpxi3bnyki3GTSvsusW4oxazVRnA=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=oZ8mxvGxHzcuqd5qHMpt1+Le4LlrRMLbosiztJgVn8o3GI8cC4dLW7nM2JRDAYtbDMLfBgUJpL4/ehEUhPcy+32YW9lq5+S1ZWhJo9nsuEw/nS1raciY7yXtPbqAmFFadqhRl+DyW9HmF3n0OQUTWc5Z2DbYE7dhf0Hplm2Cl+A=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=Q4KIBn+q; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1775732762;\n\tbh=Rqu/gVOitW7Ns+Rt9dxe6qvnEaTF9koiHqNOvlCaxxw=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=Q4KIBn+qAbOy7EGryTB0I7AkCyB37k8XY47oQU/Qi78dm6Ut9JSo8QGBvHqt5KN0h\n\t Ly3cm0k+5HXYuYoIyrtRqxalS9yi8D/HNxWHBDpP8tjjqBb1CJkkz+umNPi1ZfLqkv\n\t 9m33Vg3S+pRFdZJH72oDKV4IlUyzvn0GVKlnnYt6O6KMQN8ImT6jKArG1vU7o/nSup\n\t 6m3aH/lMjciTHb0/9IbiegtfRF9Wxj0/eWIGfVfp6btpFMRePcRyAkIl2VdrrjNN+V\n\t eq+XvSmzYMMetUMTKycE868w9EDWIxhWyVCxiqUds9+EzDfi21hUPXjmSsYUq/mAMZ\n\t YYvMIxbqo7xfw==","Date":"Thu, 9 Apr 2026 13:05:59 +0200","From":"Pablo Neira Ayuso ","To":"Weiming Shi ","Cc":"Florian Westphal ,\n\t\"David S . Miller\" ,\n\tEric Dumazet ,\n\tJakub Kicinski , Paolo Abeni ,\n\tPhil Sutter , Simon Horman ,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei ","Subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","Message-ID":"","References":"<20260409104911.722698-2-bestswngs@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260409104911.722698-2-bestswngs@gmail.com>"}},{"id":3675255,"web_url":"http://patchwork.ozlabs.org/comment/3675255/","msgid":"","list_archive_url":null,"date":"2026-04-09T11:21:24","subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 09, 2026 at 01:06:03PM +0200, Pablo Neira Ayuso wrote:\n> On Thu, Apr 09, 2026 at 06:49:12PM +0800, Weiming Shi wrote:\n> > nft_fwd_neigh can be used in egress chains (NF_NETDEV_EGRESS). When the\n> > forwarding rule targets the same device or two devices forward to each\n> > other, neigh_xmit() triggers dev_queue_xmit() which re-enters\n> > nf_hook_egress(), causing infinite recursion and stack overflow.\n> > \n> > Move the nf_get_nf_dup_skb_recursion() accessor and NF_RECURSION_LIMIT\n> > to the shared header nf_dup_netdev.h as a static inline, so that\n> > nft_fwd_netdev can use the recursion counter directly without exported\n> > function call overhead. Guard neigh_xmit() with the same recursion\n> > limit already used in nf_do_netdev_egress().\n> > \n> > Fixes: f87b9464d152 (\"netfilter: nft_fwd_netdev: Support egress hook\")\n> \n> I would just restrict this \"feature\", I don't see a point in allowing\n> this from egress?\n\nHm, actually this can be combined with if0 device, fixing it makes sense.\n\n> > Reported-by: Xiang Mei \n> > Signed-off-by: Weiming Shi \n> > ---\n> > include/net/netfilter/nf_dup_netdev.h | 13 +++++++++++++\n> > net/netfilter/nf_dup_netdev.c | 16 ----------------\n> > net/netfilter/nft_fwd_netdev.c | 7 +++++++\n> > 3 files changed, 20 insertions(+), 16 deletions(-)\n> > \n> > diff --git a/include/net/netfilter/nf_dup_netdev.h b/include/net/netfilter/nf_dup_netdev.h\n> > index b175d271aec9..609bcf422a9b 100644\n> > --- a/include/net/netfilter/nf_dup_netdev.h\n> > +++ b/include/net/netfilter/nf_dup_netdev.h\n> > @@ -3,10 +3,23 @@\n> > #define _NF_DUP_NETDEV_H_\n> > \n> > #include \n> > +#include \n> > +#include \n> > \n> > void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> > void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> > \n> > +#define NF_RECURSION_LIMIT\t2\n> > +\n> > +static inline u8 *nf_get_nf_dup_skb_recursion(void)\n> > +{\n> > +#ifndef CONFIG_PREEMPT_RT\n> > +\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> > +#else\n> > +\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> > +#endif\n> > +}\n> > +\n> > struct nft_offload_ctx;\n> > struct nft_flow_rule;\n> > \n> > diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c\n> > index fab8b9011098..a958a1b0c5be 100644\n> > --- a/net/netfilter/nf_dup_netdev.c\n> > +++ b/net/netfilter/nf_dup_netdev.c\n> > @@ -13,22 +13,6 @@\n> > #include \n> > #include \n> > \n> > -#define NF_RECURSION_LIMIT\t2\n> > -\n> > -#ifndef CONFIG_PREEMPT_RT\n> > -static u8 *nf_get_nf_dup_skb_recursion(void)\n> > -{\n> > -\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> > -}\n> > -#else\n> > -\n> > -static u8 *nf_get_nf_dup_skb_recursion(void)\n> > -{\n> > -\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> > -}\n> > -\n> > -#endif\n> > -\n> > static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,\n> > \t\t\t\tenum nf_dev_hooks hook)\n> > {\n> > diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c\n> > index 152a9fb4d23a..492bb599a499 100644\n> > --- a/net/netfilter/nft_fwd_netdev.c\n> > +++ b/net/netfilter/nft_fwd_netdev.c\n> > @@ -141,13 +141,20 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,\n> > \t\tgoto out;\n> > \t}\n> > \n> > +\tif (*nf_get_nf_dup_skb_recursion() > NF_RECURSION_LIMIT) {\n> > +\t\tverdict = NF_DROP;\n> > +\t\tgoto out;\n> > +\t}\n> > +\n> > \tdev = dev_get_by_index_rcu(nft_net(pkt), oif);\n> > \tif (dev == NULL)\n> > \t\treturn;\n> > \n> > \tskb->dev = dev;\n> > \tskb_clear_tstamp(skb);\n> > +\t(*nf_get_nf_dup_skb_recursion())++;\n> > \tneigh_xmit(neigh_table, dev, addr, skb);\n> > +\t(*nf_get_nf_dup_skb_recursion())--;\n> > out:\n> > \tregs->verdict.code = verdict;\n> > }\n> > -- \n> > 2.43.0\n> > \n> >","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=DwVscG7o;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11760-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"DwVscG7o\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fryF20Dlvz1yD3\n\tfor ; Thu, 09 Apr 2026 21:21:41 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 3F20D301E3FC\n\tfor ; Thu, 9 Apr 2026 11:21:32 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 303D63C13FB;\n\tThu, 9 Apr 2026 11:21:31 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 038653A5E9D;\n\tThu, 9 Apr 2026 11:21:28 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id C59196017D;\n\tThu, 9 Apr 2026 13:21:26 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775733690; cv=none;\n b=tuFPe41xAI+TGV6sOk3PUoOxYALmT35vdrF2Jmi2P7+EW7YgdOu8Okhao/vvbmgFKOLvJ+UNVpAtb9FYtqIQM+J5rAJFj0zvQHYuMmjtBK71N/rBO+/VLi76rywOWdcK0I/4piBmhMXbIG9a3+EJ5jVq5dyuP1zXtjQ3Xc9FDXg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775733690; c=relaxed/simple;\n\tbh=NGMroKs/p2DZlb2g6lLg1hb0RQfNUoYX7FW0BZLqLnM=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=h0fGDBqAOPQVZKIr/4FkajRAiQ44ZmAtvpNmFcdqPr1QUH2a4NNcv+0JvM4D4pT9dOar/G30qhP+zDR3ZjEX3W/fxJE5IPQtF1ZMkJ/2Hq75p7+PoT/Cnzpq4qm14Ykg5LnjHK4PSvkWw4c9DCn5dnsNrWjV47gX9n4M/rQs4kM=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=DwVscG7o; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1775733686;\n\tbh=vO1SZlyg17Nlm20gzEKS1YEEuJac2pZ/3FgZ4TW4cX0=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=DwVscG7ooHrqu5iGPCAjWFEcRowFiYaKsi55UZx0weTQWXmNYu4HWR+xUJEG6Fwy5\n\t lqKqIokc3VcxbtlglnFiKbGh1RKBrVBqfUyeWjgPadLEhDM6fVSuXYRruFxHmEXw6e\n\t Z0wD6baQPRD/PND/81CoOdRCovsYlFkbrqSX2hGBExoroGuNmy1VQ5Aiv6iGBiHjDU\n\t vSwuUkgfEgNFkLIr+VULpn/YbgJnfdz4Mp4lvyVkwuFXUpFRr7Zm2kSAkqyOeXTvYY\n\t ou85BUybDQfR6Am52UdfoL0X6V6RBNo0+BLdJwwnLxm6Q8PQF3VF+IJpZCaYvzMb7P\n\t HAXEVC654ukbQ==","Date":"Thu, 9 Apr 2026 13:21:24 +0200","From":"Pablo Neira Ayuso ","To":"Weiming Shi ","Cc":"Florian Westphal ,\n\t\"David S . Miller\" ,\n\tEric Dumazet ,\n\tJakub Kicinski , Paolo Abeni ,\n\tPhil Sutter , Simon Horman ,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei ","Subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","Message-ID":"","References":"<20260409104911.722698-2-bestswngs@gmail.com>\n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":""}},{"id":3675363,"web_url":"http://patchwork.ozlabs.org/comment/3675363/","msgid":"","list_archive_url":null,"date":"2026-04-09T15:06:05","subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","submitter":{"id":92941,"url":"http://patchwork.ozlabs.org/api/people/92941/","name":"Weiming Shi","email":"bestswngs@gmail.com"},"content":"On 26-04-09 13:21, Pablo Neira Ayuso wrote:\n> On Thu, Apr 09, 2026 at 01:06:03PM +0200, Pablo Neira Ayuso wrote:\n> > On Thu, Apr 09, 2026 at 06:49:12PM +0800, Weiming Shi wrote:\n> > > nft_fwd_neigh can be used in egress chains (NF_NETDEV_EGRESS). When the\n> > > forwarding rule targets the same device or two devices forward to each\n> > > other, neigh_xmit() triggers dev_queue_xmit() which re-enters\n> > > nf_hook_egress(), causing infinite recursion and stack overflow.\n> > > \n> > > Move the nf_get_nf_dup_skb_recursion() accessor and NF_RECURSION_LIMIT\n> > > to the shared header nf_dup_netdev.h as a static inline, so that\n> > > nft_fwd_netdev can use the recursion counter directly without exported\n> > > function call overhead. Guard neigh_xmit() with the same recursion\n> > > limit already used in nf_do_netdev_egress().\n> > > \n> > > Fixes: f87b9464d152 (\"netfilter: nft_fwd_netdev: Support egress hook\")\n> > \n> > I would just restrict this \"feature\", I don't see a point in allowing\n> > this from egress?\n> \n> Hm, actually this can be combined with if0 device, fixing it makes sense.\n> \n> > > Reported-by: Xiang Mei \n> > > Signed-off-by: Weiming Shi \n> > > ---\n> > > include/net/netfilter/nf_dup_netdev.h | 13 +++++++++++++\n> > > net/netfilter/nf_dup_netdev.c | 16 ----------------\n> > > net/netfilter/nft_fwd_netdev.c | 7 +++++++\n> > > 3 files changed, 20 insertions(+), 16 deletions(-)\n> > > \n> > > diff --git a/include/net/netfilter/nf_dup_netdev.h b/include/net/netfilter/nf_dup_netdev.h\n> > > index b175d271aec9..609bcf422a9b 100644\n> > > --- a/include/net/netfilter/nf_dup_netdev.h\n> > > +++ b/include/net/netfilter/nf_dup_netdev.h\n> > > @@ -3,10 +3,23 @@\n> > > #define _NF_DUP_NETDEV_H_\n> > > \n> > > #include \n> > > +#include \n> > > +#include \n> > > \n> > > void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> > > void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);\n> > > \n> > > +#define NF_RECURSION_LIMIT\t2\n> > > +\n> > > +static inline u8 *nf_get_nf_dup_skb_recursion(void)\n> > > +{\n> > > +#ifndef CONFIG_PREEMPT_RT\n> > > +\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> > > +#else\n> > > +\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> > > +#endif\n> > > +}\n> > > +\n> > > struct nft_offload_ctx;\n> > > struct nft_flow_rule;\n> > > \n> > > diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c\n> > > index fab8b9011098..a958a1b0c5be 100644\n> > > --- a/net/netfilter/nf_dup_netdev.c\n> > > +++ b/net/netfilter/nf_dup_netdev.c\n> > > @@ -13,22 +13,6 @@\n> > > #include \n> > > #include \n> > > \n> > > -#define NF_RECURSION_LIMIT\t2\n> > > -\n> > > -#ifndef CONFIG_PREEMPT_RT\n> > > -static u8 *nf_get_nf_dup_skb_recursion(void)\n> > > -{\n> > > -\treturn this_cpu_ptr(&softnet_data.xmit.nf_dup_skb_recursion);\n> > > -}\n> > > -#else\n> > > -\n> > > -static u8 *nf_get_nf_dup_skb_recursion(void)\n> > > -{\n> > > -\treturn ¤t->net_xmit.nf_dup_skb_recursion;\n> > > -}\n> > > -\n> > > -#endif\n> > > -\n> > > static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,\n> > > \t\t\t\tenum nf_dev_hooks hook)\n> > > {\n> > > diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c\n> > > index 152a9fb4d23a..492bb599a499 100644\n> > > --- a/net/netfilter/nft_fwd_netdev.c\n> > > +++ b/net/netfilter/nft_fwd_netdev.c\n> > > @@ -141,13 +141,20 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,\n> > > \t\tgoto out;\n> > > \t}\n> > > \n> > > +\tif (*nf_get_nf_dup_skb_recursion() > NF_RECURSION_LIMIT) {\n> > > +\t\tverdict = NF_DROP;\n> > > +\t\tgoto out;\n> > > +\t}\n> > > +\n> > > \tdev = dev_get_by_index_rcu(nft_net(pkt), oif);\n> > > \tif (dev == NULL)\n> > > \t\treturn;\n> > > \n> > > \tskb->dev = dev;\n> > > \tskb_clear_tstamp(skb);\n> > > +\t(*nf_get_nf_dup_skb_recursion())++;\n> > > \tneigh_xmit(neigh_table, dev, addr, skb);\n> > > +\t(*nf_get_nf_dup_skb_recursion())--;\n> > > out:\n> > > \tregs->verdict.code = verdict;\n> > > }\n> > > -- \n> > > 2.43.0\n> > > \n> > > \n\nThanks Pablo. So shall I keep v2 as is, or is there anything else you'd \nlike me to change?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=aFEJvn/E;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11773-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"aFEJvn/E\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.210.172","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fs3DC5Hz4z1xy1\n\tfor ; Fri, 10 Apr 2026 01:06:19 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 96CF1300A309\n\tfor ; Thu, 9 Apr 2026 15:06:16 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C7BC03DA7E2;\n\tThu, 9 Apr 2026 15:06:12 +0000 (UTC)","from mail-pf1-f172.google.com (mail-pf1-f172.google.com\n [209.85.210.172])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C9E63B6363\n\tfor ; Thu, 9 Apr 2026 15:06:10 +0000 (UTC)","by mail-pf1-f172.google.com with SMTP id\n d2e1a72fcca58-82cebbdbdccso579608b3a.1\n for ;\n Thu, 09 Apr 2026 08:06:10 -0700 (PDT)","from SLSGDTSWING002 ([129.126.109.177])\n by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82cf9c6ba2fsm24779155b3a.45.2026.04.09.08.06.06\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 09 Apr 2026 08:06:09 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775747172; cv=none;\n b=n+mtPu4H0mXv85h3do2CKZveZPNckU7E9LdtuOwgVaMk3QkxotjLm7oAExCq2/4cKIgN/LczK20J+4iG7WnjiFsgOQGSgRCxfqvoCWqOAy7bl/NjEddlXWcsX/QLGiLF9bE/kP9ToP9g2dKXVbQjTajT6dAl86hMmPXzG7zuNqI=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775747172; c=relaxed/simple;\n\tbh=iduZko/88iujLyFvTRXcgG+QUimtLLRipU7l8Yq24Kc=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=k8D8aK58LGLSMWZlmslpCl7LCDJE9Cxll8v7thAfHn9Q3gzhfh+YeZt4xLRPFUXfZPICYKofKF6vnJVawJmcHWNKQNpLUmeAGbqQrFLSjfODQRoJDSVK1emXVqO2IiXs4a3Q0csnIyxwmqz2JLGj0mwtnox9/xMT+EbnO2TJnqs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=aFEJvn/E; arc=none smtp.client-ip=209.85.210.172","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775747170; x=1776351970;\n darn=vger.kernel.org;\n h=in-reply-to:content-disposition:mime-version:references:message-id\n :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;\n bh=JNkav/yhWdJLbDPIInjuFZXY0iHAcSm7PTNNRKiplfk=;\n b=aFEJvn/EEpt+JVsqt2JniGJgVgE3MgGuKMeDYK0/zVYJlgudOoSmY/SIKefkld9Log\n Jn3+mggIq4vvF1F0wjZ/k8Z35CGkD9S+ajQMAzVxsteGVB5N2Hz8EH2FHqcC44K6XnT3\n 0u9e1IOz2kFDhjOpgoIUJPkV9CvkO2QpuUzlytupwQcQnj5upmOYCCUxPd474dimNwWo\n sM1uUx93KCLZAPYeo4Nm5bTMTXw9o6LqSvZa5Q4GaxbFNGeZh30RWDhWg0A4E4/0mpYQ\n bOIT3AJDOeo5gILw+HnF1QVymyCv4AhHnK0JIBmACgUidFuXV44Q1gYbJy+WT/GeFhci\n xs6Q==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775747170; x=1776351970;\n h=in-reply-to:content-disposition:mime-version:references:message-id\n :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=JNkav/yhWdJLbDPIInjuFZXY0iHAcSm7PTNNRKiplfk=;\n b=pUBsMt5alj563h4q4XQg5Q7lcP1IXXpQCTzHrT6nzgzPD9oyF5THTPUGvZrPp+sEIn\n DXsp2B5kWbx24eEdlDJwaljbgBYNoxOsP7lFJGJJzVyQNgBf1xamQhnyYzgwQ+HCi/zr\n WDkAT0Sot/tdq3p0nee9O+JWq+9fvFKggXEDCmfGDqRGP0YxnYuDAZyfWJH/R7zyB5ay\n N4YbJGA3aJJnP8pMafoxC+h0VXeKEX7nVU2PvhZ5apO+xvx7FehPf4qu2ETtWGKBdJ9y\n P+aIs33Rt9pb4E3v1uPjKTWVPkvu9IVv813IMOeCZWSWHYSwBj2F0hloiAvVgOkswPG8\n YZlA==","X-Forwarded-Encrypted":"i=1;\n AJvYcCUyHRAmDealdNWtAkWMC9bzTEzPEEY/cT8+rf1V25Jpsid94ATCAIu/t5K6pF+WXCGB8pRgcHZvo393LMBNpBM=@vger.kernel.org","X-Gm-Message-State":"AOJu0Yyw2fxlivLyg7Py6cIasDZDrhL5Xk1lTIum3Bwd505hWevnSkaa\n\tyOjAPB74Xou7dB6H5t121H/eoIbSdPUTtxK5+zd1IhRQSJdNKrVfgcZ7","X-Gm-Gg":"AeBDiesCr4HtsowYehdt1NcFTkTwcdJBdimd3z68y4+fJ1EjqzxYRJG/55Grpl3STIF\n\tT0G098gwTlpvm2kZ3eO5040aHu8omzMnFe42nmooA494zGMp12oH9FUfFx2UPS4fxjqsROM6Rq7\n\tU2mY6lGk4UuYQQvzFMYkcKMaU5cDZOnCv7y7bJH/uZ43hLmMT0kvo+1X6CciiJD9TAZhY0K64Cc\n\t4UFyhFonoz59VKsm+7aneeL30in4nAuk5Uo6b8sDRQ8FJGxm57EWd2Cl/zTDWZsBe9+JucZvQIg\n\t5Qx7q5m29Py45sidbu/oQYjEQoo4lslJ9PIri3jDqcgG7KMtbjXps2rIZwYrML0j5zt4iCpMiDs\n\tSFlKErNO7yUuaQ4xbZraEcANGeAvgWpKlaMOVRWOsj36rzrPAlsCYIVzAzmVPz/64qlcW9IAsMR\n\t42LVvtApcjH+zflS8sGXpFFy/5nRjaurFDU4MgrhpgEXbKsqb6IaSSmBifNH6l","X-Received":"by 2002:aa7:8892:0:b0:829:6f7d:3086 with SMTP id\n d2e1a72fcca58-82dd8aba240mr3203326b3a.11.1775747170163;\n Thu, 09 Apr 2026 08:06:10 -0700 (PDT)","Date":"Thu, 9 Apr 2026 23:06:05 +0800","From":"Weiming Shi ","To":"Pablo Neira Ayuso ","Cc":"Florian Westphal ,\n\t\"David S . Miller\" ,\n\tEric Dumazet ,\n\tJakub Kicinski , Paolo Abeni ,\n\tPhil Sutter , Simon Horman ,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei ","Subject":"Re: [PATCH v2] netfilter: nft_fwd_netdev: use recursion counter in\n neigh egress path","Message-ID":"","References":"<20260409104911.722698-2-bestswngs@gmail.com>\n \n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":""}}]