1k is huge and will mean we'd need to support tailcalls in the nf_hook bpf converter. We need about 5 insns per hook at this time, ignoring prologue/epilogue. 32 should be fine, typically even extreme cases need about 8 hooks per hook location. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 3fd268afc13e..f4359179eba9 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -42,7 +42,7 @@ EXPORT_SYMBOL(nf_hooks_needed); static DEFINE_MUTEX(nf_hook_mutex); /* max hooks per family/hooknum */ -#define MAX_HOOK_COUNT 1024 +#define MAX_HOOK_COUNT 32 #define nf_entry_dereference(e) \ rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex)) -- 2.32.0
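Review bot: The reason for choosing 32 in `#define MAX_HOOK_COUNT 32` is recorded only in the commit message, while the comment above it still reads just "max hooks per family/hooknum". Consider extending that comment to say the limit is sized so the nf_hook bpf converter does not need tailcalls (about 5 insns per hook), so a later change does not raise it again without revisiting that constraint. Dropping the limit from 1024 to 32 is also a user-visible change for any setup that registers more than 32 hooks at one family/hooknum. The message says extreme cases need about 8, but it would help to state what happens to a registration that exceeds the new limit, since that path is not visible in this hunk.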