On Wednesday 2015-07-08 23:15, Florian Westphal wrote:

>The jump stack overflow tests are no longer needed as well -- since
>->stacksize is the largest call depth we cannot exceed it.

The tests were once added for the rare case that a cloned packet hits
another TEE. Can we be sure they are no longer needed?

>+ /* No TEE support for arptables, so no need to switch to alternate
>+ * stack. All targets that reenter must return absolte verdicts.

absolute

>+ /* Switch to alternate jumpstack if we're being invoked via TEE.
>+ * The problem is that TEE issues XT_CONTINUE verdict on original
>+ * skb so we must not clobber the jumpstack.

Well that is not really a problem but a feature :)

>+ /* Switch to alternate jumpstack if we're being invoked via TEE.
>+ * The problem is that TEE issues XT_CONTINUE verdict on original
>+ * skb so we must not clobber the jumpstack.
>+ *
>+ * For recursion via REJECT or SYNPROXY the stack will be clobbered
>+ * but its no problem since absolute verdict is issued by these.

"but it is no problem"
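
Review bot: the comment in the last quoted hunk justifies clobbering the jumpstack by naming only REJECT and SYNPROXY, while the arptables comment states the general rule ("All targets that reenter must return ... verdicts"). Consider stating that general rule in the TEE comment as well and giving REJECT and SYNPROXY as examples of it, so that a later re-entering target that returns a non-absolute verdict reads as breaking a documented requirement rather than as a case the comment simply did not list.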