Re: [PATCH -next 3/4] netfilter: xtables: don't save/restore jumpstack offset

Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Wednesday 2015-07-08 23:15, Florian Westphal wrote:
> 
> >The jump stack overflow tests are no longer needed as well -- since 
> >->stacksize is the largest call depth we cannot exceed it.
> 
> The tests were once added for the rare case that a cloned packet hits 
> another TEE. Can we be sure they are no longer needed?

Hmm, not sure I understand.

If a TEE'd skb hits another TEE target there is no reentry since the
tee_active percpu indicator is true.

So where can we enter ip(6)tables *twice* via TEE?
Sure, a TEE'd packet can e.g. hit REJECT which then causes another
reentry into ip(6)tables. But it should be ok since we 'only' clobber
the "alternate" jumpstack and a DROP will be issued by REJECT.

Could you please outline a problematic scenario?  Thanks!

> >+	/* No TEE support for arptables, so no need to switch to alternate
> >+	 * stack.  All targets that reenter must return absolte verdicts.
> 
> absolute

Thanks, will fix

> >+	/* Switch to alternate jumpstack if we're being invoked via TEE.
> >+	 * The problem is that TEE issues XT_CONTINUE verdict on original
> >+	 * skb so we must not clobber the jumpstack.
> 
> Well that is not really a problem but a feature :)

Sorry, I did not mean to imply TEE was misbehaving.  I'll shorten this
to: "TEE will issue XT_CONTINUE verdict" ...

Thanks for reviewing.
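The mechanism Florian describes above (the percpu tee_active guard that stops TEE from nesting, the alternate jumpstack half for a traversal entered via TEE, and REJECT's absolute verdict making a clobbered alternate stack harmless) can be sketched as a small user-space model. This is an added example, not the patch or any kernel code: STACKSIZE, DEPTH, the packet kinds, the verdict names and the stack tags are invented for the illustration, and the use_alternate_stack=false run only shows what sharing one stack would do, it does not model the pre-patch save/restore scheme.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the jumpstack handling discussed in the thread. Not kernel
 * code: STACKSIZE, DEPTH, packet kinds, verdict names and tags are invented. */

#define STACKSIZE 4   /* ->stacksize: the largest call depth of the ruleset */
#define DEPTH     2   /* call depth the toy ruleset reaches before a target fires */

enum verdict { XT_CONTINUE = 0, VERDICT_ACCEPT = 1, VERDICT_DROP = 2 };
enum kind { PKT_ORIG, PKT_CLONE, PKT_ICMP };

struct pkt { enum kind kind; };

/* Per-CPU state; the model runs on one CPU, so a plain struct stands in. */
struct cpu_state {
    bool tee_active;                       /* the tee_active percpu indicator */
    bool use_alternate_stack;              /* true: switch halves while tee_active */
    unsigned int jumpstack[2 * STACKSIZE]; /* [0,STACKSIZE) primary, rest alternate */
    unsigned int clones;                   /* packets duplicated by TEE */
    unsigned int nested_tee_refused;       /* TEE hits ignored because tee_active */
};

static int do_table(struct cpu_state *cpu, const struct pkt *p);

/* Stand-in for the rule index a chain return would resume at. */
static unsigned int tag(const struct pkt *p, unsigned int depth)
{
    return ((unsigned int)p->kind + 1u) * 16u + depth;
}

/* TEE: duplicate the packet, run the clone through the table, then let the
 * original continue (XT_CONTINUE). A TEE hit while tee_active is set is ignored. */
static enum verdict tee_target(struct cpu_state *cpu)
{
    if (cpu->tee_active) {
        cpu->nested_tee_refused++;
        return XT_CONTINUE;
    }
    struct pkt clone = { PKT_CLONE };
    cpu->tee_active = true;
    cpu->clones++;
    do_table(cpu, &clone);     /* the clone's verdict is final for the clone only */
    cpu->tee_active = false;
    return XT_CONTINUE;
}

/* REJECT: emit an ICMP error (which re-enters the table) and drop. The verdict
 * is absolute, so the traversal that hit REJECT never unwinds its stack again. */
static enum verdict reject_target(struct cpu_state *cpu)
{
    struct pkt icmp = { PKT_ICMP };
    do_table(cpu, &icmp);
    return VERDICT_DROP;
}

static enum verdict apply_target(struct cpu_state *cpu, const struct pkt *p)
{
    switch (p->kind) {
    case PKT_ORIG:  return tee_target(cpu);     /* original hits TEE */
    case PKT_CLONE: return reject_target(cpu);  /* TEE'd clone hits REJECT */
    case PKT_ICMP:  return tee_target(cpu);     /* ICMP error hits TEE again */
    }
    return VERDICT_ACCEPT;
}

/* Descend DEPTH chains, fire the target, unwind. Returns the verdict, or -1
 * if the entries popped on unwind are not the ones this traversal pushed. */
static int do_table(struct cpu_state *cpu, const struct pkt *p)
{
    unsigned int *stack = cpu->jumpstack;
    unsigned int sp = 0;

    if (cpu->use_alternate_stack && cpu->tee_active)
        stack += STACKSIZE;           /* invoked via TEE: use the alternate half */

    for (unsigned int d = 0; d < DEPTH; d++)
        stack[sp++] = tag(p, d);      /* "call" into the next user chain */

    enum verdict v = apply_target(cpu, p);
    if (v != XT_CONTINUE)
        return (int)v;                /* absolute verdict: stack simply abandoned */

    while (sp > 0) {                  /* chain returns: pop back to each caller */
        sp--;
        if (stack[sp] != tag(p, sp))
            return -1;                /* a re-entrant traversal clobbered us */
    }
    return VERDICT_ACCEPT;            /* fell off the end: policy ACCEPT */
}

/* Run the original-hits-TEE scenario and report the original's outcome. */
static int run_scenario(bool use_alternate_stack, struct cpu_state *out)
{
    struct cpu_state cpu = { .use_alternate_stack = use_alternate_stack };
    struct pkt orig = { PKT_ORIG };
    int v = do_table(&cpu, &orig);
    if (out)
        *out = cpu;
    return v;
}

int main(void)
{
    struct cpu_state s;
    int alt = run_scenario(true, &s);
    printf("alternate stack: verdict %d, clones %u, nested TEE refused %u\n",
           alt, s.clones, s.nested_tee_refused);
    printf("shared stack:    verdict %d (-1 = jumpstack clobbered)\n",
           run_scenario(false, NULL));
    return 0;
}
```

With the alternate half in use the original unwinds intact even though both the clone and the ICMP error re-entered the table in between; the ICMP traversal overwrites the clone's entries, but the clone left with an absolute DROP and never pops them, which is Florian's point. The second run shares one stack and the original pops the ICMP traversal's tags instead of its own.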