1024 is a very aggressive limit -- it will most likely not break any real-world ruleset, but it might break certain iptables test scripts out there. If we were to use this limit it becomes feasible to allocate jump stack directly via a percpu allocation (16kbytes needed per cpu in that case). Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- no changes since v1. net/netfilter/x_tables.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 9b42b5e..2be4f8e 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -39,6 +39,7 @@ MODULE_AUTHOR("Harald Welte <laforge@xxxxxxxxxxxxx>"); MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) +#define XT_MAX_STACKSIZE 1024 struct compat_delta { unsigned int offset; /* offset in kernel */ @@ -735,6 +736,9 @@ static int xt_jumpstack_alloc(struct xt_table_info *i) unsigned int size; int cpu; + if (i->stacksize > XT_MAX_STACKSIZE) + return -ELOOP; + size = sizeof(void **) * nr_cpu_ids; if (size > PAGE_SIZE) i->jumpstack = vzalloc(size); -- 2.0.5 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html