Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Mon, May 12, 2025 at 10:08:56PM -0400, Shaun Brady wrote:
> [...]
> > Add a new counter, total_jump_counter, to nft_ctx. On every call to
> > nft_table_validate() (rule addition time, versus packet inspection time)
> > start the counter at the current sum of all jump counts in all other
> > tables with the same family, as well as netdev.
>
> What about the bridge family? If bridged frames are passed up to the
> IP stack, then these hooks can have basechains with jumps too.

Good point, I forgot about this.

> Maybe it is better to have a global limit for all tables, regardless of
> the family, in a non-init-netns?

Looks like it would be simpler. The only cases where processing is disjunct
are ipv4 vs. ipv6. And arp. But large arp rulesets are unicorns, so we should
not bother with that.