<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - nft_table_validate() exceptionally slow for some configurations"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1460">1460</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nft_table_validate() exceptionally slow for some configurations
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>kernel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>steve@opendium.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=606" name="attach_606" title="Example pathological configuration">attachment 606</a> <a href="attachment.cgi?id=606&action=edit" title="Example pathological configuration">[details]</a></span>
Example pathological configuration

nf_tables_check_loops() and nft_table_validate() are executed when new rules
are added to nftables.  These are brute-force validation functions which walk
over the entire ruleset, following all jumps and gotos.  Chains which are
jumped/goto'd to multiple times are walked over multiple times.

nft_table_validate() can become extremely slow with some configurations.  The
attached test-case takes 5 seconds to validate on my test machine, during which
time the CPU is locked up and the machine is unresponsive.  Worse
configurations are trivial to implement, locking the machine up for many
minutes at a time.

I'm not sure why, but nf_table_check_loops() seems comparatively fast.  As far
as I can see it walks over the ruleset in the same way as nft_table_validate()
(although it doesn't always start from the root chains, so doesn't always check
the whole ruleset).

There are more efficient algorithms for checking for loops, and adding some
caching to nft_chain_validate() so that chains aren't revisited multiple times
would be a big help.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are watching all bug changes.</li>
      </ul>
    </body>
</html>