John Hurley <john.hur...@netronome.com> wrote:
> TC hooks allow the application of filters and actions to packets at both
> ingress and egress of the network stack. It is possible, with poor
> configuration, that this can produce loops whereby an ingress hook calls
> a mirred egress action that has an egress hook that redirects back to
> the first ingress etc. The TC core classifier protects against loops when
> doing reclassifies but there is no protection against a packet looping
> between multiple hooks and recursively calling act_mirred. This can lead
> to stack overflow panics.
>
> Add a per CPU counter to act_mirred that is incremented for each recursive
> call of the action function when processing a packet. If a limit is passed
> then the packet is dropped and CPU counter reset.
>
> Note that this patch does not protect against loops in TC datapaths. Its
> aim is to prevent stack overflow kernel panics that can be a consequence
> of such loops.

LGTM, thanks.
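
A user-space C model of the recursion guard the commit message describes, added here as an illustration and not taken from the patch or the kernel tree. The names `mirred_act_model`, `run_hook`, `send_packet` and the limit of 4 are assumptions, and the model returns the counter to zero by decrementing on every return path.

```c
/* User-space model of a recursion guard for a redirect action; not kernel code. */
#include <stdio.h>

#define REC_LIMIT 4   /* assumed value; the commit message states no number */
#define NHOOKS    2

enum verdict { V_OK, V_SHOT };

/* Per-CPU in the kernel; a single global stands in for one CPU here. */
static unsigned int rec_level;
static unsigned int max_depth_seen;
/* redirect_to[i]: hook that the action on hook i forwards to, -1 for none. */
static int redirect_to[NHOOKS];

static enum verdict run_hook(int hook);

/* Models the action function: count nested calls, drop past the limit. */
static enum verdict mirred_act_model(int target)
{
    enum verdict v;

    if (++rec_level > REC_LIMIT) {
        rec_level--;              /* undo our increment before bailing out */
        return V_SHOT;            /* drop instead of recursing further */
    }
    if (rec_level > max_depth_seen)
        max_depth_seen = rec_level;
    v = run_hook(target);         /* re-enters the stack on the same CPU */
    rec_level--;                  /* counter is 0 again once fully unwound */
    return v;
}

static enum verdict run_hook(int hook)
{
    int target = redirect_to[hook];
    return target < 0 ? V_OK : mirred_act_model(target);
}

/* Configure the two hooks, then inject one packet at `hook`. */
static enum verdict send_packet(int hook, int r0, int r1)
{
    redirect_to[0] = r0;
    redirect_to[1] = r1;
    max_depth_seen = 0;
    return run_hook(hook);
}

int main(void)
{
    printf("one-way redirect: %d\n", send_packet(0, 1, -1));
    printf("looped redirect:  %d\n", send_packet(0, 1, 0));
    return 0;
}
```

The looped configuration stops at a bounded call depth and the packet is dropped, while the loop in the hook configuration itself remains, which matches the scope the commit message sets for the patch.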