Message ID | 20221005141309.31758-6-fw@strlen.de (mailing list archive) |
---|---|
State | RFC |
Delegated to: | Netdev Maintainers |
Series | netfilter: bpf base hook program generator |
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 593fec9434d7..17165f9cf4a1 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -42,7 +42,7 @@ EXPORT_SYMBOL(nf_hooks_needed); static DEFINE_MUTEX(nf_hook_mutex); /* max hooks per family/hooknum */ -#define MAX_HOOK_COUNT 1024 +#define MAX_HOOK_COUNT 32 #define nf_entry_dereference(e) \ rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
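Review bot: The new `#define MAX_HOOK_COUNT 32` in net/netfilter/core.c lowers the per family/hooknum cap for every configuration, not only when the nf_hook bpf converter is in use, so a setup that registers more than 32 hooks at one hook location, which fit under the old 1024 limit, would now hit the cap. Consider keeping 1024 unless the bpf converter is enabled, or say in the commit message whether any known user exceeds 32. The comment above the define still reads only `/* max hooks per family/hooknum */`; recording there that the value follows from the roughly 5 insns per hook the converter needs and the wish to avoid tailcalls would stop the bound from being raised later without revisiting the generator.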
1k is huge and will mean we'd need to support tailcalls in the nf_hook bpf converter. We need about 5 insns per hook at this time, ignoring prologue/epilogue. 32 should be fine, typically even extreme cases need about 8 hooks per hook location.

Signed-off-by: Florian Westphal <fw@strlen.de>

---

net/netfilter/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)