From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753278AbcGUTAj (ORCPT <rfc822;w@1wt.eu>);
	Thu, 21 Jul 2016 15:00:39 -0400
Received: from mail-wm0-f65.google.com ([74.125.82.65]:35582 "EHLO
	mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751858AbcGUTAh (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 21 Jul 2016 15:00:37 -0400
Subject: Re: [PATCH 3.12 28/88] netfilter: x_tables: validate targets of jumps
To: Greg KH <greg@kroah.com>, Jiri Slaby <jirislaby@gmail.com>
References: <3d4036cb9b963cdd270c02856a888183da0623db.1468483951.git.jslaby@suse.cz>
 <42b891251b3b9f241fb5f0a90e87b15d2fef0a74.1468483951.git.jslaby@suse.cz>
 <8d66c06f-7633-357e-f091-c182d78fb219@gmail.com>
 <20160721185633.GA24661@kroah.com>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
        Florian Westphal <fw@strlen.de>,
        Pablo Neira Ayuso <pablo@netfilter.org>
From: Jiri Slaby <jslaby@suse.cz>
Message-ID: <769ca2fb-b99c-a6a4-2559-5c12887d5e8a@suse.cz>
Date: Thu, 21 Jul 2016 21:00:33 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <20160721185633.GA24661@kroah.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/21/2016, 08:56 PM, Greg KH wrote:
> On Thu, Jul 21, 2016 at 08:36:18AM +0200, Jiri Slaby wrote:
>> On 07/14/2016, 10:15 AM, Jiri Slaby wrote:
>>> From: Florian Westphal <fw@strlen.de>
>>>
>>> 3.12-stable review patch.  If anyone has any objections, please let me know.
>>>
>>> ===============
>>>
>>> commit 36472341017529e2b12573093cc0f68719300997 upstream.
>>
>> I am now dropping this one. 3.12.62 will be released without that patch.
>> After the performance issue is resolved, it will be requeued.
> 
> Personally, I think the bug fixes were more important than the
> performance issues at this point in time, but it's your call to make :)

Ok, but to quote [1]:
iptables-restore will take forever (gave up after 10 minutes)

I would say it proved itself not to be a performance issue, but rather a
functional issue :). Both Pablo and Florian suggested to postpone the patch.

[1]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/64099

thanks,
-- 
js
suse labs