diff options
author | Patrick McHardy <kaber@trash.net> | 2007-07-07 22:36:24 -0700 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-10 22:18:12 -0700 |
commit | f264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch) | |
tree | c07c92616a50107c2dacc5836626d4b6a12c57ae /net/netfilter/nf_conntrack_expect.c | |
parent | b560580a13b180bc1e3cad7ffbc93388cc39be5d (diff) | |
download | kernel_samsung_smdk4412-f264a7df08d50bb4a23be6a9aa06940e497ac1c4.zip kernel_samsung_smdk4412-f264a7df08d50bb4a23be6a9aa06940e497ac1c4.tar.gz kernel_samsung_smdk4412-f264a7df08d50bb4a23be6a9aa06940e497ac1c4.tar.bz2 |
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maxmimum of conntracks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_expect.c')
-rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 5ef0dd4..513828f 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); static unsigned int nf_ct_expect_hash_rnd __read_mostly; static unsigned int nf_ct_expect_count; +unsigned int nf_ct_expect_max __read_mostly; static int nf_ct_expect_hash_rnd_initted __read_mostly; static int nf_ct_expect_vmalloc; @@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) master_help->expecting >= master_help->helper->max_expected) evict_oldest_expect(master); + if (nf_ct_expect_count >= nf_ct_expect_max) { + if (net_ratelimit()) + printk(KERN_WARNING + "nf_conntrack: expectation table full"); + ret = -EMFILE; + goto out; + } + nf_ct_expect_insert(expect); nf_ct_expect_event(IPEXP_NEW, expect); ret = 0; @@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void) if (!nf_ct_expect_hsize) nf_ct_expect_hsize = 1; } + nf_ct_expect_max = nf_ct_expect_hsize * 4; nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, &nf_ct_expect_vmalloc); |