Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: conntrack: disable 0 value for conntrack_max setting

Undocumented historical artifact inherited from ip_conntrack.
If the value is 0, then no limit is applied at all; the conntrack table
can grow to a huge value, only limited by the size of the conntrack hashes and
the kernel-internal upper limit on the hash chain lengths.

This feature makes no sense; users can just set
conntrack_max=2147483647 (INT_MAX).

Disallow a 0 value. This will make it slightly easier to allow
per-netns constraints for this value in a future patch.

Signed-off-by: Florian Westphal <fw@strlen.de>

+3 -3
+1 -1
net/netfilter/nf_conntrack_core.c
··· 1668 1668 /* We don't want any race condition at early drop stage */ 1669 1669 ct_count = atomic_inc_return(&cnet->count); 1670 1670 1671 - if (nf_conntrack_max && unlikely(ct_count > nf_conntrack_max)) { 1671 + if (unlikely(ct_count > nf_conntrack_max)) { 1672 1672 if (!early_drop(net, hash)) { 1673 1673 if (!conntrack_gc_work.early_drop) 1674 1674 conntrack_gc_work.early_drop = true;
+2 -2
net/netfilter/nf_conntrack_standalone.c
··· 648 648 .maxlen = sizeof(int), 649 649 .mode = 0644, 650 650 .proc_handler = proc_dointvec_minmax, 651 - .extra1 = SYSCTL_ZERO, 651 + .extra1 = SYSCTL_ONE, 652 652 .extra2 = SYSCTL_INT_MAX, 653 653 }, 654 654 [NF_SYSCTL_CT_COUNT] = { ··· 929 929 .maxlen = sizeof(int), 930 930 .mode = 0644, 931 931 .proc_handler = proc_dointvec_minmax, 932 - .extra1 = SYSCTL_ZERO, 932 + .extra1 = SYSCTL_ONE, 933 933 .extra2 = SYSCTL_INT_MAX, 934 934 }, 935 935 };
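Review bot: in nf_conntrack_core.c, dropping the `nf_conntrack_max &&` guard at line 1671 makes the allocation path depend on nf_conntrack_max never being 0 at runtime, but the new SYSCTL_ONE minimum only protects writes that go through proc_dointvec_minmax. Every other place that assigns nf_conntrack_max (its initial computation, and the per-netns setter the commit message anticipates) must now guarantee a nonzero value, otherwise `ct_count > nf_conntrack_max` is true for the very first entry and every new connection is pushed through early_drop and refused. Suggest stating that invariant in a comment above the check, or guarding it with a WARN_ON_ONCE so a future regression is visible rather than a silent connectivity outage.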
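Review bot: in nf_conntrack_standalone.c, the two `.extra1 = SYSCTL_ONE` changes (lines 651 and 932) are a user-visible behaviour change that the commit message does not spell out: a write of 0 to nf_conntrack_max that previously succeeded and meant "unlimited" now fails with -EINVAL from proc_dointvec_minmax, so any existing sysctl.conf or tuning script that writes 0 will start erroring at boot. Suggest saying so explicitly in the changelog and updating the nf_conntrack sysctl documentation (Documentation/networking/nf_conntrack-sysctl.rst, if it still describes 0 as "no limit") to state the new minimum of 1.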