
netfilter: conntrack: limit sysctl setting for boolean options

We use zero and one to bound the settings of the boolean options.
After this patch, only 0 or 1 can be set on the boolean options of the
nf conntrack sysctl.

Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Tonghao Zhang and committed by
Pablo Neira Ayuso
8f14c99c a4cb98f3

+36 -18
+3 -3
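--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -24,9 +24,9 @@
 
 struct nf_tcp_net {
 	unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
-	unsigned int tcp_loose;
-	unsigned int tcp_be_liberal;
-	unsigned int tcp_max_retrans;
+	int tcp_loose;
+	int tcp_be_liberal;
+	int tcp_max_retrans;
 };
 
 enum udp_conntrack {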
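Review bot: tcp_max_retrans becomes a signed `int` at new line 29, yet unlike tcp_loose and tcp_be_liberal it is not a boolean and receives no clamp in the nf_conntrack_standalone.c hunk that starts at old line 756 — that hunk ends right after the `.procname` line of the NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS entry, so its `.maxlen` and `.proc_handler` are outside the diff. If that entry still uses plain `proc_dointvec`, the signedness change lets a negative retransmission limit be stored where the previous `unsigned int` field could not represent one. Either leave this field `unsigned int`, since it is a count rather than a flag, or bound it from below in the same table with `.proc_handler = proc_dointvec_minmax,` and `.extra1 = &zero,` (no `.extra2`, so there is no upper limit).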
+33 -15
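--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -511,6 +511,8 @@
 /* Log invalid packets of a given protocol */
 static int log_invalid_proto_min __read_mostly;
 static int log_invalid_proto_max __read_mostly = 255;
+static int zero;
+static int one = 1;
 
 /* size the user *wants to set */
 static unsigned int nf_conntrack_htable_size_user __read_mostly;
@@ -626,9 +624,11 @@
 	[NF_SYSCTL_CT_CHECKSUM] = {
 		.procname = "nf_conntrack_checksum",
 		.data = &init_net.ct.sysctl_checksum,
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 	[NF_SYSCTL_CT_LOG_INVALID] = {
 		.procname = "nf_conntrack_log_invalid",
@@ -651,33 +647,41 @@
 	[NF_SYSCTL_CT_ACCT] = {
 		.procname = "nf_conntrack_acct",
 		.data = &init_net.ct.sysctl_acct,
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 	[NF_SYSCTL_CT_HELPER] = {
 		.procname = "nf_conntrack_helper",
 		.data = &init_net.ct.sysctl_auto_assign_helper,
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 	[NF_SYSCTL_CT_EVENTS] = {
 		.procname = "nf_conntrack_events",
 		.data = &init_net.ct.sysctl_events,
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 #endif
 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
 	[NF_SYSCTL_CT_TIMESTAMP] = {
 		.procname = "nf_conntrack_timestamp",
 		.data = &init_net.ct.sysctl_tstamp,
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 #endif
 	[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
@@ -756,15 +744,19 @@
 	},
 	[NF_SYSCTL_CT_PROTO_TCP_LOOSE] = {
 		.procname = "nf_conntrack_tcp_loose",
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 	[NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
 		.procname = "nf_conntrack_tcp_be_liberal",
-		.maxlen = sizeof(unsigned int),
+		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 	[NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
 		.procname = "nf_conntrack_tcp_max_retrans",
@@ -903,7 +887,9 @@
 		.procname = "nf_conntrack_dccp_loose",
 		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = &zero,
+		.extra2 = &one,
 	},
 #endif
 #ifdef CONFIG_NF_CT_PROTO_GRE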
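Review bot: The `.maxlen = sizeof(int)` rewrites at new lines 627, 650, 659, 669 and 680 are only right if the `init_net.ct.sysctl_checksum`, `sysctl_acct`, `sysctl_auto_assign_helper`, `sysctl_events` and `sysctl_tstamp` fields they point at are declared `int`; those declarations in `struct netns_ct` are not in this diff, and the header hunk this commit does touch changes only the `struct nf_tcp_net` fields. Since `proc_dointvec_minmax` stores a signed `int` through `.data`, a field that is still `unsigned int` would be written through a mismatched type, so the declarations are worth checking in the same header. The new bounds at lines 514–515 would also benefit from a one-line comment stating their purpose, e.g. `/* 0/1 bounds shared by the boolean sysctls below */`.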