
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysctl

As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Patrick McHardy and committed by
David S. Miller
f264a7df b560580a

+19 -1
+1
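--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -8,6 +8,7 @@
 
 extern struct hlist_head *nf_ct_expect_hash;
 extern unsigned int nf_ct_expect_hsize;
+extern unsigned int nf_ct_expect_max;
 
 struct nf_conntrack_expect
 {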
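Review bot: The new `extern unsigned int nf_ct_expect_max;` carries no comment saying what it bounds, so a reader of the header cannot tell that it is the global cap on live expectations that the sysctl of the same name tunes. A one-line comment beside it, `/* global limit on live expectations; defaults to 4 * nf_ct_expect_hsize, tunable via sysctl nf_conntrack_expect_max */`, would put that contract where the other translation units pick the symbol up. The neighbouring `nf_ct_expect_hsize` declaration has the same gap, but this commit only introduces the new one.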
+10
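--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 static unsigned int nf_ct_expect_count;
+unsigned int nf_ct_expect_max __read_mostly;
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 static int nf_ct_expect_vmalloc;
 
@@ -368,6 +367,14 @@
 	    master_help->expecting >= master_help->helper->max_expected)
 		evict_oldest_expect(master);
 
+	if (nf_ct_expect_count >= nf_ct_expect_max) {
+		if (net_ratelimit())
+			printk(KERN_WARNING
+			       "nf_conntrack: expectation table full");
+		ret = -EMFILE;
+		goto out;
+	}
+
 	nf_ct_expect_insert(expect);
 	nf_ct_expect_event(IPEXP_NEW, expect);
 	ret = 0;
@@ -531,6 +522,7 @@
 		if (!nf_ct_expect_hsize)
 			nf_ct_expect_hsize = 1;
 	}
+	nf_ct_expect_max = nf_ct_expect_hsize * 4;
 
 	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 						  &nf_ct_expect_vmalloc);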
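Review bot: The warning string in the new table-full check, `"nf_conntrack: expectation table full"`, has no trailing newline, so whatever the next printk from any context emits is glued onto the same console line and log parsers see one corrupted record; it should read `"nf_conntrack: expectation table full\n"`. The message would also be more useful for an operator diagnosing a flood if it said how to lift the cap, e.g. `"nf_conntrack: expectation table full (raise nf_conntrack_expect_max?)\n"`. The enclosing function and its `out:` label lie outside the hunk, so I cannot see what `goto out` releases; presumably it is the same unlock path the existing error returns use, which should be confirmed since the new branch is the first one taken after `evict_oldest_expect()`.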
+8 -1
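--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -372,7 +372,14 @@
 		.extra1		= &log_invalid_proto_min,
 		.extra2		= &log_invalid_proto_max,
 	},
-
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "nf_conntrack_expect_max",
+		.data		= &nf_ct_expect_max,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
 	{ .ctl_name = 0 }
 };
 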
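Review bot: The new sysctl entry uses `.proc_handler = &proc_dointvec` on `nf_ct_expect_max`, which the header declares as `unsigned int`, so a write of a negative value is accepted and stored as a huge unsigned limit, silently switching off the DoS cap this series exists to add, while a write of 0 makes every expectation fail with -EMFILE. The entry two lines above already shows the pattern for a bounded integer: switch to `.proc_handler = &proc_dointvec_minmax,` and add `.extra1 = &nf_ct_expect_max_min,` pointing at a static int set to 1 (constructed name; `log_invalid_proto_min` is the existing precedent). A short comment on the entry saying it is the global expectation limit with a default of four times the hash size would also help whoever tunes it later.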