
Commit f264a7df authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct



As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b560580a
+1 −0
@@ -8,6 +8,7 @@


extern struct hlist_head *nf_ct_expect_hash;
extern struct hlist_head *nf_ct_expect_hash;
extern unsigned int nf_ct_expect_hsize;
extern unsigned int nf_ct_expect_hsize;
extern unsigned int nf_ct_expect_max;


struct nf_conntrack_expect
struct nf_conntrack_expect
{
{
+10 −0
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);


static unsigned int nf_ct_expect_hash_rnd __read_mostly;
static unsigned int nf_ct_expect_hash_rnd __read_mostly;
static unsigned int nf_ct_expect_count;
static unsigned int nf_ct_expect_count;
unsigned int nf_ct_expect_max __read_mostly;
static int nf_ct_expect_hash_rnd_initted __read_mostly;
static int nf_ct_expect_hash_rnd_initted __read_mostly;
static int nf_ct_expect_vmalloc;
static int nf_ct_expect_vmalloc;


@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
	    master_help->expecting >= master_help->helper->max_expected)
	    master_help->expecting >= master_help->helper->max_expected)
		evict_oldest_expect(master);
		evict_oldest_expect(master);


	if (nf_ct_expect_count >= nf_ct_expect_max) {
		if (net_ratelimit())
			printk(KERN_WARNING
			       "nf_conntrack: expectation table full");
		ret = -EMFILE;
		goto out;
	}

	nf_ct_expect_insert(expect);
	nf_ct_expect_insert(expect);
	nf_ct_expect_event(IPEXP_NEW, expect);
	nf_ct_expect_event(IPEXP_NEW, expect);
	ret = 0;
	ret = 0;
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
		if (!nf_ct_expect_hsize)
		if (!nf_ct_expect_hsize)
			nf_ct_expect_hsize = 1;
			nf_ct_expect_hsize = 1;
	}
	}
	nf_ct_expect_max = nf_ct_expect_hsize * 4;


	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
						  &nf_ct_expect_vmalloc);
						  &nf_ct_expect_vmalloc);
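Review bot: The warning string in the new table-full check's `printk` has no trailing newline, so the next kernel message will be appended to it on the same log line; it should read `"nf_conntrack: expectation table full\n"`. The check is correctly placed after the per-master `evict_oldest_expect` call, but it compares `nf_ct_expect_count` against a sysctl-controlled `nf_ct_expect_max` with no lower bound, so an administrator writing 0 makes every `nf_ct_expect_related` call fail with -EMFILE; that is worth stating in a comment above the check, e.g. `/* Global ceiling, tunable via nf_conntrack_expect_max; 0 rejects all new expectations. */`. In the init hunk, `nf_ct_expect_max` is derived from `nf_ct_expect_hsize` before `nf_ct_alloc_hashtable(&nf_ct_expect_hsize, ...)` runs; if that call adjusts the size through the pointer it receives, the default ceiling is computed from the pre-adjustment value, so moving the assignment after the allocation would be safer. `nf_ct_expect_related` starts and continues outside the hunk, so whether `nf_ct_expect_count` is read under the same lock that `nf_ct_expect_insert` updates it under cannot be confirmed from here.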
+8 −1
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
		.extra1		= &log_invalid_proto_min,
		.extra1		= &log_invalid_proto_min,
		.extra2		= &log_invalid_proto_max,
		.extra2		= &log_invalid_proto_max,
	},
	},

	{
		.ctl_name	= CTL_UNNUMBERED,
		.procname	= "nf_conntrack_expect_max",
		.data		= &nf_ct_expect_max,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= &proc_dointvec,
	},
	{ .ctl_name = 0 }
	{ .ctl_name = 0 }
};
};
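Review bot: The new `nf_conntrack_expect_max` entry uses plain `proc_dointvec` with no `extra1`/`extra2` bounds, while the variable it writes, `nf_ct_expect_max`, is declared `unsigned int` in nf_conntrack_expect.c; a negative value written by an administrator is stored as a huge count and silently removes the DoS ceiling this commit introduces, and 0 makes every expectation registration fail. The preceding `log_invalid` entry already carries `extra1`/`extra2` bound pointers, so the same pattern fits here: add `static int nf_ct_expect_max_min = 1;` next to the existing bound variables and use `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &nf_ct_expect_max_min,` in the entry. A one-line comment on the entry stating what it limits (total expectations across all helpers, defaulting to 4 × the expectation hash size) would also help administrators. The `nf_ct_sysctl_table` array starts outside the hunk.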