diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-07-08 01:33:47 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-11 01:17:59 -0400 |
| commit | a71c085562bcc99e8b711cab4222bff1f6e955da (patch) | |
| tree | 7de563d406e8e9e44065b53c664f837f97f8b3fe /include/net | |
| parent | e9c1b084e17ca225b6be731b819308ee0f9e04b8 (diff) | |
[NETFILTER]: nf_conntrack: use hashtable for expectations
Currently all expectations are kept on a global list that
- needs to be searched for every new conncetion
- needs to be walked for evicting expectations when a master connection
has reached its limit
- needs to be walked on connection destruction for connections that
have open expectations
This is obviously not good, especially when considering helpers like
H.323 that register *lots* of expectations and can set up permanent
expectations, but it also allows for an easy DoS against firewalls
using connection tracking helpers.
Use a hashtable for expectations to avoid incurring the search overhead
for every new connection. The default hash size is 1/256 of the conntrack
hash table size, this can be overriden using a module parameter.
This patch only introduces the hash table for expectation lookups and
keeps other users to reduce the noise, the following patches will get
rid of it completely.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 1 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 5 |
2 files changed, 5 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index a18f79c80db8..4056f5f08da1 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h | |||
| @@ -84,7 +84,6 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, | |||
| 84 | struct nf_conntrack_l4proto *proto); | 84 | struct nf_conntrack_l4proto *proto); |
| 85 | 85 | ||
| 86 | extern struct hlist_head *nf_conntrack_hash; | 86 | extern struct hlist_head *nf_conntrack_hash; |
| 87 | extern struct list_head nf_ct_expect_list; | ||
| 88 | extern rwlock_t nf_conntrack_lock ; | 87 | extern rwlock_t nf_conntrack_lock ; |
| 89 | extern struct hlist_head unconfirmed; | 88 | extern struct hlist_head unconfirmed; |
| 90 | 89 | ||
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index cf6a619664e8..424d4bdb9848 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
| @@ -7,12 +7,17 @@ | |||
| 7 | #include <net/netfilter/nf_conntrack.h> | 7 | #include <net/netfilter/nf_conntrack.h> |
| 8 | 8 | ||
| 9 | extern struct list_head nf_ct_expect_list; | 9 | extern struct list_head nf_ct_expect_list; |
| 10 | extern struct hlist_head *nf_ct_expect_hash; | ||
| 11 | extern unsigned int nf_ct_expect_hsize; | ||
| 10 | 12 | ||
| 11 | struct nf_conntrack_expect | 13 | struct nf_conntrack_expect |
| 12 | { | 14 | { |
| 13 | /* Internal linked list (global expectation list) */ | 15 | /* Internal linked list (global expectation list) */ |
| 14 | struct list_head list; | 16 | struct list_head list; |
| 15 | 17 | ||
| 18 | /* Hash member */ | ||
| 19 | struct hlist_node hnode; | ||
| 20 | |||
| 16 | /* We expect this tuple, with the following mask */ | 21 | /* We expect this tuple, with the following mask */ |
| 17 | struct nf_conntrack_tuple tuple; | 22 | struct nf_conntrack_tuple tuple; |
| 18 | struct nf_conntrack_tuple_mask mask; | 23 | struct nf_conntrack_tuple_mask mask; |