diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-07-08 01:36:24 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-11 01:18:12 -0400 |
| commit | f264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch) | |
| tree | c07c92616a50107c2dacc5836626d4b6a12c57ae /include/net | |
| parent | b560580a13b180bc1e3cad7ffbc93388cc39be5d (diff) | |
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maxmimum of conntracks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 9d5af4e22c4f..cae1a0dce365 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | 8 | ||
| 9 | extern struct hlist_head *nf_ct_expect_hash; | 9 | extern struct hlist_head *nf_ct_expect_hash; |
| 10 | extern unsigned int nf_ct_expect_hsize; | 10 | extern unsigned int nf_ct_expect_hsize; |
| 11 | extern unsigned int nf_ct_expect_max; | ||
| 11 | 12 | ||
| 12 | struct nf_conntrack_expect | 13 | struct nf_conntrack_expect |
| 13 | { | 14 | { |