diff options
author | Patrick McHardy <kaber@trash.net> | 2007-07-08 01:33:47 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-11 01:17:59 -0400 |
commit | a71c085562bcc99e8b711cab4222bff1f6e955da (patch) | |
tree | 7de563d406e8e9e44065b53c664f837f97f8b3fe /include | |
parent | e9c1b084e17ca225b6be731b819308ee0f9e04b8 (diff) |
[NETFILTER]: nf_conntrack: use hashtable for expectations
Currently all expectations are kept on a global list that
- needs to be searched for every new conncetion
- needs to be walked for evicting expectations when a master connection
has reached its limit
- needs to be walked on connection destruction for connections that
have open expectations
This is obviously not good, especially when considering helpers like
H.323 that register *lots* of expectations and can set up permanent
expectations, but it also allows for an easy DoS against firewalls
using connection tracking helpers.
Use a hashtable for expectations to avoid incurring the search overhead
for every new connection. The default hash size is 1/256 of the conntrack
hash table size, this can be overriden using a module parameter.
This patch only introduces the hash table for expectation lookups and
keeps other users to reduce the noise, the following patches will get
rid of it completely.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 1 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 5 |
2 files changed, 5 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index a18f79c80db8..4056f5f08da1 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h | |||
@@ -84,7 +84,6 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, | |||
84 | struct nf_conntrack_l4proto *proto); | 84 | struct nf_conntrack_l4proto *proto); |
85 | 85 | ||
86 | extern struct hlist_head *nf_conntrack_hash; | 86 | extern struct hlist_head *nf_conntrack_hash; |
87 | extern struct list_head nf_ct_expect_list; | ||
88 | extern rwlock_t nf_conntrack_lock ; | 87 | extern rwlock_t nf_conntrack_lock ; |
89 | extern struct hlist_head unconfirmed; | 88 | extern struct hlist_head unconfirmed; |
90 | 89 | ||
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index cf6a619664e8..424d4bdb9848 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
@@ -7,12 +7,17 @@ | |||
7 | #include <net/netfilter/nf_conntrack.h> | 7 | #include <net/netfilter/nf_conntrack.h> |
8 | 8 | ||
9 | extern struct list_head nf_ct_expect_list; | 9 | extern struct list_head nf_ct_expect_list; |
10 | extern struct hlist_head *nf_ct_expect_hash; | ||
11 | extern unsigned int nf_ct_expect_hsize; | ||
10 | 12 | ||
11 | struct nf_conntrack_expect | 13 | struct nf_conntrack_expect |
12 | { | 14 | { |
13 | /* Internal linked list (global expectation list) */ | 15 | /* Internal linked list (global expectation list) */ |
14 | struct list_head list; | 16 | struct list_head list; |
15 | 17 | ||
18 | /* Hash member */ | ||
19 | struct hlist_node hnode; | ||
20 | |||
16 | /* We expect this tuple, with the following mask */ | 21 | /* We expect this tuple, with the following mask */ |
17 | struct nf_conntrack_tuple tuple; | 22 | struct nf_conntrack_tuple tuple; |
18 | struct nf_conntrack_tuple_mask mask; | 23 | struct nf_conntrack_tuple_mask mask; |