diff options
author | Patrick McHardy <kaber@trash.net> | 2007-07-08 01:36:24 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-11 01:18:12 -0400 |
commit | f264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch) | |
tree | c07c92616a50107c2dacc5836626d4b6a12c57ae /net | |
parent | b560580a13b180bc1e3cad7ffbc93388cc39be5d (diff) |
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maxmimum of conntracks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 10 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 9 |
2 files changed, 18 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 5ef0dd439e76..513828fdaa2c 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); | |||
35 | 35 | ||
36 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; | 36 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; |
37 | static unsigned int nf_ct_expect_count; | 37 | static unsigned int nf_ct_expect_count; |
38 | unsigned int nf_ct_expect_max __read_mostly; | ||
38 | static int nf_ct_expect_hash_rnd_initted __read_mostly; | 39 | static int nf_ct_expect_hash_rnd_initted __read_mostly; |
39 | static int nf_ct_expect_vmalloc; | 40 | static int nf_ct_expect_vmalloc; |
40 | 41 | ||
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
367 | master_help->expecting >= master_help->helper->max_expected) | 368 | master_help->expecting >= master_help->helper->max_expected) |
368 | evict_oldest_expect(master); | 369 | evict_oldest_expect(master); |
369 | 370 | ||
371 | if (nf_ct_expect_count >= nf_ct_expect_max) { | ||
372 | if (net_ratelimit()) | ||
373 | printk(KERN_WARNING | ||
374 | "nf_conntrack: expectation table full"); | ||
375 | ret = -EMFILE; | ||
376 | goto out; | ||
377 | } | ||
378 | |||
370 | nf_ct_expect_insert(expect); | 379 | nf_ct_expect_insert(expect); |
371 | nf_ct_expect_event(IPEXP_NEW, expect); | 380 | nf_ct_expect_event(IPEXP_NEW, expect); |
372 | ret = 0; | 381 | ret = 0; |
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void) | |||
522 | if (!nf_ct_expect_hsize) | 531 | if (!nf_ct_expect_hsize) |
523 | nf_ct_expect_hsize = 1; | 532 | nf_ct_expect_hsize = 1; |
524 | } | 533 | } |
534 | nf_ct_expect_max = nf_ct_expect_hsize * 4; | ||
525 | 535 | ||
526 | nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, | 536 | nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, |
527 | &nf_ct_expect_vmalloc); | 537 | &nf_ct_expect_vmalloc); |
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 098e7993932a..6af96c6e29fb 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = { | |||
372 | .extra1 = &log_invalid_proto_min, | 372 | .extra1 = &log_invalid_proto_min, |
373 | .extra2 = &log_invalid_proto_max, | 373 | .extra2 = &log_invalid_proto_max, |
374 | }, | 374 | }, |
375 | 375 | { | |
376 | .ctl_name = CTL_UNNUMBERED, | ||
377 | .procname = "nf_conntrack_expect_max", | ||
378 | .data = &nf_ct_expect_max, | ||
379 | .maxlen = sizeof(int), | ||
380 | .mode = 0644, | ||
381 | .proc_handler = &proc_dointvec, | ||
382 | }, | ||
376 | { .ctl_name = 0 } | 383 | { .ctl_name = 0 } |
377 | }; | 384 | }; |
378 | 385 | ||