authorPatrick McHardy <kaber@trash.net>2007-07-08 01:36:24 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-07-11 01:18:12 -0400
commitf264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch)
treec07c92616a50107c2dacc5836626d4b6a12c57ae /net
parentb560580a13b180bc1e3cad7ffbc93388cc39be5d (diff)
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this patch introduces a global maximum and a sysctl to control it. The default is initialized to 4 * the expectation hash table size, which results in 1/64 of the default maximum of conntracks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_expect.c10
-rw-r--r--net/netfilter/nf_conntrack_standalone.c9
2 files changed, 18 insertions, 1 deletions
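--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 static unsigned int nf_ct_expect_count;
+unsigned int nf_ct_expect_max __read_mostly;
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 static int nf_ct_expect_vmalloc;
 
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 	    master_help->expecting >= master_help->helper->max_expected)
 		evict_oldest_expect(master);
 
+	if (nf_ct_expect_count >= nf_ct_expect_max) {
+		if (net_ratelimit())
+			printk(KERN_WARNING
+			       "nf_conntrack: expectation table full");
+		ret = -EMFILE;
+		goto out;
+	}
+
 	nf_ct_expect_insert(expect);
 	nf_ct_expect_event(IPEXP_NEW, expect);
 	ret = 0;
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
 	if (!nf_ct_expect_hsize)
 		nf_ct_expect_hsize = 1;
 	}
+	nf_ct_expect_max = nf_ct_expect_hsize * 4;
 
 	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 					  &nf_ct_expect_vmalloc);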
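Review bot: The KERN_WARNING string added in nf_ct_expect_related (new line 374) has no trailing newline, so whatever the kernel logs next is glued onto the same console line; it should read `"nf_conntrack: expectation table full\n"`. The new cap compares `nf_ct_expect_count` against the sysctl-writable `nf_ct_expect_max` with no synchronisation visible in the hunk; if the caller already holds nf_conntrack_lock here (the eviction on the lines above suggests it does) a comment such as `/* global cap on expectations; nf_ct_expect_max is tunable via sysctl */` would make that dependency explicit. Note also that a limit of 0 reaching this branch makes every helper's expectation fail with -EMFILE, so the sysctl side must not allow it. nf_ct_expect_related starts and ends outside the hunk.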
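--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
 		.extra1 = &log_invalid_proto_min,
 		.extra2 = &log_invalid_proto_max,
 	},
-
+	{
+		.ctl_name = CTL_UNNUMBERED,
+		.procname = "nf_conntrack_expect_max",
+		.data = &nf_ct_expect_max,
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = &proc_dointvec,
+	},
 	{ .ctl_name = 0 }
 };
 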
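Review bot: The new `nf_conntrack_expect_max` entry uses `proc_dointvec` with no range check, while the variable it points at is declared `unsigned int` in nf_conntrack_expect.c; writing a negative value wraps to a huge limit and silently removes the DoS cap this commit introduces, and writing 0 makes nf_ct_expect_related reject every expectation. The neighbouring entry's `.extra1`/`.extra2` fields suggest this table already uses a min/max handler, so the new entry should do the same: `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &nf_ct_expect_max_min,` backed by a file-scope `static int nf_ct_expect_max_min = 1;`. The nf_ct_sysctl_table definition begins outside the hunk.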