2 files changed, 18 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 5ef0dd439e..513828fdaa 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 static unsigned int nf_ct_expect_count;
+unsigned int nf_ct_expect_max __read_mostly;
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 static int nf_ct_expect_vmalloc;
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
            master_help->expecting >= master_help->helper->max_expected)
                evict_oldest_expect(master);
+        if (nf_ct_expect_count >= nf_ct_expect_max) {
+                if (net_ratelimit())
+                        printk(KERN_WARNING
+                               "nf_conntrack: expectation table full");
+                ret = -EMFILE;
+                goto out;
+        }
        nf_ct_expect_insert(expect);
        nf_ct_expect_event(IPEXP_NEW, expect);
        ret = 0;
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
                if (!nf_ct_expect_hsize)
                        nf_ct_expect_hsize = 1;
        }
+        nf_ct_expect_max = nf_ct_expect_hsize * 4;
        nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
                                                  &nf_ct_expect_vmalloc);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 098e799393..6af96c6e29 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
                .extra1         = &log_invalid_proto_min,
                .extra2         = &log_invalid_proto_max,
        },
+        {
+                .ctl_name       = CTL_UNNUMBERED,
+                .procname       = "nf_conntrack_expect_max",
+                .data           = &nf_ct_expect_max,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
        { .ctl_name = 0 }
 };

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 5ef0dd439e..513828fdaa 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
35		35
36	static unsigned int nf_ct_expect_hash_rnd __read_mostly;	36	static unsigned int nf_ct_expect_hash_rnd __read_mostly;
37	static unsigned int nf_ct_expect_count;	37	static unsigned int nf_ct_expect_count;
		38	unsigned int nf_ct_expect_max __read_mostly;
38	static int nf_ct_expect_hash_rnd_initted __read_mostly;	39	static int nf_ct_expect_hash_rnd_initted __read_mostly;
39	static int nf_ct_expect_vmalloc;	40	static int nf_ct_expect_vmalloc;
40		41
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
367	master_help->expecting >= master_help->helper->max_expected)	368	master_help->expecting >= master_help->helper->max_expected)
368	evict_oldest_expect(master);	369	evict_oldest_expect(master);
369		370
		371	if (nf_ct_expect_count >= nf_ct_expect_max) {
		372	if (net_ratelimit())
		373	printk(KERN_WARNING
		374	"nf_conntrack: expectation table full");
		375	ret = -EMFILE;
		376	goto out;
		377	}
		378
370	nf_ct_expect_insert(expect);	379	nf_ct_expect_insert(expect);
371	nf_ct_expect_event(IPEXP_NEW, expect);	380	nf_ct_expect_event(IPEXP_NEW, expect);
372	ret = 0;	381	ret = 0;
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
522	if (!nf_ct_expect_hsize)	531	if (!nf_ct_expect_hsize)
523	nf_ct_expect_hsize = 1;	532	nf_ct_expect_hsize = 1;
524	}	533	}
		534	nf_ct_expect_max = nf_ct_expect_hsize * 4;
525		535
526	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,	536	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
527	&nf_ct_expect_vmalloc);	537	&nf_ct_expect_vmalloc);


diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 098e799393..6af96c6e29 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
372	.extra1 = &log_invalid_proto_min,	372	.extra1 = &log_invalid_proto_min,
373	.extra2 = &log_invalid_proto_max,	373	.extra2 = &log_invalid_proto_max,
374	},	374	},
375		375	{
		376	.ctl_name = CTL_UNNUMBERED,
		377	.procname = "nf_conntrack_expect_max",
		378	.data = &nf_ct_expect_max,
		379	.maxlen = sizeof(int),
		380	.mode = 0644,
		381	.proc_handler = &proc_dointvec,
		382	},
376	{ .ctl_name = 0 }	383	{ .ctl_name = 0 }
377	};	384	};
378		385