Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f264a7df08d50bb4a23be6a9aa06940e497ac1c4
Commit:     f264a7df08d50bb4a23be6a9aa06940e497ac1c4
Parent:     b560580a13b180bc1e3cad7ffbc93388cc39be5d
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Sat Jul 7 22:36:24 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Tue Jul 10 22:18:12 2007 -0700

    [NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
    
    As a last step of preventing DoS by creating lots of expectations, this
    patch introduces a global maximum and a sysctl to control it. The default
    is initialized to 4 * the expectation hash table size, which results in
    1/64 of the default maxmimum of conntracks.
    
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 include/net/netfilter/nf_conntrack_expect.h |    1 +
 net/netfilter/nf_conntrack_expect.c         |   10 ++++++++++
 net/netfilter/nf_conntrack_standalone.c     |    9 ++++++++-
 3 files changed, 19 insertions(+), 1 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h 
b/include/net/netfilter/nf_conntrack_expect.h
index 9d5af4e..cae1a0d 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -8,6 +8,7 @@
 
 extern struct hlist_head *nf_ct_expect_hash;
 extern unsigned int nf_ct_expect_hsize;
+extern unsigned int nf_ct_expect_max;
 
 struct nf_conntrack_expect
 {
diff --git a/net/netfilter/nf_conntrack_expect.c 
b/net/netfilter/nf_conntrack_expect.c
index 5ef0dd4..513828f 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 static unsigned int nf_ct_expect_count;
+unsigned int nf_ct_expect_max __read_mostly;
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 static int nf_ct_expect_vmalloc;
 
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect 
*expect)
            master_help->expecting >= master_help->helper->max_expected)
                evict_oldest_expect(master);
 
+       if (nf_ct_expect_count >= nf_ct_expect_max) {
+               if (net_ratelimit())
+                       printk(KERN_WARNING
+                              "nf_conntrack: expectation table full");
+               ret = -EMFILE;
+               goto out;
+       }
+
        nf_ct_expect_insert(expect);
        nf_ct_expect_event(IPEXP_NEW, expect);
        ret = 0;
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
                if (!nf_ct_expect_hsize)
                        nf_ct_expect_hsize = 1;
        }
+       nf_ct_expect_max = nf_ct_expect_hsize * 4;
 
        nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
                                                  &nf_ct_expect_vmalloc);
diff --git a/net/netfilter/nf_conntrack_standalone.c 
b/net/netfilter/nf_conntrack_standalone.c
index 098e799..6af96c6 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
                .extra1         = &log_invalid_proto_min,
                .extra2         = &log_invalid_proto_max,
        },
-
+       {
+               .ctl_name       = CTL_UNNUMBERED,
+               .procname       = "nf_conntrack_expect_max",
+               .data           = &nf_ct_expect_max,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
        { .ctl_name = 0 }
 };
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to