Commit f264a7df authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct

As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b560580a
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
extern struct hlist_head *nf_ct_expect_hash; extern struct hlist_head *nf_ct_expect_hash;
extern unsigned int nf_ct_expect_hsize; extern unsigned int nf_ct_expect_hsize;
extern unsigned int nf_ct_expect_max;
struct nf_conntrack_expect struct nf_conntrack_expect
{ {
......
...@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); ...@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
static unsigned int nf_ct_expect_hash_rnd __read_mostly; static unsigned int nf_ct_expect_hash_rnd __read_mostly;
static unsigned int nf_ct_expect_count; static unsigned int nf_ct_expect_count;
unsigned int nf_ct_expect_max __read_mostly;
static int nf_ct_expect_hash_rnd_initted __read_mostly; static int nf_ct_expect_hash_rnd_initted __read_mostly;
static int nf_ct_expect_vmalloc; static int nf_ct_expect_vmalloc;
...@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) ...@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
master_help->expecting >= master_help->helper->max_expected) master_help->expecting >= master_help->helper->max_expected)
evict_oldest_expect(master); evict_oldest_expect(master);
if (nf_ct_expect_count >= nf_ct_expect_max) {
if (net_ratelimit())
printk(KERN_WARNING
"nf_conntrack: expectation table full");
ret = -EMFILE;
goto out;
}
nf_ct_expect_insert(expect); nf_ct_expect_insert(expect);
nf_ct_expect_event(IPEXP_NEW, expect); nf_ct_expect_event(IPEXP_NEW, expect);
ret = 0; ret = 0;
...@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void) ...@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
if (!nf_ct_expect_hsize) if (!nf_ct_expect_hsize)
nf_ct_expect_hsize = 1; nf_ct_expect_hsize = 1;
} }
nf_ct_expect_max = nf_ct_expect_hsize * 4;
nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
&nf_ct_expect_vmalloc); &nf_ct_expect_vmalloc);
......
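Review bot: The KERN_WARNING message added in the nf_ct_expect_related hunk has no trailing newline, so the next line logged by any subsystem is glued onto it in the kernel log; it should read `"nf_conntrack: expectation table full\n"`. Placing the global check after evict_oldest_expect() is the right order, since the per-master eviction can free a slot before nf_ct_expect_count is compared. The `-EMFILE` path leaves through `goto out`; the `out` label and the start of the function are outside the hunk, so I am assuming it drops the lock taken earlier and that nf_ct_expect_insert() is what maintains nf_ct_expect_count. In the nf_conntrack_expect_init hunk, `nf_ct_expect_max = nf_ct_expect_hsize * 4;` runs before nf_ct_alloc_hashtable() is handed `&nf_ct_expect_hsize`; if that call can adjust the size through the pointer, the intended 4:1 ratio would drift, which is worth confirming.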
...@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = { ...@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
.extra1 = &log_invalid_proto_min, .extra1 = &log_invalid_proto_min,
.extra2 = &log_invalid_proto_max, .extra2 = &log_invalid_proto_max,
}, },
{
.ctl_name = CTL_UNNUMBERED,
.procname = "nf_conntrack_expect_max",
.data = &nf_ct_expect_max,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &proc_dointvec,
},
{ .ctl_name = 0 } { .ctl_name = 0 }
}; };
......
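Review bot: The new sysctl entry handles `nf_ct_expect_max`, declared `unsigned int` in the other file section, with `proc_dointvec`, so a negative value written from userspace is accepted and becomes a very large limit, silently disabling the cap this patch introduces. The neighbouring entry already bounds its value through `.extra1`/`.extra2`; the same approach here, `.proc_handler = &proc_dointvec_minmax,` with `.extra1` pointing at a zero minimum, rejects negative input while keeping 0 as an explicit "refuse all expectations" setting, since the check in nf_ct_expect_related uses `>=`. The entry is root-writable only (mode 0644), so this is about robustness of the limit rather than privilege, but a value that effectively disables a DoS protection should not be reachable by a typo.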