首页 发现 帮助
注册 登录
phyus
/
linux-vybrid_public
8
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct

As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maxmimum of conntracks.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy 18 年之前
父节点
b560580a13
当前提交
f264a7df08
共有 3 个文件被更改,包括 19 次插入1 次删除
合并视图 显示文件统计
  1. 1 0
      include/net/netfilter/nf_conntrack_expect.h
  2. 10 0
      net/netfilter/nf_conntrack_expect.c
  3. 8 1
      net/netfilter/nf_conntrack_standalone.c

+ 1 - 0
include/net/netfilter/nf_conntrack_expect.h
查看文件 

@@ -8,6 +8,7 @@
 
 
 
 extern struct hlist_head *nf_ct_expect_hash;
 
 extern struct hlist_head *nf_ct_expect_hash;
 
 extern unsigned int nf_ct_expect_hsize;
 
 extern unsigned int nf_ct_expect_hsize;
 
+extern unsigned int nf_ct_expect_max;
 
 
 
 struct nf_conntrack_expect
 
 struct nf_conntrack_expect
 
 {
 
 {

+ 10 - 0
net/netfilter/nf_conntrack_expect.c
查看文件 

@@ -35,6 +35,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 
 
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 
 static unsigned int nf_ct_expect_count;
 
 static unsigned int nf_ct_expect_count;
 
+unsigned int nf_ct_expect_max __read_mostly;
 
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 
 static int nf_ct_expect_vmalloc;
 
 static int nf_ct_expect_vmalloc;
 
 
 
@@ -367,6 +368,14 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 
 	    master_help->expecting >= master_help->helper->max_expected)
 
 	    master_help->expecting >= master_help->helper->max_expected)
 
 		evict_oldest_expect(master);
 
 		evict_oldest_expect(master);
 
 
 
+	if (nf_ct_expect_count >= nf_ct_expect_max) {
 
+		if (net_ratelimit())
 
+			printk(KERN_WARNING
 
+			       "nf_conntrack: expectation table full");
 
+		ret = -EMFILE;
 
+		goto out;
 
+	}
 
+
 
 	nf_ct_expect_insert(expect);
 
 	nf_ct_expect_insert(expect);
 
 	nf_ct_expect_event(IPEXP_NEW, expect);
 
 	nf_ct_expect_event(IPEXP_NEW, expect);
 
 	ret = 0;
 
 	ret = 0;
 
@@ -522,6 +531,7 @@ int __init nf_conntrack_expect_init(void)
 
 		if (!nf_ct_expect_hsize)
 
 		if (!nf_ct_expect_hsize)
 
 			nf_ct_expect_hsize = 1;
 
 			nf_ct_expect_hsize = 1;
 
 	}
 
 	}
 
+	nf_ct_expect_max = nf_ct_expect_hsize * 4;
 
 
 
 	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 
 	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 
 						  &nf_ct_expect_vmalloc);
 
 						  &nf_ct_expect_vmalloc);

+ 8 - 1
net/netfilter/nf_conntrack_standalone.c
查看文件 

@@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = {
 
 		.extra1		= &log_invalid_proto_min,
 
 		.extra1		= &log_invalid_proto_min,
 
 		.extra2		= &log_invalid_proto_max,
 
 		.extra2		= &log_invalid_proto_max,
 
 	},
 
 	},
 
-
 
+	{
 
+		.ctl_name	= CTL_UNNUMBERED,
 
+		.procname	= "nf_conntrack_expect_max",
 
+		.data		= &nf_ct_expect_max,
 
+		.maxlen		= sizeof(int),
 
+		.mode		= 0644,
 
+		.proc_handler	= &proc_dointvec,
 
+	},
 
 	{ .ctl_name = 0 }
 
 	{ .ctl_name = 0 }
 
 };
 
 };