diff options
| author |   Patrick McHardy <kaber@trash.net> | 2007-07-07 22:36:24 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@sunset.davemloft.net> | 2007-07-10 22:18:12 -0700 |
| commit | f264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch) | |
| tree | c07c92616a50107c2dacc5836626d4b6a12c57ae /include/net/netfilter | |
| parent | [NETFILTER]: nf_conntrack_expect: maintain per conntrack expectation list (diff) | |
| download | linux-dev-f264a7df08d50bb4a23be6a9aa06940e497ac1c4.tar.xz linux-dev-f264a7df08d50bb4a23be6a9aa06940e497ac1c4.zip | |
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maxmimum of conntracks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/netfilter')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 9d5af4e22c4f..cae1a0dce365 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -8,6 +8,7 @@ extern struct hlist_head *nf_ct_expect_hash; extern unsigned int nf_ct_expect_hsize; +extern unsigned int nf_ct_expect_max; struct nf_conntrack_expect { |