authorFlorian Westphal <fw@strlen.de>2021-08-26 15:54:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-08-30 11:52:21 +0200
commitd7e7747ac5c2496c98291944c6066adaa9f3b975 (patch)
tree58f5bfa9d5169cfad2e44fb94bee310f188eb9ba /include/uapi/linux/netfilter
parentnetfilter: conntrack: switch to siphash (diff)
netfilter: refuse insertion if chain has grown too large
Also add a stat counter for this that gets exported both via the old /proc interface and ctnetlink. Assuming the old default size of 16536 buckets and a max hash occupancy of 64k, this results in 128k insertions (origin+reply), so ~8 entries per chain on average. The revised settings in this series will result in about two entries per bucket on average. This allows a hard-limit ceiling of 64. This is not tunable at the moment, but it is possible to either increase nf_conntrack_buckets or decrease nf_conntrack_max to reduce average chain lengths. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux/netfilter')
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_conntrack.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index d8484be72fdc..5ade231f497b 100644
--- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -257,6 +257,7 @@ enum ctattr_stats_cpu {
CTA_STATS_ERROR,
CTA_STATS_SEARCH_RESTART,
CTA_STATS_CLASH_RESOLVE,
+ CTA_STATS_CHAIN_TOOLONG,
__CTA_STATS_MAX,
};
#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
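Review bot: The new `CTA_STATS_CHAIN_TOOLONG` attribute is added to a UAPI header with no comment stating what it counts, and this enum is the only place userspace tooling can learn its meaning. A one-line comment such as `/* insertions refused because a hash chain exceeded the length limit */` next to the new member would document the counter where consumers look for it. Appending it immediately before `__CTA_STATS_MAX` keeps existing attribute values stable, so older userspace that iterates up to its own compiled-in `CTA_STATS_MAX` simply ignores the new type; only the kernel-side producers (the per-cpu stat struct, the ctnetlink dump and the /proc exporter the description mentions) need to emit it, and those live outside this file section. From a monitoring standpoint the counter is worth exposing prominently: a steadily rising value indicates either an undersized table or unusually skewed hashing, and the description already names the two knobs an operator can turn in response.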