aboutsummaryrefslogtreecommitdiffstats
path: root/net/netfilter/nf_conntrack_netlink.c
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2021-08-26 15:54:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-08-30 11:52:21 +0200
commitd7e7747ac5c2496c98291944c6066adaa9f3b975 (patch)
tree58f5bfa9d5169cfad2e44fb94bee310f188eb9ba /net/netfilter/nf_conntrack_netlink.c
parentnetfilter: conntrack: switch to siphash (diff)
downloadlinux-dev-d7e7747ac5c2496c98291944c6066adaa9f3b975.tar.xz
linux-dev-d7e7747ac5c2496c98291944c6066adaa9f3b975.zip
netfilter: refuse insertion if chain has grown too large
Also add a stat counter for this that gets exported both via old /proc interface and ctnetlink. Assuming the old default size of 16536 buckets and max hash occupancy of 64k, this results in 128k insertions (origin+reply), so ~8 entries per chain on average. The revised settings in this series will result in about two entries per bucket on average. This allows a hard-limit ceiling of 64. This is not tunable at the moment, but its possible to either increase nf_conntrack_buckets or decrease nf_conntrack_max to reduce average lengths. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_conntrack_netlink.c')
-rw-r--r--net/netfilter/nf_conntrack_netlink.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index e81af33b233b..3f081ae08266 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2484,7 +2484,9 @@ ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
htonl(st->search_restart)) ||
nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
- htonl(st->clash_resolve)))
+ htonl(st->clash_resolve)) ||
+ nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG,
+ htonl(st->chaintoolong)))
goto nla_put_failure;
nlmsg_end(skb, nlh);
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.