[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct

As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 5ef0dd4..513828f 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -35,6 +35,7 @@
 
 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
 static unsigned int nf_ct_expect_count;
+unsigned int nf_ct_expect_max __read_mostly;
 static int nf_ct_expect_hash_rnd_initted __read_mostly;
 static int nf_ct_expect_vmalloc;
 
@@ -367,6 +368,14 @@
 	    master_help->expecting >= master_help->helper->max_expected)
 		evict_oldest_expect(master);
 
+	if (nf_ct_expect_count >= nf_ct_expect_max) {
+		if (net_ratelimit())
+			printk(KERN_WARNING
+			       "nf_conntrack: expectation table full");
+		ret = -EMFILE;
+		goto out;
+	}
+
 	nf_ct_expect_insert(expect);
 	nf_ct_expect_event(IPEXP_NEW, expect);
 	ret = 0;
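Review bot: The warning string on the added printk has no trailing newline, so the next message logged by any other printk caller is appended to the same line; use `"nf_conntrack: expectation table full\n"`. The limit check also runs after evict_oldest_expect() has already reclaimed a slot for this master, so when the global table is full the eviction still happens but the new expectation is refused — worth a one-line comment such as `/* global limit: checked after per-master eviction, so a full table still evicts but never inserts */` if that ordering is intended. The enclosing function starts before the hunk and its `out:` label lies outside it, so I cannot confirm from here which lock protects the nf_ct_expect_count read; it should be the same one nf_ct_expect_insert() updates the counter under.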
@@ -522,6 +531,7 @@
 		if (!nf_ct_expect_hsize)
 			nf_ct_expect_hsize = 1;
 	}
+	nf_ct_expect_max = nf_ct_expect_hsize * 4;
 
 	nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 						  &nf_ct_expect_vmalloc);
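Review bot: The default assigned on the added line encodes a policy (4 × hash size, which per the commit message works out to 1/64 of the default conntrack maximum) that a reader of this function cannot recover from the bare multiplication; a short comment above it, `/* default expectation limit: 4 * hash size (about 1/64 of nf_conntrack_max), overridable via sysctl */`, would document it. Since the value is only assigned here when the module initialises, it should also be made clear in the sysctl documentation that lowering it at runtime does not shrink the table, only refuses new expectations once nf_ct_expect_count reaches it. The enclosing init function continues past the end of the hunk.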