[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct As a last step of preventing DoS by creating lots of expectations, this patch introduces a global maximum and a sysctl to control it. The default is initialized to 4 * the expectation hash table size, which results in 1/64 of the default maxmimum of conntracks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: f264a7df08d50bb4a23be6a9aa06940e497ac1c4 [log] [tgz]
author: Patrick McHardy <kaber@trash.net> Sat Jul 07 22:36:24 2007 -0700
committer: David S. Miller <davem@sunset.davemloft.net> Tue Jul 10 22:18:12 2007 -0700
tree: c07c92616a50107c2dacc5836626d4b6a12c57ae
parent: b560580a13b180bc1e3cad7ffbc93388cc39be5d [diff] [blame]
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 098e799..6af96c6 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c

@@ -372,7 +372,14 @@
 		.extra1		= &log_invalid_proto_min,
 		.extra2		= &log_invalid_proto_max,
 	},
-
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "nf_conntrack_expect_max",
+		.data		= &nf_ct_expect_max,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
 	{ .ctl_name = 0 }
 };
commit	f264a7df08d50bb4a23be6a9aa06940e497ac1c4	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Sat Jul 07 22:36:24 2007 -0700
committer	David S. Miller <davem@sunset.davemloft.net>	Tue Jul 10 22:18:12 2007 -0700
tree	c07c92616a50107c2dacc5836626d4b6a12c57ae
parent	b560580a13b180bc1e3cad7ffbc93388cc39be5d [diff] [blame]