git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Sun, 16 Apr 2017 20:08:53 +0000 (22:08 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 19 Apr 2017 15:55:17 +0000 (17:55 +0200)
commit	1b0dd00e3d2e05ed9d57ef6dea37f8d878ff2751
tree	1798d94ac1667544a3c00cd04641cdfec8e385de	tree \| snapshot
parent	8c45b5c3e68dc01585d31c9ee7c2e4e5d69b3580	commit \| diff

netfilter: allow early drop of assured conntracks

If insertion of a new conntrack fails because the table is full, the kernel
searches the next buckets of the hash slot where the new connection
was supposed to be inserted at for an entry that hasn't seen traffic
in reply direction (non-assured), if it finds one, that entry is
is dropped and the new connection entry is allocated.

Allow the conntrack gc worker to also remove *assured* conntracks if
resources are low.

Do this by querying the l4 tracker, e.g. tcp connections are now dropped
if they are no longer established (e.g. in finwait).

This could be refined further, e.g. by adding 'soft' established timeout
(i.e., a timeout that is only used once we get close to resource
exhaustion).

Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_conntrack_l4proto.h		diff \| blob \| history
net/netfilter/nf_conntrack_core.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto_dccp.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto_sctp.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto_tcp.c		diff \| blob \| history