git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 26 Aug 2021 13:54:22 +0000 (15:54 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 30 Aug 2021 09:52:21 +0000 (11:52 +0200)
commit	280638bee62fdd4d53e94658b2502811bc33e324
tree	58f5bfa9d5169cfad2e44fb94bee310f188eb9ba	tree \| snapshot
parent	7aba898ee1fe035b50983ec2bfc0dc406cd364ca	commit \| diff

netfilter: refuse insertion if chain has grown too large

Also add a stat counter for this that gets exported both via old /proc
interface and ctnetlink.

Assuming the old default size of 16536 buckets and max hash occupancy of
64k, this results in 128k insertions (origin+reply), so ~8 entries per
chain on average.

The revised settings in this series will result in about two entries per
bucket on average.

This allows a hard-limit ceiling of 64.

This is not tunable at the moment, but its possible to either increase
nf_conntrack_buckets or decrease nf_conntrack_max to reduce average
lengths.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/nf_conntrack_common.h		diff \| blob \| history
include/uapi/linux/netfilter/nfnetlink_conntrack.h		diff \| blob \| history
net/netfilter/nf_conntrack_core.c		diff \| blob \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| history
net/netfilter/nf_conntrack_standalone.c		diff \| blob \| history