field | value | date
---|---|---
author | Patrick McHardy <kaber@trash.net> | 2007-07-07 22:36:24 -0700
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-10 22:18:12 -0700
commit | f264a7df08d50bb4a23be6a9aa06940e497ac1c4 (patch) |
tree | c07c92616a50107c2dacc5836626d4b6a12c57ae /net/netfilter/nf_conntrack_standalone.c |
parent | b560580a13b180bc1e3cad7ffbc93388cc39be5d (diff) |
[NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysct
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_standalone.c')
-rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 098e7993932a..6af96c6e29fb 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -372,7 +372,14 @@ static ctl_table nf_ct_sysctl_table[] = { .extra1 = &log_invalid_proto_min, .extra2 = &log_invalid_proto_max, }, - + { + .ctl_name = CTL_UNNUMBERED, + .procname = "nf_conntrack_expect_max", + .data = &nf_ct_expect_max, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = &proc_dointvec, + }, { .ctl_name = 0 } }; |
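Review bot: the new nf_conntrack_expect_max entry uses plain proc_dointvec with no .extra1/.extra2 bounds, so any integer, including 0 or a negative value, can be written to the sysctl under net/netfilter/; since the commit message presents this as a limit against expectation-flooding DoS, the handler should be proc_dointvec_minmax with a minimum bound (at least 1, or 0 only if the rest of the series treats 0 as "no limit", which this hunk does not show), mirroring the log_invalid entry just above it that already carries `.extra1 = &log_invalid_proto_min,` and `.extra2 = &log_invalid_proto_max,`. Separately, nf_ct_expect_max is referenced here but not declared in this file's hunk, so the build of this file depends on an extern declaration from an earlier patch in the series being visible through a header it includes; worth confirming that header change is in the same series rather than assumed.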