| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250408081712.54037-1-xiafei_xupt@163.com>
Date: Tue, 8 Apr 2025 16:17:12 +0800
From: lvxiafei <xiafei_xupt@....com>
To: fw@...len.de
Cc: coreteam@...filter.org,
davem@...emloft.net,
edumazet@...gle.com,
horms@...nel.org,
kadlec@...filter.org,
kuba@...nel.org,
linux-kernel@...r.kernel.org,
lvxiafei@...setime.com,
netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org,
pabeni@...hat.com,
pablo@...filter.org,
xiafei_xupt@....com
Subject: Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl
On Monday 2025-04-07 12:13, Florian Westphal wrote:
>lvxiafei <xiafei_xupt@....com> wrote:
>> The modification of nf_conntrack_max in one netns
>> should not affect the value in another one.
>
>nf_conntrack_max can only be changed in init_net.
>
>Given the check isn't removed:
> /* Don't allow non-init_net ns to alter global sysctls */
> if (!net_eq(&init_net, net)) {
> table[NF_SYSCTL_CT_MAX].mode = 0444;
>
>... this patch seems untested?
>
>But, removing this check would allow any netns to consume
>arbitrary amount of kernel memory.
>
>How do you prevent this?
Yes, this check needs to be deleted
All netns share the original nf_conntrack_max. The nf_conntrack_max
limit does not limit the total ct_count of all netns. When it is changed
to a netns-level parameter, the default value is the same as the original
default value (=max_factor*nf_conntrack_htable_size), which is a global
(ancestral) limit, and kernel memory consumption is not affected.
Powered by blists - more mailing lists