lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aO5WDcNAegXi1Umg@strlen.de>
Date: Tue, 14 Oct 2025 15:54:21 +0200
From: Florian Westphal <fw@...len.de>
To: lvxiafei <xiafei_xupt@....com>
Cc: pablo@...filter.org, coreteam@...filter.org, davem@...emloft.net,
	edumazet@...gle.com, horms@...nel.org, kadlec@...filter.org,
	kuba@...nel.org, linux-kernel@...r.kernel.org,
	lvxiafei@...setime.com, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org, pabeni@...hat.com
Subject: Re: [PATCH V6] netfilter: netns nf_conntrack: per-netns
 net.netfilter.nf_conntrack_max sysctl

lvxiafei <xiafei_xupt@....com> wrote:
> > > Wether its time to disallow 0 is a different topic and not related to this patch.
> > >
> > > I would argue: "yes", disallow 0 -- users can still set INT_MAX if they
> > >  want and that should provide enough rope to strangle yourself.
> 
> > The question is how to make it without breaking crazy people.
> 
> It seems that we need a new topic to discuss the maximum value that the system can
> tolerate to ensure safety:
> 
> 1. This value is a system limitation, not a user setting
> 2. This value should be calculated based on system resources
> 3. This value takes precedence over 0 and other larger values that the user sets
> 4. This value does not affect the value of the user setting, and 0 in the user
> setting can still indicate that the user setting is unlimited, maintaining
> compatibility with historical usage.

I've applied a variant of this patch to nf-next:testing.

Could you please check that I adapted it correctly?
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git/commit/?h=testing&id=b7bfa7d96fa5a7f3c2a69ad406ede520e658cb07

(I added a patch right before that rejects conntrack_max=0).

I wonder if we should update the sysctl path to reflect the
effective value, i.e., so that when netns sets

nf_conntrack_max=1000000

... but init_net is capped at 65536, then a listing
shows the sysctl at 65536.

It would be similar to what we do for max_buckets.

I also considered to make such a request fail at set time, but it
would make the sysctl fail/not fail 'randomly' and it also would
not do the right thing when init_net setting is reduced later.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ