| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250410131717.GA14051@breakpoint.cc> Date: Thu, 10 Apr 2025 15:17:17 +0200 From: Florian Westphal <fw@...len.de> To: lvxiafei <xiafei_xupt@....com> Cc: fw@...len.de, coreteam@...filter.org, davem@...emloft.net, edumazet@...gle.com, horms@...nel.org, kadlec@...filter.org, kuba@...nel.org, linux-kernel@...r.kernel.org, lvxiafei@...setime.com, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, pabeni@...hat.com, pablo@...filter.org Subject: Re: [PATCH V3] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl lvxiafei <xiafei_xupt@....com> wrote: > Florian Westphal <fw@...len.de> wrote: > > I suggest to remove nf_conntrack_max as a global variable, > > make net.nf_conntrack_max use init_net.nf_conntrack_max too internally, > > so in the init_net both sysctls remain the same. > > The nf_conntrack_max global variable is a system calculated > value and should not be removed. > nf_conntrack_max = max_factor * nf_conntrack_htable_size; Thats the default calculation for the initial sysctl value: net/netfilter/nf_conntrack_standalone.c: .data = &nf_conntrack_max, net/netfilter/nf_conntrack_standalone.c: .data = &nf_conntrack_max, You can make an initial patch that replaces all occurences of nf_conntrack_max with cnet->sysctl_conntrack_max (adding a 'unsigned int sysctl_conntrack_max' to struct nf_conntrack_net). Then, in a second patch, remove the '0444' readonly and redirect the child netns to use the copy in its own pernet area rather than the init_net one.
Powered by blists - more mailing lists