| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250523092129.98856-1-xiafei_xupt@163.com> Date: Fri, 23 May 2025 17:21:29 +0800 From: lvxiafei <xiafei_xupt@....com> To: pablo@...filter.org Cc: coreteam@...filter.org, davem@...emloft.net, edumazet@...gle.com, fw@...len.de, horms@...nel.org, kadlec@...filter.org, kuba@...nel.org, linux-kernel@...r.kernel.org, lvxiafei@...setime.com, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, pabeni@...hat.com, xiafei_xupt@....com Subject: Re: [PATCH V6] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl On Thu, 22 May 2025 21:58:13 +0200, Pablo Neira Ayuso wrote: > > Wether its time to disallow 0 is a different topic and not related to this patch. > > > > I would argue: "yes", disallow 0 -- users can still set INT_MAX if they > > want and that should provide enough rope to strangle yourself. > The question is how to make it without breaking crazy people. It seems that we need a new topic to discuss the maximum value that the system can tolerate to ensure safety: 1. This value is a system limitation, not a user setting 2. This value should be calculated based on system resources 3. This value takes precedence over 0 and other larger values that the user sets 4. This value does not affect the value of the user setting, and 0 in the user setting can still indicate that the user setting is unlimited, maintaining compatibility with historical usage.
Powered by blists - more mailing lists