diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-07-07 22:33:47 -0700 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-10 22:17:59 -0700 |
| commit | a71c085562bcc99e8b711cab4222bff1f6e955da (patch) | |
| tree | 7de563d406e8e9e44065b53c664f837f97f8b3fe /net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | |
| parent | e9c1b084e17ca225b6be731b819308ee0f9e04b8 (diff) | |
[NETFILTER]: nf_conntrack: use hashtable for expectations
Currently all expectations are kept on a global list that
- needs to be searched for every new conncetion
- needs to be walked for evicting expectations when a master connection
has reached its limit
- needs to be walked on connection destruction for connections that
have open expectations
This is obviously not good, especially when considering helpers like
H.323 that register *lots* of expectations and can set up permanent
expectations, but it also allows for an easy DoS against firewalls
using connection tracking helpers.
Use a hashtable for expectations to avoid incurring the search overhead
for every new connection. The default hash size is 1/256 of the conntrack
hash table size, this can be overriden using a module parameter.
This patch only introduces the hash table for expectation lookups and
keeps other users to reduce the noise, the following patches will get
rid of it completely.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c')
0 files changed, 0 insertions, 0 deletions