authorPablo Neira Ayuso <pablo@netfilter.org>2026-06-22 21:35:18 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2026-06-23 13:10:34 +0200
commitbe57dd9c1c1796e368582313af2b3849f78ac224 (patch)
treeafb80725494e1ca60f9c1e921f93311862e6134c /net
parent979c13114c0bb6ab9135e2c93e00c79c412aef09 (diff)
netfilter: nf_conntrack_expect: run expectation eviction with no helper
Run expectation eviction if no helper is specified to deal with the nft_ct expectation support. Cap the maximum expectation limit per master conntrack to NF_CT_EXPECT_MAX_CNT (255). Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_expect.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 9454913e1b337..113bb1cb1683f 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -499,6 +499,13 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
if (p->max_expected &&
master_help->expecting[expect->class] >= p->max_expected)
evict_oldest_expect(master_help, expect, p);
+ } else {
+ const struct nf_conntrack_expect_policy default_exp_policy = {
+ .max_expected = NF_CT_EXPECT_MAX_CNT,
+ };
+
+ if (master_help->expecting[expect->class] >= default_exp_policy.max_expected)
+ evict_oldest_expect(master_help, expect, &default_exp_policy);
}
cnet = nf_ct_pernet(net);
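Review bot: The new `else` branch never confirms that the eviction made room. After `evict_oldest_expect(master_help, expect, &default_exp_policy)` nothing visible re-checks `master_help->expecting[expect->class]`, so the NF_CT_EXPECT_MAX_CNT cap for helper-less (nft_ct) expectations is a hard bound only if that call always removes an entry, which this hunk does not show. If it can return without evicting, the branch should re-test `master_help->expecting[expect->class] >= default_exp_policy.max_expected` and fail the insert (for example with -EMFILE) through the function's existing error path. Otherwise a comment should state the guarantee, for instance `/* no helper (nft_ct): cap per-master expectations; evict_oldest_expect() always frees a slot */`. Separately, the policy could be declared `static const struct nf_conntrack_expect_policy default_exp_policy` so it is not rebuilt on the stack on every call. The body of `__nf_ct_expect_check` starts and ends outside the hunk, so the enclosing condition and the later global limit check are not visible here.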