| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-22 21:35:18 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-23 13:10:34 +0200 |
| commit | be57dd9c1c1796e368582313af2b3849f78ac224 (patch) | |
| tree | afb80725494e1ca60f9c1e921f93311862e6134c /net | |
| parent | 979c13114c0bb6ab9135e2c93e00c79c412aef09 (diff) | |
| download | ath-be57dd9c1c1796e368582313af2b3849f78ac224.tar.gz | |
netfilter: nf_conntrack_expect: run expectation eviction with no helper

Run expectation eviction if no helper is specified to deal with the
nft_ct expectation support.

Cap the maximum expectation limit per master conntrack to
NF_CT_EXPECT_MAX_CNT (255).

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 9454913e1b337..113bb1cb1683f 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -499,6 +499,13 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect, if (p->max_expected && master_help->expecting[expect->class] >= p->max_expected) evict_oldest_expect(master_help, expect, p); + } else { + const struct nf_conntrack_expect_policy default_exp_policy = { + .max_expected = NF_CT_EXPECT_MAX_CNT, + }; + + if (master_help->expecting[expect->class] >= default_exp_policy.max_expected) + evict_oldest_expect(master_help, expect, &default_exp_policy); } cnet = nf_ct_pernet(net); |
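
Review bot: in the new else branch the comparison is against master_help->expecting[expect->class], so the limit is enforced per expectation class, while the commit message describes a cap per master conntrack of NF_CT_EXPECT_MAX_CNT; either the message or the check should change so the two agree. default_exp_policy is an automatic const struct rebuilt on every call to __nf_ct_expect_check(); declaring it static const would state that it is a fixed default and keep the initialisation out of the per-call path. Only .max_expected is set in that struct, so please confirm that evict_oldest_expect() reads no other policy field, since the rest is zero-initialised. A short comment on the else saying this is the no-helper (nft_ct expectation) case would also help, because the condition it pairs with lies outside the visible context of the hunk.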
