• Patrick McHardy's avatar
    netfilter: nf_conntrack: fix hash resizing with namespaces · d696c7bd
    Patrick McHardy authored
    As noticed by Jon Masters <jonathan@jonmasters.org>, the conntrack hash
    size is global and not per namespace, but modifiable at runtime through
    /sys/module/nf_conntrack/hashsize. Changing the hash size will only
    resize the hash in the current namespace however, so other namespaces
    will use an invalid hash size. This can cause crashes when enlarging
    the hashsize, or false negative lookups when shrinking it.
    
    Move the hash size into the per-namespace data and only use the global
    hash size to initialize the per-namespace value when instanciating a
    new namespace. Additionally restrict hash resizing to init_net for
    now as other namespaces are not handled currently.
    
    Cc: stable@kernel.org
    Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    d696c7bd
conntrack.h 898 Bytes