git.ipfire.org Git - thirdparty/kernel/linux.git/commit
netfilter: nf_conntrack_helper: cap maximum number of expectations at helper registration
author Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 23 Jun 2026 10:56:55 +0000 (12:56 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 23 Jun 2026 11:10:48 +0000 (13:10 +0200)
commit 397c8300972f6e1486fd1afd99a044648a401cd5
tree 42ea05e3d8ee2e9f731a8e95ea15764576985a4c
parent 6fb421bd07f156cdf0cdede062d31f1c21def326
netfilter: nf_conntrack_helper: cap maximum number of expectations at helper registration

On helper registration, the maximum number of expectations cannot go over
NF_CT_EXPECT_MAX_CNT (255), but zero can be specified, in which case
nf_conntrack_expect_max applies. Turn zero into NF_CT_EXPECT_MAX_CNT,
otherwise expectation LRU eviction on insertion is disabled.

Moreover, expand this sanity check to all expectation classes.

This max_expected policy is only tunable since userspace helpers are
available, so set the Fixes: tag to the commit that adds such infrastructure.

Remove the check for p->max_expected given this field must always
be non-zero after this patch.

Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_helper.c
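The registration check and the eviction guard the commit message describes, as an added C model of the logic rather than the kernel's own code: struct helper, MAX_CLASSES, helper_register_check, should_evict_oldest and clamped_max_for_zero_policy are assumed, simplified names, and the scenarios are constructed.

```c
#include <errno.h>
#include <stdbool.h>

#define NF_CT_EXPECT_MAX_CNT 255u /* hard per-class cap named in the commit */
#define MAX_CLASSES 4             /* assumption: classes modelled per helper */

/* Assumed, simplified model of a helper's per-class expectation policy. */
struct expect_policy {
	unsigned int max_expected;
};

struct helper {
	struct expect_policy policy[MAX_CLASSES];
	unsigned int nclasses;
};

/* Registration-time check as the commit describes it: reject a policy above
 * NF_CT_EXPECT_MAX_CNT and turn zero (formerly "defer to
 * nf_conntrack_expect_max") into the hard cap, for every class. */
int helper_register_check(struct helper *h)
{
	for (unsigned int i = 0; i < h->nclasses; i++) {
		unsigned int m = h->policy[i].max_expected;

		if (m > NF_CT_EXPECT_MAX_CNT)
			return -EINVAL;
		if (m == 0)
			h->policy[i].max_expected = NF_CT_EXPECT_MAX_CNT;
	}
	return 0;
}

/* Insertion-time decision with the pre-patch "p->max_expected &&" guard: a
 * zero policy makes the guard false, so the oldest expectation is never
 * evicted and the per-class LRU limit is silently off. Once registration
 * guarantees a non-zero value, that guard is redundant, as the commit notes. */
bool should_evict_oldest(const struct expect_policy *p, unsigned int expecting)
{
	return p->max_expected != 0 && expecting >= p->max_expected;
}

/* Constructed scenario: class 0 left at zero, class 1 set to 16; returns the
 * value class 0 ends up with after the registration check. */
unsigned int clamped_max_for_zero_policy(void)
{
	struct helper h = { .policy = { { 0 }, { 16 } }, .nclasses = 2 };

	return helper_register_check(&h) == 0 ? h.policy[0].max_expected : 0;
}
```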