netfilter: nf_conntrack_expect: run expectation eviction with no helper

Run expectation eviction if no helper is specified to deal with the
nft_ct expectation support.

Cap the maximum expectation limit per master conntrack to
NF_CT_EXPECT_MAX_CNT (255).

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 9454913e1b337e8cb3c30d374b10f82e4179b80d..113bb1cb1683fdbd7bbefb996828e9894272e163 100644 (file)
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -499,6 +499,13 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
                if (p->max_expected &&
                    master_help->expecting[expect->class] >= p->max_expected)
                        evict_oldest_expect(master_help, expect, p);
+       } else {
+               const struct nf_conntrack_expect_policy default_exp_policy = {
+                       .max_expected = NF_CT_EXPECT_MAX_CNT,
+               };
+
+               if (master_help->expecting[expect->class] >= default_exp_policy.max_expected)
+                       evict_oldest_expect(master_help, expect, &default_exp_policy);
        }
 
        cnet = nf_ct_pernet(net);