diff options
| author | Gao Feng <fgao@ikuai8.com> | 2017-03-24 14:32:19 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-04-06 18:32:16 +0200 |
| commit | 92f73221f9e9e143d242e3eca9c512dac969765e (patch) | |
| tree | 9c493bd487511b3230393788568bfe3ae3ae81a2 /include/net | |
| parent | netfilter: nf_tables: add nft_is_base_chain() helper (diff) | |
| download | linux-92f73221f9e9e143d242e3eca9c512dac969765e.tar.xz linux-92f73221f9e9e143d242e3eca9c512dac969765e.zip | |
netfilter: expect: Make sure the max_expected limit is effective
Because the type of expecting, the member of nf_conn_help, is u8, it
would overflow after reach U8_MAX(255). So it doesn't work when we
configure the max_expected exceeds 255 with expect policy.
Now add the check for max_expected. Return the -EINVAL when it exceeds
the limit.
Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 65cc2cb005d9..e84df8d3bf37 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -73,6 +73,7 @@ struct nf_conntrack_expect_policy { }; #define NF_CT_EXPECT_CLASS_DEFAULT 0 +#define NF_CT_EXPECT_MAX_CNT 255 int nf_conntrack_expect_pernet_init(struct net *net); void nf_conntrack_expect_pernet_fini(struct net *net); |