On Sat, Jan 17, 2015 at 08:06:21AM +0000, Patrick McHardy wrote: > > Resizing might also fail because of memory allocation problems, but > I'd argue that its better to continue with a non-optimal sized table > and retry later than to completely fail, at least unless the API > user has explicitly requested this behaviour. > > As for the element counter, yeah, it should prevent overflow. In that > case I agree that failing insertion is the easiest solution. Well you have to consider the security aspect. These days root- only is no longer an acceptable excuse given things like namespaces. If you don't fail the insertions while the expansion is ongoing, and assuming a dump can postpone expansions, then you can essentially insert entries into the hash table at will which is an easy DoS attack. Note that you don't have to fail the insertion right away. I think waiting until you reach max * 2 would be fine. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
