Re: [PATCH] netfilter: conntrack: add new sysctl to disable RST check

On 26/05/2021 at 11:24, Ali Abdallah wrote:
> This patch adds a new sysctl tcp_ignore_invalid_rst to disable marking
> out of segments RSTs as INVALID.
> 
> Signed-off-by: Ali Abdallah <aabdallah@xxxxxxx>
> ---
>  Documentation/networking/nf_conntrack-sysctl.rst |  6 ++++++
>  include/net/netns/conntrack.h                    |  1 +
>  net/netfilter/nf_conntrack_proto_tcp.c           |  6 +++++-
>  net/netfilter/nf_conntrack_standalone.c          | 10 ++++++++++
>  4 files changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
> index 11a9b76786cb..45f5a9690172 100644
> --- a/Documentation/networking/nf_conntrack-sysctl.rst
> +++ b/Documentation/networking/nf_conntrack-sysctl.rst
> @@ -110,6 +110,12 @@ nf_conntrack_tcp_be_liberal - BOOLEAN
>  	Be conservative in what you do, be liberal in what you accept from others.
>  	If it's non-zero, we mark only out of window RST segments as INVALID.
>  
> +nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
> +	- 0 - disabled (default)
> +	- not 0 - enabled
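Review bot: the documentation entry, in the lines quoted here, only lists the permitted values and does not say what the knob does. The commit message says it stops out-of-window RST segments from being marked INVALID, and the nf_conntrack_tcp_be_liberal entry just above states "If it's non-zero, we mark only out of window RST segments as INVALID", so the new entry should spell out that effect and how it combines with be_liberal (whether it overrides it or only applies when be_liberal is set). With the sysctl clamped to 0..1 by its table entry, "1 - enabled" is also more precise than "not 0 - enabled".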
If I correctly read the patch, the only "not 0" possible value is 1. Why not
use "1" explicitly?

[snip]

> @@ -778,6 +779,14 @@ static struct ctl_table nf_ct_sysctl_table[] = {
>  		.extra1 	= SYSCTL_ZERO,
>  		.extra2 	= SYSCTL_ONE,
>  	},
> +	[NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = {
> +		.procname	= "nf_conntrack_tcp_ignore_invalid_rst",
> +		.maxlen		= sizeof(u8),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dou8vec_minmax,
> +		.extra1		= SYSCTL_ZERO,
> +		.extra2		= SYSCTL_ONE,
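Review bot: the table entry sets no .data pointer; since the value is stored per-netns (include/net/netns/conntrack.h gains a field in the diffstat), the per-namespace address has to be filled in where the table is duplicated for each netns, which is not visible in the quoted lines, so please confirm that assignment is part of the patch, otherwise proc_dou8vec_minmax has no storage to read or write. Given .extra1 = SYSCTL_ZERO and .extra2 = SYSCTL_ONE with .maxlen = sizeof(u8), the accepted range is exactly 0 and 1, so the documentation's "not 0 - enabled" should read "1 - enabled".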
Max == 1.


Regards,
Nicolas


