Two recent commits switched inet rt and nexthop exception hashes from
jhash to siphash.

If those two spots are problematic then conntrack is affected as well,
so switch over to siphash too.

While at it, add a hard upper limit on chain lengths and reject insertion
if this is hit.

Florian Westphal (3):
  netfilter: conntrack: sanitize table size default settings
  netfilter: conntrack: switch to siphash
  netfilter: conntrack: refuse insertion if chain has grown too large

 .../networking/nf_conntrack-sysctl.rst        |  13 ++-
 include/linux/netfilter/nf_conntrack_common.h |   1 +
 .../linux/netfilter/nfnetlink_conntrack.h     |   1 +
 net/netfilter/nf_conntrack_core.c             | 103 ++++++++++++------
 net/netfilter/nf_conntrack_expect.c           |  25 +++--
 net/netfilter/nf_conntrack_netlink.c          |   4 +-
 net/netfilter/nf_conntrack_standalone.c       |   4 +-
 net/netfilter/nf_nat_core.c                   |  18 ++-
 8 files changed, 114 insertions(+), 55 deletions(-)

-- 
2.31.1
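The two mitigations the cover letter names, a keyed hash so bucket placement is not predictable from the tuple alone and a hard cap on chain length with insertion refused once it is hit, as a stand-alone added example that is not the kernel's conntrack code: the table, `MAX_CHAIN`, the toy keyed hash standing in for siphash, and all function names are hypothetical.

```c
/* Added example, not kernel code: a chained hash table whose insert refuses
 * new entries once a bucket already holds MAX_CHAIN items. A per-table
 * random seed mixed into the hash plays the role siphash's key plays in the
 * series; the multiplicative hash itself is a toy, not siphash. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS  8
#define MAX_CHAIN 4          /* hypothetical hard upper limit per bucket */

struct entry { uint32_t key; struct entry *next; };
struct table {
	uint64_t seed;                 /* per-table secret, set at init */
	struct entry *bucket[NBUCKETS];
	unsigned refused;              /* inserts rejected by the cap */
};

static unsigned hash_key(const struct table *t, uint32_t key)
{
	/* seed is xor-ed in so bucket placement depends on a secret */
	uint64_t h = ((uint64_t)key ^ t->seed) * 0x9E3779B97F4A7C15ULL;
	return (unsigned)(h >> 61);    /* top 3 bits select one of 8 buckets */
}

static void table_init(struct table *t, uint64_t seed)
{
	memset(t, 0, sizeof(*t));
	t->seed = seed;
}

/* 0 on success, -1 when the target chain is already MAX_CHAIN long */
static int table_insert(struct table *t, uint32_t key)
{
	unsigned b = hash_key(t, key), len = 0;
	for (struct entry *e = t->bucket[b]; e; e = e->next)
		len++;
	if (len >= MAX_CHAIN) {        /* chain too long: refuse, do not grow */
		t->refused++;
		return -1;
	}
	struct entry *e = malloc(sizeof(*e));
	if (!e)
		return -1;
	e->key = key;
	e->next = t->bucket[b];
	t->bucket[b] = e;
	return 0;
}

/* Demo: feed `attempts` keys that all land in one bucket; returns how many
 * were accepted, which the cap bounds at MAX_CHAIN regardless of attempts. */
static unsigned demo_fill_one_bucket(unsigned attempts)
{
	struct table t;
	table_init(&t, 0x1234);        /* constructed seed for a repeatable demo */
	unsigned target = hash_key(&t, 1), accepted = 0;
	for (uint32_t k = 1, n = 0; n < attempts; k++) {
		if (hash_key(&t, k) != target)
			continue;
		n++;
		if (table_insert(&t, k) == 0)
			accepted++;
	}
	for (unsigned b = 0; b < NBUCKETS; b++)
		while (t.bucket[b]) {
			struct entry *e = t.bucket[b];
			t.bucket[b] = e->next;
			free(e);
		}
	return accepted;
}
```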