Phil Sutter <phil@xxxxxx> wrote:
> Support tracking of up to 2^32-1 packets per table. Since users provide
> the hitcount value in a __u32 variable, they can't exceed the max value
> anymore.
>
> Requested-by: Fabio <pedretti.fabio@xxxxxxxxx>
> Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1745
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
> net/netfilter/xt_recent.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
> index 60259280b2d5..77ac4964e2dc 100644
> --- a/net/netfilter/xt_recent.c
> +++ b/net/netfilter/xt_recent.c
> @@ -59,9 +59,9 @@ MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* fil
> /* retained for backwards compatibility */
> static unsigned int ip_pkt_list_tot __read_mostly;
> module_param(ip_pkt_list_tot, uint, 0400);
> -MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
> +MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 2^32 - 1)");
>
> -#define XT_RECENT_MAX_NSTAMPS 256
> +#define XT_RECENT_MAX_NSTAMPS (1ULL << 32)

Won't that allow massive mem hog?

Actually I think this is already a mem hog, unbounded allocations from
time where we had no untrusted netns :-(
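Review bot: in the hunk above, the new limit `#define XT_RECENT_MAX_NSTAMPS (1ULL << 32)` is inconsistent with the bound stated next to it, `"... (max. 2^32 - 1)"`, and with the type of the parameter it bounds, `static unsigned int ip_pkt_list_tot` registered as `uint`: a 32-bit value can never exceed 2^32, so any "greater than XT_RECENT_MAX_NSTAMPS" comparison against a u32 becomes dead code, and assigning the macro to a u32 truncates it to 0. Suggest defining the limit as the value the description actually promises (U32_MAX, i.e. 2^32 - 1) and keeping the comparison type-consistent, so the check remains effective. The commit message also says "packets per table" while the parameter description in the same hunk says "packets per IP address"; the two should agree on what the limit applies to.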