diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2025-10-22 22:56:50 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-11-05 15:32:16 +0000 |
| commit | f3b94f47f55c502e8983f9bd294e963e75b2963a (patch) | |
| tree | 9fcfaf8780e4e1730da14719faf26bbf4624793c | |
| parent | c57262716b08717b6a9c5533941d4e0a2d180d46 (diff) | |
ipfilter: Add an htable max size tuneable.
Add an ipfilter runtime option (ipf -T) to adjust the default
maximum hash table size. Default it to 1024 entries. It will be
used by a subsequent commit to limit any damage due to excessively
large hash table input by the user.
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53284
| -rw-r--r-- | sys/netpfil/ipfilter/netinet/ip_htable.c | 7 | ||||
| -rw-r--r-- | sys/netpfil/ipfilter/netinet/ip_htable.h | 2 |
2 files changed, 9 insertions, 0 deletions
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 9680017eb399..39777508731f 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -97,6 +97,7 @@ typedef struct ipf_htable_softc_s { iphtable_t *ipf_htables[LOOKUP_POOL_SZ]; iphtent_t *ipf_node_explist; ipftuneable_t *ipf_htable_tune; + u_int ipf_htable_size_max; } ipf_htable_softc_t; ipf_lookup_t ipf_htable_backend = { @@ -124,6 +125,10 @@ ipf_lookup_t ipf_htable_backend = { static ipftuneable_t ipf_htable_tuneables[] = { + { { (void *)offsetof(ipf_htable_softc_t, ipf_htable_size_max) }, + "htable_size_max", 1, 0x7fffffff, + stsizeof(ipf_htable_softc_t, ipf_htable_size_max), + 0, NULL, NULL }, { { NULL }, NULL, 0, 0, 0, @@ -206,6 +211,8 @@ ipf_htable_soft_init(ipf_main_softc_t *softc, void *arg) bzero((char *)softh, sizeof(*softh)); + softh->ipf_htable_size_max = IPHTABLE_MAX_SIZE; + return (0); } diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.h b/sys/netpfil/ipfilter/netinet/ip_htable.h index 55c289e57ff6..3a8782ccd4b2 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.h +++ b/sys/netpfil/ipfilter/netinet/ip_htable.h @@ -55,6 +55,8 @@ typedef struct iphtable_s { char iph_name[FR_GROUPLEN]; /* hash table number */ } iphtable_t; +#define IPHTABLE_MAX_SIZE 1024 + /* iph_type */ #define IPHASH_LOOKUP 0 #define IPHASH_GROUPMAP 1 |