From: Pablo Neira Ayuso <pablo@netfilter.org>
To: nicolas.bouchinet@clip-os.org
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org
Subject: Re: [PATCH v1 1/9] sysctl: Fixes nf_conntrack_max bounds
Date: Wed, 29 Jan 2025 00:00:34 +0100
Message-ID: <Z5lhkiWI9-nP9O1g@calendula>
In-Reply-To: <20250127142014.37834-2-nicolas.bouchinet@clip-os.org>

Hi,

Please collapse patches 1/9 and 2/9 and post it to
netfilter-devel@vger.kernel.org, targeting the nf-next tree.

Thanks.

On Mon, Jan 27, 2025 at 03:19:58PM +0100, nicolas.bouchinet@clip-os.org wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
>
> Bound nf_conntrack_max sysctl writings between SYSCTL_ZERO
> and SYSCTL_INT_MAX.
>
> The proc_handler has thus been updated to proc_dointvec_minmax.
>
> Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> ---
> net/netfilter/nf_conntrack_standalone.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 7d4f0fa8b609d..40ed3ef9cb22d 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -619,7 +619,9 @@ static struct ctl_table nf_ct_sysctl_table[] = {
> .data = &nf_conntrack_max,
> .maxlen = sizeof(int),
> .mode = 0644,
> - .proc_handler = proc_dointvec,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_INT_MAX,
> },
> [NF_SYSCTL_CT_COUNT] = {
> .procname = "nf_conntrack_count",
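Review bot: the `.extra2 = SYSCTL_INT_MAX` line in this nf_ct_sysctl_table entry adds no constraint beyond the int range that a `.maxlen = sizeof(int)` field already has, so the effective change is the `.extra1 = SYSCTL_ZERO` lower bound, which rejects negative writes. The commit message should say that rejecting negatives is the intent, and should state what a value of 0 means for nf_conntrack_max, since the new lower bound still accepts it.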
> @@ -948,7 +950,9 @@ static struct ctl_table nf_ct_netfilter_table[] = {
> .data = &nf_conntrack_max,
> .maxlen = sizeof(int),
> .mode = 0644,
> - .proc_handler = proc_dointvec,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_INT_MAX,
> },
> };
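Review bot: this nf_ct_netfilter_table entry has the same `.data = &nf_conntrack_max` as the entry changed in nf_ct_sysctl_table, so the handler and the two bounds must stay identical in both places or the same variable gets different limits depending on which entry is written. The commit message reads as if only one sysctl entry is touched; it should mention that both table entries are updated, and a short comment next to one entry pointing at the other would help keep them in sync.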
>
> --
> 2.48.1
>
>