Commit 2b749f25 authored by Florian Westphal's avatar Florian Westphal

netfilter: conntrack: disable 0 value for conntrack_max setting



Undocumented historical artifact inherited from ip_conntrack.
If the value is 0, no limit is applied at all; the conntrack table
can grow to a huge size, limited only by the size of the conntrack hashes and
the kernel-internal upper limit on the hash chain lengths.

This feature makes no sense; users can just set
conntrack_max=2147483647 (INT_MAX).

Disallow a 0 value.  This will make it slightly easier to allow
per-netns constraints for this value in a future patch.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent 320d80ee
+1 −1
@@ -1668,7 +1668,7 @@ __nf_conntrack_alloc(struct net *net,
	/* We don't want any race condition at early drop stage */
	ct_count = atomic_inc_return(&cnet->count);

	if (nf_conntrack_max && unlikely(ct_count > nf_conntrack_max)) {
	if (unlikely(ct_count > nf_conntrack_max)) {
		if (!early_drop(net, hash)) {
			if (!conntrack_gc_work.early_drop)
				conntrack_gc_work.early_drop = true;
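Review bot: With the `nf_conntrack_max &&` short-circuit gone, a value of 0 in nf_conntrack_max no longer means "unlimited" but makes `ct_count > nf_conntrack_max` true for every allocation, so any path that can still leave the variable at 0 would reject all new conntrack entries. This hunk only shows the allocation site; the sysctl range is tightened in the second file, but whether the boot-time initialization of nf_conntrack_max (not visible here) can ever yield 0 should be confirmed. A comment at the check would record the new invariant for later readers: `/* nf_conntrack_max is >= 1 (sysctl floor is SYSCTL_ONE); 0 is no longer "no limit" */`. The body of __nf_conntrack_alloc begins and ends outside this hunk.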
+2 −2
@@ -648,7 +648,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra1		= SYSCTL_ONE,
		.extra2		= SYSCTL_INT_MAX,
	},
	[NF_SYSCTL_CT_COUNT] = {
@@ -929,7 +929,7 @@ static struct ctl_table nf_ct_netfilter_table[] = {
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra1		= SYSCTL_ONE,
		.extra2		= SYSCTL_INT_MAX,
	},
};
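Review bot: Raising `.extra1` from SYSCTL_ZERO to SYSCTL_ONE is a user-visible change: a write of 0 to nf_conntrack_max, which previously succeeded, now fails proc_dointvec_minmax range checking, and the same applies to the nf_ct_sysctl_table entry in the first hunk of this file. If the sysctl documentation for nf_conntrack_max is not updated elsewhere in this commit, it should state that the accepted range is now 1 to INT_MAX. Both tables expose the same variable, so keeping the two `.extra1` values identical, as this hunk does, is what prevents one path from accepting a value the other rejects.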