Date: Wed, 5 Nov 2025 15:34:01 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: f3b94f47f55c - main - ipfilter: Add an htable max size tuneable. Message-ID: <202511051534.5A5FY1LA033289@gitrepo.freebsd.org>
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=f3b94f47f55c502e8983f9bd294e963e75b2963a
commit f3b94f47f55c502e8983f9bd294e963e75b2963a
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 22:56:50 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-11-05 15:32:16 +0000
ipfilter: Add an htable max size tuneable.
Add an ipfilter runtime option (ipf -T) to adjust the default maximum hash table size. Default it to 1024 entries. It will be used by a subsequent commit to limit any damage due to excessively large hash table input by the user.
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53284
---
sys/netpfil/ipfilter/netinet/ip_htable.c | 7 +++++++
sys/netpfil/ipfilter/netinet/ip_htable.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c
index 9680017eb399..39777508731f 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.c
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.c
@@ -97,6 +97,7 @@ typedef struct ipf_htable_softc_s {
 iphtable_t *ipf_htables[LOOKUP_POOL_SZ];
 iphtent_t *ipf_node_explist;
 ipftuneable_t *ipf_htable_tune;
+ u_int ipf_htable_size_max;
 } ipf_htable_softc_t;
 ipf_lookup_t ipf_htable_backend = {
@@ -124,6 +125,10 @@ ipf_lookup_t ipf_htable_backend = {
 static ipftuneable_t ipf_htable_tuneables[] = {
+ { { (void *)offsetof(ipf_htable_softc_t, ipf_htable_size_max) },
+ "htable_size_max", 1, 0x7fffffff,
+ stsizeof(ipf_htable_softc_t, ipf_htable_size_max),
+ 0, NULL, NULL },
 { { NULL }, NULL, 0, 0, 0,
@@ -206,6 +211,8 @@ ipf_htable_soft_init(ipf_main_softc_t *softc, void *arg)
 bzero((char *)softh, sizeof(*softh));
+ softh->ipf_htable_size_max = IPHTABLE_MAX_SIZE;
+
 return (0);
 }
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.h b/sys/netpfil/ipfilter/netinet/ip_htable.h
index 55c289e57ff6..3a8782ccd4b2 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.h
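Review bot: The `htable_size_max` entry in `ipf_htable_tuneables[]` accepts values up to `0x7fffffff`, so the ceiling that the commit message says is meant to limit damage from excessively large hash tables can itself be raised until it no longer bounds anything. The code that enforces the limit is not part of this commit; if it multiplies the table size by an element size for allocation, a ceiling this high could also wrap on 32-bit platforms, which is worth confirming when that change lands. Consider a tighter upper bound behind a named constant, e.g. `"htable_size_max", 1, IPHTABLE_HARD_LIMIT,` (placeholder name, not defined on this page), plus a comment on the entry stating that the unit is hash table entries. The array definition starts and ends outside the hunk.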
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.h
@@ -55,6 +55,8 @@ typedef struct iphtable_s {
 char iph_name[FR_GROUPLEN]; /* hash table number */
 } iphtable_t;
+#define IPHTABLE_MAX_SIZE 1024
+
 /* iph_type */
 #define IPHASH_LOOKUP 0
 #define IPHASH_GROUPMAP 1
help
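Review bot: `IPHTABLE_MAX_SIZE` is added without a comment, and its name reads like a hard limit although the commit message and the assignment in `ipf_htable_soft_init()` show it is only the initial value of a runtime tuneable. A reader of the header alone cannot tell the unit or that the value can be changed with `ipf -T`. I would document it in place, `#define IPHTABLE_MAX_SIZE 1024 /* default for the htable_size_max tuneable, in hash table entries */`.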
