linux/include
Florian Westphal c6dd940b1f netfilter: allow early drop of assured conntracks
If insertion of a new conntrack fails because the table is full, the kernel
searches the next buckets of the hash slot where the new connection
was supposed to be inserted at for an entry that hasn't seen traffic
in reply direction (non-assured), if it finds one, that entry is
dropped and the new connection entry is allocated.

Allow the conntrack gc worker to also remove *assured* conntracks if
resources are low.

Do this by querying the l4 tracker, e.g. tcp connections are now dropped
if they are no longer established (e.g. in finwait).

This could be refined further, e.g. by adding 'soft' established timeout
(i.e., a timeout that is only used once we get close to resource
exhaustion).

Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-04-19 17:55:17 +02:00
..
acpi
asm-generic Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-04-02 09:22:03 -07:00
clocksource
crypto net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
drm drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces 2017-03-30 11:43:39 +02:00
dt-bindings scripts/spelling.txt: add "overide" pattern and fix typo instances 2017-03-09 17:01:09 -08:00
keys
kvm
linux netfilter: Add nfnl_msg_type() helper function 2017-04-07 16:31:36 +02:00
math-emu
media media fixes for v4.11-rc2 2017-03-09 15:50:56 -08:00
memory
misc
net netfilter: allow early drop of assured conntracks 2017-04-19 17:55:17 +02:00
pcmcia
ras
rdma IB/core: Restore I/O MMU, s390 and powerpc support 2017-03-24 21:51:16 -04:00
rxrpc
scsi
soc
sound
target target: fix ALUA transition timeout handling 2017-03-18 14:47:28 -07:00
trace There was some breakage with the changes for jump labels in the 4.11 merge 2017-03-07 09:37:28 -08:00
uapi netfilter: nft_ct: allow to set ctnetlink event types of a connection 2017-04-19 17:55:16 +02:00
video drm/exynos/decon5433: signal frame done interrupt at front porch 2017-03-21 13:17:22 +09:00
xen Merge branch 'stable/for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb 2017-03-07 10:23:17 -08:00
Kbuild