The branch main has been updated by cy:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f3b94f47f55c502e8983f9bd294e963e75b2963a

commit f3b94f47f55c502e8983f9bd294e963e75b2963a
Author:     Cy Schubert <[email protected]>
AuthorDate: 2025-10-22 22:56:50 +0000
Commit:     Cy Schubert <[email protected]>
CommitDate: 2025-11-05 15:32:16 +0000

    ipfilter: Add an htable max size tuneable.
    
    Add an ipfilter runtime option (ipf -T) to adjust the default
    maximum hash table size. Default it to 1024 entries. It will be
    used by a subsequent commit to limit any damage due to excessively
    large hash table input by the user.
    
    Reviewed by:            markj
    MFC after:              1 week
    Differential revision:  https://reviews.freebsd.org/D53284
---
 sys/netpfil/ipfilter/netinet/ip_htable.c | 7 +++++++
 sys/netpfil/ipfilter/netinet/ip_htable.h | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c 
b/sys/netpfil/ipfilter/netinet/ip_htable.c
index 9680017eb399..39777508731f 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.c
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.c
@@ -97,6 +97,7 @@ typedef struct ipf_htable_softc_s {
        iphtable_t      *ipf_htables[LOOKUP_POOL_SZ];
        iphtent_t       *ipf_node_explist;
        ipftuneable_t   *ipf_htable_tune;
+       u_int           ipf_htable_size_max;
 } ipf_htable_softc_t;
 
 ipf_lookup_t ipf_htable_backend = {
@@ -124,6 +125,10 @@ ipf_lookup_t ipf_htable_backend = {
 
 
 static ipftuneable_t ipf_htable_tuneables[] = {
+       { { (void *)offsetof(ipf_htable_softc_t, ipf_htable_size_max) },
+               "htable_size_max",      1,      0x7fffffff,
+               stsizeof(ipf_htable_softc_t, ipf_htable_size_max),
+               0,                      NULL,   NULL },
        { { NULL },
                NULL,                   0,      0,
                0,
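Review bot: The new `htable_size_max` entry in ipf_htable_tuneables accepts any value from 1 to 0x7fffffff, so `ipf -T` can raise the cap high enough that it no longer bounds anything useful. Nothing visible in this commit reads ipf_htable_size_max yet; the description defers enforcement to a later change. That later check should presumably compare the user-supplied table size against the cap before any size-times-element-size arithmetic or allocation, since a value near 0x7fffffff could overflow such a product on 32-bit platforms. Consider a tighter upper bound, and a comment on the entry such as `/* maximum number of entries a user-supplied hash table may request */`. The array initializer continues past the end of the hunk.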
@@ -206,6 +211,8 @@ ipf_htable_soft_init(ipf_main_softc_t *softc, void *arg)
 
        bzero((char *)softh, sizeof(*softh));
 
+       softh->ipf_htable_size_max = IPHTABLE_MAX_SIZE;
+
        return (0);
 }
 
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.h 
b/sys/netpfil/ipfilter/netinet/ip_htable.h
index 55c289e57ff6..3a8782ccd4b2 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.h
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.h
@@ -55,6 +55,8 @@ typedef       struct  iphtable_s      {
        char    iph_name[FR_GROUPLEN];  /* hash table number */
 } iphtable_t;
 
+#define IPHTABLE_MAX_SIZE      1024
+
 /* iph_type */
 #define        IPHASH_LOOKUP   0
 #define        IPHASH_GROUPMAP 1
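Review bot: `IPHTABLE_MAX_SIZE` reads like a hard limit, but ipf_htable_soft_init only uses it as the initial value of the runtime-adjustable ipf_htable_size_max. A name such as `IPHTABLE_MAX_SIZE_DEFAULT` would say so. If the name stays, a comment would do, for example `/* default for the htable_size_max tuneable, in hash table entries */`, so that later code does not treat the macro as the enforced bound instead of the softc field.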
