| author | Vasily Averin <vasily.averin@linux.dev> | 2022-03-24 21:05:50 +0300 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-03-28 11:11:23 +0300 |
| commit | 33758c891479ea1c736abfee64b5225925875557 (patch) | |
| tree | c7c0a388313a1894e13529f422e2265ab830fb00 /net/netfilter/core.c | |
| parent | f2dd495a8d589371289981d5ed33e6873df94ecc (diff) | |
| download | linux-33758c891479ea1c736abfee64b5225925875557.tar.xz | |
memcg: enable accounting for nft objects
nftables replaces iptables, but it lacks memcg accounting.
This patch accounts most of the memory allocation associated with nft
and should protect the host from misusing nft inside a memcg-restricted
container.
Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/core.c')
-rw-r--r-- | net/netfilter/core.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 8a77a3fd69bc..77ae3e8d344c 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num) if (num == 0) return NULL; - e = kvzalloc(alloc, GFP_KERNEL); + e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT); if (e) e->num_hook_entries = num; return e; |
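Review bot: the commit message claims to account "most of the memory allocation associated with nft" but names neither the allocations that remain unaccounted nor the companion changes that cover the rest; with the diffstat limited to net/netfilter/core.c, this hunk shows only the single `e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);` switch in allocate_hook_entries_size(), so a reviewer cannot judge from this page alone how much of the nft footprint a memcg-restricted container can still allocate uncharged. Suggest either listing the remaining unaccounted paths in the message or replacing "most" with a precise statement of what this series charges to the caller's memcg, so the residual exposure is documented alongside the fix.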