diff options
| author | Stefan Berger <stefanb@linux.vnet.ibm.com> | 2011-02-14 10:54:33 -0500 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2011-02-14 10:54:33 -0500 |
| commit | 20b7975e5aefc7fd08b7f582f3901b1669725cd0 (patch) | |
| tree | b11e232bd7200281ab3ec90ed5765fe51fce9562 /net | |
| parent | d846f71195d57b0bbb143382647c2c6638b04c5a (diff) | |
Revert "netfilter: xt_connlimit: connlimit-above early loop termination"
This reverts commit 44bd4de9c2270b22c3c898310102bc6be9ed2978.
I have to revert the early loop termination in connlimit since it generates
problems when an iptables statement does not use -m state --state NEW before
the connlimit match extension.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_connlimit.c | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 82ce7c5fbbc2..e029c4807404 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c | |||
| @@ -97,8 +97,7 @@ static int count_them(struct net *net, | |||
| 97 | const struct nf_conntrack_tuple *tuple, | 97 | const struct nf_conntrack_tuple *tuple, |
| 98 | const union nf_inet_addr *addr, | 98 | const union nf_inet_addr *addr, |
| 99 | const union nf_inet_addr *mask, | 99 | const union nf_inet_addr *mask, |
| 100 | u_int8_t family, | 100 | u_int8_t family) |
| 101 | unsigned int threshold) | ||
| 102 | { | 101 | { |
| 103 | const struct nf_conntrack_tuple_hash *found; | 102 | const struct nf_conntrack_tuple_hash *found; |
| 104 | struct xt_connlimit_conn *conn; | 103 | struct xt_connlimit_conn *conn; |
| @@ -152,14 +151,9 @@ static int count_them(struct net *net, | |||
| 152 | continue; | 151 | continue; |
| 153 | } | 152 | } |
| 154 | 153 | ||
| 155 | if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) { | 154 | if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) |
| 156 | /* same source network -> be counted! */ | 155 | /* same source network -> be counted! */ |
| 157 | ++matches; | 156 | ++matches; |
| 158 | if (matches > threshold) { | ||
| 159 | nf_ct_put(found_ct); | ||
| 160 | break; | ||
| 161 | } | ||
| 162 | } | ||
| 163 | nf_ct_put(found_ct); | 157 | nf_ct_put(found_ct); |
| 164 | } | 158 | } |
| 165 | 159 | ||
| @@ -213,8 +207,7 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 213 | 207 | ||
| 214 | spin_lock_bh(&info->data->lock); | 208 | spin_lock_bh(&info->data->lock); |
| 215 | connections = count_them(net, info->data, tuple_ptr, &addr, | 209 | connections = count_them(net, info->data, tuple_ptr, &addr, |
| 216 | &info->mask, par->family, | 210 | &info->mask, par->family); |
| 217 | info->limit); | ||
| 218 | spin_unlock_bh(&info->data->lock); | 211 | spin_unlock_bh(&info->data->lock); |
| 219 | 212 | ||
| 220 | if (connections < 0) | 213 | if (connections < 0) |