diff options
author | Patrick McHardy <kaber@trash.net> | 2006-08-13 21:06:02 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-08-13 21:06:02 -0400 |
commit | 1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8 (patch) | |
tree | 45c4a21ee032a813df08dd4e4dc47b0a14fa571d | |
parent | 97c802a113989800430a981b6f36b14c62163d37 (diff) |
[NETFILTER]: xt_hashlimit: fix limit off-by-one
Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.
Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ipt_hashlimit.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c index 6b662449e825..3bd2368e1fc9 100644 --- a/net/ipv4/netfilter/ipt_hashlimit.c +++ b/net/ipv4/netfilter/ipt_hashlimit.c | |||
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb, | |||
454 | dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * | 454 | dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * |
455 | hinfo->cfg.burst); | 455 | hinfo->cfg.burst); |
456 | dh->rateinfo.cost = user2credits(hinfo->cfg.avg); | 456 | dh->rateinfo.cost = user2credits(hinfo->cfg.avg); |
457 | 457 | } else { | |
458 | spin_unlock_bh(&hinfo->lock); | 458 | /* update expiration timeout */ |
459 | return 1; | 459 | dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); |
460 | rateinfo_recalc(dh, now); | ||
460 | } | 461 | } |
461 | 462 | ||
462 | /* update expiration timeout */ | ||
463 | dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); | ||
464 | |||
465 | rateinfo_recalc(dh, now); | ||
466 | if (dh->rateinfo.credit >= dh->rateinfo.cost) { | 463 | if (dh->rateinfo.credit >= dh->rateinfo.cost) { |
467 | /* We're underlimit. */ | 464 | /* We're underlimit. */ |
468 | dh->rateinfo.credit -= dh->rateinfo.cost; | 465 | dh->rateinfo.credit -= dh->rateinfo.cost; |