[NETFILTER]: xt_hashlimit: fix limit off-by-one

Hashlimit doesn't account for the first packet, which is inconsistent with the limit match. Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-08-13 21:06:02 -0400
committer: David S. Miller <davem@davemloft.net> 2006-08-13 21:06:02 -0400
commit: 1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8 (patch)
tree: 45c4a21ee032a813df08dd4e4dc47b0a14fa571d /net/ipv4
parent: 97c802a113989800430a981b6f36b14c62163d37 (diff)
1 files changed, 4 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 6b662449e825..3bd2368e1fc9 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
                dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * 
                                                        hinfo->cfg.burst);
                dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
+        } else {
-                spin_unlock_bh(&hinfo->lock);
+                /* update expiration timeout */
-                return 1;
+                dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+                rateinfo_recalc(dh, now);
        }
-        /* update expiration timeout */
-        dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-        rateinfo_recalc(dh, now);
        if (dh->rateinfo.credit >= dh->rateinfo.cost) {
                /* We're underlimit. */
                dh->rateinfo.credit -= dh->rateinfo.cost;
author	Patrick McHardy <kaber@trash.net>	2006-08-13 21:06:02 -0400
committer	David S. Miller <davem@davemloft.net>	2006-08-13 21:06:02 -0400
commit	1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8 (patch)
tree	45c4a21ee032a813df08dd4e4dc47b0a14fa571d /net/ipv4
parent	97c802a113989800430a981b6f36b14c62163d37 (diff)

diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c index 6b662449e825..3bd2368e1fc9 100644 --- a/net/ipv4/netfilter/ipt_hashlimit.c +++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
454	dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *	454	dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
455	hinfo->cfg.burst);	455	hinfo->cfg.burst);
456	dh->rateinfo.cost = user2credits(hinfo->cfg.avg);	456	dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
457		457	} else {
458	spin_unlock_bh(&hinfo->lock);	458	/* update expiration timeout */
459	return 1;	459	dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
		460	rateinfo_recalc(dh, now);
460	}	461	}
461		462
462	/* update expiration timeout */
463	dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
464
465	rateinfo_recalc(dh, now);
466	if (dh->rateinfo.credit >= dh->rateinfo.cost) {	463	if (dh->rateinfo.credit >= dh->rateinfo.cost) {
467	/* We're underlimit. */	464	/* We're underlimit. */
468	dh->rateinfo.credit -= dh->rateinfo.cost;	465	dh->rateinfo.credit -= dh->rateinfo.cost;