netfilter: connlimit: improve packet-to-closed-connection logic (d9ec4f1e) · Commits · e / devices / android_kernel_fairphone_FP4

net/netfilter/xt_connlimit.c

+8 −15

Original line number	Original line	Diff line number	Diff line
	@@ -112,29 +112,22 @@ static int count_hlist(struct net *net,
	hlist_for_each_entry_safe(conn, n, head, node) {		hlist_for_each_entry_safe(conn, n, head, node) {
	found = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,		found = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,
	&conn->tuple);		&conn->tuple);
	found_ct = NULL;		if (found == NULL) {
			hlist_del(&conn->node);
			kfree(conn);
			continue;
			}

	if (found != NULL)
	found_ct = nf_ct_tuplehash_to_ctrack(found);		found_ct = nf_ct_tuplehash_to_ctrack(found);

	if (found_ct != NULL &&		if (nf_ct_tuple_equal(&conn->tuple, tuple)) {
	nf_ct_tuple_equal(&conn->tuple, tuple) &&
	!already_closed(found_ct))
	/*		/*
	* Just to be sure we have it only once in the list.		* Just to be sure we have it only once in the list.
	* We should not see tuples twice unless someone hooks		* We should not see tuples twice unless someone hooks
	* this into a table without "-p tcp --syn".		* this into a table without "-p tcp --syn".
	*/		*/
	addit = false;		addit = false;
			} else if (already_closed(found_ct)) {
	if (found == NULL) {
	/* this one is gone */
	hlist_del(&conn->node);
	kfree(conn);
	continue;
	}

	if (already_closed(found_ct)) {
	/*		/*
	* we do not care about connections which are		* we do not care about connections which are
	* closed already -> ditch it		* closed already -> ditch it