
Commit 20b7975e authored by Stefan Berger, committed by Patrick McHardy

Revert "netfilter: xt_connlimit: connlimit-above early loop termination"



This reverts commit 44bd4de9.

I have to revert the early loop termination in connlimit since it generates
problems when an iptables statement does not use -m state --state NEW before
the connlimit match extension.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
parent d846f711
+3 −10
@@ -97,8 +97,7 @@ static int count_them(struct net *net,
		      const struct nf_conntrack_tuple *tuple,
		      const union nf_inet_addr *addr,
		      const union nf_inet_addr *mask,
		      u_int8_t family,
		      unsigned int threshold)
		      u_int8_t family)
{
	const struct nf_conntrack_tuple_hash *found;
	struct xt_connlimit_conn *conn;
@@ -152,14 +151,9 @@ static int count_them(struct net *net,
			continue;
		}

		if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) {
		if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
			/* same source network -> be counted! */
			++matches;
			if (matches > threshold) {
				nf_ct_put(found_ct);
				break;
			}
		}
		nf_ct_put(found_ct);
	}

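Review bot: The loop body around `++matches` comes back with no comment explaining why the walk has to visit every entry, and the commit message only says that stopping early "generates problems" when the rule is not preceded by -m state --state NEW. A short comment at the `if (same_source_net(...))` test, stating what the remaining iterations are needed for, would keep the `if (matches > threshold)` break from being reintroduced later as an optimization. As a style point, the unbraced `if` now has a comment line between the condition and `++matches;`, which is easy to misread next to the unconditional `nf_ct_put(found_ct);` that follows; keeping the braces would be harmless.
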
@@ -213,8 +207,7 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)

	spin_lock_bh(&info->data->lock);
	connections = count_them(net, info->data, tuple_ptr, &addr,
	                         &info->mask, par->family,
	                         info->limit);
	                         &info->mask, par->family);
	spin_unlock_bh(&info->data->lock);

	if (connections < 0)
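
Review bot: With `info->limit` no longer passed down, the `count_them()` call here cannot stop early on the threshold, and the whole walk runs between `spin_lock_bh(&info->data->lock)` and the matching unlock, so the time spent with bottom halves disabled is no longer bounded by the limit. The commit message indicates that rules without -m state --state NEW are meant to keep working, so it is worth saying in the message, or in a comment above the lock, that this cost is accepted for correctness and that it is paid on each call to `connlimit_mt`.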