
Commit 1c7628bd authored by Patrick McHardy, committed by David S. Miller

[NETFILTER]: xt_hashlimit: fix limit off-by-one



Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.

Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 97c802a1
+4 −7
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
		dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * 
							hinfo->cfg.burst);
		dh->rateinfo.cost = user2credits(hinfo->cfg.avg);

		spin_unlock_bh(&hinfo->lock);
		return 1;
	}

	} else {
		/* update expiration timeout */
		dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);

		rateinfo_recalc(dh, now);
	}

	if (dh->rateinfo.credit >= dh->rateinfo.cost) {
		/* We're underlimit. */
		dh->rateinfo.credit -= dh->rateinfo.cost;
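
Review bot: In the new-entry branch, once the early `spin_unlock_bh(&hinfo->lock); return 1;` no longer applies, the first packet is decided by the `dh->rateinfo.credit >= dh->rateinfo.cost` test at the bottom of the hunk, yet the visible lines of that branch only set `credit_cap` and `cost`. Please confirm that `rateinfo.credit` is initialised before this point (presumably just above the hunk), since otherwise the first packet of every new entry would be judged against an unset credit value. A one-line comment in that branch stating that the first packet is now charged like any other would make the intent obvious to the next reader, and because this changes how many packets a configured burst lets through, the changelog could say so for users with existing hashlimit rules.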