[netfilter-cvslog] r3308 - in trunk/patch-o-matic-ng/set: linux/include/linux/netfilter_ipv4 linux/net/ipv4/netfilter linux-2.6/include/linux/netfilter_ipv4 linux-2.6/net/ipv4/netfilter

kadlec at netfilter.org kadlec at netfilter.org
Mon Dec 6 10:33:00 CET 2004


Author: kadlec at netfilter.org
Date: 2004-12-06 10:32:59 +0100 (Mon, 06 Dec 2004)
New Revision: 3308

Added:
   trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h
   trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h
Modified:
   trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h
   trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h
   trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
   trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c
   trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
   trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
   trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h
   trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h
   trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c
   trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c
   trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c
   trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c
   trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c
Log:
macipmap bugfix with normalized memory management (JK)


Modified: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,8 +66,8 @@
 
 #define IP_SET_INVALID_ID	65535
 
-/* How deep we follow bindings (minus one) */
-#define IP_SET_MAX_BINDINGS	7
+/* How deep we follow bindings  */
+#define IP_SET_MAX_BINDINGS	6
 
 /*
  * Option flags for kernel operations (ipt_set_info)

Added: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -0,0 +1,27 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
+#ifdef __KERNEL__
+
+/* Memory allocation and deallocation */
+static size_t max_malloc_size = 131072;		/* Guaranteed: slab.c */
+
+static inline void * ip_set_malloc(size_t bytes)
+{
+	if (bytes > max_malloc_size)
+		return vmalloc(bytes);
+	else
+		return kmalloc(bytes, GFP_KERNEL);
+}
+
+static inline void ip_set_free(void * data, size_t bytes)
+{
+	if (bytes > max_malloc_size)
+		vfree(data);
+	else
+		kfree(data);
+}
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
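Review bot: ip_set_free() picks kfree() or vfree() from its `bytes` argument alone, so a caller that passes a size different from the one given to ip_set_malloc() releases the buffer with the wrong allocator, and the header does not document that contract. I would add above ip_set_free(): `/* bytes must be exactly the size passed to ip_set_malloc() for this buffer */`. The header also calls kmalloc() and vmalloc() without including `<linux/slab.h>` and `<linux/vmalloc.h>` itself, so it only builds when the including file pulls them in first. Since the threshold never changes in this variant, `static const size_t max_malloc_size = 131072;` would rule out it differing between allocation and free.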

Modified: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -5,7 +5,7 @@
 
 struct ipt_set_info {
 	ip_set_id_t index;
-	u_int32_t flags[IP_SET_MAX_BINDINGS];
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
 };
 
 /* match info */

Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -1087,16 +1087,22 @@
 	set_list->ref = atomic_read(&set->ref);
 
 	/* Fill in set spefific header data */
+	DP("call list_header");
 	set->type->list_header(set, data + *used);
+	DP("call list_header, done");
 	*used += set_list->header_size;
 
 	/* Get and ensure set specific members size */
+	DP("call list_members_size");
 	set_list->members_size = set->type->list_members_size(set);
+	DP("call list_members_size, done");
 	if (*used + set_list->members_size > len)
 		goto unlock_set;
 
 	/* Fill in set spefific members data */
+	DP("call list_members");
 	set->type->list_members(set, data + *used);
+	DP("call list_members, done");
 	*used += set_list->members_size;
 	read_unlock_bh(&set->lock);
 

Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -22,6 +22,7 @@
 
 #include <net/ip.h>
 
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
 #include <linux/netfilter_ipv4/ip_set_iphash.h>
 #include <linux/netfilter_ipv4/ip_set_jhash.h>
 #include <linux/netfilter_ipv4/ip_set_prime.h>
@@ -176,7 +177,7 @@
 	tmp.hashsize = hashsize;
 	
 	newbytes = hashsize * sizeof(ip_set_ip_t);
-	tmp.members = vmalloc(newbytes);
+	tmp.members = ip_set_malloc(newbytes);
 	if (!tmp.members) {
 		DP("out of memory for %d bytes", newbytes);
 		return -ENOMEM;
@@ -191,20 +192,22 @@
 	}
 	if (res) {
 		/* Failure, try again */
-		vfree(tmp.members);
 		write_unlock_bh(&set->lock);
+		ip_set_free(tmp.members, newbytes);
 		goto again;
 	}
 	
 	/* Success at resizing! */
 	members = map->members;
+	hashsize = map->hashsize;
+	
 	map->initval = tmp.initval;
 	map->prime = tmp.prime;
 	map->hashsize = tmp.hashsize;
 	map->members = tmp.members;
 	write_unlock_bh(&set->lock);
 
-	vfree(members);
+	ip_set_free(members, hashsize * sizeof(ip_set_ip_t));
 
 	return 0;
 }
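Review bot: Reusing `hashsize` to carry the old table size after the swap makes the final `ip_set_free(members, hashsize * sizeof(ip_set_ip_t))` hard to audit, because the same variable held the requested new size a few lines earlier. ip_set_free() chooses the allocator from the size it is given, so a dedicated local set under the lock, `oldbytes = map->hashsize * sizeof(ip_set_ip_t);` next to `members = map->members;`, would make the alloc/free pairing explicit. The destroy hunk further down and the linux-2.6 copies of both hunks recompute the size in the same way. The function starts outside this hunk, so the declaration of `hashsize` and the `again` label are not visible here.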
@@ -280,7 +283,7 @@
 	map->resize = req->resize;
 	map->netmask = req->netmask;
 	newbytes = map->hashsize * sizeof(ip_set_ip_t);
-	map->members = vmalloc(newbytes);
+	map->members = ip_set_malloc(newbytes);
 	if (!map->members) {
 		DP("out of memory for %d bytes", newbytes);
 		kfree(map);
@@ -296,7 +299,7 @@
 {
 	struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
 
-	vfree(map->members);
+	ip_set_free(map->members, map->hashsize * sizeof(ip_set_ip_t));
 	kfree(map);
 
 	set->data = NULL;

Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -23,6 +23,7 @@
 #include <linux/if_ether.h>
 #include <linux/vmalloc.h>
 
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
 #include <linux/netfilter_ipv4/ip_set_macipmap.h>
 
 static int
@@ -47,8 +48,6 @@
 	   set->name, NIPQUAD(req->ip), NIPQUAD(*hash_ip));		
 	if (test_bit(IPSET_MACIP_ISSET,
 		     &table[req->ip - map->first_ip].flags)) {
-		/* Is mac pointer valid?
-		 * If so, compare... */
 		return (memcmp(req->ethernet,
 			       &table[req->ip - map->first_ip].ethernet,
 			       ETH_ALEN) == 0);
@@ -192,6 +191,11 @@
 		       hash_ip);
 }
 
+static inline size_t members_size(ip_set_id_t from, ip_set_id_t to)
+{
+	return (size_t)((to - from + 1) * sizeof(struct ip_set_macip));
+}
+
 static int create(struct ip_set *set, const void *data, size_t size)
 {
 	int newbytes;
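Review bot: members_size() declares its parameters as `ip_set_id_t`, but every caller in this file passes `map->first_ip` and `map->last_ip`, which are address values. `ip_set_id_t` looks like the set index type (IP_SET_INVALID_ID is 65535 in ip_set.h), so if it is narrower than the address type the arguments are truncated and `to - from + 1` can come out wrong or negative, which would give a bogus length to the allocation, the memset and the memcpy that now all depend on this helper. Both type definitions are outside this page, so this needs confirming, but the signature should use the address type: `static inline size_t members_size(ip_set_ip_t from, ip_set_ip_t to)`. The linux-2.6 copy of this hunk has the same signature.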
@@ -229,8 +233,9 @@
 	map->flags = req->flags;
 	map->first_ip = req->from;
 	map->last_ip = req->to;
-	newbytes = (req->to - req->from + 1) * sizeof(struct ip_set_macip);
-	map->members = vmalloc(newbytes);
+	newbytes = members_size(map->first_ip, map->last_ip);
+	map->members = ip_set_malloc(newbytes);
+	DP("members: %u %p", newbytes, map->members);
 	if (!map->members) {
 		DP("out of memory for %d bytes", newbytes);
 		kfree(map);
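Review bot: `newbytes` is declared `int` (visible at the top of create() in the previous hunk) while members_size() returns `size_t`, so the value is narrowed before it reaches ip_set_malloc(), whereas the destroy hunk passes the un-narrowed `size_t` to ip_set_free(); declaring it `size_t newbytes;` keeps both sides on the same value. The added `DP("members: %u %p", ...)` also runs before the NULL check and prints an `int` with `%u`, and the list_members_size hunk passes a `size_t` to `%u`, which does not match on 64-bit builds. `int bytes` in the list_members hunk and the linux-2.6 create hunk narrow the same way. How `req->from` and `req->to` are validated is outside this hunk.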
@@ -247,7 +252,7 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	vfree(map->members);
+	ip_set_free(map->members, members_size(map->first_ip, map->last_ip));
 	kfree(map);
 
 	set->data = NULL;
@@ -257,8 +262,7 @@
 {
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
-	memset(map->members, 0, (map->last_ip - map->first_ip)
-	       * sizeof(struct ip_set_macip));
+	memset(map->members, 0, members_size(map->first_ip, map->last_ip));
 }
 
 static int list_header_size(const struct ip_set *set)
@@ -286,8 +290,8 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	return (map->last_ip
-		- map->first_ip + 1) * sizeof(struct ip_set_macip);
+	DP("%u", members_size(map->first_ip, map->last_ip));
+	return members_size(map->first_ip, map->last_ip);
 }
 
 static void list_members(const struct ip_set *set, void *data)
@@ -295,9 +299,9 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	int bytes = (map->last_ip - 
-		     - map->first_ip + 1) * sizeof(struct ip_set_macip);
+	int bytes = members_size(map->first_ip, map->last_ip);
 
+	DP("members: %u %p", bytes, map->members);
 	memcpy(data, map->members, bytes);
 }
 

Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -78,7 +78,11 @@
 			return 0;	/* error */
 		}
 	}
-
+	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+		ip_set_printk("That's nasty!");
+		return 0;	/* error */
+	}
 	return 1;
 }
 
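Review bot: The added check rejects a rule whose last `flags` slot is non-zero, but neither the code nor the message says why, and `ip_set_printk("That's nasty!")` gives an administrator nothing to act on when rule loading fails. Judging from the `flags[IP_SET_MAX_BINDINGS + 1]` change in ipt_set.h, the extra slot looks like a zero terminator for the flags walk, so I would add a comment such as `/* last slot must stay zero: it terminates the flags walk */` and log `ip_set_printk("flags array is not zero-terminated");` instead. The same applies to the ipt_set.c hunk and to both linux-2.6 copies. The enclosing function starts outside this hunk.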

Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -68,6 +68,10 @@
 			      info->match_set.index);
 		return 0;	/* error */
 	}
+	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+		ip_set_printk("That's nasty!");
+		return 0;	/* error */
+	}
 
 	return 1;
 }

Modified: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,8 +66,8 @@
 
 #define IP_SET_INVALID_ID	65535
 
-/* How deep we follow bindings (minus one) */
-#define IP_SET_MAX_BINDINGS	7
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS	6
 
 /*
  * Option flags for kernel operations (ipt_set_info)

Added: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -0,0 +1,34 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
+#ifdef __KERNEL__
+
+/* Memory allocation and deallocation */
+static size_t max_malloc_size = 0;
+
+static inline void init_max_malloc_size(void)
+{
+#define CACHE(x) max_malloc_size = x;
+#include <linux/kmalloc_sizes.h>
+#undef CACHE
+}
+
+static inline void * ip_set_malloc(size_t bytes)
+{
+	if (bytes > max_malloc_size)
+		return vmalloc(bytes);
+	else
+		return kmalloc(bytes, GFP_KERNEL);
+}
+
+static inline void ip_set_free(void * data, size_t bytes)
+{
+	if (bytes > max_malloc_size)
+		vfree(data);
+	else
+		kfree(data);
+}
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
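Review bot: `max_malloc_size` is a `static` variable defined in a header and starts at 0, so every file that includes ip_set_malloc.h gets its own copy, which is only correct after that file has called init_max_malloc_size(). A file that forgets the call silently sends every non-empty allocation to vmalloc(), and a buffer allocated in one file and released in another could be freed with the wrong allocator. I would document this above the variable, e.g. `/* per-file copy: call init_max_malloc_size() from module init before any ip_set_malloc() */`. The `CACHE(x)` assignment also relies on `<linux/kmalloc_sizes.h>` listing sizes in ascending order so that the last one wins, which deserves a one-line comment.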

Modified: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h	2004-12-06 09:32:59 UTC (rev 3308)
@@ -5,7 +5,7 @@
 
 struct ipt_set_info {
 	ip_set_id_t index;
-	u_int32_t flags[IP_SET_MAX_BINDINGS];
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
 };
 
 /* match info */

Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -21,6 +21,7 @@
 
 #include <net/ip.h>
 
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
 #include <linux/netfilter_ipv4/ip_set_iphash.h>
 #include <linux/netfilter_ipv4/ip_set_jhash.h>
 #include <linux/netfilter_ipv4/ip_set_prime.h>
@@ -175,7 +176,7 @@
 	tmp.hashsize = hashsize;
 	
 	newbytes = hashsize * sizeof(ip_set_ip_t);
-	tmp.members = vmalloc(newbytes);
+	tmp.members = ip_set_malloc(newbytes);
 	if (!tmp.members) {
 		DP("out of memory for %d bytes", newbytes);
 		return -ENOMEM;
@@ -190,20 +191,22 @@
 	}
 	if (res) {
 		/* Failure, try again */
-		vfree(tmp.members);
 		write_unlock_bh(&set->lock);
+		ip_set_free(tmp.members, newbytes);
 		goto again;
 	}
 	
 	/* Success at resizing! */
 	members = map->members;
+	hashsize = map->hashsize;
+
 	map->initval = tmp.initval;
 	map->prime = tmp.prime;
 	map->hashsize = tmp.hashsize;
 	map->members = tmp.members;
 	write_unlock_bh(&set->lock);
 
-	vfree(members);
+	ip_set_free(members, hashsize * sizeof(ip_set_ip_t));
 
 	return 0;
 }
@@ -279,7 +282,7 @@
 	map->resize = req->resize;
 	map->netmask = req->netmask;
 	newbytes = map->hashsize * sizeof(ip_set_ip_t);
-	map->members = vmalloc(newbytes);
+	map->members = ip_set_malloc(newbytes);
 	if (!map->members) {
 		DP("out of memory for %d bytes", newbytes);
 		kfree(map);
@@ -295,7 +298,7 @@
 {
 	struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
 
-	vfree(map->members);
+	ip_set_free(map->members, map->hashsize * sizeof(ip_set_ip_t));
 	kfree(map);
 
 	set->data = NULL;
@@ -367,6 +370,7 @@
 
 static int __init init(void)
 {
+	init_max_malloc_size();
 	return ip_set_register_set_type(&ip_set_iphash);
 }
 

Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -22,6 +22,7 @@
 #include <linux/if_ether.h>
 #include <linux/vmalloc.h>
 
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
 #include <linux/netfilter_ipv4/ip_set_macipmap.h>
 
 static int
@@ -46,8 +47,6 @@
 	   set->name, NIPQUAD(req->ip), NIPQUAD(*hash_ip));		
 	if (test_bit(IPSET_MACIP_ISSET,
 		     (void *) &table[req->ip - map->first_ip].flags)) {
-		/* Is mac pointer valid?
-		 * If so, compare... */
 		return (memcmp(req->ethernet,
 			       &table[req->ip - map->first_ip].ethernet,
 			       ETH_ALEN) == 0);
@@ -192,6 +191,11 @@
 		       hash_ip);
 }
 
+static inline size_t members_size(ip_set_id_t from, ip_set_id_t to)
+{
+	return (size_t)((to - from + 1) * sizeof(struct ip_set_macip));
+}
+
 static int create(struct ip_set *set, const void *data, size_t size)
 {
 	int newbytes;
@@ -229,8 +233,8 @@
 	map->flags = req->flags;
 	map->first_ip = req->from;
 	map->last_ip = req->to;
-	newbytes = (req->to - req->from + 1) * sizeof(struct ip_set_macip);
-	map->members = vmalloc(newbytes);
+	newbytes = members_size(map->first_ip, map->last_ip);
+	map->members = ip_set_malloc(newbytes);
 	if (!map->members) {
 		DP("out of memory for %d bytes", newbytes);
 		kfree(map);
@@ -247,7 +251,7 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	vfree(map->members);
+	ip_set_free(map->members, members_size(map->first_ip, map->last_ip));
 	kfree(map);
 
 	set->data = NULL;
@@ -257,8 +261,7 @@
 {
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
-	memset(map->members, 0, (map->last_ip - map->first_ip)
-	       * sizeof(struct ip_set_macip));
+	memset(map->members, 0, members_size(map->first_ip, map->last_ip));
 }
 
 static int list_header_size(const struct ip_set *set)
@@ -286,8 +289,7 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	return (map->last_ip
-		- map->first_ip + 1) * sizeof(struct ip_set_macip);
+	return members_size(map->first_ip, map->last_ip);
 }
 
 static void list_members(const struct ip_set *set, void *data)
@@ -295,8 +297,7 @@
 	struct ip_set_macipmap *map =
 	    (struct ip_set_macipmap *) set->data;
 
-	int bytes = (map->last_ip - 
-		     - map->first_ip + 1) * sizeof(struct ip_set_macip);
+	int bytes = members_size(map->first_ip, map->last_ip);
 
 	memcpy(data, map->members, bytes);
 }
@@ -328,6 +329,7 @@
 
 static int __init init(void)
 {
+	init_max_malloc_size();
 	return ip_set_register_set_type(&ip_set_macipmap);
 }
 

Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -78,6 +78,11 @@
 			return 0;	/* error */
 		}
 	}
+	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+		ip_set_printk("That's nasty!");
+		return 0;	/* error */
+	}
 
 	return 1;
 }

Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c	2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c	2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,6 +66,10 @@
 			      info->match_set.index);
 		return 0;	/* error */
 	}
+	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+		ip_set_printk("That's nasty!");
+		return 0;	/* error */
+	}
 
 	return 1;
 }



