[NETFILTER 02/02]: xt_hashlimit: fix limit off-by-one
Patrick McHardy
kaber at trash.net
Wed Aug 9 11:41:27 CEST 2006
[NETFILTER]: xt_hashlimit: fix limit off-by-one
Hashlimit doesn't account for the first packet, which is inconsistent with
the limit match.
Reported by ryan.castellucci at gmail.com, netfilter bugzilla #500.
Signed-off-by: Patrick McHardy <kaber at trash.net>
---
commit afe7e5033e79c86de718cb7fce5961a50b1352d3
tree 3c02c7e82f9471ccf72712dc7d8d2f030cbda4fc
parent 71c55528be7cf1199376a1b1c5489f60bf2b2617
author Patrick McHardy <kaber at trash.net> Wed, 09 Aug 2006 11:08:26 +0200
committer Patrick McHardy <kaber at trash.net> Wed, 09 Aug 2006 11:08:26 +0200
net/ipv4/netfilter/ipt_hashlimit.c | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 6b66244..3bd2368 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *sk
dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
hinfo->cfg.burst);
dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
-
- spin_unlock_bh(&hinfo->lock);
- return 1;
+ } else {
+ /* update expiration timeout */
+ dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+ rateinfo_recalc(dh, now);
}
- /* update expiration timeout */
- dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-
- rateinfo_recalc(dh, now);
if (dh->rateinfo.credit >= dh->rateinfo.cost) {
/* We're underlimit. */
dh->rateinfo.credit -= dh->rateinfo.cost;
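Review bot: In the new-entry branch that now closes at `} else {`, the visible lines set only rateinfo.credit_cap and rateinfo.cost, while the `dh->expires` update lives solely in the else branch. Please confirm that the expiry and the initial rateinfo.credit are both initialised above this hunk, because a freshly created entry now falls through to the `credit >= cost` test instead of returning 1 early. A short comment at the fall-through saying that the first packet is now charged like any other would document the intent stated in the commit message. Separately, the subject names xt_hashlimit but the diff touches net/ipv4/netfilter/ipt_hashlimit.c, so the prefix should match the file being changed.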