xt_connlimit 20070628 kernel
Jan Engelhardt
jengelh at computergmbh.de
Tue Jul 3 13:31:30 CEST 2007
On Jul 3 2007 13:14, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Each struct xt_connlimit_data is allowed to have a different hash
>> function, as long as each function is injective.
>>
>> A struct xt_connlimit_{info,data} is never fed both AF_INET and
>> AF_INET6 connections.
>> Hence it may use different hash functions for AF_INET and AF_INET6
>> connections.
>>
>> Does that help?
>
>
>Not really, you described the situation that led me to this question.
>I can see that you're not using the same hash for both and I question
>that.
See the patch below. It may help with understanding. (The code itself is
redundant, because the BUG_ONs will (should) never trigger.)
>>>Connections are identified by their tuples, you can derive them
>>>yourself and do a lookup based on that.
>>
>> connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the
>> tuple. nf_ct_get() can fail.
>> How else should I derive it?
>
>Use the conntrack tuple if one is available, otherwise use
>nf_ct_get_tuple().
So you are saying I should use...
nf_ct_get_tuple(skb, 0, 0, match->family, match->proto, &tuple,
what_l3, what_l4);
at the top of count_them() and get rid of the nf_ct_get() in connlimit_match?
Thanks,
Jan
---
net/netfilter/xt_connlimit.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
Index: linux-2.6.22/net/netfilter/xt_connlimit.c
===================================================================
--- linux-2.6.22.orig/net/netfilter/xt_connlimit.c
+++ linux-2.6.22/net/netfilter/xt_connlimit.c
@@ -36,6 +36,7 @@ struct xt_connlimit_conn {
struct xt_connlimit_data {
struct list_head iphash[256];
+ u_int16_t family;
spinlock_t lock;
};
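Review bot: the new `family` member is added to `struct xt_connlimit_data` without a comment saying what it records or who sets it. Since the surrounding discussion establishes that one private table only ever serves one address family, a one-line comment next to the field, e.g. `u_int16_t family; /* AF_INET or AF_INET6; set once in checkentry */`, would make the later BUG_ON()s self-explanatory.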
@@ -115,10 +116,13 @@ static int count_them(struct xt_connlimi
tuple = xct->tuplehash[0].tuple;
- if (family == AF_INET6)
+ if (family == AF_INET6) {
+ BUG_ON(data->family != AF_INET6);
hash = &data->iphash[connlimit_iphash6(addr, mask)];
- else
+ } else {
+ BUG_ON(data->family != AF_INET);
hash = &data->iphash[connlimit_iphash(addr->ip & mask->ip)];
+ }
read_lock_bh(&nf_conntrack_lock);
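Review bot: both BUG_ON()s compare `data->family`, set once in checkentry, against the `family` argument of count_them(), which comes from the same match, so they can only fire on a logic error inside the module itself, and they sit in the packet path where a BUG_ON takes the whole machine down. If the check is kept as a sanity check, `WARN_ON(data->family != family)` followed by an early return from count_them() keeps the diagnostic without turning a module bug into a crash; if it is purely documentation of the invariant, as the cover text suggests, a comment on the `family` field carries the same information at no runtime cost.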
@@ -245,6 +249,8 @@ static bool connlimit_check(const char *
for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
INIT_LIST_HEAD(&info->data->iphash[i]);
+ /* Tag private structure with the type it is going to be used */
+ info->data->family = match->family;
return true;
}
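Review bot: the added comment "Tag private structure with the type it is going to be used" is missing its preposition and says "type" where it means address family; "Record the address family this table is going to be used for" describes what the assignment stores. The assignment itself is fine where it is, since nothing reads `info->data->family` before checkentry returns, but setting it right after `info->data` is allocated would keep the family next to the initialisation of the family-specific hash table it qualifies.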
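As an added illustration of the point argued in the thread (one private table per rule, one address family per table, and therefore a family-specific hash of the masked source address), here is a small user-space model in C. It is not the kernel's xt_connlimit code and not part of this patch: the identifiers (climit_*, CLIMIT_*), the folding hash and the sample addresses are made up for this example, and where the patch uses BUG_ON() on a family mismatch the model returns an error instead.

```c
/* Added example, not kernel code: a user-space model of one connlimit
 * rule's private table, keyed by masked source address and tagged with
 * the address family it was initialised for. All climit_* / CLIMIT_*
 * names and the addresses used below are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define CLIMIT_BUCKETS 256
#define CLIMIT_CHAIN   4   /* fixed chain length; the kernel allocates nodes */

union climit_addr {
    uint32_t ip;       /* IPv4 address, network byte order */
    uint32_t ip6[4];   /* IPv6 address, network byte order */
};

struct climit_conn {
    union climit_addr addr;   /* masked source address */
    unsigned int count;       /* connections counted for that source */
    int used;
};

/* Per-rule private data: exactly one family, hence one hash function. */
struct climit_data {
    int family;               /* AF_INET or AF_INET6 */
    union climit_addr mask;
    struct climit_conn bucket[CLIMIT_BUCKETS][CLIMIT_CHAIN];
};

/* Fold a 32-bit word down to a bucket index. */
static unsigned int climit_fold(uint32_t x)
{
    return (x ^ (x >> 8) ^ (x >> 16) ^ (x >> 24)) & (CLIMIT_BUCKETS - 1);
}

/* Build the masked key and return its bucket. The IPv4 and IPv6 paths
 * differ, which is why the table has to know which family it serves. */
static unsigned int climit_key(const struct climit_data *d,
                               const union climit_addr *src,
                               union climit_addr *key)
{
    memset(key, 0, sizeof(*key));
    if (d->family == AF_INET6) {
        uint32_t x = 0;
        for (int i = 0; i < 4; ++i) {
            key->ip6[i] = src->ip6[i] & d->mask.ip6[i];
            x ^= key->ip6[i];
        }
        return climit_fold(x);
    }
    key->ip = src->ip & d->mask.ip;
    return climit_fold(key->ip);
}

/* Initialise a table for one family with a textual netmask; 0 on success. */
static int climit_init(struct climit_data *d, int family, const char *mask_text)
{
    memset(d, 0, sizeof(*d));
    d->family = family;
    return inet_pton(family, mask_text, &d->mask) == 1 ? 0 : -1;
}

/* Record one connection from src_text and return how many connections are
 * now counted for its masked source, or -1 on a family mismatch (the case
 * the patch guards with BUG_ON) or an unparsable address. */
static int climit_count(struct climit_data *d, int family, const char *src_text)
{
    union climit_addr src, key;

    if (family != d->family)
        return -1;
    if (inet_pton(family, src_text, &src) != 1)
        return -1;

    struct climit_conn *chain = d->bucket[climit_key(d, &src, &key)];
    for (int i = 0; i < CLIMIT_CHAIN; ++i)
        if (chain[i].used && memcmp(&chain[i].addr, &key, sizeof(key)) == 0)
            return (int)++chain[i].count;
    for (int i = 0; i < CLIMIT_CHAIN; ++i)
        if (!chain[i].used) {
            chain[i].used = 1;
            chain[i].addr = key;
            chain[i].count = 1;
            return 1;
        }
    return -1;   /* chain full; the real module would allocate a node */
}

int main(void)
{
    struct climit_data v4, v6;

    climit_init(&v4, AF_INET, "255.255.255.0");           /* a /24 mask */
    printf("v4 .10: %d\n", climit_count(&v4, AF_INET, "192.0.2.10"));
    printf("v4 .20: %d\n", climit_count(&v4, AF_INET, "192.0.2.20"));
    printf("v4 fed v6: %d\n", climit_count(&v4, AF_INET6, "2001:db8::1"));

    climit_init(&v6, AF_INET6, "ffff:ffff:ffff:ffff::");  /* a /64 mask */
    printf("v6 ::1: %d\n", climit_count(&v6, AF_INET6, "2001:db8::1"));
    printf("v6 ::2: %d\n", climit_count(&v6, AF_INET6, "2001:db8::2"));
    return 0;
}
```

The two sample sources in each family fall under the same mask and so share one counter, while handing a table an address of the other family is rejected up front rather than being hashed with the wrong function.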