xt_connlimit 20070707 kernel

Jan Engelhardt jengelh at computergmbh.de
Wed Jul 11 20:18:53 CEST 2007


On Jul 11 2007 20:04, Patrick McHardy wrote:
>> [...]
>> 
>> But, nf_ct_get_tuplepr() returns with 1, and I am not sure why.
>
>Thats expected I guess, 1 is usually "success" for the tuple parsing
>functions.
>
Such functions should at best return bool :(
Anyway, please take this patch (to be folded onto xt_connlimit) -
runtime-'tested' this time.

Thanks,
	Jan
===
---
 net/netfilter/xt_connlimit.c |   22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)

Index: net-2.6/net/netfilter/xt_connlimit.c
===================================================================
--- net-2.6.orig/net/netfilter/xt_connlimit.c
+++ net-2.6/net/netfilter/xt_connlimit.c
@@ -185,31 +185,19 @@ static bool connlimit_match(const struct
 			    unsigned int protoff, bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
-	const struct nf_conntrack_tuple *tuple_ptr;
 	union nf_conntrack_address addr, mask;
 	struct nf_conntrack_tuple tuple;
+	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
 	enum ip_conntrack_info ctinfo;
 	const struct nf_conn *ct;
 	int connections;
 
 	ct = nf_ct_get(skb, &ctinfo);
-	if (ct != NULL) {
+	if (ct != NULL)
 		tuple_ptr = &ct->tuplehash[0].tuple;
-	} else {
-		struct nf_conntrack_l3proto *l3proto;
-		struct nf_conntrack_l4proto *l4proto;
-
-		l3proto = __nf_ct_l3proto_find(match->family);
-		if (l3proto == NULL)
-			goto hotdrop;
-		l4proto = __nf_ct_l4proto_find(match->family, match->proto);
-		if (l4proto == NULL)
-			goto hotdrop;
-		if (nf_ct_get_tuple(skb, 0, 0, match->family, match->proto,
-		    &tuple, NULL, NULL) != 0)
-			goto hotdrop;
-		tuple_ptr = &tuple;
-	}
+	else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
+	    match->family, &tuple))
+		goto hotdrop;
 
 	if (match->family == AF_INET6) {
 		const struct ipv6hdr *iph = ipv6_hdr(skb);
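Review bot: The `!nf_ct_get_tuplepr(...)` test on the new `else if` lines reads as a failure check only if the reader knows the function's true-on-success convention, which the thread above shows was not obvious even to the author; a one-line comment on the `else if` would spare the next maintainer the same detour, e.g. `/* no conntrack entry: rebuild the tuple from the packet headers; nf_ct_get_tuplepr() returns true on success, anything unparsable is hotdropped */`. That comment also records the fail-closed behaviour worth preserving here: a packet whose tuple cannot be derived is dropped rather than counted against, or exempted from, the connection limit. Note that the removed branch passed `match->proto` explicitly while the replacement derives the transport protocol from the packet itself; if that distinction matters for the match it should be stated, though nothing in the hunk shows it does. connlimit_match() begins before and continues after this hunk.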


