xt_connlimit 20070707 kernel
Jan Engelhardt
jengelh at computergmbh.de
Wed Jul 11 20:19:31 CEST 2007
On Jul 11 2007 20:18, Jan Engelhardt wrote:
>>That's expected, I guess; 1 is usually "success" for the tuple-parsing
>>functions.
>>
>Such functions should at best return bool :(
>Anyway, please take this patch (to be folded onto xt_connlimit) -
>runtime-'tested' this time.
>
>Thanks,
> Jan
>===
Signed-off-by: Jan Engelhardt <jengelh at gmx.de>
>---
> net/netfilter/xt_connlimit.c | 22 +++++-----------------
> 1 file changed, 5 insertions(+), 17 deletions(-)
>
>Index: net-2.6/net/netfilter/xt_connlimit.c
>===================================================================
>--- net-2.6.orig/net/netfilter/xt_connlimit.c
>+++ net-2.6/net/netfilter/xt_connlimit.c
>@@ -185,31 +185,19 @@ static bool connlimit_match(const struct
> unsigned int protoff, bool *hotdrop)
> {
> const struct xt_connlimit_info *info = matchinfo;
>- const struct nf_conntrack_tuple *tuple_ptr;
> union nf_conntrack_address addr, mask;
> struct nf_conntrack_tuple tuple;
>+ const struct nf_conntrack_tuple *tuple_ptr = &tuple;
> enum ip_conntrack_info ctinfo;
> const struct nf_conn *ct;
> int connections;
>
> ct = nf_ct_get(skb, &ctinfo);
>- if (ct != NULL) {
>+ if (ct != NULL)
> tuple_ptr = &ct->tuplehash[0].tuple;
>- } else {
>- struct nf_conntrack_l3proto *l3proto;
>- struct nf_conntrack_l4proto *l4proto;
>-
>- l3proto = __nf_ct_l3proto_find(match->family);
>- if (l3proto == NULL)
>- goto hotdrop;
>- l4proto = __nf_ct_l4proto_find(match->family, match->proto);
>- if (l4proto == NULL)
>- goto hotdrop;
>- if (nf_ct_get_tuple(skb, 0, 0, match->family, match->proto,
>- &tuple, NULL, NULL) != 0)
>- goto hotdrop;
>- tuple_ptr = &tuple;
>- }
>+ else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
>+ match->family, &tuple))
>+ goto hotdrop;
>
> if (match->family == AF_INET6) {
> const struct ipv6hdr *iph = ipv6_hdr(skb);
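Review bot: The fallback branch at the new `else if` drops the explicit l3proto/l4proto NULL checks and the `match->proto` argument of the old code, so a reader can no longer see from this function which failure cases end in hotdrop; presumably nf_ct_get_tuplepr looks the handlers up itself and returns false for an unknown protocol as well as for a malformed header, but that should be confirmed and stated here. A one-line comment above the branch would record it: `/* no conntrack entry: rebuild the tuple from the packet; unknown protocol or truncated header -> hotdrop */`. Note also that the L4 protocol is now taken from the packet rather than from `match->proto`, which is only equivalent if the protocol has already been matched earlier in the rule. connlimit_match and the hotdrop label continue outside the hunk.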
>
Jan