Revert "netfilter: xt_connlimit: connlimit-above early loop termination"
authorStefan Berger <stefanb@linux.vnet.ibm.com>
Mon, 14 Feb 2011 15:54:33 +0000 (16:54 +0100)
committerPatrick McHardy <kaber@trash.net>
Mon, 14 Feb 2011 15:54:33 +0000 (16:54 +0100)
This reverts commit 44bd4de9c2270b22c3c898310102bc6be9ed2978.

I have to revert the early loop termination in connlimit since it generates
problems when an iptables statement does not use -m state --state NEW before
the connlimit match extension.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/netfilter/xt_connlimit.c

index 82ce7c5fbbc25c0370426ee021aaca811e36da13..e029c4807404f3a4c5644cff7e9f8ef2618d1e7f 100644 (file)
@@ -97,8 +97,7 @@ static int count_them(struct net *net,
                      const struct nf_conntrack_tuple *tuple,
                      const union nf_inet_addr *addr,
                      const union nf_inet_addr *mask,
-                     u_int8_t family,
-                     unsigned int threshold)
+                     u_int8_t family)
 {
        const struct nf_conntrack_tuple_hash *found;
        struct xt_connlimit_conn *conn;
@@ -152,14 +151,9 @@ static int count_them(struct net *net,
                        continue;
                }
 
-               if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) {
+               if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
                        /* same source network -> be counted! */
                        ++matches;
-                       if (matches > threshold) {
-                               nf_ct_put(found_ct);
-                               break;
-                       }
-               }
                nf_ct_put(found_ct);
        }
 
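Review bot: The restored `if (same_source_net(addr, mask, &conn->tuple.src.u3, family))` now has a comment line sitting between the condition and its single statement `++matches;`, which is exactly the shape where a later edit adds a second line and silently changes control flow; keeping the braces, `if (same_source_net(...)) { /* same source network -> be counted! */ ++matches; }`, costs nothing and the diff against the reverted version stays the same size. The reason the loop must run to completion is recorded only in the commit message (the early `break` misbehaved without `-m state --state NEW`), so the next person to optimise this per-packet path under `spin_lock_bh` has nothing in the code to stop them reintroducing it; a one-line comment above the loop such as `/* Walk the whole list: breaking out early miscounted connections (see revert of 44bd4de9c2270b22c3c898310102bc6be9ed2978). */` would pin that. From the `continue` at the top of the hunk the walk presumably does more than count (dropping entries whose conntrack lookup failed), which is likely why a partial walk is unsafe, but the loop header and the code after `nf_ct_put(found_ct)` lie outside the hunk, as does the rest of count_them. Hunks 1 and 3 only plumb the removed threshold parameter and need no comment.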
@@ -213,8 +207,7 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
        spin_lock_bh(&info->data->lock);
        connections = count_them(net, info->data, tuple_ptr, &addr,
-                                &info->mask, par->family,
-                                info->limit);
+                                &info->mask, par->family);
        spin_unlock_bh(&info->data->lock);
 
        if (connections < 0)