Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

netfilter: connlimit: improve packet-to-closed-connection logic

Instead of freeing the entry from our list and then adding
it back again in the 'packet to closing connection' case just keep the
matching entry around.  Also drop the found_ct != NULL test as
nf_ct_tuplehash_to_ctrack is just container_of().

Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal 11 years ago
parent
15cfd52895
commit
d9ec4f1ee2
1 changed files with 8 additions and 15 deletions
Split View Show Diff Stats
  1. 8 15
      net/netfilter/xt_connlimit.c

+ 8 - 15
net/netfilter/xt_connlimit.c
View File 

@@ -112,29 +112,22 @@ static int count_hlist(struct net *net,
 
 	hlist_for_each_entry_safe(conn, n, head, node) {
 
 		found    = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,
 
 						 &conn->tuple);
 
-		found_ct = NULL;
 
+		if (found == NULL) {
 
+			hlist_del(&conn->node);
 
+			kfree(conn);
 
+			continue;
 
+		}
 
 
-		if (found != NULL)
 
-			found_ct = nf_ct_tuplehash_to_ctrack(found);
 
+		found_ct = nf_ct_tuplehash_to_ctrack(found);
 
 
-		if (found_ct != NULL &&
 
-		    nf_ct_tuple_equal(&conn->tuple, tuple) &&
 
-		    !already_closed(found_ct))
 
+		if (nf_ct_tuple_equal(&conn->tuple, tuple)) {
 
 			/*
 
 			 * Just to be sure we have it only once in the list.
 
 			 * We should not see tuples twice unless someone hooks
 
 			 * this into a table without "-p tcp --syn".
 
 			 */
 
 			addit = false;
 
-
 
-		if (found == NULL) {
 
-			/* this one is gone */
 
-			hlist_del(&conn->node);
 
-			kfree(conn);
 
-			continue;
 
-		}
 
-
 
-		if (already_closed(found_ct)) {
 
+		} else if (already_closed(found_ct)) {
 
 			/*
 
 			 * we do not care about connections which are
 
 			 * closed already -> ditch it