git.baikalelectronics.ru Git - kernel.git/commit
netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario
author    Changli Gao <xiaosuo@gmail.com>
          Tue, 15 Mar 2011 12:23:28 +0000 (13:23 +0100)
committer Patrick McHardy <kaber@trash.net>
          Tue, 15 Mar 2011 12:23:28 +0000 (13:23 +0100)
commit    f2028a070e6d8bf079385883b3da7aeec7d8a844
tree      091cf02201486f436cbc0596aadf51dafbc3784a
parent    05a7e11545a4ef0fb63350d17b91e9b8fd5b0afc
netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario

We use the reply tuples when limiting the connections by the destination
addresses, however, in the SNAT scenario, the final reply tuples won't be
ready until SNAT is done in the POSTROUTING or INPUT chain, and the following
nf_conntrack_find_get() in count_them() will get nothing, so connlimit
can't work as expected.

In this patch, the original tuples are always used, and an additional
member addr is appended to save the address at either end.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/netfilter/xt_connlimit.c
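The failure mode the commit message describes, as an added C model that is not kernel code and not part of this commit: a toy conntrack table whose entries are found only by their current tuples, and a toy connlimit list that remembers a tuple snapshot per connection and garbage-collects entries whose tuple can no longer be found. The names (tuple_t, conn_t, ct_find, count_them, simulate) and the addresses are constructed stand-ins for nf_conntrack_tuple, nf_conntrack_find_get() and count_them(); ports are omitted. Snapshotting the reply tuple before SNAT runs leaves a tuple that no longer exists once POSTROUTING rewrites it, so every remembered connection looks stale and the count never rises; snapshotting the original tuple keeps the entries alive.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Tuple: (src, dst) IPv4 addresses; ports omitted for brevity. */
typedef struct { uint32_t src, dst; } tuple_t;

/* A tracked connection: tuples for both directions.
 * SNAT rewrites the original source, which conntrack records as reply.dst. */
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
typedef struct { tuple_t dir[2]; } conn_t;

#define MAX 32
static conn_t ct_table[MAX];     /* hypothetical conntrack hash table */
static size_t ct_len;

static bool tuple_eq(const tuple_t *a, const tuple_t *b) {
    return a->src == b->src && a->dst == b->dst;
}

/* Stand-in for nf_conntrack_find_get(): a tuple is found only if it matches
 * a tracked connection's *current* tuple in either direction. */
static conn_t *ct_find(const tuple_t *t) {
    for (size_t i = 0; i < ct_len; i++)
        if (tuple_eq(&ct_table[i].dir[DIR_ORIGINAL], t) ||
            tuple_eq(&ct_table[i].dir[DIR_REPLY], t))
            return &ct_table[i];
    return NULL;
}

/* New connection seen in PREROUTING: the reply tuple is the plain inverse. */
static conn_t *ct_new(uint32_t src, uint32_t dst) {
    if (ct_len >= MAX) return NULL;
    conn_t *c = &ct_table[ct_len++];
    c->dir[DIR_ORIGINAL] = (tuple_t){ src, dst };
    c->dir[DIR_REPLY]    = (tuple_t){ dst, src };
    return c;
}

/* SNAT in POSTROUTING: replies must now come back to the mapped address. */
static void ct_snat(conn_t *c, uint32_t mapped_src) {
    c->dir[DIR_REPLY].dst = mapped_src;
}

/* connlimit's per-rule list. The pre-fix code kept only a tuple; the fix
 * adds the address to compare against (the 'addr' member). */
typedef struct { tuple_t tuple; uint32_t addr; } limit_conn_t;
static limit_conn_t limit_list[MAX];
static size_t limit_len;

/* Model of count_them(): drop entries whose tuple is no longer tracked,
 * then count those whose addr matches the packet's destination. */
static int count_them(uint32_t daddr) {
    int matches = 0;
    size_t kept = 0;
    for (size_t i = 0; i < limit_len; i++) {
        limit_conn_t *e = &limit_list[i];
        if (ct_find(&e->tuple) == NULL)
            continue;                 /* conntrack entry gone: garbage-collect */
        if (e->addr == daddr)
            matches++;
        limit_list[kept++] = *e;      /* compact the list in place */
    }
    limit_len = kept;
    return matches;
}

static void remember(const tuple_t *snapshot, uint32_t addr) {
    if (limit_len >= MAX) return;
    limit_list[limit_len++] = (limit_conn_t){ *snapshot, addr };
}

/* Simulate 'clients' hosts behind the box connecting to one server, with the
 * connlimit match evaluated (e.g. in FORWARD) before SNAT runs in POSTROUTING.
 * use_reply = true models the old code (snapshot the reply tuple).
 * Returns the number of connections connlimit counted for the last client. */
static int simulate(int clients, bool use_reply) {
    const uint32_t server = 0x0A000001u;   /* 10.0.0.1, constructed */
    const uint32_t snat   = 0xC0A80101u;   /* 192.168.1.1, constructed */
    int counted = 0;
    ct_len = 0;
    limit_len = 0;
    for (int i = 0; i < clients; i++) {
        uint32_t client = 0xC0A80A00u + (uint32_t)i;  /* 192.168.10.x */
        conn_t *c = ct_new(client, server);
        if (c == NULL) break;
        /* connlimit match runs here, before SNAT has rewritten anything */
        counted = count_them(server) + 1;  /* existing matches + this one */
        remember(&c->dir[use_reply ? DIR_REPLY : DIR_ORIGINAL], server);
        /* POSTROUTING: SNAT changes the reply tuple of this connection */
        ct_snat(c, snat);
    }
    return counted;
}

int main(void) {
    printf("reply-tuple snapshot (old):  3 clients counted as %d\n", simulate(3, true));
    printf("orig-tuple snapshot (fixed): 3 clients counted as %d\n", simulate(3, false));
    return 0;
}
```

With the reply-tuple snapshot, each new client is counted as the only connection to the server because every earlier entry fails the lookup and is discarded; with the original-tuple snapshot the count grows by one per client, which is what a --connlimit-daddr rule needs in order to ever trigger.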