Index: linux/net/ipv4/netfilter/ipt_connlimit.c
===================================================================
--- linux/net/ipv4/netfilter/ipt_connlimit.c (revision 3889)
+++ linux/net/ipv4/netfilter/ipt_connlimit.c (working copy)
@@ -55,7 +55,7 @@
 struct ipt_connlimit_conn *conn;
 struct list_head *hash,*lh;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
 tuple = ct->tuplehash[0].tuple;
 hash = &data->iphash[ipt_iphash(addr & mask)];
@@ -63,8 +63,8 @@
 for (lh = hash->next; lh != hash; lh = lh->next) {
 conn = list_entry(lh,struct ipt_connlimit_conn,list);
 found = ip_conntrack_find_get(&conn->tuple,ct);
- if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
- found != NULL &&
+ if (found != NULL &&
+ 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
 found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
 /* Just to be sure we have it only once in the list.
 We should'nt see tuples twice unless someone hooks this
@@ -117,7 +117,7 @@
 list_add(&conn->list,hash);
 matches++;
 }
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 return matches;
 }
Index: linux-2.6/net/ipv4/netfilter/ipt_connlimit.c
===================================================================
--- linux-2.6/net/ipv4/netfilter/ipt_connlimit.c (revision 3889)
+++ linux-2.6/net/ipv4/netfilter/ipt_connlimit.c (working copy)
@@ -55,7 +55,7 @@
 struct ipt_connlimit_conn *conn;
 struct list_head *hash,*lh;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
 tuple = ct->tuplehash[0].tuple;
 hash = &data->iphash[ipt_iphash(addr & mask)];
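Review bot: The duplicate check in the `for` loop of the linux/ copy (hunk `-63,8`) still compares the tuples with `memcmp(&conn->tuple,&tuple,sizeof(tuple))`, which also compares any padding bytes in the struct; the linux-2.6 hunk at `-63,9` keeps the same call. `tuple` is filled by a plain struct assignment at the top of the function, so if `struct ip_conntrack_tuple` has padding on some architecture, an identical connection can compare unequal and presumably be stored and counted a second time, which makes a client reach the limit early. A field-wise comparison such as `ip_ct_tuple_equal(&conn->tuple, &tuple)` would avoid that, assuming the helper is available in both trees. The loop body continues outside the hunk.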
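Review bot: The linux/ copy converts the lock at the top of the function and only the unlock in front of `return matches;` (hunk `-117,7`), whereas the linux-2.6 copy in the same patch also converts an unlock inside the `if (NULL == conn)` branch after `kmalloc`. The code between the linux/ hunks is not shown; if that copy has the same early `return -1`, the branch needs `spin_unlock_bh(&data->lock);` before returning. Otherwise that exit either keeps the lock held with bottom halves disabled or pairs `spin_lock_bh` with a plain `spin_unlock`. Every return path between the two hunks should be checked for a matching `_bh` release.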
@@ -63,9 +63,9 @@
 for (lh = hash->next; lh != hash; lh = lh->next) {
 conn = list_entry(lh,struct ipt_connlimit_conn,list);
 found = ip_conntrack_find_get(&conn->tuple,ct);
- if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
- found != NULL &&
- found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+ if (found != NULL
+ && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))
+ && found->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
 /* Just to be sure we have it only once in the list.
 We should'nt see tuples twice unless someone hooks this
 into a table without "-p tcp --syn" */
@@ -110,7 +110,7 @@
 #endif
 conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
 if (NULL == conn) {
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 return -1;
 }
 memset(conn,0,sizeof(*conn));
@@ -119,7 +119,7 @@
 list_add(&conn->list,hash);
 matches++;
 }
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 return matches;
 }
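Review bot: In the linux-2.6 condition (hunk `-63,9`) the state check now reads `found->proto.tcp.state` directly, while the removed line went through `found->ctrack`, and the hunk shows no matching change to the declaration of `found`. If `found` is still the tuple-hash pointer returned by `ip_conntrack_find_get()`, the access has to go through the owning conntrack, for example `tuplehash_to_ctrack(found)->proto.tcp.state` on trees that provide that helper. The rest of the loop is outside the hunk; any remaining `found->ctrack` uses there would need the same conversion, including whatever drops the reference obtained by the lookup.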