From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Dong Wei <dwei.zh@gmail.com>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Fix connlimit bug when receive RST packet in ESTABLISHED state
Date: Mon, 02 Jun 2008 15:01:22 +0200
Message-ID: <4843EF22.9010207@trash.net>
In-Reply-To: <alpine.LNX.1.10.0806021428440.4055@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Monday 2008-06-02 14:20, Patrick McHardy wrote:
>> Dong Wei wrote:
>>> diff -ruN a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
>>> --- a/net/netfilter/xt_connlimit.c      2008-06-02 18:48:38.000000000 +0800
>>> +++ b/net/netfilter/xt_connlimit.c      2008-06-02 18:50:40.000000000 +0800
>>> @@ -75,7 +75,8 @@
>>>         u_int16_t proto = conn->tuplehash[0].tuple.dst.protonum;
>>>
>>>         if (proto == IPPROTO_TCP)
>>> -               return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
>>> +               return (conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT
>>> +                       || conn->proto.tcp.state == TCP_CONNTRACK_CLOSE);
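Review bot: the parentheses wrapping the two-line return expression on the `+` lines are redundant and should be dropped, e.g. `return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||` followed by `       conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;`, and the submission still lacks a Signed-off-by: line, so it cannot be applied as posted. The changelog should also spell out the motivation that the hunk's context alone does not show: a flow that receives an RST while ESTABLISHED moves to TCP_CONNTRACK_CLOSE rather than TIME_WAIT, so until this change such a flow kept counting against the connlimit budget until its conntrack entry expired.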
>> Looks fine to me. Jan?
> 
> The check for TCP_CONNTRACK_TIME_WAIT was introduced since there is
> the 2*MSL delay before the TIME_WAIT->CLOSED transition, and not
> counting a connection beginning with TIME_WAIT is common sense/what
> people expect.

Yes, though the end-result might not be what people expect.
The connection can be reopened, exceeding the configured
limit, and lots of TIME_WAIT/CLOSE connections might linger
around.

> Though the cleanup delay between TCP_CONNTRACK_CLOSE and (deallocated
> state) is much less than 2*MSL, it makes sense to also add this case
> per common sense.
> 
> Patch is fine, yes, but you do not need the redundant
> ( ) that were introduced.

I'll remove them when applying the patch.

Dong, I need a Signed-off-by: line from you before I can apply this.
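To make the effect of the patch concrete, the following is an added model of connlimit's per-source counting, written for this page and not taken from the kernel: the conntrack list, the state names and the sample flows are constructed, and the two `already_closed_*` predicates stand in for the kernel's pre- and post-patch checks. It shows that a flow reset while ESTABLISHED (conntrack state CLOSE) stays counted under the old check and is skipped under the new one, and it also makes Patrick's caveat visible: the skipped entries still occupy the table, so the number of entries from one source can exceed the configured limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the TCP conntrack states named in the patch;
 * the numeric values are arbitrary and are not the kernel's. */
enum tcp_ct_state {
	CT_ESTABLISHED,
	CT_FIN_WAIT,
	CT_TIME_WAIT,
	CT_CLOSE,
};

struct conn {
	unsigned int src;		/* source address, abstracted to an integer */
	enum tcp_ct_state state;	/* conntrack state of the flow */
};

/* Pre-patch behaviour: only TIME_WAIT flows are ignored by the counter. */
static bool already_closed_old(const struct conn *c)
{
	return c->state == CT_TIME_WAIT;
}

/* Post-patch behaviour: a flow in CLOSE (e.g. after an RST received while
 * ESTABLISHED) is ignored as well. */
static bool already_closed_new(const struct conn *c)
{
	return c->state == CT_TIME_WAIT || c->state == CT_CLOSE;
}

/* Count the flows from 'src' that the given predicate does not treat as
 * closed; this models the pruning-and-counting pass of xt_connlimit. */
static unsigned int count_conns(const struct conn *list, size_t n,
				unsigned int src,
				bool (*closed)(const struct conn *))
{
	unsigned int count = 0;

	for (size_t i = 0; i < n; i++) {
		if (list[i].src != src || closed(&list[i]))
			continue;
		count++;
	}
	return count;
}

/* Count every table entry from 'src', closed or not: the entries that
 * linger even though the counter no longer sees them. */
static unsigned int count_entries(const struct conn *list, size_t n,
				  unsigned int src)
{
	unsigned int count = 0;

	for (size_t i = 0; i < n; i++)
		if (list[i].src == src)
			count++;
	return count;
}

/* Would one more connection from 'src' exceed 'limit'? The new flow is
 * included in the total, as connlimit inserts it before comparing. */
static bool over_limit(const struct conn *list, size_t n, unsigned int src,
		       unsigned int limit,
		       bool (*closed)(const struct conn *))
{
	return count_conns(list, n, src, closed) + 1 > limit;
}

/* Constructed sample: source 1 has two live flows, one flow reset while
 * ESTABLISHED (now CLOSE) and one that finished normally (TIME_WAIT). */
static const struct conn sample[] = {
	{ 1, CT_ESTABLISHED },
	{ 1, CT_ESTABLISHED },
	{ 1, CT_CLOSE },
	{ 1, CT_TIME_WAIT },
	{ 2, CT_ESTABLISHED },
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))
#define SAMPLE_LIMIT 3u

int main(void)
{
	printf("old check: %u counted, new connection %s\n",
	       count_conns(sample, SAMPLE_LEN, 1, already_closed_old),
	       over_limit(sample, SAMPLE_LEN, 1, SAMPLE_LIMIT,
			  already_closed_old) ? "rejected" : "allowed");
	printf("new check: %u counted, new connection %s\n",
	       count_conns(sample, SAMPLE_LEN, 1, already_closed_new),
	       over_limit(sample, SAMPLE_LEN, 1, SAMPLE_LIMIT,
			  already_closed_new) ? "rejected" : "allowed");
	printf("entries from source 1 still in the table: %u (limit %u)\n",
	       count_entries(sample, SAMPLE_LEN, 1), SAMPLE_LIMIT);
	return 0;
}
```

With a limit of 3, the old check counts the reset flow and rejects a fourth connection from source 1, which is the bug the subject line describes; the new check counts only the two ESTABLISHED flows and admits it. The last line of output is the trade-off Patrick raises: after the admission, source 1 owns five table entries against a limit of three, because closed entries are skipped rather than freed.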
