From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@davemloft.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: [NETFILTER 01/02]: xt_connlimit: fix accounting when receive RST packet in ESTABLISHED state
Date: Wed, 04 Jun 2008 18:17:52 +0200
Message-ID: <4846C030.6080707@trash.net>
Hi Dave,
following are two netfilter fixes for 2.6.26, fixing connection
accounting of closed connections in the iptables connlimit module
and inconsistent locking in IPv6 conntrack defragmentation.
I'll also send both patches to -stable.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-diff, Size: 1570 bytes --]
[NETFILTER]: xt_connlimit: fix accounting when receive RST packet in ESTABLISHED state
In xt_connlimit match module, the counter of an IP is decreased when
the TCP packet goes through the chain with ip_conntrack state TW.
Well, it's very natural that the server and client close the socket
with FIN packet. But when the client/server close the socket with RST
packet (using SO_LINGER), the counter for this connection still exists.
The following patch, which is based on linux-2.6.25.4, can fix it.
Signed-off-by: Dong Wei <dwei.zh@gmail.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit df31d38473b31c8c18449419fbe9af219f3579f3
tree 93b5d2ee26d6531053453d28007ec42b056a9fde
parent 3446b9d57edd0b96a89715fef222879e4919a115
author Dong Wei <dwei.zh@gmail.com> Mon, 02 Jun 2008 16:47:27 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 02 Jun 2008 16:47:27 +0200
net/netfilter/xt_connlimit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 2e89a00..70907f6 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -73,7 +73,8 @@ connlimit_iphash6(const union nf_inet_addr *addr,
static inline bool already_closed(const struct nf_conn *conn)
{
if (nf_ct_protonum(conn) == IPPROTO_TCP)
- return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
+ return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
+ conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
else
return 0;
}
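Review bot: the subject line says the fix is for an RST received "in ESTABLISHED state", but the added condition `conn->proto.tcp.state == TCP_CONNTRACK_CLOSE` checks only the current conntrack state and is not restricted to connections that were ESTABLISHED beforehand, so the subject understates what the code does; consider wording it as "treat connections in TCP_CONNTRACK_CLOSE as already closed". Two style points while this function is being touched: `already_closed()` is declared `bool`, so the `else` branch should `return false;` rather than `return 0;`, and the new continuation line should be indented to align under `conn->proto.tcp.state` on the line above, per kernel coding style for a split condition.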
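To make the accounting consequence described in the commit message concrete, here is an added toy model in C of the "already closed" predicate before and after the patch. This is not the kernel's xt_connlimit code and not part of the original mail: the state enum, `struct conn`, the flat per-address table, the limit check and the function names are constructed for illustration, standing in for the conntrack lookup and per-IP hash list the real module uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy subset of conntrack TCP states (constructed; not the kernel enum).
 * A FIN handshake ends in TIME_WAIT, an RST ends in CLOSE.
 */
enum ct_tcp_state {
	CT_SYN_SENT,
	CT_ESTABLISHED,
	CT_TIME_WAIT,	/* reached after the normal FIN close */
	CT_CLOSE,	/* reached when one side sends RST */
};

struct conn {
	unsigned int src_ip;		/* IPv4 address in host order, constructed */
	enum ct_tcp_state state;	/* conntrack state of this connection */
};

typedef bool (*closed_fn)(const struct conn *c);

/* Behaviour before the patch: only TIME_WAIT is treated as closed. */
bool already_closed_old(const struct conn *c)
{
	return c->state == CT_TIME_WAIT;
}

/* Behaviour after the patch: TIME_WAIT or CLOSE is treated as closed. */
bool already_closed_new(const struct conn *c)
{
	return c->state == CT_TIME_WAIT || c->state == CT_CLOSE;
}

/*
 * Count connections from `ip` that the predicate still considers open.
 * This mirrors the module walking its per-address list: entries the
 * predicate reports as closed are dropped from the list and stop counting.
 */
int count_live(const struct conn *table, size_t n, unsigned int ip, closed_fn closed)
{
	int live = 0;
	for (size_t i = 0; i < n; i++)
		if (table[i].src_ip == ip && !closed(&table[i]))
			live++;
	return live;
}

/* The match fires (rule action applies) when the live count exceeds the limit. */
bool connlimit_exceeded(const struct conn *table, size_t n, unsigned int ip,
			int limit, closed_fn closed)
{
	return count_live(table, n, ip, closed) > limit;
}

/* Constructed sample: three connections from 10.0.0.1 (0x0a000001). */
#define SRC_IP 0x0a000001u
static const struct conn sample_table[] = {
	{ SRC_IP, CT_ESTABLISHED },	/* still in use */
	{ SRC_IP, CT_TIME_WAIT },	/* closed cleanly with FIN */
	{ SRC_IP, CT_CLOSE },		/* closed abruptly with RST (SO_LINGER) */
};
#define SAMPLE_N (sizeof(sample_table) / sizeof(sample_table[0]))

int live_before_patch(void)
{
	return count_live(sample_table, SAMPLE_N, SRC_IP, already_closed_old);
}

int live_after_patch(void)
{
	return count_live(sample_table, SAMPLE_N, SRC_IP, already_closed_new);
}

/* With a limit of one connection per address, only the old predicate still reports a violation. */
bool exceeded_before_patch(void)
{
	return connlimit_exceeded(sample_table, SAMPLE_N, SRC_IP, 1, already_closed_old);
}

bool exceeded_after_patch(void)
{
	return connlimit_exceeded(sample_table, SAMPLE_N, SRC_IP, 1, already_closed_new);
}

int main(void)
{
	printf("live before patch: %d (limit 1 exceeded: %s)\n",
	       live_before_patch(), exceeded_before_patch() ? "yes" : "no");
	printf("live after patch:  %d (limit 1 exceeded: %s)\n",
	       live_after_patch(), exceeded_after_patch() ? "yes" : "no");
	return 0;
}
```

The RST-closed connection is the one that matters: with the old predicate it keeps counting against the address until its conntrack entry expires, so a client whose connections end in RST can hit the limit with only one socket actually open; with the patched predicate it is discounted as soon as conntrack has moved it to CLOSE.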
Thread overview:
2008-06-04 16:17 Patrick McHardy [this message]
2008-06-04 16:58 ` [NETFILTER 01/02]: xt_connlimit: fix accounting when receive RST packet in ESTABLISHED state David Miller