* [NETFILTER 01/02]: xt_connlimit: fix accounting when receiving RST packet in ESTABLISHED state
From: Patrick McHardy @ 2008-06-04 16:17 UTC (permalink / raw)
To: David S. Miller; +Cc: Netfilter Development Mailinglist
Hi Dave,
Following are two netfilter fixes for 2.6.26, fixing connection
accounting of closed connections in the iptables connlimit module
and inconsistent locking in IPv6 conntrack defragmentation.
I'll also send both patches to -stable.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-diff, Size: 1570 bytes --]
[NETFILTER]: xt_connlimit: fix accounting when receiving RST packet in ESTABLISHED state
In xt_connlimit match module, the counter of an IP is decreased when
the TCP packet goes through the chain with ip_conntrack state TW.
Well, it's very natural that the server and client close the socket
with a FIN packet. But when the client/server closes the socket with an RST
packet (using so_linger), the counter for this connection still exists.
The following patch, which is based on linux-2.6.25.4, fixes it.
Signed-off-by: Dong Wei <dwei.zh@gmail.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit df31d38473b31c8c18449419fbe9af219f3579f3
tree 93b5d2ee26d6531053453d28007ec42b056a9fde
parent 3446b9d57edd0b96a89715fef222879e4919a115
author Dong Wei <dwei.zh@gmail.com> Mon, 02 Jun 2008 16:47:27 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 02 Jun 2008 16:47:27 +0200
net/netfilter/xt_connlimit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 2e89a00..70907f6 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -73,7 +73,8 @@ connlimit_iphash6(const union nf_inet_addr *addr,
static inline bool already_closed(const struct nf_conn *conn)
{
if (nf_ct_protonum(conn) == IPPROTO_TCP)
- return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
+ return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
+ conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
else
return 0;
}
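Review bot: the `else` branch's `return 0;` returns an int literal from a function declared `bool`; `return false;` would match the declared type and the boolean comparisons above it. A short comment on the TCP branch saying that TIME_WAIT is the FIN-closed case and CLOSE the RST-aborted one would let a reader see why exactly these two conntrack states are treated as already closed without consulting the commit message.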
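To make the accounting effect concrete, here is an added user-space model (not code from the patch or the kernel) of how connlimit counts connections per source address under the old and the new already_closed predicate; the conn struct, the table and the 10.0.0.x addresses are constructed for the demo.

```c
/* Added example (not the kernel's or the patch's code): a user-space model of
 * how xt_connlimit counts live connections per source address, showing why a
 * connection aborted with RST (conntrack state CLOSE) kept inflating the count
 * before this fix. The struct, table and addresses are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Subset of the kernel's TCP conntrack states, with the kernel's numbering. */
enum tcp_conntrack {
	TCP_CONNTRACK_ESTABLISHED = 3,
	TCP_CONNTRACK_TIME_WAIT = 7,
	TCP_CONNTRACK_CLOSE = 8,
};
struct conn { unsigned int src_ip; enum tcp_conntrack state; };

/* Before the fix: only a FIN-closed connection (TIME_WAIT) counts as closed. */
static bool already_closed_old(const struct conn *c)
{
	return c->state == TCP_CONNTRACK_TIME_WAIT;
}
/* After the fix: an RST-aborted connection (CLOSE) counts as closed too. */
static bool already_closed_new(const struct conn *c)
{
	return c->state == TCP_CONNTRACK_TIME_WAIT ||
	       c->state == TCP_CONNTRACK_CLOSE;
}

/* Connections from @src still treated as open: the number connlimit compares
 * against its configured limit. */
static unsigned int count_open(const struct conn *tab, size_t n, unsigned int src,
			       bool (*closed)(const struct conn *))
{
	unsigned int open = 0;
	for (size_t i = 0; i < n; i++)
		if (tab[i].src_ip == src && !closed(&tab[i]))
			open++;
	return open;
}

/* Constructed table: 10.0.0.1 has two live sessions, one closed by FIN
 * (TIME_WAIT) and two aborted with RST via SO_LINGER (CLOSE). */
static const struct conn demo_table[] = {
	{ 0x0a000001, TCP_CONNTRACK_ESTABLISHED }, { 0x0a000001, TCP_CONNTRACK_ESTABLISHED },
	{ 0x0a000001, TCP_CONNTRACK_TIME_WAIT },   { 0x0a000001, TCP_CONNTRACK_CLOSE },
	{ 0x0a000001, TCP_CONNTRACK_CLOSE },       { 0x0a000002, TCP_CONNTRACK_ESTABLISHED },
};
#define DEMO_N (sizeof demo_table / sizeof demo_table[0])
unsigned int demo_open_old(void) { return count_open(demo_table, DEMO_N, 0x0a000001, already_closed_old); }
unsigned int demo_open_new(void) { return count_open(demo_table, DEMO_N, 0x0a000001, already_closed_new); }
```

Link it with a main that prints demo_open_old() and demo_open_new(): the old predicate still counts 4 open connections for 10.0.0.1 (the two RST-aborted ones included), the fixed predicate counts 2, so a limit of 3 would wrongly trigger before the fix.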
* Re: [NETFILTER 01/02]: xt_connlimit: fix accounting when receiving RST packet in ESTABLISHED state
From: David Miller @ 2008-06-04 16:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Wed, 04 Jun 2008 18:17:52 +0200
> [NETFILTER]: xt_connlimit: fix accounting when receiving RST packet in ESTABLISHED state
>
> In xt_connlimit match module, the counter of an IP is decreased when
> the TCP packet goes through the chain with ip_conntrack state TW.
> Well, it's very natural that the server and client close the socket
> with a FIN packet. But when the client/server closes the socket with an RST
> packet (using so_linger), the counter for this connection still exists.
> The following patch, which is based on linux-2.6.25.4, fixes it.
>
> Signed-off-by: Dong Wei <dwei.zh@gmail.com>
> Acked-by: Jan Engelhardt <jengelh@medozas.de>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied.