netfilter-devel.vger.kernel.org archive mirror
* [PATCH] [connlimit] connlimit-above early loop termination
@ 2011-02-11 16:22 Stefan Berger
  2011-02-11 17:00 ` Patrick McHardy
From: Stefan Berger @ 2011-02-11 16:22 UTC (permalink / raw)
  To: Patrick McHardy, netfilter-devel, netfilter, coreteam

The patch below introduces an early termination of the loop that is
counting matches. It terminates once the counter has exceeded the
threshold provided by the user. There's no point in continuing the loop
afterwards and looking at other entries.

It plays together with the following code further below:

return (connections > info->limit) ^ info->inverse;

where connections is the result of counting the connections, which in turn
is the matches variable in the loop. So once

        -> matches = info->limit + 1    
alias   -> matches > info->limit
alias   -> matches > threshold 

we can terminate the loop.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 


diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 5c5b6b9..f3ced9c 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -97,7 +97,8 @@ static int count_them(struct net *net,
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_inet_addr *addr,
 		      const union nf_inet_addr *mask,
-		      u_int8_t family)
+		      u_int8_t family,
+		      unsigned int threshold)
 {
 	const struct nf_conntrack_tuple_hash *found;
 	struct xt_connlimit_conn *conn;
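Review bot: the new `threshold` parameter changes what count_them() returns, from the number of live connections in the source network to a value that stops at threshold + 1, and nothing in this hunk records that. Add a comment at the parameter (or in the function's header comment) saying the result is only meaningful as "exceeded threshold or not", so no later caller treats the return value as an exact count.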
@@ -151,9 +152,14 @@ static int count_them(struct net *net,
 			continue;
 		}

-		if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
+		if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) {
 			/* same source network -> be counted! */
 			++matches;
+			if (matches > threshold) {
+				nf_ct_put(found_ct);
+				break;
+			}
+		}
 		nf_ct_put(found_ct);
 	}

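Review bot: the `break` on `matches > threshold` is only correct if counting is the loop's sole job, and the `continue` at the top of this hunk shows the body has other paths; whatever the remaining iterations would have done for entries after the (threshold + 1)th same-network hit is skipped. The author's follow-up in this thread confirms the consequence: without `-m state --state NEW` in front of the match the list keeps growing, which points to the walk also being what notices that the current connection is already listed. Either keep walking once the threshold is exceeded but stop counting, or break only once that bookkeeping is known to be complete. Style: the second `nf_ct_put(found_ct)` on the break path can be avoided by testing after the single put, e.g. `if (same_source_net(...)) ++matches;` / `nf_ct_put(found_ct);` / `if (matches > threshold) break;`, which is equivalent because `matches` only changes inside that branch.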
@@ -201,7 +207,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)

 	spin_lock_bh(&info->data->lock);
 	connections = count_them(net, info->data, tuple_ptr, &addr,
-	                         &info->mask, par->family);
+	                         &info->mask, par->family,
+	                         info->limit);
 	spin_unlock_bh(&info->data->lock);

 	if (connections < 0) {
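Review bot: passing `info->limit` as the threshold is consistent with the `(connections > info->limit) ^ info->inverse` decision described in the cover letter, and it holds for the inverted match as well, since both only need to know whether the limit was exceeded; the shorter walk also shrinks the critical section held under `info->data->lock`. The cost is that `connections` is no longer an exact count once it exceeds the limit, while the name suggests it is; a one-line comment at this call site would keep someone from later logging or exporting it. The `connections < 0` error check that follows is unaffected, as the early exit path returns the positive count.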





* Re: [PATCH] [connlimit] connlimit-above early loop termination
  2011-02-11 16:22 [PATCH] [connlimit] connlimit-above early loop termination Stefan Berger
@ 2011-02-11 17:00 ` Patrick McHardy
  2011-02-13 18:53   ` Stefan Berger
From: Patrick McHardy @ 2011-02-11 17:00 UTC (permalink / raw)
  To: Stefan Berger; +Cc: netfilter-devel, netfilter, coreteam

On 11.02.2011 17:22, Stefan Berger wrote:
> The patch below introduces an early termination of the loop that is
> counting matches. It terminates once the counter has exceeded the
> threshold provided by the user. There's no point in continuing the loop
> afterwards and looking at other entries.
> 
> It plays together with the following code further below:
> 
> return (connections > info->limit) ^ info->inverse;
> 
> where connections is the result of counting the connections, which in turn
> is the matches variable in the loop. So once
> 
>         -> matches = info->limit + 1    
> alias   -> matches > info->limit
> alias   -> matches > threshold 
> 
> we can terminate the loop.
> 

Applied, thanks Stefan.


* Re: [PATCH] [connlimit] connlimit-above early loop termination
  2011-02-11 17:00 ` Patrick McHardy
@ 2011-02-13 18:53   ` Stefan Berger
From: Stefan Berger @ 2011-02-13 18:53 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, netfilter, coreteam

On 02/11/2011 12:00 PM, Patrick McHardy wrote:
> On 11.02.2011 17:22, Stefan Berger wrote:
>> The patch below introduces an early termination of the loop that is
>> counting matches. It terminates once the counter has exceeded the
>> threshold provided by the user. There's no point in continuing the loop
>> afterwards and looking at other entries.
>>
>> It plays together with the following code further below:
>>
>> return (connections > info->limit) ^ info->inverse;
>>
>> where connections is the result of counting the connections, which in turn
>> is the matches variable in the loop. So once
>>
>>         -> matches = info->limit + 1
>> alias   -> matches > info->limit
>> alias   -> matches > threshold
>>
>> we can terminate the loop.
>>
> Applied, thanks Stefan.
I am currently creating a derivative of this module for a slightly 
different purpose. While testing that one and not using the -m state 
--state -NEW in front of the -m connlimit, I saw that that shortcut 
doesn't work properly but keeps on adding entries into the list. So, 
unfortunately I have to withdraw that patch. I apologize and I'll send a 
patch for this.

   Regards,
      Stefan

