[PATCH 02/13] netfilter: xt_connlimit: connlimit-above early loop termination

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: kaber@trash.net
To: davem@davemloft.net
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH 02/13] netfilter: xt_connlimit: connlimit-above early loop termination
Date: Wed,  2 Mar 2011 13:12:42 +0100	[thread overview]
Message-ID: <1299067973-15977-3-git-send-email-kaber@trash.net> (raw)
In-Reply-To: <1299067973-15977-1-git-send-email-kaber@trash.net>

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

The patch below introduces an early termination of the loop that is
counting matches. It terminates once the counter has exceeded the
threshold provided by the user. There's no point in continuing the loop
afterwards and looking at other entries.

It plays together with the following code further below:

return (connections > info->limit) ^ info->inverse;

where connections is the result of the counted connection, which in turn
is the matches variable in the loop. So once

        -> matches = info->limit + 1
alias   -> matches > info->limit
alias   -> matches > threshold

we can terminate the loop.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_connlimit.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index e029c48..82ce7c5 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -97,7 +97,8 @@ static int count_them(struct net *net,
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_inet_addr *addr,
 		      const union nf_inet_addr *mask,
-		      u_int8_t family)
+		      u_int8_t family,
+		      unsigned int threshold)
 {
 	const struct nf_conntrack_tuple_hash *found;
 	struct xt_connlimit_conn *conn;
@@ -151,9 +152,14 @@ static int count_them(struct net *net,
 			continue;
 		}
 
-		if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
+		if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) {
 			/* same source network -> be counted! */
 			++matches;
+			if (matches > threshold) {
+				nf_ct_put(found_ct);
+				break;
+			}
+		}
 		nf_ct_put(found_ct);
 	}
 
@@ -207,7 +213,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 	spin_lock_bh(&info->data->lock);
 	connections = count_them(net, info->data, tuple_ptr, &addr,
-	                         &info->mask, par->family);
+	                         &info->mask, par->family,
+	                         info->limit);
 	spin_unlock_bh(&info->data->lock);
 
 	if (connections < 0)
-- 
1.7.4

next prev parent reply	other threads:[~2011-03-02 12:13 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-02 12:12 [PATCH 00/13] netfilter: netfilter update kaber
2011-03-02 12:12 ` [PATCH 01/13] netfilter: ipset: add dependency on CONFIG_NETFILTER_NETLINK kaber
2011-03-02 12:12 ` kaber [this message]
2011-03-02 12:12 ` [PATCH 03/13] bridge: netfilter: fix information leak kaber
2011-03-02 12:12 ` [PATCH 04/13] Revert "netfilter: xt_connlimit: connlimit-above early loop termination" kaber
2011-03-02 12:12 ` [PATCH 05/13] netfilter: xt_conntrack: warn about use in raw table kaber
2011-03-02 12:12 ` [PATCH 06/13] netfilter: nfnetlink_log: remove unused parameter kaber
2011-03-02 12:12 ` [PATCH 07/13] ipvs: fix timer in get_curr_sync_buff kaber
2011-03-02 12:12 ` [PATCH 08/13] ipvs: remove extra lookups for ICMP packets kaber
2011-03-02 12:12 ` [PATCH 09/13] ipvs: make "no destination available" message more informative kaber
2011-03-02 12:12 ` [PATCH 10/13] ipvs: use hlist instead of list kaber
2011-03-02 12:12 ` [PATCH 11/13] ipvs: use enum to instead of magic numbers kaber
2011-03-02 12:12 ` [PATCH 12/13] ipvs: unify the formula to estimate the overhead of processing connections kaber
2011-03-02 12:12 ` [PATCH 13/13] netfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV kaber
2011-03-02 19:30 ` [PATCH 00/13] netfilter: netfilter update David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e029c48 dfblob:82ce7c5 )
 OR (
bs:"[PATCH 02/13] netfilter: xt_connlimit: connlimit-above early loop termination" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1299067973-15977-3-git-send-email-kaber@trash.net \
    --to=kaber@trash.net \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).