]> git.karo-electronics.de Git - linux-beck.git/commit
netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario
authorChangli Gao <xiaosuo@gmail.com>
Tue, 15 Mar 2011 12:23:28 +0000 (13:23 +0100)
committerPatrick McHardy <kaber@trash.net>
Tue, 15 Mar 2011 12:23:28 +0000 (13:23 +0100)
commit8183e3a88aced228ab9770762692be6cc3786e80
tree091cf02201486f436cbc0596aadf51dafbc3784a
parentf2247fbdc41372d64c89505280419ceb45d80a31
netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario

We use the reply tuples when limiting the connections by the destination
addresses, however, in SNAT scenario, the final reply tuples won't be
ready until SNAT is done in POSTROUING or INPUT chain, and the following
nf_conntrack_find_get() in count_tem() will get nothing, so connlimit
can't work as expected.

In this patch, the original tuples are always used, and an additional
member addr is appended to save the address in either end.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/netfilter/xt_connlimit.c