leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[NETFILTER]: xt_hashlimit: fix limit off-by-one

Browse Source 
Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.

Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2006-08-13 18:06:02 -07:00 committed by David S. Miller
parent 97c802a113
commit 1c7628bd7a
1 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
net/ipv4/netfilter/ipt_hashlimit.c
View File

@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
hinfo->cfg.burst); hinfo->cfg.burst);
dh->rateinfo.cost = user2credits(hinfo->cfg.avg); dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
} else {
spin_unlock_bh(&hinfo->lock); /* update expiration timeout */
return 1; dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
rateinfo_recalc(dh, now);
} }
/* update expiration timeout */
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
rateinfo_recalc(dh, now);
if (dh->rateinfo.credit >= dh->rateinfo.cost) { if (dh->rateinfo.credit >= dh->rateinfo.cost) {
/* We're underlimit. */ /* We're underlimit. */
dh->rateinfo.credit -= dh->rateinfo.cost; dh->rateinfo.credit -= dh->rateinfo.cost;