Hi, Jan

My Signed-off-by message is:

Signed-off-by: Dong Wei <dwei.zh@xxxxxxxxx>

Thanks

On Mon, Jun 2, 2008 at 9:01 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> Jan Engelhardt wrote:
>>
>> On Monday 2008-06-02 14:20, Patrick McHardy wrote:
>>>
>>> Dong Wei wrote:
>>>>
>>>> diff -ruN a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
>>>> --- a/net/netfilter/xt_connlimit.c 2008-06-02 18:48:38.000000000
>>>> +0800
>>>> +++ b/net/netfilter/xt_connlimit.c 2008-06-02 18:50:40.000000000
>>>> +0800
>>>> @@ -75,7 +75,8 @@
>>>> u_int16_t proto = conn->tuplehash[0].tuple.dst.protonum;
>>>>
>>>> if (proto == IPPROTO_TCP)
>>>> - return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
>>>> + return (conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT
>>>> + || conn->proto.tcp.state ==
>>>> TCP_CONNTRACK_CLOSE);
>>>
>>> Looks fine to me. Jan?
>>
>> The check for TCP_CONNTRACK_TIME_WAIT was introduced since there is
>> the 2*MSL delay before the TIME_WAIT->CLOSED transition, and not
>> counting a connection beginning with TIME_WAIT is common sense/what
>> people expect.
>
> Yes, though the end-result might not be what people expect.
> The connection can be reopened, exceeding the configured
> limit, and lots of TIME_WAIT/CLOSE connections might linger
> around.
>
>> Though the cleanup delay between TCP_CONNTRACK_CLOSE and (deallocated
>> state) is much less than 2*MSL, it makes sense to also add this case
>> per common sense.
>>
>> Patch is fine, yes, but you do not need the redundant
>> ( ) that were introduced.
>
> I'll remove them when applying the patch.
>
> Dong, I need a Signed-off-by: line from you before I can apply this.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
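Review bot: the quoted hunk is whitespace-damaged by the mail client and will not apply as posted: the second `+` line is wrapped so that `|| conn->proto.tcp.state ==` and `TCP_CONNTRACK_CLOSE);` arrive as two separate lines (the latter without its `+` prefix), and the `+0800` timezone of each `---`/`+++` header has been pushed onto its own line, where it reads as an added line. Resend the patch inline and unwrapped (or as an attachment the maintainer can apply with `patch -p1`), with the `Signed-off-by:` line inside the patch body rather than in a follow-up mail. On the change itself, the outer parentheses around the `return` expression are redundant, as already noted in the thread; the single-expression form `return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT || conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;` matches the `-` line's style and is what the maintainer said he would apply.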