Hi Dave, following are two netfilter fixes for 2.6.26, fixing connection accounting of closed connections in the iptables connlimit module and inconsistent locking in IPv6 conntrack defragmentation. I'll also send both patches to -stable.
[NETFILTER]: xt_connlimit: fix accounting when receiving an RST packet in ESTABLISHED state

In the xt_connlimit match module, the counter of an IP is decreased when a TCP packet goes through the chain with ip_conntrack state TW. Well, it's very natural that the server and client close the socket with a FIN packet. But when the client/server closes the socket with an RST packet (using SO_LINGER), the counter for this connection still exists. The following patch can fix it; it is based on linux-2.6.25.4.

Signed-off-by: Dong Wei <dwei.zh@xxxxxxxxx>
Acked-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

---
commit df31d38473b31c8c18449419fbe9af219f3579f3
tree 93b5d2ee26d6531053453d28007ec42b056a9fde
parent 3446b9d57edd0b96a89715fef222879e4919a115
author Dong Wei <dwei.zh@xxxxxxxxx> Mon, 02 Jun 2008 16:47:27 +0200
committer Patrick McHardy <kaber@xxxxxxxxx> Mon, 02 Jun 2008 16:47:27 +0200

net/netfilter/xt_connlimit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 2e89a00..70907f6 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -73,7 +73,8 @@ connlimit_iphash6(const union nf_inet_addr *addr, static inline bool already_closed(const struct nf_conn *conn) { if (nf_ct_protonum(conn) == IPPROTO_TCP) - return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT; + return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT || + conn->proto.tcp.state == TCP_CONNTRACK_CLOSE; else return 0; }
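Review bot: the subject line limits the fix to "RST packet in ESTABLISHED state", but the new condition in already_closed() does not inspect the previous state at all: any conntrack entry whose proto.tcp.state is TCP_CONNTRACK_CLOSE now counts as closed, whichever state the RST arrived in. The commit message should say that the counter is now released for every connection conntrack has moved to CLOSE, not only for ones reset out of ESTABLISHED, since that is the behaviour the hunk actually introduces and the one -stable reviewers will want to verify. While touching this function, the unchanged `else return 0;` in a function declared `static inline bool` would read better as `return false;` to match the bool expression returned on the TCP path.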