Hi Dave,
following are two netfilter fixes for 2.6.26, fixing connection
accounting of closed connections in the iptables connlimit module
and inconsistent locking in IPv6 conntrack defragmentation.
I'll also send both patches to -stable.
[NETFILTER]: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state
In xt_connlimit match module, the counter of an IP is decreased when
the TCP packet is go through the chain with ip_conntrack state TW.
Well, it's very natural that the server and client close the socket
with FIN packet. But when the client/server close the socket with RST
packet(using so_linger), the counter for this connection still exsit.
The following patch can fix it which is based on linux-2.6.25.4
Signed-off-by: Dong Wei <dwei.zh@xxxxxxxxx>
Acked-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
---
commit df31d38473b31c8c18449419fbe9af219f3579f3
tree 93b5d2ee26d6531053453d28007ec42b056a9fde
parent 3446b9d57edd0b96a89715fef222879e4919a115
author Dong Wei <dwei.zh@xxxxxxxxx> Mon, 02 Jun 2008 16:47:27 +0200
committer Patrick McHardy <kaber@xxxxxxxxx> Mon, 02 Jun 2008 16:47:27 +0200
net/netfilter/xt_connlimit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 2e89a00..70907f6 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -73,7 +73,8 @@ connlimit_iphash6(const union nf_inet_addr *addr,
static inline bool already_closed(const struct nf_conn *conn)
{
if (nf_ct_protonum(conn) == IPPROTO_TCP)
- return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
+ return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
+ conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
else
return 0;
}
