From: kd6lvw <kd6lvw@xxxxxxxxx> When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the code uses a left shift on v6_mask[n]. This requires v6_mask to be filled with all one-bits beforehand, but this initialization was not done. References: http://bugzilla.netfilter.org/show_bug.cgi?id=597 Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx> --- extensions/libxt_connlimit.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c index f001a2e..403e7e6 100644 --- a/extensions/libxt_connlimit.c +++ b/extensions/libxt_connlimit.c @@ -26,7 +26,9 @@ static const struct option connlimit_opts[] = { static void connlimit_init(struct xt_entry_match *match) { struct xt_connlimit_info *info = (void *)match->data; - info->v4_mask = 0xFFFFFFFFUL; + + /* This will also initialize the v4 mask correctly */ + memset(info->v6_mask, 0xFF, sizeof(info->v6_mask)); } static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len) -- 1.6.3.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
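Review bot: the new comment "This will also initialize the v4 mask correctly" only holds if v4_mask and v6_mask overlap in a union inside struct xt_connlimit_info; the hunk deletes `info->v4_mask = 0xFFFFFFFFUL;`, so if the two are separate members the IPv4 mask is now left uninitialized and the v4 default silently changes. Either keep the explicit v4 assignment next to the `memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));` line or state in the comment that the two fields alias, so a later change to the struct cannot break this unnoticed. Also confirm that the file already includes <string.h>, since this hunk introduces the only visible use of memset.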