Re: [PATCH] netfilter: have r->cost != 0 case work

Jan Engelhardt <jengelh@xxxxxxx> wrote:

>Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when
>a running state is saved to userspace and then reinstated from there.
>
>Make sure that priv is initialized with some values when that happens.
>
>Signed-off-by: Jan Engelhardt <jengelh@xxxxxxx>
>---
> net/netfilter/xt_limit.c |    8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
>index 5c22ce8..a4c1e45 100644
>--- a/net/netfilter/xt_limit.c
>+++ b/net/netfilter/xt_limit.c
>@@ -117,11 +117,11 @@ static int limit_mt_check(const struct
>xt_mtchk_param *par)
> 
> 	/* For SMP, we only want to use one set of state. */
> 	r->master = priv;
>+	/* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
>+	   128. */
>+	priv->prev = jiffies;
>+	priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
> 	if (r->cost == 0) {
>-		/* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
>-		   128. */
>-		priv->prev = jiffies;
>-		priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
> 		r->credit_cap = priv->credit; /* Credits full. */
> 		r->cost = user2credits(r->avg);
> 	}
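
Review bot: in the r->cost != 0 path, priv->credit is now recomputed from r->avg * r->burst, but r->credit_cap and r->cost stay at whatever userspace passed back, and nothing in this hunk checks that the two agree. Consider either moving the `r->credit_cap = priv->credit;` and `r->cost = user2credits(r->avg);` assignments out of the `if` as well, or adding a comment that explains why the restored values can be trusted. The commit message should also state that a reinstated rule starts again with a full credit bucket, since the saved running state is not reused. Minor: the moved lines now carry a second "Credits full." comment next to the one on r->credit_cap; one of them can go.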

I don't think we can do any better than this. We could reuse the old state from userspace, but that might have changed in the kernel as well.

Perhaps for the future we can find some way to optionally associate elements of the new ruleset with the old one and keep states when parameters haven't changed. Probably hard though since the new ruleset is constructed in the kernel while the old one is still active.
