Re: xt_recent fails with kernel 3.19.0

On Thu, 12 Feb 2015 18:09:31 +0100
Florian Westphal <fw@xxxxxxxxx> wrote:
[snip]
> > This patch seems to be doing
> > something different, and I note that nstamps_max_mask is
> > unconditionally set later in recent_mt_check() anyway.
> 
> No, it's only set if recent_table_lookup returns NULL.
> We return soon after we bump the refcnt when we take this branch.

You probably are working on a more up-to-date branch.  Your patch
assigning to nstamps_max_mask is only executed if recent_table_lookup()
does not return NULL.  In the 3.19.0 kernel, the assignment to
nstamps_max_mask in line 404 also only occurs if recent_table_lookup()
does not return NULL.
 
> > Can the check for the value of hit_count simply be omitted?  In what
> > circumstances can it be anything other than true?
> 
> You mean when nstamp_mask > t->nstamps_max_mask is false?
> 
> e.g.
> iptables -A foo -m recent --hitcount 5
> iptables -A foo -m recent --hitcount 4
> 
> (2nd rule finds existing table with mask 7).

There's the rub I suspect, but as I say, I don't know your code.  Let's
leave it at that: if I apply the off-by-one patch it works for me
(provided I don't change settings, which I don't in ordinary usage).  I
will wait for whatever you and/or others come up with in due course to
solve it.

Chris