@@ -33,8 +33,9 @@
/* we will save the tuples of all connections we care about */
struct xt_connlimit_conn {
- struct list_head list;
- struct nf_conntrack_tuple tuple;
+ struct list_head list;
+ struct nf_conntrack_tuple tuple;
+ union nf_inet_addr addr;
};
struct xt_connlimit_data {
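Review bot: The new `addr` member of struct xt_connlimit_conn has no comment saying which address it holds, and the struct's only description still speaks of saved tuples. Going by the later hunks it is the address the limit is keyed on, copied from count_them()'s `addr` argument, so I would add `/* address this entry is counted under (the addr passed to count_them) */` beside it. The re-indentation of `list` and `tuple` also shows up as two changed lines for what is only a whitespace change, which makes the real addition harder to spot. The rest of the file, including struct xt_connlimit_data, lies outside this hunk.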
@@ -151,7 +152,7 @@ static int count_them(struct net *net,
continue;
}
- if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
+ if (same_source_net(addr, mask, &conn->addr, family))
/* same source network -> be counted! */
++matches;
nf_ct_put(found_ct);
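Review bot: The comment `/* same source network -> be counted! */` and the helper name same_source_net no longer describe the comparison, since the second operand is now `conn->addr` rather than the tuple's source address. If `addr` can be a destination address in XT_CONNLIMIT_DADDR mode (that selection is not visible in this hunk), a reader auditing the limit will be misled; I would reword the comment to `/* same network as the limited address -> count it */`. The `if` also guards only `++matches` while `nf_ct_put(found_ct)` runs unconditionally, which is easy to misread with a comment sitting between the condition and its statement. count_them() starts and ends outside the hunk.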
@@ -165,6 +166,7 @@ static int count_them(struct net *net,
if (conn == NULL)
return -ENOMEM;
conn->tuple = *tuple;
+ conn->addr = *addr;
list_add(&conn->list, hash);
++matches;
}
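Review bot: `conn->addr = *addr;` copies the whole union nf_inet_addr, so any bytes the caller left unset for the current family travel into a list entry that outlives the packet. Whether the caller initialises the full union is not visible here; if it sets only the IPv4 word for NFPROTO_IPV4, zero-initialising the union at its declaration in the caller keeps stack residue out of the entry and makes the stored value safe to compare or dump later. A short comment on this line, `/* remember the address this entry was counted under */`, would also help. count_them() continues outside the hunk.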
@@ -185,15 +187,11 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
int connections;
ct = nf_ct_get(skb, &ctinfo);
- if (ct != NULL) {
- if (info->flags & XT_CONNLIMIT_DADDR)
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
- else
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
- } else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
- par->family, &tuple)) {
+ if (ct != NULL)
+ tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
+ par->family, &tuple))
goto hotdrop;
- }
if (par->family == NFPROTO_IPV6) {
const struct ipv6hdr *iph = ipv6_hdr(skb);
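Review bot: The lookup now always takes `IP_CT_DIR_ORIGINAL` and the XT_CONNLIMIT_DADDR branch is gone from this spot with no comment explaining why, which invites someone to put the reply-tuple branch back later. I would add a short comment above `if (ct != NULL)`, for instance `/* always key on the original tuple; the per-entry addr carries the limited end */`, and state the reason the reply tuple is unsuitable if it is what I assume (it may not be final while NAT is still being set up; please confirm). The multi-line `else if (!nf_ct_get_tuplepr(...)) goto hotdrop;` without braces is also easy to extend wrongly, so keeping the braces around it would be safer. connlimit_mt() starts and ends outside the hunk, so where the source or destination address is chosen cannot be checked here.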