[NETFILTER]: xt_hashlimit: fix limit off-by-one
Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.

Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy authored and David S. Miller committed Aug 14, 2006
1 parent 97c802a commit 1c7628b
Showing 1 changed file with 4 additions and 7 deletions.
11 changes: 4 additions & 7 deletions net/ipv4/netfilter/ipt_hashlimit.c
Expand Up @@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
hinfo->cfg.burst);
dh->rateinfo.cost = user2credits(hinfo->cfg.avg);

spin_unlock_bh(&hinfo->lock);
return 1;
} else {
/* update expiration timeout */
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
rateinfo_recalc(dh, now);
}

/* update expiration timeout */
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);

rateinfo_recalc(dh, now);
if (dh->rateinfo.credit >= dh->rateinfo.cost) {
/* We're underlimit. */
dh->rateinfo.credit -= dh->rateinfo.cost;
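
Review bot: In the new-entry branch of hashlimit_match(), where `spin_unlock_bh(&hinfo->lock); return 1;` goes away after the `dh->rateinfo.cost` assignment, the fall-through into the `if (dh->rateinfo.credit >= dh->rateinfo.cost)` check is the whole behaviour change, yet nothing in the code marks it as deliberate. A one-line comment at that point, saying that the first packet of a new entry is now charged like any other to match the limit match, would keep a later cleanup from restoring the early return. The first packet is also accepted only if the credit initialised above this hunk is at least `cost`, so it is worth confirming that this holds for every avg/burst configuration the match accepts. Because accounting for the first packet lowers the number of packets each destination passes by one, the changelog could say so for administrators who tuned burst values against the old behaviour.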