diff options
| author | Pablo Neira Ayuso | 2010-09-22 08:34:12 +0200 |
|---|---|---|
| committer | Patrick McHardy | 2010-09-22 08:34:12 +0200 |
| commit | 5b92b61f3891517d18d0573ad2c939c81b59ecfe (patch) | |
| tree | 4d61d64041d559e6478a53f865fb779df99cedc9 /net/ipv4/netfilter/nf_nat_ftp.c | |
| parent | ipvs: changes related to service usecnt (diff) | |
| download | kernel-qcow2-linux-5b92b61f3891517d18d0573ad2c939c81b59ecfe.tar.gz kernel-qcow2-linux-5b92b61f3891517d18d0573ad2c939c81b59ecfe.tar.xz kernel-qcow2-linux-5b92b61f3891517d18d0573ad2c939c81b59ecfe.zip | |
netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers
This patch improves the situation in which the expectation table is
full for conntrack NAT helpers. Basically, we give up if we don't
find a place in the table instead of looping over nf_ct_expect_related()
with a different port (we should only do this if it returns -EBUSY, for
-EMFILE or -ESHUTDOWN I think that it's better to skip this).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/ipv4/netfilter/nf_nat_ftp.c')
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_ftp.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c index 86e0e84ff0a0..dc73abb3fe27 100644 --- a/net/ipv4/netfilter/nf_nat_ftp.c +++ b/net/ipv4/netfilter/nf_nat_ftp.c @@ -79,9 +79,16 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { + int ret; + exp->tuple.dst.u.tcp.port = htons(port); - if (nf_ct_expect_related(exp) == 0) + ret = nf_ct_expect_related(exp); + if (ret == 0) + break; + else if (ret != -EBUSY) { + port = 0; break; + } } if (port == 0) |