diff options
| author | Yi-Hung Wei | 2018-06-12 19:51:34 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso | 2018-06-12 20:07:07 +0200 |
| commit | 21ba8847f857028dc83a0f341e16ecc616e34740 (patch) | |
| tree | 2df27a0099a40362eebd1a1a6be182d52134a550 /net/netfilter/nft_connlimit.c | |
| parent | netfilter: xt_connmark: fix list corruption on rmmod (diff) | |
| download | kernel-qcow2-linux-21ba8847f857028dc83a0f341e16ecc616e34740.tar.gz kernel-qcow2-linux-21ba8847f857028dc83a0f341e16ecc616e34740.tar.xz kernel-qcow2-linux-21ba8847f857028dc83a0f341e16ecc616e34740.zip | |
netfilter: nf_conncount: Fix garbage collection with zones
Currently, we use check_hlist() for garbage colleciton. However, we
use the ‘zone’ from the counted entry to query the existence of
existing entries in the hlist. This could be wrong when they are in
different zones, and this patch fixes this issue.
Fixes: e59ea3df3fc2 ("netfilter: xt_connlimit: honor conntrack zone if available")
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_connlimit.c')
| -rw-r--r-- | net/netfilter/nft_connlimit.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c index 50c068d660e5..a832c59f0a9c 100644 --- a/net/netfilter/nft_connlimit.c +++ b/net/netfilter/nft_connlimit.c @@ -52,7 +52,7 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv, if (!addit) goto out; - if (!nf_conncount_add(&priv->hhead, tuple_ptr)) { + if (!nf_conncount_add(&priv->hhead, tuple_ptr, zone)) { regs->verdict.code = NF_DROP; spin_unlock_bh(&priv->lock); return; |