Commit 3bcc5fdf1b1a00be162159c420ea04e0adf709ec
Committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
1 parent
d9ec4f1ee2
netfilter: connlimit: move insertion of new element out of count function
Allows easier code-reuse in followup patches. Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 23 additions and 15 deletions Side-by-side Diff
net/netfilter/xt_connlimit.c
| ... | ... | @@ -97,13 +97,12 @@ |
| 97 | 97 | const struct nf_conntrack_tuple *tuple, |
| 98 | 98 | const union nf_inet_addr *addr, |
| 99 | 99 | const union nf_inet_addr *mask, |
| 100 | - u_int8_t family) | |
| 100 | + u_int8_t family, bool *addit) | |
| 101 | 101 | { |
| 102 | 102 | const struct nf_conntrack_tuple_hash *found; |
| 103 | 103 | struct xt_connlimit_conn *conn; |
| 104 | 104 | struct hlist_node *n; |
| 105 | 105 | struct nf_conn *found_ct; |
| 106 | - bool addit = true; | |
| 107 | 106 | int matches = 0; |
| 108 | 107 | |
| 109 | 108 | rcu_read_lock(); |
| ... | ... | @@ -126,7 +125,7 @@ |
| 126 | 125 | * We should not see tuples twice unless someone hooks |
| 127 | 126 | * this into a table without "-p tcp --syn". |
| 128 | 127 | */ |
| 129 | - addit = false; | |
| 128 | + *addit = false; | |
| 130 | 129 | } else if (already_closed(found_ct)) { |
| 131 | 130 | /* |
| 132 | 131 | * we do not care about connections which are |
| 133 | 132 | |
| ... | ... | @@ -146,20 +145,22 @@ |
| 146 | 145 | |
| 147 | 146 | rcu_read_unlock(); |
| 148 | 147 | |
| 149 | - if (addit) { | |
| 150 | - /* save the new connection in our list */ | |
| 151 | - conn = kmalloc(sizeof(*conn), GFP_ATOMIC); | |
| 152 | - if (conn == NULL) | |
| 153 | - return -ENOMEM; | |
| 154 | - conn->tuple = *tuple; | |
| 155 | - conn->addr = *addr; | |
| 156 | - hlist_add_head(&conn->node, head); | |
| 157 | - ++matches; | |
| 158 | - } | |
| 159 | - | |
| 160 | 148 | return matches; |
| 161 | 149 | } |
| 162 | 150 | |
| 151 | +static bool add_hlist(struct hlist_head *head, | |
| 152 | + const struct nf_conntrack_tuple *tuple, | |
| 153 | + const union nf_inet_addr *addr) | |
| 154 | +{ | |
| 155 | + struct xt_connlimit_conn *conn = kmalloc(sizeof(*conn), GFP_ATOMIC); | |
| 156 | + if (conn == NULL) | |
| 157 | + return false; | |
| 158 | + conn->tuple = *tuple; | |
| 159 | + conn->addr = *addr; | |
| 160 | + hlist_add_head(&conn->node, head); | |
| 161 | + return true; | |
| 162 | +} | |
| 163 | + | |
| 163 | 164 | static int count_them(struct net *net, |
| 164 | 165 | struct xt_connlimit_data *data, |
| 165 | 166 | const struct nf_conntrack_tuple *tuple, |
| ... | ... | @@ -170,6 +171,7 @@ |
| 170 | 171 | struct hlist_head *hhead; |
| 171 | 172 | int count; |
| 172 | 173 | u32 hash; |
| 174 | + bool addit = true; | |
| 173 | 175 | |
| 174 | 176 | if (family == NFPROTO_IPV6) |
| 175 | 177 | hash = connlimit_iphash6(addr, mask); |
| ... | ... | @@ -179,7 +181,13 @@ |
| 179 | 181 | hhead = &data->iphash[hash]; |
| 180 | 182 | |
| 181 | 183 | spin_lock_bh(&data->lock); |
| 182 | - count = count_hlist(net, hhead, tuple, addr, mask, family); | |
| 184 | + count = count_hlist(net, hhead, tuple, addr, mask, family, &addit); | |
| 185 | + if (addit) { | |
| 186 | + if (add_hlist(hhead, tuple, addr)) | |
| 187 | + count++; | |
| 188 | + else | |
| 189 | + count = -ENOMEM; | |
| 190 | + } | |
| 183 | 191 | spin_unlock_bh(&data->lock); |
| 184 | 192 | |
| 185 | 193 | return count; |