netfilter: connlimit: improve packet-to-closed-connection logic

Instead of freeing the entry from our list and then adding it back again in the 'packet to closing connection' case just keep the matching entry around. Also drop the found_ct != NULL test as nf_ct_tuplehash_to_ctrack is just container_of(). Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: connlimit: improve packet-to-closed-connection logic
Instead of freeing the entry from our list and then adding it back again in the 'packet to closing connection' case just keep the matching entry around. Also drop the found_ct != NULL test as nf_ct_tuplehash_to_ctrack is just container_of(). Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal · Pablo Neira Ayuso
1 parent 15cfd52895
Showing 1 changed file with 8 additions and 15 deletions Side-by-side Diff
net/netfilter/xt_connlimit.c
@@ -112,29 +112,22 @@
 	hlist_for_each_entry_safe(conn, n, head, node) {
 		found    = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,
 						 &conn->tuple);
-		found_ct = NULL;
+		if (found == NULL) {
+			hlist_del(&conn->node);
+			kfree(conn);
+			continue;
+		}
  
-		if (found != NULL)
-			found_ct = nf_ct_tuplehash_to_ctrack(found);
+		found_ct = nf_ct_tuplehash_to_ctrack(found);
  
-		if (found_ct != NULL &&
-		    nf_ct_tuple_equal(&conn->tuple, tuple) &&
-		    !already_closed(found_ct))
+		if (nf_ct_tuple_equal(&conn->tuple, tuple)) {
 			/*
 			 * Just to be sure we have it only once in the list.
 			 * We should not see tuples twice unless someone hooks
 			 * this into a table without "-p tcp --syn".
 			 */
 			addit = false;
-
-		if (found == NULL) {
-			/* this one is gone */
-			hlist_del(&conn->node);
-			kfree(conn);
-			continue;
-		}
-
-		if (already_closed(found_ct)) {
+		} else if (already_closed(found_ct)) {
 			/*
 			 * we do not care about connections which are
 			 * closed already -> ditch it
...	...	@@ -112,29 +112,22 @@
112	112	hlist_for_each_entry_safe(conn, n, head, node) {
113	113	found = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,
114	114	&conn->tuple);
115		- found_ct = NULL;
	115	+ if (found == NULL) {
	116	+ hlist_del(&conn->node);
	117	+ kfree(conn);
	118	+ continue;
	119	+ }
116	120
117		- if (found != NULL)
118		- found_ct = nf_ct_tuplehash_to_ctrack(found);
	121	+ found_ct = nf_ct_tuplehash_to_ctrack(found);
119	122
120		- if (found_ct != NULL &&
121		- nf_ct_tuple_equal(&conn->tuple, tuple) &&
122		- !already_closed(found_ct))
	123	+ if (nf_ct_tuple_equal(&conn->tuple, tuple)) {
123	124	/*
124	125	* Just to be sure we have it only once in the list.
125	126	* We should not see tuples twice unless someone hooks
126	127	* this into a table without "-p tcp --syn".
127	128	*/
128	129	addit = false;
129		-
130		- if (found == NULL) {
131		- /* this one is gone */
132		- hlist_del(&conn->node);
133		- kfree(conn);
134		- continue;
135		- }
136		-
137		- if (already_closed(found_ct)) {
	130	+ } else if (already_closed(found_ct)) {
138	131	/*
139	132	* we do not care about connections which are
140	133	* closed already -> ditch it