author | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-09-22 06:34:12 (GMT) |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2010-09-22 06:34:12 (GMT) |
commit | 5b92b61f3891517d18d0573ad2c939c81b59ecfe (patch) | |
tree | 4d61d64041d559e6478a53f865fb779df99cedc9 /net/ipv4/netfilter/nf_nat_ftp.c | |
parent | 26c15cfd291f8b4ee40b4bbdf5e3772adfd704f5 (diff) | |
download | linux-5b92b61f3891517d18d0573ad2c939c81b59ecfe.tar.xz |
netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers

This patch improves the situation in which the expectation table is
full for conntrack NAT helpers. Basically, we give up if we don't
find a place in the table instead of looping over nf_ct_expect_related()
with a different port (we should only do this if it returns -EBUSY, for
-EMFILE or -ESHUTDOWN I think that it's better to skip this).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Diffstat (limited to 'net/ipv4/netfilter/nf_nat_ftp.c')
-rw-r--r-- | net/ipv4/netfilter/nf_nat_ftp.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c index 86e0e84f..dc73abb 100644 --- a/net/ipv4/netfilter/nf_nat_ftp.c +++ b/net/ipv4/netfilter/nf_nat_ftp.c @@ -79,9 +79,16 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { + int ret; + exp->tuple.dst.u.tcp.port = htons(port); - if (nf_ct_expect_related(exp) == 0) + ret = nf_ct_expect_related(exp); + if (ret == 0) + break; + else if (ret != -EBUSY) { + port = 0; break; + } } if (port == 0) |
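
Review bot: In the new `else if (ret != -EBUSY)` branch, setting `port = 0` folds a hard failure from nf_ct_expect_related() into the same `if (port == 0)` check that handles running out of candidate ports, and because `ret` is declared inside the loop body the error code is no longer available at that point. Consider declaring `ret` at function scope so the code after the loop can distinguish "no free port" from "expectation could not be registered at all", and add a short comment above the branch stating that only -EBUSY indicates a taken port and is worth retrying, since that reasoning currently lives only in the commit message. On style, the `if (ret == 0)` arm is unbraced while the `else if` arm is braced, and the `else` after `break` is redundant; two plain `if` statements would read more cleanly.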