netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers

This patch improves the situation in which the expectation table is full for conntrack NAT helpers. Basically, we give up if we don't find a place in the table instead of looping over nf_ct_expect_related() with a different port (we should only do this if it returns -EBUSY, for -EMFILE or -ESHUTDOWN I think that it's better to skip this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2010-09-22 08:34:12 +0200
committer: Patrick McHardy <kaber@trash.net> 2010-09-22 08:34:12 +0200
commit: 5b92b61f3891517d18d0573ad2c939c81b59ecfe (patch)
tree: 4d61d64041d559e6478a53f865fb779df99cedc9 /net/ipv4/netfilter/nf_nat_amanda.c
parent: 26c15cfd291f8b4ee40b4bbdf5e3772adfd704f5 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_nat_amanda.c b/net/ipv4/netfilter/nf_nat_amanda.c
index c31b87668250..0f23b3f06df0 100644
--- a/net/ipv4/netfilter/nf_nat_amanda.c
+++ b/net/ipv4/netfilter/nf_nat_amanda.c
@@ -44,9 +44,16 @@ static unsigned int help(struct sk_buff *skb,
 
 	/* Try to get same port: if not, try to change it. */
 	for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {
+		int ret;
+
 		exp->tuple.dst.u.tcp.port = htons(port);
-		if (nf_ct_expect_related(exp) == 0)
+		ret = nf_ct_expect_related(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
 			break;
+		}
 	}
 
 	if (port == 0)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2010-09-22 08:34:12 +0200
committer	Patrick McHardy <kaber@trash.net>	2010-09-22 08:34:12 +0200
commit	5b92b61f3891517d18d0573ad2c939c81b59ecfe (patch)
tree	4d61d64041d559e6478a53f865fb779df99cedc9 /net/ipv4/netfilter/nf_nat_amanda.c
parent	26c15cfd291f8b4ee40b4bbdf5e3772adfd704f5 (diff)