[NETFILTER]: xt_hashlimit: fix limit off-by-one
author Patrick McHardy <kaber@trash.net>
Mon, 14 Aug 2006 01:06:02 +0000 (18:06 -0700)
committer David S. Miller <davem@davemloft.net>
Mon, 14 Aug 2006 01:06:02 +0000 (18:06 -0700)

Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.

Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ipt_hashlimit.c

index 6b66244..3bd2368 100644 (file)
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
                dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * 
                                                        hinfo->cfg.burst);
                dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
-
-               spin_unlock_bh(&hinfo->lock);
-               return 1;
+       } else {
+               /* update expiration timeout */
+               dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+               rateinfo_recalc(dh, now);
        }
 
-       /* update expiration timeout */
-       dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-
-       rateinfo_recalc(dh, now);
        if (dh->rateinfo.credit >= dh->rateinfo.cost) {
                /* We're underlimit. */
                dh->rateinfo.credit -= dh->rateinfo.cost;
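
Review bot: With the early "return 1" removed from the new-entry branch, the first packet of a new entry is accepted only if the credit initialised for that entry (set above the visible context) is at least dh->rateinfo.cost when control reaches the "if (dh->rateinfo.credit >= dh->rateinfo.cost)" check. Please confirm this holds for the smallest burst setting, otherwise the first packet of every new entry would be treated as over the limit. A one-line comment in the new-entry branch saying the fall-through is intentional, so that the first packet is charged like any other, would keep a later cleanup from restoring the early return. The "/* update expiration timeout */" comment now sits over both the expires update and rateinfo_recalc(dh, now); either reword it or keep the blank line between the two statements. Separately, the subject names xt_hashlimit while the file touched is net/ipv4/netfilter/ipt_hashlimit.c, so the subject prefix should match the file.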