netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers This patch improves the situation in which the expectation table is full for conntrack NAT helpers. Basically, we give up if we don't find a place in the table instead of looping over nf_ct_expect_related() with a different port (we should only do this if it returns -EBUSY, for -EMFILE or -ESHUTDOWN I think that it's better to skip this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>

commit: 5b92b61f3891517d18d0573ad2c939c81b59ecfe [log] [tgz]
author: Pablo Neira Ayuso <pablo@netfilter.org> Wed Sep 22 08:34:12 2010 +0200
committer: Patrick McHardy <kaber@trash.net> Wed Sep 22 08:34:12 2010 +0200
tree: 4d61d64041d559e6478a53f865fb779df99cedc9
parent: 26c15cfd291f8b4ee40b4bbdf5e3772adfd704f5 [diff] [blame]
diff --git a/net/ipv4/netfilter/nf_nat_amanda.c b/net/ipv4/netfilter/nf_nat_amanda.c
index c31b876..0f23b3f 100644
--- a/net/ipv4/netfilter/nf_nat_amanda.c
+++ b/net/ipv4/netfilter/nf_nat_amanda.c

@@ -44,9 +44,16 @@
 
 	/* Try to get same port: if not, try to change it. */
 	for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {
+		int ret;
+
 		exp->tuple.dst.u.tcp.port = htons(port);
-		if (nf_ct_expect_related(exp) == 0)
+		ret = nf_ct_expect_related(exp);
+		if (ret == 0)
 			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
 	}
 
 	if (port == 0)
commit	5b92b61f3891517d18d0573ad2c939c81b59ecfe	[log] [tgz]
author	Pablo Neira Ayuso <pablo@netfilter.org>	Wed Sep 22 08:34:12 2010 +0200
committer	Patrick McHardy <kaber@trash.net>	Wed Sep 22 08:34:12 2010 +0200
tree	4d61d64041d559e6478a53f865fb779df99cedc9
parent	26c15cfd291f8b4ee40b4bbdf5e3772adfd704f5 [diff] [blame]