diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h index 37e933c9987d0ddf680cc58c3ffb00719d644c67..315d2dce9da66b4d9fdacba6da001f1d4fc31c84 100644 --- a/include/linux/netfilter/xt_connlimit.h +++ b/include/linux/netfilter/xt_connlimit.h @@ -5,8 +5,13 @@ struct xt_connlimit_data; struct xt_connlimit_info { union { - __be32 v4_mask; - __be32 v6_mask[4]; + union nf_inet_addr mask; +#ifndef __KERNEL__ + union { + __be32 v4_mask; + __be32 v6_mask[4]; + }; +#endif }; unsigned int limit, inverse; diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index b7a684607c736ca8a20facf0d91dc4739d14297b..6a9e2a35718656a6841dd8f96f769a7e2fb3b5e7 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -185,7 +185,7 @@ connlimit_mt(const struct sk_buff *skb, const struct net_device *in, bool *hotdrop) { const struct xt_connlimit_info *info = matchinfo; - union nf_inet_addr addr, mask; + union nf_inet_addr addr; struct nf_conntrack_tuple tuple; const struct nf_conntrack_tuple *tuple_ptr = &tuple; enum ip_conntrack_info ctinfo; @@ -202,15 +202,14 @@ connlimit_mt(const struct sk_buff *skb, const struct net_device *in, if (match->family == AF_INET6) { const struct ipv6hdr *iph = ipv6_hdr(skb); memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr)); - memcpy(&mask.ip6, info->v6_mask, sizeof(info->v6_mask)); } else { const struct iphdr *iph = ip_hdr(skb); addr.ip = iph->saddr; - mask.ip = info->v4_mask; } spin_lock_bh(&info->data->lock); - connections = count_them(info->data, tuple_ptr, &addr, &mask, match); + connections = count_them(info->data, tuple_ptr, &addr, + &info->mask, match); spin_unlock_bh(&info->data->lock); if (connections < 0) {