Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r--sys/netinet/ip_fw2.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 0d3da1b01c08..10a2bc03d9a0 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -768,8 +768,10 @@ next_pass:
!TIME_LEQ( q->expire, time_second ))
goto next;
}
- UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
- continue;
+ if (q->dyn_type != O_LIMIT_PARENT || !q->count) {
+ UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
+ continue;
+ }
next:
prev=q;
q=q->next;
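Review bot: The new guard `if (q->dyn_type != O_LIMIT_PARENT || !q->count)` carries no comment explaining why a parent with a non-zero count must stay linked, and that invariant is what keeps the list memory-safe. Presumably child entries hold a pointer to their parent, so unlinking it early would leave them with a dangling reference. I would add `/* never unlink an O_LIMIT_PARENT while children still count against it */` above the test. A parent with live children now falls through to `next:` silently. If this loop also runs when the owning rule is being deleted (not visible here), confirm that a retained parent cannot outlive the rule it points to. The enclosing function starts and ends outside the hunk.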
@@ -804,13 +806,14 @@ lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
goto done; /* not found */
i = hash_packet( pkt );
for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
- if (q->dyn_type == O_LIMIT_PARENT)
+ if (q->dyn_type == O_LIMIT_PARENT && q->count)
goto next;
if (TIME_LEQ( q->expire, time_second)) { /* expire entry */
UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
continue;
}
- if ( pkt->proto == q->id.proto) {
+ if (pkt->proto == q->id.proto &&
+ q->dyn_type != O_LIMIT_PARENT) {
if (pkt->src_ip == q->id.src_ip &&
pkt->dst_ip == q->id.dst_ip &&
pkt->src_port == q->id.src_port &&
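Review bot: The O_LIMIT_PARENT handling in this loop is now split across two conditions, `q->dyn_type == O_LIMIT_PARENT && q->count` at the top and `q->dyn_type != O_LIMIT_PARENT` in the protocol test, and their combined effect is hard to read off the code. As written, a parent with a non-zero count is skipped, while a zero-count parent falls through only so the expiry branch can unlink it and can never match a packet. A comment above the first test would make that explicit, for example `/* parents never match; a childless parent falls through only to be expired */`. The unlink in the expiry branch is safe for parents only if `count` is decremented on every path that removes a child, which this hunk does not show. The body of lookup_dyn_rule_locked continues outside the hunk.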