From a6281c6f10110bf64e51c04a37c0fe9f9508482e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 22 Dec 2008 13:03:55 +0100
Subject: cache: fix ENOSPC errors due to over-population of inactive entries

This patch fixes a problem that can result in cache over-population with inactive entries due to mismatching in the comparison. This may result in lots of ENOSPC errors while trying to add new entries to the internal cache. We may have entries in the internal cache that with the same original tuple, but different reply tuple due to NAT port adjustment. Thus, the comparison that happens during the entry hashtable lookup fails and we add a new entry while keeping the old one.

Signed-off-by: Pablo Neira Ayuso
---
 src/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src')

diff --git a/src/cache.c b/src/cache.c
index 6106d28..525832b 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -88,7 +88,7 @@ static int compare(const void *data1, const void *data2)
 const struct us_conntrack *u1 = data1;
 const struct us_conntrack *u2 = data2;

- return nfct_cmp(u1->ct, u2->ct, NFCT_CMP_ORIG | NFCT_CMP_REPL);
+ return nfct_cmp(u1->ct, u2->ct, NFCT_CMP_ORIG);
 }

 struct cache_feature *cache_feature[CACHE_MAX_FEATURE] = {
-- 
cgit v1.2.3
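Review bot: The new `return nfct_cmp(u1->ct, u2->ct, NFCT_CMP_ORIG);` in `compare()` makes the original tuple the sole identity of a cache entry, but nothing in the code records why, so a later reader may well "restore" the reply-tuple check. A comment above the return would cover it, e.g. `/* match on the original tuple only: the reply tuple may change after NAT port adjustment */`. Two things are not visible in this hunk and are worth confirming. First, the hash function paired with this callback should also key on the original tuple only, otherwise an entry whose reply tuple changed could land in a different bucket and still be duplicated. Second, the update path should overwrite the stored reply tuple once the lookup matches, so the cache does not retain a stale NAT mapping. `compare()` starts above the hunk.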