const struct nf_conntrack_tuple *tuple,
                      const union nf_inet_addr *addr,
                      const union nf_inet_addr *mask,
-                     u_int8_t family)
+                     u_int8_t family,
+                     unsigned int threshold)
 {
        const struct nf_conntrack_tuple_hash *found;
        struct xt_connlimit_conn *conn;
                        continue;
                }
 
-               if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
+               if (same_source_net(addr, mask, &conn->tuple.src.u3, family)) {
                        /* same source network -> be counted! */
                        ++matches;
+                       if (matches > threshold) {
+                               nf_ct_put(found_ct);
+                               break;
+                       }
+               }
                nf_ct_put(found_ct);
        }
 
 
        spin_lock_bh(&info->data->lock);
        connections = count_them(net, info->data, tuple_ptr, &addr,
-                                &info->mask, par->family);
+                                &info->mask, par->family,
+                                info->limit);
        spin_unlock_bh(&info->data->lock);
 
        if (connections < 0)