conntrack error

conntrack error

[Piotrek Kaczmarek]

Hi,
I encountered the following situation - when there are around 20000 connections
"cat /proc/net/ip_conntrack" doesn't display all connections and outputs
"cat: No space left on device" error. If I patch kernel with POM and 'nth' module
(only patch, don't load the module) the same happens around 17000 connections.
It happenes both with 2.6.9 and 2.6.10 kernels.

Why is it so? Is this matter of memory limit or something else?

Thank you in advantage,

-- 
Piotrek Kaczmarek

Re: conntrack error

[Jason Opperisano]

On Fri, 2005-02-11 at 05:55, Piotrek Kaczmarek wrote:
> Hi,
> I encountered the following situation - when there are around 20000 connections
> "cat /proc/net/ip_conntrack" doesn't display all connections and outputs
> "cat: No space left on device" error. If I patch kernel with POM and 'nth' module
> (only patch, don't load the module) the same happens around 17000 connections.
> It happenes both with 2.6.9 and 2.6.10 kernels.
> 
> Why is it so? Is this matter of memory limit or something else?

what does:

  sysctl net.ipv4.netfilter.ip_conntrack_max

say?  i don't suppose it would be quite that simple, but might as well
start there.

-j

--
"Son, when you participate in sporting events, it's not whether you
 win or lose: it's how drunk you get."
	--The Simpsons

Re: conntrack error

[Piotrek Kaczmarek]

On Fri, Feb 11, 2005 at 01:07:36PM +0000, Jason Opperisano wrote:
> 
> On Fri, 2005-02-11 at 05:55, Piotrek Kaczmarek wrote:
> > Hi,
> > I encountered the following situation - when there are around 20000 connections
> > "cat /proc/net/ip_conntrack" doesn't display all connections and outputs
> > "cat: No space left on device" error. If I patch kernel with POM and 'nth' module
> > (only patch, don't load the module) the same happens around 17000 connections.
> > It happenes both with 2.6.9 and 2.6.10 kernels.
> >
> > Why is it so? Is this matter of memory limit or something else?
> 
> what does:
> 
>   sysctl net.ipv4.netfilter.ip_conntrack_max
> 
> say?  i don't suppose it would be quite that simple, but might as well
> start there.

# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 30000

-- 
Piotr Kaczmarek

Re: conntrack error

[Jason Opperisano]

On Fri, Feb 11, 2005 at 04:22:17PM +0100, Piotrek Kaczmarek wrote:
> # sysctl net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_max = 30000

i assume you set that manually, as i don't think there's an amount
of physical RAM that would result in 30000 on the dot...  speaking of
which--how much physical RAM does this machine have?  you would need 512
MB RAM for ip_conntrack_max to be automatically calculated to 32768,
even though the conntrack table would only really use around 12 MB of
kernel memory.  also--is this machine dedicated solely to firewalling,
or is there something else chewing up your RAM?

-j

--
"I have thought this through. First, I will send Bart the money to
 fly home. Then I will murder him."
        --The Simpsons

Re: conntrack error

[Piotrek Kaczmarek]

On Fri, Feb 11, 2005 at 03:33:22PM +0000, Jason Opperisano wrote:
> On Fri, Feb 11, 2005 at 04:22:17PM +0100, Piotrek Kaczmarek wrote:
> > # sysctl net.ipv4.netfilter.ip_conntrack_max
> > net.ipv4.netfilter.ip_conntrack_max = 30000
> 
> i assume you set that manually, as i don't think there's an amount
> of physical RAM that would result in 30000 on the dot...  speaking of
> which--how much physical RAM does this machine have?  you would need 512
> MB RAM for ip_conntrack_max to be automatically calculated to 32768,
> even though the conntrack table would only really use around 12 MB of
> kernel memory.  also--is this machine dedicated solely to firewalling,
> or is there something else chewing up your RAM?

Yes, I set it by hand, I have 256mb of ram, currently there are ~17000 connections
and 'free' shows 70mb of free memory. That machine is dedicated to routing/firewalling

-- 
Piotr Kaczmarek

conntrack error

[Piotrek Kaczmarek]

Hi,
I encountered the following situation - when there are around 20000 connections
"cat /proc/net/ip_conntrack" doesn't display all connections and outputs
"cat: No space left on device" error. If I patch kernel with POM and 'nth' module
(only patch, don't load the module) the same happens around 17000 connections.
It happenes both with 2.6.9 and 2.6.10 kernels.

Why is it so? Is this matter of memory limit or something else?

Thank you in advantage,

-- 
Piotrek Kaczmarek

Re: conntrack error

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 643 bytes --]

Piotrek Kaczmarek wrote:

>Hi,
>I encountered the following situation - when there are around 20000 connections
>"cat /proc/net/ip_conntrack" doesn't display all connections and outputs
>"cat: No space left on device" error. If I patch kernel with POM and 'nth' module
>(only patch, don't load the module) the same happens around 17000 connections.
>It happenes both with 2.6.9 and 2.6.10 kernels.
>
>Why is it so? Is this matter of memory limit or something else?
>
It happens when the first hash chain it tries to dump exceeds the available
size. This patch should fix it. You need to apply both patches to avoid 
rejects.

Regards
Patrick


[-- Attachment #2: 2.diff --]
[-- Type: text/x-patch, Size: 5764 bytes --]

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2005/02/13 00:16:46+01:00 kaber@coreworks.de 
#   [NETFILTER]: Fix /proc/net/ip_conntrack seq_file operations
#   
#   ip_conntrack dumps an entire hash chain at a time. If dumping
#   the first hash chain exceeds the available room nothing has
#   been copied and seq_read() stops and returns the error. Change
#   it to dump just a single entry at a time.
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
# net/ipv4/netfilter/ip_conntrack_standalone.c
#   2005/02/13 00:16:34+01:00 kaber@coreworks.de +77 -39
#   [NETFILTER]: Fix /proc/net/ip_conntrack seq_file operations
#   
#   ip_conntrack dumps an entire hash chain at a time. If dumping
#   the first hash chain exceeds the available room nothing has
#   been copied and seq_read() stops and returns the error. Change
#   it to dump just a single entry at a time.
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-02-13 00:20:00 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-02-13 00:20:00 +01:00
@@ -77,34 +77,70 @@
 #define seq_print_counters(x, y)	0
 #endif
 
-static void *ct_seq_start(struct seq_file *s, loff_t *pos)
+struct ct_iter_state {
+	unsigned int bucket;
+};
+
+static struct list_head *ct_get_first(struct seq_file *seq)
 {
-	if (*pos >= ip_conntrack_htable_size)
-		return NULL;
-	return &ip_conntrack_hash[*pos];
+	struct ct_iter_state *st = seq->private;
+
+	for (st->bucket = 0;
+	     st->bucket < ip_conntrack_htable_size;
+	     st->bucket++) {
+		if (!list_empty(&ip_conntrack_hash[st->bucket]))
+			return ip_conntrack_hash[st->bucket].next;
+	}
+	return NULL;
 }
-  
-static void ct_seq_stop(struct seq_file *s, void *v)
+
+static struct list_head *ct_get_next(struct seq_file *seq, struct list_head *head)
 {
+	struct ct_iter_state *st = seq->private;
+
+	head = head->next;
+	while (head == &ip_conntrack_hash[st->bucket]) {
+		if (++st->bucket >= ip_conntrack_htable_size)
+			return NULL;
+		head = ip_conntrack_hash[st->bucket].next;
+	}
+	return head;
+}
+
+static struct list_head *ct_get_idx(struct seq_file *seq, loff_t pos)
+{
+	struct list_head *head = ct_get_first(seq);
+
+	if (head)
+		while (pos && (head = ct_get_next(seq, head)))
+			pos--;
+	return pos ? NULL : head;
+}
+
+static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
+{
+	READ_LOCK(&ip_conntrack_lock);
+	return ct_get_idx(seq, *pos);
 }
 
 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
 	(*pos)++;
-	if (*pos >= ip_conntrack_htable_size)
-		return NULL;
-	return &ip_conntrack_hash[*pos];
+	return ct_get_next(s, v);
 }
   
-/* return 0 on success, 1 in case of error */
-static int ct_seq_real_show(const struct ip_conntrack_tuple_hash *hash,
-			    struct seq_file *s)
+static void ct_seq_stop(struct seq_file *s, void *v)
+{
+	READ_UNLOCK(&ip_conntrack_lock);
+}
+ 
+static int ct_seq_show(struct seq_file *s, void *v)
 {
+	const struct ip_conntrack_tuple_hash *hash = v;
 	const struct ip_conntrack *conntrack = tuplehash_to_ctrack(hash);
 	struct ip_conntrack_protocol *proto;
 
 	MUST_BE_READ_LOCKED(&ip_conntrack_lock);
-
 	IP_NF_ASSERT(conntrack);
 
 	/* we only want to print DIR_ORIGINAL */
@@ -121,58 +157,44 @@
 		      timer_pending(&conntrack->timeout)
 		      ? (long)(conntrack->timeout.expires - jiffies)/HZ
 		      : 0) != 0)
-		return 1;
+		return -ENOSPC;
 
 	if (proto->print_conntrack(s, conntrack))
-		return 1;
+		return -ENOSPC;
   
 	if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
 			proto))
-		return 1;
+		return -ENOSPC;
 
  	if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_ORIGINAL]))
-		return 1;
+		return -ENOSPC;
 
 	if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)))
 		if (seq_printf(s, "[UNREPLIED] "))
-			return 1;
+			return -ENOSPC;
 
 	if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple,
 			proto))
-		return 1;
+		return -ENOSPC;
 
  	if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_REPLY]))
-		return 1;
+		return -ENOSPC;
 
 	if (test_bit(IPS_ASSURED_BIT, &conntrack->status))
 		if (seq_printf(s, "[ASSURED] "))
-			return 1;
+			return -ENOSPC;
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
 	if (seq_printf(s, "mark=%lu ", conntrack->mark))
-		return 1;
+		return -ENOSPC;
 #endif
 
 	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
-		return 1;
+		return -ENOSPC;
 
 	return 0;
 }
 
-static int ct_seq_show(struct seq_file *s, void *v)
-{
-	struct list_head *list = v;
-	int ret = 0;
-
-	/* FIXME: Simply truncates if hash chain too long. */
-	READ_LOCK(&ip_conntrack_lock);
-	if (LIST_FIND(list, ct_seq_real_show,
-		      struct ip_conntrack_tuple_hash *, s))
-		ret = -ENOSPC;
-	READ_UNLOCK(&ip_conntrack_lock);
-	return ret;
-}
-	
 static struct seq_operations ct_seq_ops = {
 	.start = ct_seq_start,
 	.next  = ct_seq_next,
@@ -182,7 +204,23 @@
   
 static int ct_open(struct inode *inode, struct file *file)
 {
-	return seq_open(file, &ct_seq_ops);
+	struct seq_file *seq;
+	struct ct_iter_state *st;
+	int ret;
+
+	st = kmalloc(sizeof(struct ct_iter_state), GFP_KERNEL);
+	if (st == NULL)
+		return -ENOMEM;
+	ret = seq_open(file, &ct_seq_ops);
+	if (ret)
+		goto out_free;
+	seq          = file->private_data;
+	seq->private = st;
+	memset(st, 0, sizeof(struct ct_iter_state));
+	return ret;
+out_free:
+	kfree(st);
+	return ret;
 }
 
 static struct file_operations ct_file_ops = {
@@ -190,7 +228,7 @@
 	.open    = ct_open,
 	.read    = seq_read,
 	.llseek  = seq_lseek,
-	.release = seq_release
+	.release = seq_release_private,
 };
   
 /* expects */

[-- Attachment #3: 1.diff --]
[-- Type: text/x-patch, Size: 2554 bytes --]

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2005/02/04 04:16:35+01:00 kaber@coreworks.de 
#   [NETFILTER]: Use correct types in seq_printf calls
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
# net/ipv4/netfilter/ipt_hashlimit.c
#   2005/02/04 04:16:26+01:00 kaber@coreworks.de +1 -1
#   [NETFILTER]: Use correct types in seq_printf calls
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
# net/ipv4/netfilter/ip_conntrack_standalone.c
#   2005/02/04 04:16:26+01:00 kaber@coreworks.de +6 -5
#   [NETFILTER]: Use correct types in seq_printf calls
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-02-13 00:20:14 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-02-13 00:20:14 +01:00
@@ -115,11 +115,12 @@
 			       .tuple.dst.protonum);
 	IP_NF_ASSERT(proto);
 
-	if (seq_printf(s, "%-8s %u %lu ",
+	if (seq_printf(s, "%-8s %u %ld ",
 		      proto->name,
 		      conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum,
 		      timer_pending(&conntrack->timeout)
-		      ? (conntrack->timeout.expires - jiffies)/HZ : 0) != 0)
+		      ? (long)(conntrack->timeout.expires - jiffies)/HZ
+		      : 0) != 0)
 		return 1;
 
 	if (proto->print_conntrack(s, conntrack))
@@ -148,7 +149,7 @@
 			return 1;
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-	if (seq_printf(s, "mark=%ld ", conntrack->mark))
+	if (seq_printf(s, "mark=%lu ", conntrack->mark))
 		return 1;
 #endif
 
@@ -235,8 +236,8 @@
 	struct ip_conntrack_expect *expect = v;
 
 	if (expect->timeout.function)
-		seq_printf(s, "%lu ", timer_pending(&expect->timeout)
-			   ? (expect->timeout.expires - jiffies)/HZ : 0);
+		seq_printf(s, "%ld ", timer_pending(&expect->timeout)
+			   ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
 	else
 		seq_printf(s, "- ");
 
diff -Nru a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
--- a/net/ipv4/netfilter/ipt_hashlimit.c	2005-02-13 00:20:14 +01:00
+++ b/net/ipv4/netfilter/ipt_hashlimit.c	2005-02-13 00:20:14 +01:00
@@ -609,7 +609,7 @@
 	rateinfo_recalc(ent, jiffies);
 
 	return seq_printf(s, "%ld %u.%u.%u.%u:%u->%u.%u.%u.%u:%u %u %u %u\n",
-			(ent->expires - jiffies)/HZ,
+			(long)(ent->expires - jiffies)/HZ,
 			NIPQUAD(ent->dst.src_ip), ntohs(ent->dst.src_port),
 			NIPQUAD(ent->dst.dst_ip), ntohs(ent->dst.dst_port),
 			ent->rateinfo.credit, ent->rateinfo.credit_cap,

Re: conntrack error

[Rimas]

Hi Patrick,


I have the same problem with the conntrack.
I tried to use your patches on 2.6.10 vanila kernel but I got these error 
messages
root@webgate:/usr/src/linux-2.6.10# patch -p1 < 1.diff
(Stripping trailing CRs from patch.)
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 114 (offset -1 lines).
Hunk #3 FAILED at 236.
1 out of 3 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/ip_conntrack_standalone.c.rej
(Stripping trailing CRs from patch.)
patching file net/ipv4/netfilter/ipt_hashlimit.c
root@webgate:/usr/src/linux-2.6.10# patch -p1 < 2.diff
(Stripping trailing CRs from patch.)
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 FAILED at 77.
Hunk #2 succeeded at 156 (offset -1 lines).
Hunk #4 succeeded at 227 (offset -1 lines).
1 out of 4 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/ip_conntrack_standalone.c.rej


Thanks

Remus


----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: "Piotrek Kaczmarek" <kaczorek@k.daleka.net>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Saturday, February 12, 2005 11:21 PM
Subject: Re: conntrack error


> Piotrek Kaczmarek wrote:
>
>>Hi,
>>I encountered the following situation - when there are around 20000 
>>connections
>>"cat /proc/net/ip_conntrack" doesn't display all connections and outputs
>>"cat: No space left on device" error. If I patch kernel with POM and 'nth' 
>>module
>>(only patch, don't load the module) the same happens around 17000 
>>connections.
>>It happenes both with 2.6.9 and 2.6.10 kernels.
>>
>>Why is it so? Is this matter of memory limit or something else?
>>
> It happens when the first hash chain it tries to dump exceeds the 
> available
> size. This patch should fix it. You need to apply both patches to avoid
> rejects.
>
> Regards
> Patrick
>
>


--------------------------------------------------------------------------------


># This is a BitKeeper generated diff -Nru style patch.
> #
> # ChangeSet
> #   2005/02/13 00:16:46+01:00 kaber@coreworks.de
> #   [NETFILTER]: Fix /proc/net/ip_conntrack seq_file operations
> #
> #   ip_conntrack dumps an entire hash chain at a time. If dumping
> #   the first hash chain exceeds the available room nothing has
> #   been copied and seq_read() stops and returns the error. Change
> #   it to dump just a single entry at a time.
> #
> #   Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> # net/ipv4/netfilter/ip_conntrack_standalone.c
> #   2005/02/13 00:16:34+01:00 kaber@coreworks.de +77 -39
> #   [NETFILTER]: Fix /proc/net/ip_conntrack seq_file operations
> #
> #   ip_conntrack dumps an entire hash chain at a time. If dumping
> #   the first hash chain exceeds the available room nothing has
> #   been copied and seq_read() stops and returns the error. Change
> #   it to dump just a single entry at a time.
> #
> #   Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c 
> b/net/ipv4/netfilter/ip_conntrack_standalone.c
> --- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-13 00:20:00 
> +01:00
> +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-13 00:20:00 
> +01:00
> @@ -77,34 +77,70 @@
> #define seq_print_counters(x, y) 0
> #endif
>
> -static void *ct_seq_start(struct seq_file *s, loff_t *pos)
> +struct ct_iter_state {
> + unsigned int bucket;
> +};
> +
> +static struct list_head *ct_get_first(struct seq_file *seq)
> {
> - if (*pos >= ip_conntrack_htable_size)
> - return NULL;
> - return &ip_conntrack_hash[*pos];
> + struct ct_iter_state *st = seq->private;
> +
> + for (st->bucket = 0;
> +      st->bucket < ip_conntrack_htable_size;
> +      st->bucket++) {
> + if (!list_empty(&ip_conntrack_hash[st->bucket]))
> + return ip_conntrack_hash[st->bucket].next;
> + }
> + return NULL;
> }
> -
> -static void ct_seq_stop(struct seq_file *s, void *v)
> +
> +static struct list_head *ct_get_next(struct seq_file *seq, struct 
> list_head *head)
> {
> + struct ct_iter_state *st = seq->private;
> +
> + head = head->next;
> + while (head == &ip_conntrack_hash[st->bucket]) {
> + if (++st->bucket >= ip_conntrack_htable_size)
> + return NULL;
> + head = ip_conntrack_hash[st->bucket].next;
> + }
> + return head;
> +}
> +
> +static struct list_head *ct_get_idx(struct seq_file *seq, loff_t pos)
> +{
> + struct list_head *head = ct_get_first(seq);
> +
> + if (head)
> + while (pos && (head = ct_get_next(seq, head)))
> + pos--;
> + return pos ? NULL : head;
> +}
> +
> +static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
> +{
> + READ_LOCK(&ip_conntrack_lock);
> + return ct_get_idx(seq, *pos);
> }
>
> static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
> {
>  (*pos)++;
> - if (*pos >= ip_conntrack_htable_size)
> - return NULL;
> - return &ip_conntrack_hash[*pos];
> + return ct_get_next(s, v);
> }
>
> -/* return 0 on success, 1 in case of error */
> -static int ct_seq_real_show(const struct ip_conntrack_tuple_hash *hash,
> -     struct seq_file *s)
> +static void ct_seq_stop(struct seq_file *s, void *v)
> +{
> + READ_UNLOCK(&ip_conntrack_lock);
> +}
> +
> +static int ct_seq_show(struct seq_file *s, void *v)
> {
> + const struct ip_conntrack_tuple_hash *hash = v;
>  const struct ip_conntrack *conntrack = tuplehash_to_ctrack(hash);
>  struct ip_conntrack_protocol *proto;
>
>  MUST_BE_READ_LOCKED(&ip_conntrack_lock);
> -
>  IP_NF_ASSERT(conntrack);
>
>  /* we only want to print DIR_ORIGINAL */
> @@ -121,58 +157,44 @@
>        timer_pending(&conntrack->timeout)
>        ? (long)(conntrack->timeout.expires - jiffies)/HZ
>        : 0) != 0)
> - return 1;
> + return -ENOSPC;
>
>  if (proto->print_conntrack(s, conntrack))
> - return 1;
> + return -ENOSPC;
>
>  if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
>  proto))
> - return 1;
> + return -ENOSPC;
>
>  if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_ORIGINAL]))
> - return 1;
> + return -ENOSPC;
>
>  if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)))
>  if (seq_printf(s, "[UNREPLIED] "))
> - return 1;
> + return -ENOSPC;
>
>  if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple,
>  proto))
> - return 1;
> + return -ENOSPC;
>
>  if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_REPLY]))
> - return 1;
> + return -ENOSPC;
>
>  if (test_bit(IPS_ASSURED_BIT, &conntrack->status))
>  if (seq_printf(s, "[ASSURED] "))
> - return 1;
> + return -ENOSPC;
>
> #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
>  if (seq_printf(s, "mark=%lu ", conntrack->mark))
> - return 1;
> + return -ENOSPC;
> #endif
>
>  if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
> - return 1;
> + return -ENOSPC;
>
>  return 0;
> }
>
> -static int ct_seq_show(struct seq_file *s, void *v)
> -{
> - struct list_head *list = v;
> - int ret = 0;
> -
> - /* FIXME: Simply truncates if hash chain too long. */
> - READ_LOCK(&ip_conntrack_lock);
> - if (LIST_FIND(list, ct_seq_real_show,
> -       struct ip_conntrack_tuple_hash *, s))
> - ret = -ENOSPC;
> - READ_UNLOCK(&ip_conntrack_lock);
> - return ret;
> -}
> -
> static struct seq_operations ct_seq_ops = {
>  .start = ct_seq_start,
>  .next  = ct_seq_next,
> @@ -182,7 +204,23 @@
>
> static int ct_open(struct inode *inode, struct file *file)
> {
> - return seq_open(file, &ct_seq_ops);
> + struct seq_file *seq;
> + struct ct_iter_state *st;
> + int ret;
> +
> + st = kmalloc(sizeof(struct ct_iter_state), GFP_KERNEL);
> + if (st == NULL)
> + return -ENOMEM;
> + ret = seq_open(file, &ct_seq_ops);
> + if (ret)
> + goto out_free;
> + seq          = file->private_data;
> + seq->private = st;
> + memset(st, 0, sizeof(struct ct_iter_state));
> + return ret;
> +out_free:
> + kfree(st);
> + return ret;
> }
>
> static struct file_operations ct_file_ops = {
> @@ -190,7 +228,7 @@
>  .open    = ct_open,
>  .read    = seq_read,
>  .llseek  = seq_lseek,
> - .release = seq_release
> + .release = seq_release_private,
> };
>
> /* expects */
>


--------------------------------------------------------------------------------


># This is a BitKeeper generated diff -Nru style patch.
> #
> # ChangeSet
> #   2005/02/04 04:16:35+01:00 kaber@coreworks.de
> #   [NETFILTER]: Use correct types in seq_printf calls
> #
> #   Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> # net/ipv4/netfilter/ipt_hashlimit.c
> #   2005/02/04 04:16:26+01:00 kaber@coreworks.de +1 -1
> #   [NETFILTER]: Use correct types in seq_printf calls
> #
> #   Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> # net/ipv4/netfilter/ip_conntrack_standalone.c
> #   2005/02/04 04:16:26+01:00 kaber@coreworks.de +6 -5
> #   [NETFILTER]: Use correct types in seq_printf calls
> #
> #   Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c 
> b/net/ipv4/netfilter/ip_conntrack_standalone.c
> --- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-13 00:20:14 
> +01:00
> +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-13 00:20:14 
> +01:00
> @@ -115,11 +115,12 @@
>         .tuple.dst.protonum);
>  IP_NF_ASSERT(proto);
>
> - if (seq_printf(s, "%-8s %u %lu ",
> + if (seq_printf(s, "%-8s %u %ld ",
>        proto->name,
>        conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum,
>        timer_pending(&conntrack->timeout)
> -       ? (conntrack->timeout.expires - jiffies)/HZ : 0) != 0)
> +       ? (long)(conntrack->timeout.expires - jiffies)/HZ
> +       : 0) != 0)
>  return 1;
>
>  if (proto->print_conntrack(s, conntrack))
> @@ -148,7 +149,7 @@
>  return 1;
>
> #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
> - if (seq_printf(s, "mark=%ld ", conntrack->mark))
> + if (seq_printf(s, "mark=%lu ", conntrack->mark))
>  return 1;
> #endif
>
> @@ -235,8 +236,8 @@
>  struct ip_conntrack_expect *expect = v;
>
>  if (expect->timeout.function)
> - seq_printf(s, "%lu ", timer_pending(&expect->timeout)
> -    ? (expect->timeout.expires - jiffies)/HZ : 0);
> + seq_printf(s, "%ld ", timer_pending(&expect->timeout)
> +    ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
>  else
>  seq_printf(s, "- ");
>
> diff -Nru a/net/ipv4/netfilter/ipt_hashlimit.c 
> b/net/ipv4/netfilter/ipt_hashlimit.c
> --- a/net/ipv4/netfilter/ipt_hashlimit.c 2005-02-13 00:20:14 +01:00
> +++ b/net/ipv4/netfilter/ipt_hashlimit.c 2005-02-13 00:20:14 +01:00
> @@ -609,7 +609,7 @@
>  rateinfo_recalc(ent, jiffies);
>
>  return seq_printf(s, "%ld %u.%u.%u.%u:%u->%u.%u.%u.%u:%u %u %u %u\n",
> - (ent->expires - jiffies)/HZ,
> + (long)(ent->expires - jiffies)/HZ,
>  NIPQUAD(ent->dst.src_ip), ntohs(ent->dst.src_port),
>  NIPQUAD(ent->dst.dst_ip), ntohs(ent->dst.dst_port),
>  ent->rateinfo.credit, ent->rateinfo.credit_cap,
> 

Re: conntrack error

[Patrick McHardy]

Rimas wrote:

> Hi Patrick,
>
>
> I have the same problem with the conntrack.
> I tried to use your patches on 2.6.10 vanila kernel but I got these 
> error messages 

They are based on my 2.6.12 tree, but I think they should apply to 
2.6.11-rc4.

Regards
Patrick

Re: conntrack error

[Rimas]

Thanks Patrick,

I will try with 2.6.11-rc4.

Remus

----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: "Rimas" <rmocius@auste.elnet.lt>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Monday, February 14, 2005 1:10 PM
Subject: Re: conntrack error


> Rimas wrote:
> 
>> Hi Patrick,
>>
>>
>> I have the same problem with the conntrack.
>> I tried to use your patches on 2.6.10 vanila kernel but I got these 
>> error messages 
> 
> They are based on my 2.6.12 tree, but I think they should apply to 
> 2.6.11-rc4.
> 
> Regards
> Patrick
> 
>

Re: conntrack error

[Rimas]

Patrick,

The patch 2.diff does not apply to 2.6.11-rc4.

Is any chance to get the conntrack working properly with 2.6.11?

Thanks

Remus


> They are based on my 2.6.12 tree, but I think they should apply to 
> 2.6.11-rc4.
> 
> Regards
> Patrick
> 
>