nf_conntrack_count is increasing

All of lore.kernel.org
 help / color / mirror / Atom feed

* nf_conntrack_count is increasing
@ 2015-12-09 11:25 Гаврилов Игорь
  2015-12-09 12:02 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Гаврилов Игорь @ 2015-12-09 11:25 UTC (permalink / raw)
  To: netfilter-devel

Hello everyone! I need your advice. I'm trying to improve cls_flow, so that it could get information about NATed addresses on ingress interface. I have changed the code from net/sched/act_connmark.c to make it possible:
	if (ct == NULL){						\
		        switch (tc_skb_protocol(skb)) {			\
		        case htons(ETH_P_IP):				\
                		proto = NFPROTO_IPV4; 			\
				break;					\
		        case htons(ETH_P_IPV6):				\
				proto = NFPROTO_IPV6;			\
				break;					\
			default: goto fallback;				\
	        } 							\
									\
	if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple)) \
                goto fallback;						\
        zone.id = NF_CT_DEFAULT_ZONE_ID;				\
        zone.dir = NF_CT_DEFAULT_ZONE_DIR;				\
									\
        thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
        if (!thash) goto fallback;					\
        ct = nf_ct_tuplehash_to_ctrack(thash);				\
	result = ct->tuplehash[(thash->tuple.dst.dir == IP_CT_DIR_REPLY) ? IP_CT_DIR_ORIGINAL : IP_CT_DIR_REPLY].tuple.src.member;	\
	} else {							\
If nf_ct_get() fails to retrieve information from sk_buff, which is obvious on ingress, I use nf_ct_get_tuplepr() and nf_conntrack_find_get() like in net/sched/act_connmark.c, but I have encountered a problem - after a while traffic stops forwarding with the message "nf_conntrack: table is full" and conntrack -F doesn't help - nf_conntrack_count remains large - about 200k. Can anyone advise me how to fix this issue?

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: nf_conntrack_count is increasing
  2015-12-09 11:25 nf_conntrack_count is increasing Гаврилов Игорь
@ 2015-12-09 12:02 ` Florian Westphal
  2015-12-09 12:23   ` Гаврилов Игорь
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2015-12-09 12:02 UTC (permalink / raw)
  To: Гаврилов Игорь
  Cc: netfilter-devel

Гаврилов Игорь <iggorok@yandex.ua> wrote:
> 	if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple)) \
>                 goto fallback;						\
>         zone.id = NF_CT_DEFAULT_ZONE_ID;				\
>         zone.dir = NF_CT_DEFAULT_ZONE_DIR;				\
> 									\
>         thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
>         if (!thash) goto fallback;					\
>         ct = nf_ct_tuplehash_to_ctrack(thash);				\

> If nf_ct_get() fails to retrieve information from sk_buff, which is obvious on ingress, I use nf_ct_get_tuplepr() and nf_conntrack_find_get() like in net/sched/act_connmark.c, but I have encountered a problem - after a while traffic stops forwarding with the message "nf_conntrack: table is full" and conntrack -F doesn't help - nf_conntrack_count remains large - about 200k. Can anyone advise me how to fix this issue?

You need to nf_ct_put(ct) once you're done with ct.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: nf_conntrack_count is increasing
  2015-12-09 12:02 ` Florian Westphal
@ 2015-12-09 12:23   ` Гаврилов Игорь
  0 siblings, 0 replies; 3+ messages in thread
From: Гаврилов Игорь @ 2015-12-09 12:23 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel@vger.kernel.org

Thank you for your reply. As far I understand nf_ct_put() needed only when I use nf_conntrack_find_get(), and doesn't needed with nf_ct_get(skb, &ctinfo).
And one more question - Is it possible to clear nf_conntrack_count, after those code usage without rebooting router? 

09.12.2015, 14:02, "Florian Westphal" <fw@strlen.de>:
> Гаврилов Игорь <iggorok@yandex.ua> wrote:
>>          if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple)) \
>>                  goto fallback; \
>>          zone.id = NF_CT_DEFAULT_ZONE_ID; \
>>          zone.dir = NF_CT_DEFAULT_ZONE_DIR; \
>>                                                                          \
>>          thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
>>          if (!thash) goto fallback; \
>>          ct = nf_ct_tuplehash_to_ctrack(thash); \
>
>>  If nf_ct_get() fails to retrieve information from sk_buff, which is obvious on ingress, I use nf_ct_get_tuplepr() and nf_conntrack_find_get() like in net/sched/act_connmark.c, but I have encountered a problem - after a while traffic stops forwarding with the message "nf_conntrack: table is full" and conntrack -F doesn't help - nf_conntrack_count remains large - about 200k. Can anyone advise me how to fix this issue?
>
> You need to nf_ct_put(ct) once you're done with ct.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-12-09 12:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-09 11:25 nf_conntrack_count is increasing Гаврилов Игорь
2015-12-09 12:02 ` Florian Westphal
2015-12-09 12:23   ` Гаврилов Игорь

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.