From: Jakub Kicinski <kuba@kernel.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
	netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com,
	fw@strlen.de, horms@kernel.org
Subject: Re: [PATCH net-next 11/17] netfilter: nf_conncount: rework API to use sk_buff directly
Date: Fri, 28 Nov 2025 20:15:30 -0800
Message-ID: <20251128201530.10e5c3c2@kernel.org>
In-Reply-To: <20251128002345.29378-12-pablo@netfilter.org>

On Fri, 28 Nov 2025 00:23:38 +0000 Pablo Neira Ayuso wrote:
>  static int __nf_conncount_add(struct net *net,
> -			      struct nf_conncount_list *list,
> -			      const struct nf_conntrack_tuple *tuple,
> -			      const struct nf_conntrack_zone *zone)
> +			      const struct sk_buff *skb,
> +			      u16 l3num,
> +			      struct nf_conncount_list *list)
>  {
> +	const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
>  	const struct nf_conntrack_tuple_hash *found;
>  	struct nf_conncount_tuple *conn, *conn_n;
> +	struct nf_conntrack_tuple tuple;
> +	struct nf_conn *ct = NULL;
>  	struct nf_conn *found_ct;
>  	unsigned int collect = 0;
> +	bool refcounted = false;
> +
> +	if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
> +		return -ENOENT;
> +
> +	if (ct && nf_ct_is_confirmed(ct)) {
> +		if (refcounted)
> +			nf_ct_put(ct);
> +		return 0;
> +	}
>  	if ((u32)jiffies == list->last_gc)
>  		goto add_new_node;
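
Review bot: the confirmed-conntrack early exit ("if (ct && nf_ct_is_confirmed(ct))") open-codes the same "if (refcounted) nf_ct_put(ct); return 0;" sequence that the new out_put label provides at the end of the function. Using "goto out_put" there would keep a single release point and make it harder for a later exit to miss the put. The "return -ENOENT" just above it relies on get_ct_or_tuple_from_skb() holding no reference when it returns false; the helper is not shown in this hunk, so a one-line comment stating that contract would help. A blank line before "if ((u32)jiffies == list->last_gc)" would also separate the new block from the GC check.
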
> @@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
>  		if (IS_ERR(found)) {
>  			/* Not found, but might be about to be confirmed */
>  			if (PTR_ERR(found) == -EAGAIN) {
> -				if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> +				if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
>  				    nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
>  				    nf_ct_zone_id(zone, zone->dir))
> -					return 0; /* already exists */
> +					goto out_put; /* already exists */
>  			} else {
>  				collect++;
>  			}
> @@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
>  
>  		found_ct = nf_ct_tuplehash_to_ctrack(found);
>  
> -		if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> +		if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
>  		    nf_ct_zone_equal(found_ct, zone, zone->dir)) {
>  			/*
>  			 * We should not see tuples twice unless someone hooks
> @@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
>  			 * Attempt to avoid a re-add in this case.
>  			 */
>  			nf_ct_put(found_ct);
> -			return 0;
> +			goto out_put;
>  		} else if (already_closed(found_ct)) {
>  			/*
>  			 * we do not care about connections which are
> @@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
>  	if (conn == NULL)
>  		return -ENOMEM;


The AI review tool points out this is another direct return missing a put(ct).

Similar issue in count_tree(). Please take a look and follow up where
appropriate:
https://netdev-ai.bots.linux.dev/ai-review.html?id=348ddc42-0343-4832-9047-0c62767f074f

> -	conn->tuple = *tuple;
> +	conn->tuple = tuple;
>  	conn->zone = *zone;
>  	conn->cpu = raw_smp_processor_id();
>  	conn->jiffies32 = (u32)jiffies;
>  	list_add_tail(&conn->node, &list->head);
>  	list->count++;
>  	list->last_gc = (u32)jiffies;
> +
> +out_put:
> +	if (refcounted)
> +		nf_ct_put(ct);
>  	return 0;
>  }
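
Review bot: the "return -ENOMEM" after the "conn == NULL" check at the top of this hunk exits without passing through out_put, so when refcounted is true the reference on ct is not dropped on allocation failure. Because out_put ends in "return 0", one way to route that path through the label is a local "int err = 0", set to -ENOMEM before a "goto out_put", with the label returning err.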
