[PATCH] netfilter: conntrack: account packets drop by tcp

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] netfilter: conntrack: account packets drop by tcp_packet()
@ 2009-02-23 10:15 Pablo Neira Ayuso
  2009-02-23 10:48 ` Jan Engelhardt
  2009-02-24 13:49 ` Patrick McHardy
  0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2009-02-23 10:15 UTC (permalink / raw)
  To: netfilter-devel; +Cc: kaber

Since tcp_packet() may return -NF_DROP in two situations, the
packet-drop stats must be increased.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nf_conntrack_core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8b9dbb7..4503727 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -733,6 +733,8 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
 		nf_conntrack_put(skb->nfct);
 		skb->nfct = NULL;
 		NF_CT_STAT_INC_ATOMIC(net, invalid);
+		if (-ret == NF_DROP)
+			NF_CT_STAT_INC_ATOMIC(net, drop);
 		return -ret;
 	}
 


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: conntrack: account packets drop by tcp_packet()
  2009-02-23 10:15 [PATCH] netfilter: conntrack: account packets drop by tcp_packet() Pablo Neira Ayuso
@ 2009-02-23 10:48 ` Jan Engelhardt
  2009-02-23 10:49   ` Patrick McHardy
  2009-02-24 13:49 ` Patrick McHardy
  1 sibling, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2009-02-23 10:48 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, kaber


On Monday 2009-02-23 11:15, Pablo Neira Ayuso wrote:
>diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>index 8b9dbb7..4503727 100644
>--- a/net/netfilter/nf_conntrack_core.c
>+++ b/net/netfilter/nf_conntrack_core.c
>@@ -733,6 +733,8 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
> 		nf_conntrack_put(skb->nfct);
> 		skb->nfct = NULL;
> 		NF_CT_STAT_INC_ATOMIC(net, invalid);
>+		if (-ret == NF_DROP)
>+			NF_CT_STAT_INC_ATOMIC(net, drop);
> 		return -ret;
> 	}
> 

*boggle* Why not just "ret == -NF_DROP"?
The assumption would be near that "-NF_DROP" is a constant just
as "NF_DROP" would be, but "-ret" involves an extra instruction
for negating ret.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: conntrack: account packets drop by tcp_packet()
  2009-02-23 10:48 ` Jan Engelhardt
@ 2009-02-23 10:49   ` Patrick McHardy
  0 siblings, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2009-02-23 10:49 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, netfilter-devel

Jan Engelhardt wrote:
> On Monday 2009-02-23 11:15, Pablo Neira Ayuso wrote:
>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>> index 8b9dbb7..4503727 100644
>> --- a/net/netfilter/nf_conntrack_core.c
>> +++ b/net/netfilter/nf_conntrack_core.c
>> @@ -733,6 +733,8 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
>> 		nf_conntrack_put(skb->nfct);
>> 		skb->nfct = NULL;
>> 		NF_CT_STAT_INC_ATOMIC(net, invalid);
>> +		if (-ret == NF_DROP)
>> +			NF_CT_STAT_INC_ATOMIC(net, drop);
>> 		return -ret;
>> 	}
>>
> 
> *boggle* Why not just "ret == -NF_DROP"?
> The assumption would be near that "-NF_DROP" is a constant just
> as "NF_DROP" would be, but "-ret" involves an extra instruction
> for negating ret.

Indeed. No need to resend though, I'll fix it up.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: conntrack: account packets drop by tcp_packet()
  2009-02-23 10:15 [PATCH] netfilter: conntrack: account packets drop by tcp_packet() Pablo Neira Ayuso
  2009-02-23 10:48 ` Jan Engelhardt
@ 2009-02-24 13:49 ` Patrick McHardy
  1 sibling, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2009-02-24 13:49 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Pablo Neira Ayuso wrote:
> Since tcp_packet() may return -NF_DROP in two situations, the
> packet-drop stats must be increased.

Applied, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2009-02-24 13:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-02-23 10:15 [PATCH] netfilter: conntrack: account packets drop by tcp_packet() Pablo Neira Ayuso
2009-02-23 10:48 ` Jan Engelhardt
2009-02-23 10:49   ` Patrick McHardy
2009-02-24 13:49 ` Patrick McHardy

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.