From: Jakub Kicinski <kuba@kernel.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com,
fw@strlen.de, horms@kernel.org
Subject: Re: [PATCH net-next 11/17] netfilter: nf_conncount: rework API to use sk_buff directly
Date: Fri, 28 Nov 2025 20:15:30 -0800
Message-ID: <20251128201530.10e5c3c2@kernel.org>
In-Reply-To: <20251128002345.29378-12-pablo@netfilter.org>
On Fri, 28 Nov 2025 00:23:38 +0000 Pablo Neira Ayuso wrote:
> static int __nf_conncount_add(struct net *net,
> - struct nf_conncount_list *list,
> - const struct nf_conntrack_tuple *tuple,
> - const struct nf_conntrack_zone *zone)
> + const struct sk_buff *skb,
> + u16 l3num,
> + struct nf_conncount_list *list)
> {
> + const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
> const struct nf_conntrack_tuple_hash *found;
> struct nf_conncount_tuple *conn, *conn_n;
> + struct nf_conntrack_tuple tuple;
> + struct nf_conn *ct = NULL;
> struct nf_conn *found_ct;
> unsigned int collect = 0;
> + bool refcounted = false;
> +
> + if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
> + return -ENOENT;
> +
> + if (ct && nf_ct_is_confirmed(ct)) {
> + if (refcounted)
> + nf_ct_put(ct);
> + return 0;
> + }
> if ((u32)jiffies == list->last_gc)
> goto add_new_node;
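Review bot: The early `return 0` inside `if (ct && nf_ct_is_confirmed(ct))` has no comment explaining why a confirmed conntrack is skipped, and it returns the same value as the path that adds a node, so a caller cannot tell "added" from "skipped". Suggest a short comment above the check and, if callers need to react to the skip, a distinct return value. The reference handling in that block is balanced: `nf_ct_put(ct)` runs only when `refcounted` is set.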
> @@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
> if (IS_ERR(found)) {
> /* Not found, but might be about to be confirmed */
> if (PTR_ERR(found) == -EAGAIN) {
> - if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> + if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
> nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
> nf_ct_zone_id(zone, zone->dir))
> - return 0; /* already exists */
> + goto out_put; /* already exists */
> } else {
> collect++;
> }
> @@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
>
> found_ct = nf_ct_tuplehash_to_ctrack(found);
>
> - if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> + if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
> nf_ct_zone_equal(found_ct, zone, zone->dir)) {
> /*
> * We should not see tuples twice unless someone hooks
> @@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
> * Attempt to avoid a re-add in this case.
> */
> nf_ct_put(found_ct);
> - return 0;
> + goto out_put;
> } else if (already_closed(found_ct)) {
> /*
> * we do not care about connections which are
> @@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
> if (conn == NULL)
> return -ENOMEM;
The AI review tool points out this is another direct return missing a put(ct).
Similar issue in count_tree(). Please take a look and follow up where
appropriate:
https://netdev-ai.bots.linux.dev/ai-review.html?id=348ddc42-0343-4832-9047-0c62767f074f
> - conn->tuple = *tuple;
> + conn->tuple = tuple;
> conn->zone = *zone;
> conn->cpu = raw_smp_processor_id();
> conn->jiffies32 = (u32)jiffies;
> list_add_tail(&conn->node, &list->head);
> list->count++;
> list->last_gc = (u32)jiffies;
> +
> +out_put:
> + if (refcounted)
> + nf_ct_put(ct);
> return 0;
> }
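Review bot: The `return -ENOMEM` on `conn == NULL` at the top of this hunk bypasses the new `out_put` label, so when `refcounted` is true the reference on `ct` is never dropped. Because `out_put` ends in a hard-coded `return 0`, routing the error through it needs a local result variable: set it to `-ENOMEM`, `goto out_put`, and return that variable after the conditional `nf_ct_put(ct)`.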
Thread overview:
2025-11-28 0:23 [PATCH net-next,v3 00/17] Netfilter updates for net-next Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 01/17] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Pablo Neira Ayuso
2025-11-29 4:20 ` patchwork-bot+netdevbpf
2025-11-28 0:23 ` [PATCH net-next 02/17] netfilter: flowtable: move path discovery infrastructure to its own file Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 03/17] netfilter: flowtable: consolidate xmit path Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 04/17] netfilter: flowtable: inline vlan encapsulation in " Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 05/17] netfilter: flowtable: inline pppoe " Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 06/17] netfilter: flowtable: remove hw_ifidx Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 07/17] netfilter: flowtable: use tuple address to calculate next hop Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 08/17] netfilter: flowtable: Add IPIP rx sw acceleration Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 09/17] netfilter: flowtable: Add IPIP tx " Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 10/17] selftests: netfilter: nft_flowtable.sh: Add IPIP flowtable selftest Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 11/17] netfilter: nf_conncount: rework API to use sk_buff directly Pablo Neira Ayuso
2025-11-29 4:15 ` Jakub Kicinski [this message]
2025-11-28 0:23 ` [PATCH net-next 12/17] netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 13/17] netfilter: nft_connlimit: update the count if add was skipped Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 14/17] netfilter: nft_connlimit: add support to object update operation Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 15/17] selftests: netfilter: nft_flowtable.sh: Add the capability to send IPv6 TCP traffic Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 16/17] netfilter: ip6t_srh: fix UAPI kernel-doc comments format Pablo Neira Ayuso
2025-11-28 0:23 ` [PATCH net-next 17/17] netfilter: nf_tables: improve UAPI kernel-doc comments Pablo Neira Ayuso