* [PATCH nf-next] netfilter: evict stale entries when user reads /proc/net/nf_conntrack
@ 2016-09-22 21:49 Florian Westphal
From: Florian Westphal @ 2016-09-22 21:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Fabian reports a possible conntrack memory leak (could not reproduce so
far); however, one minor issue can be easily resolved:

> cat /proc/net/nf_conntrack | wc -l = 5
> 4 minutes required to clean up the table.

We should not report those timed-out entries to the user in the first place.
And instead of just skipping those timed-out entries while iterating over
the table we can also zap them (we already do this during ctnetlink
walks, but I forgot about the /proc interface).

Fixes: f330a7fdbe16 ("netfilter: conntrack: get rid of conntrack timer")
Reported-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_standalone.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 7d52f8401afd..5f446cd9f3fd 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -212,6 +212,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
 	if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
 		return 0;
 
+	if (nf_ct_should_gc(ct)) {
+		nf_ct_kill(ct);
+		goto release;
+	}
+
 	/* we only want to print DIR_ORIGINAL */
 	if (NF_CT_DIRECTION(hash))
 		goto release;
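Review bot: the new nf_ct_should_gc() check sits above the DIR_ORIGINAL filter, so the reply-direction hash entry of the same conntrack also reaches it; confirm that nf_ct_should_gc() returns false for an entry that is already marked dying so nf_ct_kill() is not invoked a second time from the reply-direction slot, or move the new block below the `if (NF_CT_DIRECTION(hash))` test so only the original direction is evaluated. The `release:` label is outside the hunk context, and the new `goto release` relies on it dropping the reference taken by atomic_inc_not_zero() a few lines up; since the entry is now killed rather than printed, a sentence in the commit message saying the reference is still released on that path would make the intent clear to the next reader.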
-- 
2.7.3
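A userspace check for the symptom Fabian reported, added here as an example and not part of the patch or of the kernel source: it parses the /proc/net/nf_conntrack line format and lists entries whose remaining timeout already reads 0, i.e. expired entries the table still shows. The sample lines are constructed, and the check assumes the kernel prints a clamped remaining timeout of 0 for an expired entry.

```python
"""Flag conntrack entries that /proc/net/nf_conntrack lists with a zero
remaining timeout: expired, but not yet evicted by the garbage collector."""

# Constructed sample lines in /proc/net/nf_conntrack format (not captured
# from a real host). Field layout: l3proto name, l3 number, l4proto name,
# l4 number, remaining timeout in seconds, then protocol-specific fields.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 0 TIME_WAIT src=10.0.0.2 dst=10.0.0.1 sport=51235 dport=80 src=10.0.0.1 dst=10.0.0.2 sport=80 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 0 src=10.0.0.2 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=7 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=7 mark=0 zone=0 use=2
"""


def parse_entry(line):
    """Return (l4proto, timeout_seconds, original-direction fields) for one line."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("short conntrack line: %r" % line)
    l4proto = fields[2]
    timeout = int(fields[4])
    # The first src=/dst=/sport=/dport= group is the original direction; the
    # second group (reply direction) repeats the keys and is ignored here.
    orig = {}
    for tok in fields[5:]:
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key in ("src", "dst", "sport", "dport") and key not in orig:
            orig[key] = val
    return l4proto, timeout, orig


def stale_entries(text):
    """Entries whose remaining timeout is already 0. With the patch applied,
    ct_seq_show() kills such entries instead of printing them, so this list
    should come back empty on a patched kernel."""
    stale = []
    for line in text.splitlines():
        if not line.strip():
            continue
        l4proto, timeout, orig = parse_entry(line)
        if timeout == 0:
            stale.append((l4proto, orig.get("src"), orig.get("dst"), orig.get("dport")))
    return stale


if __name__ == "__main__":
    import sys
    # Read a real table when a path is given, otherwise use the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for entry in stale_entries(source):
        print("stale:", entry)
```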



* Re: [PATCH nf-next] netfilter: evict stale entries when user reads /proc/net/nf_conntrack
  2016-09-22 21:49 [PATCH nf-next] netfilter: evict stale entries when user reads /proc/net/nf_conntrack Florian Westphal
@ 2016-09-25 11:47 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-09-25 11:47 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Thu, Sep 22, 2016 at 11:49:17PM +0200, Florian Westphal wrote:
> Fabian reports a possible conntrack memory leak (could not reproduce so
> far); however, one minor issue can be easily resolved:
> 
> > cat /proc/net/nf_conntrack | wc -l = 5
> > 4 minutes required to clean up the table.
> 
> We should not report those timed-out entries to the user in the first place.
> And instead of just skipping those timed-out entries while iterating over
> the table we can also zap them (we already do this during ctnetlink
> walks, but I forgot about the /proc interface).
> 
> Fixes: f330a7fdbe16 ("netfilter: conntrack: get rid of conntrack timer")
> Reported-by: Fabian Frederick <fabf@skynet.be>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Applied, thanks.

