
Commit af740b2c authored by Jesper Dangaard Brouer's avatar Jesper Dangaard Brouer Committed by Patrick McHardy

netfilter: nf_conntrack: extend with extra stat counter



I suspect an unfortunate series of events occurring under a DDoS
attack, in function __nf_conntrack_find() in nf_conntrack_core.c.

Adding a stats counter to see if the search is restarted too often.

Signed-off-by: default avatarJesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent cecc74de
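--- a/FILE_1_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_1_PATH_NOT_SHOWN_ON_PAGE
@@ -113,6 +113,7 @@ struct ip_conntrack_stat {
 	unsigned int expect_new;
 	unsigned int expect_create;
 	unsigned int expect_delete;
+	unsigned int search_restart;
 };
 
 /* call to create an explicit dependency on nf_conntrack. */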
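Review bot: The new `search_restart` member is the one field in this hunk whose meaning is not clear from its name, and it gets no comment; the lookup hunk later on this page shows it is bumped only when `get_nulls_value(n) != hash` forces a `goto begin`. Suggest `unsigned int search_restart;	/* lookups restarted because get_nulls_value() did not match the hash (entry moved to another chain) */` so readers of the stat struct do not have to locate the increment site. The struct ip_conntrack_stat definition begins outside the hunk.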
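--- a/FILE_2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_2_PATH_NOT_SHOWN_ON_PAGE
@@ -336,12 +336,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 	const struct ip_conntrack_stat *st = v;
 
 	if (v == SEQ_START_TOKEN) {
-		seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+		seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
 		return 0;
 	}
 
 	seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-			"%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+			"%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
 		   nr_conntracks,
 		   st->searched,
 		   st->found,
@@ -358,7 +358,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 
 		   st->expect_new,
 		   st->expect_create,
-		   st->expect_delete
+		   st->expect_delete,
+		   st->search_restart
 		);
 	return 0;
 }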
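Review bot: Appending a column to this seq output is a user-visible format change: the header gains `search_restart`, the second half of the format string gains a ninth `%08x`, and the trailing space before `\n` is dropped, so anything that parses the file by fixed column count or exact line layout will see a different line, and the commit message does not mention it. The header string and the format string are kept in sync only by hand (17 column names against 17 `%08x` conversions plus the matching argument list), so a later counter added to one but not the other would silently misalign the columns. The identical edit is duplicated in the second ct_cpu_seq_show in the last section of this page, and both copies must be kept in step. The argument list of ct_cpu_seq_show continues between the two hunks, outside the visible lines.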
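--- a/FILE_3_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_3_PATH_NOT_SHOWN_ON_PAGE
@@ -319,8 +319,10 @@ begin:
 	 * not the expected one, we must restart lookup.
 	 * We probably met an item that was moved to another chain.
 	 */
-	if (get_nulls_value(n) != hash)
+	if (get_nulls_value(n) != hash) {
+		NF_CT_STAT_INC(net, search_restart);
 		goto begin;
+	}
 	local_bh_enable();
 
 	return NULL;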
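Review bot: The restart loop through `goto begin` remains unbounded; the new `NF_CT_STAT_INC(net, search_restart)` only makes a high restart rate observable, and nothing at the site tells a reader that this counter is the intended diagnostic for the repeated-restart scenario the commit message describes. Suggest extending the comment block directly above the check with `* Each restart is counted in search_restart so that an abnormally high restart rate shows up in the conntrack statistics.` The opening of that comment, the `begin:` label and the rest of the lookup loop lie outside the hunk, so the `net` used here is presumably the function's net parameter as at other NF_CT_STAT_INC sites; that cannot be confirmed from the visible lines.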
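--- a/FILE_4_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_4_PATH_NOT_SHOWN_ON_PAGE
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 	const struct ip_conntrack_stat *st = v;
 
 	if (v == SEQ_START_TOKEN) {
-		seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+		seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
 		return 0;
 	}
 
 	seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-			"%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+			"%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
 		   nr_conntracks,
 		   st->searched,
 		   st->found,
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 
 		   st->expect_new,
 		   st->expect_create,
-		   st->expect_delete
+		   st->expect_delete,
+		   st->search_restart
 		);
 	return 0;
 }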