
netfilter: conntrack: add clash resolution stat counter

There is a misconception about what "insert_failed" means.

We increment this even when a clash got resolved, so it might not indicate
a problem.

Add a dedicated counter for clash resolution and only increment
insert_failed if a clash cannot be resolved.

For the old /proc interface, export this in place of an older stat
that got removed a while back.
For ctnetlink, export this with a new attribute.

Also correct an outdated comment that implies we add a duplicate tuple --
we only add the (unique) reply direction.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
bc924704 4afc41df

+11 -6
+1
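--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -10,6 +10,7 @@
 	unsigned int invalid;
 	unsigned int insert;
 	unsigned int insert_failed;
+	unsigned int clash_resolve;
 	unsigned int drop;
 	unsigned int early_drop;
 	unsigned int error;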
+5 -4
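--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -859,7 +859,6 @@
 
 out:
 	nf_conntrack_double_unlock(hash, reply_hash);
-	NF_CT_STAT_INC(net, insert_failed);
 	local_bh_enable();
 	return -EEXIST;
 }
@@ -933,7 +934,7 @@
 	nf_conntrack_put(&loser_ct->ct_general);
 	nf_ct_set(skb, ct, ctinfo);
 
-	NF_CT_STAT_INC(net, insert_failed);
+	NF_CT_STAT_INC(net, clash_resolve);
 	return NF_ACCEPT;
 }
 
@@ -997,6 +998,8 @@
 
 	hlist_nulls_add_head_rcu(&loser_ct->tuplehash[IP_CT_DIR_REPLY].hnnode,
 				 &nf_conntrack_hash[repl_idx]);
+
+	NF_CT_STAT_INC(net, clash_resolve);
 	return NF_ACCEPT;
 }
 
@@ -1028,10 +1027,10 @@
  *
  * Failing that, the new, unconfirmed conntrack is still added to the table
  * provided that the collision only occurs in the ORIGINAL direction.
- * The new entry will be added after the existing one in the hash list,
+ * The new entry will be added only in the non-clashing REPLY direction,
  * so packets in the ORIGINAL direction will continue to match the existing
  * entry. The new entry will also have a fixed timeout so it expires --
- * due to the collision, it will not see bidirectional traffic.
+ * due to the collision, it will only see reply traffic.
  *
  * Returns NF_DROP if the clash could not be resolved.
  */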
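Review bot: The first hunk removes `NF_CT_STAT_INC(net, insert_failed)` from the `out:` label that returns `-EEXIST`, and nothing replaces it there, so an insert that genuinely fails on this path is now counted in neither `insert_failed` nor `clash_resolve`; that goes beyond the description's "only increment insert_failed if a clash cannot be resolved", and operators who alert on `insert_failed` lose that signal for this path. The enclosing function starts before the hunk, so whether a caller accounts for the failure elsewhere cannot be seen here. If leaving it uncounted is deliberate, a one-line comment at the label would save the next reader the same question, e.g. `/* -EEXIST is returned to the caller; not a resolved clash, not counted here */`; otherwise the increment should stay.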
+3 -1
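--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2516,7 +2516,9 @@
 	    nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
 	    nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
 	    nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
-			 htonl(st->search_restart)))
+			 htonl(st->search_restart)) ||
+	    nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
+			 htonl(st->clash_resolve)))
 		goto nla_put_failure;
 
 	nlmsg_end(skb, nlh);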
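Review bot: `CTA_STATS_CLASH_RESOLVE` is emitted by the new `nla_put_be32()` call but defined in none of the file sections shown; the visible sections sum to +10 lines against the commit's +11, so the enum entry is presumably in a uapi header omitted from this view. Since these attribute numbers are userspace ABI that existing parsers key on, it is worth confirming the new value is appended after `CTA_STATS_SEARCH_RESTART` rather than inserted mid-enum, and that `CTA_STATS_MAX` is derived from it. The enclosing function starts before the hunk.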
+1 -1
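--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -435,7 +435,7 @@
 	seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
 			"%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
 		   nr_conntracks,
-		   0,
+		   st->clash_resolve, /* was: searched */
 		   st->found,
 		   0,
 		   st->invalid,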
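Review bot: The `/* was: searched */` comment on the new line 438 documents the column reuse for readers of the source, but what consumers of /proc/net/stat/nf_conntrack actually see is the column header this seq file prints, which lies outside the hunk and presumably still names the field `searched`; a monitoring script keyed on that header would silently read clash-resolution counts as search counts. If the header line still says `searched`, rename that column in the same change (e.g. `clashres`) and mention the reuse in the commit message's /proc paragraph. The enclosing `seq_printf()` call and its function start before the hunk.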