aboutsummaryrefslogtreecommitdiffstats
path: root/net/netfilter
diff options
context:
space:
mode:
authorJesper Dangaard Brouer <hawk@comx.dk>2010-04-23 06:34:56 -0400
committerPatrick McHardy <kaber@trash.net>2010-04-23 06:34:56 -0400
commitaf740b2c8f4521e2c45698ee6040941a82d6349d (patch)
treeae9fb87ebbfd422b07cb8e027fbe13e9c40c403e /net/netfilter
parentcecc74de25d2cfb08e7702cd38e3f195950f1228 (diff)
netfilter: nf_conntrack: extend with extra stat counter
I suspect an unfortunatly series of events occuring under a DDoS attack, in function __nf_conntrack_find() nf_contrack_core.c. Adding a stats counter to see if the search is restarted too often. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nf_conntrack_core.c4
-rw-r--r--net/netfilter/nf_conntrack_standalone.c7
2 files changed, 7 insertions, 4 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0c9bbe93cc16..3907efb97a7c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -319,8 +319,10 @@ begin:
319 * not the expected one, we must restart lookup. 319 * not the expected one, we must restart lookup.
320 * We probably met an item that was moved to another chain. 320 * We probably met an item that was moved to another chain.
321 */ 321 */
322 if (get_nulls_value(n) != hash) 322 if (get_nulls_value(n) != hash) {
323 NF_CT_STAT_INC(net, search_restart);
323 goto begin; 324 goto begin;
325 }
324 local_bh_enable(); 326 local_bh_enable();
325 327
326 return NULL; 328 return NULL;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index faa8eb3722b9..ea4a8d384234 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
252 const struct ip_conntrack_stat *st = v; 252 const struct ip_conntrack_stat *st = v;
253 253
254 if (v == SEQ_START_TOKEN) { 254 if (v == SEQ_START_TOKEN) {
255 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n"); 255 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
256 return 0; 256 return 0;
257 } 257 }
258 258
259 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 259 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
260 "%08x %08x %08x %08x %08x %08x %08x %08x \n", 260 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
261 nr_conntracks, 261 nr_conntracks,
262 st->searched, 262 st->searched,
263 st->found, 263 st->found,
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
274 274
275 st->expect_new, 275 st->expect_new,
276 st->expect_create, 276 st->expect_create,
277 st->expect_delete 277 st->expect_delete,
278 st->search_restart
278 ); 279 );
279 return 0; 280 return 0;
280} 281}
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-13 17:11:04 -0400