netfilter: nf_conntrack: extend with extra stat counter

I suspect an unfortunatly series of events occuring under a DDoS
attack, in function __nf_conntrack_find() nf_contrack_core.c.

Adding a stats counter to see if the search is restarted too often.

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>

3 files changed, 11 insertions, 7 deletions

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 2fb7b76da94f..244f7cb08d68 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -336,12 +336,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
         const struct ip_conntrack_stat *st = v;
 
         if (v == SEQ_START_TOKEN) {
-                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
                 return 0;
         }
 
         seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-                        "%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+                        "%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
                    nr_conntracks,
                    st->searched,
                    st->found,
@@ -358,7 +358,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 
                    st->expect_new,
                    st->expect_create,
-                   st->expect_delete
+                   st->expect_delete,
+                   st->search_restart
                 );
         return 0;
 }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0c9bbe93cc16..3907efb97a7c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -319,8 +319,10 @@ begin:
          * not the expected one, we must restart lookup.
          * We probably met an item that was moved to another chain.
          */
-        if (get_nulls_value(n) != hash)
+        if (get_nulls_value(n) != hash) {
+                NF_CT_STAT_INC(net, search_restart);
                 goto begin;
+        }
         local_bh_enable();
 
         return NULL;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index faa8eb3722b9..ea4a8d384234 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
         const struct ip_conntrack_stat *st = v;
 
         if (v == SEQ_START_TOKEN) {
-                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
                 return 0;
         }
 
         seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-                        "%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+                        "%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
                    nr_conntracks,
                    st->searched,
                    st->found,
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
 
                    st->expect_new,
                    st->expect_create,
-                   st->expect_delete
+                   st->expect_delete,
+                   st->search_restart
                 );
         return 0;
 }