There is a misconception about what "insert_failed" means. We increment this even when a clash got resolved, so it might not indicate a problem. Add a dedicated counter for clash resolution and only increment insert_failed if a clash cannot be resolved. For the old /proc interface, export this in place of an older stat that got removed a while back. For ctnetlink, export this with a new attribute. Also correct an outdated comment that implies we add a duplicate tuple -- we only add the (unique) reply direction. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_CONNTRACK_COMMON_H
#define _NF_CONNTRACK_COMMON_H
#include <linux/atomic.h>
#include <uapi/linux/netfilter/nf_conntrack_common.h>
/*
 * Conntrack statistics counters. Every member is a plain unsigned int.
 *
 * Monitoring note: insert_failed and clash_resolve are separate counters.
 * Per the change that introduced clash_resolve, insert_failed is meant to
 * count only insertions whose clash could not be resolved, while resolved
 * clashes are counted in clash_resolve. A rising clash_resolve on its own
 * therefore does not indicate a failure.
 *
 * Member order is kept exactly as in the original definition.
 */
struct ip_conntrack_stat {
	unsigned int found;
	unsigned int invalid;
	unsigned int insert;
	unsigned int insert_failed;	/* clash that could not be resolved */
	unsigned int clash_resolve;	/* clash that was resolved */
	unsigned int drop;
	unsigned int early_drop;
	unsigned int error;
	unsigned int expect_new;
	unsigned int expect_create;
	unsigned int expect_delete;
	unsigned int search_restart;
};
/*
 * NFCT_INFOMASK selects the low three bits of a word (7 == 0b111);
 * NFCT_PTRMASK is its bitwise complement, i.e. every bit above those three.
 *
 * NOTE(review): the names suggest a pointer-sized value with a small info
 * field packed into its low bits. The users are not visible in this header;
 * confirm there that the pointed-to object is aligned to at least 8 bytes,
 * otherwise masking with NFCT_PTRMASK would discard real address bits.
 */
#define NFCT_INFOMASK	7UL
#define NFCT_PTRMASK	(~NFCT_INFOMASK)
/*
 * Reference-count holder. The single member is the use count that
 * nf_conntrack_get() increments and nf_conntrack_put() decrements.
 *
 * NOTE(review): a plain atomic_t neither saturates nor warns on overflow or
 * underflow, so an unbalanced put would reach nf_conntrack_destroy() while
 * other holders still use the object. refcount_t is the kernel's hardened
 * counter type for this purpose; switching would require every user of
 * ->use to be converted together.
 */
struct nf_conntrack {
	atomic_t use;
};
/*
 * Declared here, defined elsewhere. nf_conntrack_put() calls it once
 * atomic_dec_and_test() reports that the use count has reached zero.
 */
void nf_conntrack_destroy(struct nf_conntrack *nfct);
/**
 * nf_conntrack_put - drop one reference on @nfct
 * @nfct: object to release; NULL is accepted and ignored
 *
 * Decrements the use count and hands the object to nf_conntrack_destroy()
 * when that decrement takes the count to zero.
 *
 * NOTE(review): the count is a plain atomic_t, so a put without a matching
 * get is not detected here. The object would be destroyed while other
 * holders still reference it.
 */
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
	if (!nfct)
		return;

	/* Only the caller that drops the final reference runs the destructor. */
	if (atomic_dec_and_test(&nfct->use))
		nf_conntrack_destroy(nfct);
}
/**
 * nf_conntrack_get - take one additional reference on @nfct
 * @nfct: object to pin; NULL is accepted and ignored
 *
 * Increments the use count unconditionally. Nothing here checks that the
 * count is still non-zero, so presumably the caller must already hold a
 * reference. Confirm this against the callers.
 */
static inline void nf_conntrack_get(struct nf_conntrack *nfct)
{
	if (!nfct)
		return;

	atomic_inc(&nfct->use);
}
#endif /* _NF_CONNTRACK_COMMON_H */