These counters sit in the hot path and do show up in perf; this is especially true for 'found' and 'searched', which get incremented for every packet processed. Information like searched=212030105 new=623431 found=333613 delete=623327 does not seem too helpful nowadays: - on busy systems found and searched will overflow every few hours (these are 32-bit integers), other, busier ones every few days. - for debugging there are better methods, such as iptables' trace target and the conntrack log sysctls. Nowadays we also have the perf tool. This removes the packet path stat counters except those that are expected to be 0 (or close to 0) on a normal system, e.g. 'insert_failed' (race happened) or 'invalid' (proto tracker rejects). The insert stat is retained for the ctnetlink case. The found stat is retained for the tuple-is-taken check when NAT has to determine whether it needs to pick a different source address. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
#ifndef _NF_CONNTRACK_COMMON_H
#define _NF_CONNTRACK_COMMON_H
#include <uapi/linux/netfilter/nf_conntrack_common.h>
/*
 * Per-cpu connection-tracking statistics.
 *
 * Every field is a plain 32-bit counter with no overflow handling, so a
 * counter that ticks per packet wraps within hours on a busy box.  After
 * the removal of the per-packet 'searched'/'new'/'delete' counters, the
 * fields kept here are either expected to stay at (or near) zero on a
 * healthy system or are needed by a specific consumer (see the notes on
 * 'found' and 'insert').  Consumers that read these back (presumably the
 * nf_conntrack stat export, e.g. /proc/net/stat/nf_conntrack) live
 * outside this header.  Because the retained counters are "should be ~0"
 * events, a sustained rise in any of them is a useful health/abuse
 * signal rather than ordinary traffic volume.
 */
struct ip_conntrack_stat {
	/* Lookup hits.  Retained only for the tuple-is-taken check NAT
	 * performs when deciding whether it must pick a different source
	 * address; it is no longer bumped on the ordinary packet path. */
	unsigned int found;
	/* Packets the protocol tracker rejected as malformed/unparseable. */
	unsigned int invalid;
	/* NOTE(review): meaning not visible from this header; presumably
	 * packets conntrack deliberately skipped -- confirm in the core
	 * tracker before relying on it. */
	unsigned int ignore;
	/* Successful insertions.  Retained for the ctnetlink case. */
	unsigned int insert;
	/* Insertion lost a race (a concurrent insert of the same tuple).
	 * Expected to stay near zero. */
	unsigned int insert_failed;
	/* NOTE(review): 'drop' and 'early_drop' look like table-pressure
	 * indicators (new entry could not be allocated / an existing entry
	 * was evicted early) -- confirm against the core tracker.  If so,
	 * they are the counters to alert on for conntrack-table exhaustion. */
	unsigned int drop;
	unsigned int early_drop;
	/* NOTE(review): semantics not shown here; presumably error packets
	 * handled by the tracker -- confirm before documenting further. */
	unsigned int error;
	/* Expectation lifecycle counters (new / created / deleted).  Exact
	 * trigger points are defined by the expectation code, not here. */
	unsigned int expect_new;
	unsigned int expect_create;
	unsigned int expect_delete;
	/* NOTE(review): presumably counts lookups that had to be restarted
	 * (e.g. the hash chain changed underneath the reader); expected to
	 * be small -- confirm in the core tracker. */
	unsigned int search_restart;
};
/* call to create an explicit dependency on nf_conntrack.
 *
 * A caller references this symbol purely so that the module loader
 * treats nf_conntrack as a hard dependency; presumably the definition
 * (elsewhere) has no other effect -- confirm before relying on it for
 * anything beyond the symbol reference. */
void need_conntrack(void);
#endif /* _NF_CONNTRACK_COMMON_H */