diff options
| author | Florian Westphal <fw@strlen.de> | 2021-12-09 17:39:26 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-12-16 14:10:52 +0100 |
| commit | 76f12e632a15a20c8de3532d64a0708cf0e32f11 (patch) | |
| tree | 626ed65ee87def3d18f3cc6491eff9e600cea62e /net | |
| parent | netfilter: fix regression in looped (broad|multi)cast's MAC handling (diff) | |
| download | linux-76f12e632a15a20c8de3532d64a0708cf0e32f11.tar.xz linux-76f12e632a15a20c8de3532d64a0708cf0e32f11.zip | |
netfilter: ctnetlink: remove expired entries first
When dumping conntrack table to userspace via ctnetlink, check if the ct has
already expired before doing any of the 'skip' checks.
This expires dead entries faster.
/proc handler also removes outdated entries first.
Reported-by: Vitaly Zuevsky <vzuevsky@ns1.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 81d03acf68d4..ec4164c32d27 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1195,8 +1195,6 @@ restart: } hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]], hnnode) { - if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) - continue; ct = nf_ct_tuplehash_to_ctrack(h); if (nf_ct_is_expired(ct)) { if (i < ARRAY_SIZE(nf_ct_evict) && @@ -1208,6 +1206,9 @@ restart: if (!net_eq(net, nf_ct_net(ct))) continue; + if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) + continue; + if (cb->args[1]) { if (ct != last) continue; |