Re: [PATCH] netfilter: ctnetlink: export nf_conntrack_max

[Pablo Neira Ayuso]

On Sun, May 06, 2018 at 04:30:14PM +0200, Florent Fourcot wrote:
> IPCTNL_MSG_CT_GET_STATS netlink command allow to monitor current number
> of conntrack entries. However, if one wants to compare it with the
> maximum (and detect exhaustion), the only solution is currently to read
> sysctl value.
> 
> This patch add nf_conntrack_max value in netlink message, and simplify
> monitoring for application built on netlink API.

Applied, thanks Florent.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: ctnetlink: export nf_conntrack_max

[Florent Fourcot]

Hi Pablo,



Patch seems to be mangled by MUA, could you resend?



Indeed, sorry for the noise. I will resend it.

Best regards,

Florent.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: ctnetlink: export nf_conntrack_max

[Pablo Neira Ayuso]

Hi Florent,

On Fri, Apr 20, 2018 at 10:48:55AM +0200, Florent Fourcot wrote:
> IPCTNL_MSG_CT_GET_STATS netlink command allow to monitor current number
> of conntrack entries. However, if one wants to compare it with the
> maximum (and detect exhaustion), the only solution is currently to read
> sysctl value.
> 
> This patch adds nf_conntrack_max value in netlink message, and simplify
> monitoring for application built on netlink API.

Patch seems to be mangled by MUA, could you resend?

Thanks!

> Signed-off-by: Florent Fourcot 
> ---
>  include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 +
>  net/netfilter/nf_conntrack_core.c  | 1 +
>  net/netfilter/nf_conntrack_netlink.c   | 3 +++
>  3 files changed, 5 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> index 77987111cab0..1d41810d17e2 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> @@ -262,6 +262,7 @@ enum ctattr_stats_cpu {
>  enum ctattr_stats_global {
>   CTA_STATS_GLOBAL_UNSPEC,
>   CTA_STATS_GLOBAL_ENTRIES,
> + CTA_STATS_GLOBAL_MAX_ENTRIES,
>   __CTA_STATS_GLOBAL_MAX,
>  };
>  #define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index 41ff04ee2554..605441727008 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -186,6 +186,7 @@ unsigned int nf_conntrack_htable_size __read_mostly;
>  EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
> 
>  unsigned int nf_conntrack_max __read_mostly;
> +EXPORT_SYMBOL_GPL(nf_conntrack_max);
>  seqcount_t nf_conntrack_generation __read_mostly;
>  static unsigned int nf_conntrack_hash_rnd __read_mostly;
> 
> diff --git a/net/netfilter/nf_conntrack_netlink.c
> b/net/netfilter/nf_conntrack_netlink.c
> index 4c1d0c5bc268..d807b8770be3 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2205,6 +2205,9 @@ ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32
> portid, u32 seq, u32 type,
>   if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
>   goto nla_put_failure;
> 
> + if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES,
> htonl(nf_conntrack_max)))
> + goto nla_put_failure;
> +
>   nlmsg_end(skb, nlh);
>   return skb->len;
> 
> --
> 2.11.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html