Message ID | 1474580957-26032-1-git-send-email-fw@strlen.de |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
On Thu, Sep 22, 2016 at 11:49:17PM +0200, Florian Westphal wrote: > Fabian reports a possible conntrack memory leak (could not reproduce so > far), however, one minor issue can be easily resolved: > > > cat /proc/net/nf_conntrack | wc -l = 5 > > 4 minutes required to clean up the table. > > We should not report those timed-out entries to the user in first place. > And instead of just skipping those timed-out entries while iterating over > the table we can also zap them (we already do this during ctnetlink > walks, but I forgot about the /proc interface). > > Fixes: f330a7fdbe16 ("netfilter: conntrack: get rid of conntrack timer") > Reported-by: Fabian Frederick <fabf@skynet.be> > Signed-off-by: Florian Westphal <fw@strlen.de> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 7d52f8401afd..5f446cd9f3fd 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -212,6 +212,11 @@ static int ct_seq_show(struct seq_file *s, void *v) if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) return 0; + if (nf_ct_should_gc(ct)) { + nf_ct_kill(ct); + goto release; + } + /* we only want to print DIR_ORIGINAL */ if (NF_CT_DIRECTION(hash)) goto release;