Commit b1328e54 authored Aug 26, 2020 by Florian Westphal Committed by Pablo Neira Ayuso Aug 28, 2020

netfilter: conntrack: do not increment two error counters at same time



The /proc interface for nf_conntrack displays the "error" counter as
"icmp_error".

It makes sense to not increment "invalid" when failing to handle an icmp
packet since those are special.

For example, its possible for conntrack to see partial and/or fragmented
packets inside icmp errors.  This should be a separate event and not get
mixed with the "invalid" counter.

Likewise, remove the "error" increment for errors from get_l4proto().
After this, the error counter will only increment for errors coming from
icmp(v6) packet handling.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 7a81575b

net/netfilter/nf_conntrack_core.c

+1 −4

Original line number	Diff line number	Diff line
		@@ -1725,10 +1725,8 @@ nf_conntrack_handle_icmp(struct nf_conn *tmpl,
		else
		return NF_ACCEPT;

		if (ret <= 0) {
		if (ret <= 0)
		NF_CT_STAT_INC_ATOMIC(state->net, error);
		NF_CT_STAT_INC_ATOMIC(state->net, invalid);
		}

		return ret;
		}
		@@ -1813,7 +1811,6 @@ nf_conntrack_in(struct sk_buff skb, const struct nf_hook_state state)
		dataoff = get_l4proto(skb, skb_network_offset(skb), state->pf, &protonum);
		if (dataoff <= 0) {
		pr_debug("not prepared to track yet or error occurred\n");
		NF_CT_STAT_INC_ATOMIC(state->net, error);
		NF_CT_STAT_INC_ATOMIC(state->net, invalid);
		ret = NF_ACCEPT;
		goto out;

Admin message