netfilter: conntrack: do not increment two error counters at same time
The /proc interface for nf_conntrack displays the "error" counter as "icmp_error". It makes sense to not increment "invalid" when failing to handle an icmp packet since those are special. For example, it's possible for conntrack to see partial and/or fragmented packets inside icmp errors. This should be a separate event and not get mixed with the "invalid" counter. Likewise, remove the "error" increment for errors from get_l4proto(). After this, the error counter will only increment for errors coming from icmp(v6) packet handling. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
7a81575b80
commit
b1328e54ac
|
@ -1725,10 +1725,8 @@ nf_conntrack_handle_icmp(struct nf_conn *tmpl,
|
|||
else
|
||||
return NF_ACCEPT;
|
||||
|
||||
if (ret <= 0) {
|
||||
if (ret <= 0)
|
||||
NF_CT_STAT_INC_ATOMIC(state->net, error);
|
||||
NF_CT_STAT_INC_ATOMIC(state->net, invalid);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
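Review bot: The new single-statement `if (ret <= 0)` in front of the error-counter increment changes what the exported "icmp_error" and "invalid" statistics mean, and nothing at that line records it; a short comment would save the next reader a git-blame: `/* icmp(v6) handling failures count only as "error" (icmp_error in /proc), never as "invalid" */`. Anything that scrapes these counters for alerting on "invalid" growth will see a drop after this change, so the intent is worth stating where it is implemented rather than only in the commit message. nf_conntrack_handle_icmp begins outside this hunk.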
|
@ -1813,7 +1811,6 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
|
|||
dataoff = get_l4proto(skb, skb_network_offset(skb), state->pf, &protonum);
|
||||
if (dataoff <= 0) {
|
||||
pr_debug("not prepared to track yet or error occurred\n");
|
||||
NF_CT_STAT_INC_ATOMIC(state->net, error);
|
||||
NF_CT_STAT_INC_ATOMIC(state->net, invalid);
|
||||
ret = NF_ACCEPT;
|
||||
goto out;
|
||||
|
|
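Review bot: The `if (dataoff <= 0)` branch still folds both outcomes named in the pr_debug message, "not prepared to track yet" and an actual error, into the single `invalid` increment, so a packet that is merely not trackable at this point inflates the invalid statistic the same way a malformed one does. If get_l4proto() reports the not-ready case as 0 and real failures as a negative value (its body is not visible here, so this needs confirming), `if (dataoff < 0) NF_CT_STAT_INC_ATOMIC(state->net, invalid);` would keep "invalid" meaningful for monitoring; otherwise a one-line comment saying the two cases are deliberately counted together would help. nf_conntrack_in starts and ends outside this hunk.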