[Top] [All Lists]

Re: deleting a conntrack record

To: Tobias DiPasquale <codeslinger@xxxxxxxxx>
Subject: Re: deleting a conntrack record
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Thu, 17 Jun 2004 18:02:16 +0200
Cc: netdev <netdev@xxxxxxxxxxx>, linux-net <linux-net@xxxxxxxxxxxxxxx>, netfilter <netfilter-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
Tobias DiPasquale wrote:
Hello all,

I have a module that exports a /proc entry which takes a string with 4
args in it (src IP/port and dst IP/port) and then attempts to delete
the conntrack entry for the TCP connection associated with those
arguments. Here's the code in question (keep reading past the code for
a description of the problem I'm having):

static inline int kill_ct_record( const struct ip_conntrack *c, void *p)
       struct ip_conntrack *q = (struct ip_conntrack *)p;

       if (!memcmp( &c->tuplehash[IP_CT_DIR_ORIGINAL],
                    sizeof( struct ip_conntrack_tuple_hash))) {
               ip_conntrack_put( q);
               return 1;
       return 0;

static int delete_ct_record( u_int32_t src, u_int16_t sport, u_int32_t
dst, u_int16_t dport)
       struct ip_conntrack_tuple tuple;
       struct ip_conntrack_tuple_hash *h;

       memset( &tuple, 0, sizeof( tuple));
       tuple.src.ip = src;
       tuple.src.u.tcp.port = sport;
       tuple.dst.ip = dst;
       tuple.dst.u.tcp.port = dport;
       tuple.dst.protonum = IPPROTO_TCP;
       h = ip_conntrack_find_get( &tuple, NULL);
       if (!h)
               return -ENOENT;
       ip_ct_selective_cleanup( kill_ct_record, h->ctrack);
       return 1;

The problem is as follows:

There is a userspace script that runs from cron every 5 minutes. It
looks through the /proc/net/ip_conntrack listing to see if any connections are "stale" (i.e. haven't seen a packet from them in
some amount of time). It then feeds their connection information
into my module's /proc entry so that those conntrack records can
be destroyed.

Why don't you just adjust the timeout values in /proc/sys/net/ipv4/netfilter ?

In the kill_ct_record() function in the module, if the ip_conntrack_put() call is not commented out, this causes the box to go into some infinite loop after some unspecified amount of time. There is no LKCD dump and I don't know what happened since I wasn't physically present for the crash in any of the instances.

On the other hand, when the ip_conntrack_put() call _is_ commented
out, the system leaks memory from conntrack as indicated in the
ip_conntrack line in /proc/slabinfo. But the crash doesn't happen
under that condition.

The function passed to ip_ct_selective_cleanup is supposed to decide if a conntrack should be destroyed by returning 0/1, not to do it itself. ip_ct_selective_cleanup tries to destroy the already destroyed conntrack.

So, is there a cleaner way to hand-delete a conntrack record? Or is this the only method? Or is there some error in the way that I am doing the above?

By the way, this is almost exactly what ctnetlink does to delete a
conntrack record so any errors discovered here will almost surely have
to be fixed there, as well.

Thanks for pointing that out, I've fixed the ctnetlink code.


<Prev in Thread] Current Thread [Next in Thread>