[rh7,01/19] ms/netfilter: conntrack: don't attempt to iterate over empty table

Submitted by Konstantin Khorenko on May 22, 2020, 8:10 a.m.


Message ID 20200522081056.28326-2-khorenko@virtuozzo.com
State New
Series "netfilter: conntrack: fix false-positive compiler warning in early_drop()"

Commit Message

Konstantin Khorenko May 22, 2020, 8:10 a.m.
From: Florian Westphal <fw@strlen.de>

Once we place all conntracks into the same table, iteration becomes more
costly because the table contains conntracks that we are not interested
in (belonging to other netns).

So don't bother scanning if the current namespace has no entries.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>


(cherry picked from commit 88b68bc5237c84c6ff6f78568653780869a94a95)
Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
 net/netfilter/nf_conntrack_core.c | 3 +++
 1 file changed, 3 insertions(+)
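The fast path described in the commit message, as an added stand-alone model (not kernel code and not part of this patch): one hash table shared by several namespaces, a per-namespace counter, and a cleanup walk that bails out before touching any bucket when the counter says the namespace owns nothing. All names here (struct ns, ns_insert, ns_iterate_cleanup, ns_count_in_table, kill_all, NBUCKETS) are this example's own stand-ins for the kernel's net->ct.count, get_next_corpse() and nf_ct_iterate_cleanup(); the table contents are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 8

/* One "namespace": the shared table is filtered by owner, and the
 * per-namespace counter is what the early return consults.
 * (Example type, standing in for the kernel's struct net / net->ct.count.) */
struct ns {
    atomic_int count;   /* entries this ns owns in the shared table */
    int id;
};

struct entry {
    struct entry *next;
    struct ns *owner;
    int key;
};

/* One hash table shared by every namespace: a constructed stand-in for the
 * single conntrack table the commit message refers to. */
static struct entry *table[NBUCKETS];

static unsigned bucket_of(int key) { return (unsigned)key % NBUCKETS; }

/* Insert an entry for `owner` and bump its counter. */
static bool ns_insert(struct ns *owner, int key)
{
    struct entry *e = calloc(1, sizeof *e);
    if (!e)
        return false;
    e->owner = owner;
    e->key = key;
    unsigned b = bucket_of(key);
    e->next = table[b];
    table[b] = e;
    atomic_fetch_add(&owner->count, 1);
    return true;
}

/* Walk the whole shared table and remove every entry owned by `ns` for
 * which iter() returns true. Returns the number of buckets visited, so a
 * caller can tell whether the scan ran at all. */
static int ns_iterate_cleanup(struct ns *ns,
                              bool (*iter)(struct entry *, void *), void *data)
{
    /* The fast path from the patch: our namespace owns nothing, so do not
     * pay for walking buckets full of other namespaces' entries. The read is
     * not synchronised against inserts; an entry added just after it is not
     * seen by this call, so a caller that needs completeness must re-check. */
    if (atomic_load(&ns->count) == 0)
        return 0;

    int visited = 0;
    for (unsigned b = 0; b < NBUCKETS; b++) {
        struct entry **pp = &table[b];
        visited++;
        while (*pp) {
            struct entry *e = *pp;
            if (e->owner == ns && iter(e, data)) {
                *pp = e->next;          /* unlink and free the entry */
                atomic_fetch_sub(&ns->count, 1);
                free(e);
                continue;
            }
            pp = &e->next;
        }
    }
    return visited;
}

/* Iterator that kills every entry it is offered. */
static bool kill_all(struct entry *e, void *data)
{
    (void)e; (void)data;
    return true;
}

/* Count entries in the shared table owned by `ns` (slow path, for checks). */
static int ns_count_in_table(const struct ns *ns)
{
    int n = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct entry *e = table[b]; e; e = e->next)
            if (e->owner == ns)
                n++;
    return n;
}

int main(void)
{
    struct ns a = { .id = 1 }, b = { .id = 2 };
    ns_insert(&a, 1); ns_insert(&a, 9); ns_insert(&a, 3);   /* keys 1 and 9 share a bucket */

    printf("cleanup of empty ns %d visited %d buckets\n", b.id,
           ns_iterate_cleanup(&b, kill_all, NULL));            /* 0: scan skipped */
    printf("cleanup of ns %d visited %d buckets, %d entries left\n", a.id,
           ns_iterate_cleanup(&a, kill_all, NULL), ns_count_in_table(&a));
    return 0;
}
```

The visited-bucket count is what the patch buys: with the early return, a namespace that owns nothing costs zero bucket walks regardless of how many entries other namespaces have placed in the shared table. The counter read is deliberately left unsynchronised, as in the patch, so the comment at the check spells out the consequence for callers that need a complete sweep.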

Patch

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c6c2af8db9f6e..e2af1d742a20f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1575,6 +1575,9 @@  void nf_ct_iterate_cleanup(struct net *net,
+	if (atomic_read(&net->ct.count) == 0)
+		return;
 	while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) {
 		/* Time to push up daises... */
 		if (del_timer(&ct->timeout))
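Review bot: the new early return at the top of this hunk reads net->ct.count with a plain atomic_read() and no lock, so an entry inserted into this netns right after the check is not visited by this call; that is fine for a best-effort scan, but any caller that relies on nf_ct_iterate_cleanup() having seen every entry (netns teardown, for instance) has to re-check the count afterwards and loop, and a one-line comment at the check saying so would save the next reader from having to work that out. Separately, the hunk header advertises 3 added lines but only 2 `+` lines are shown and the leading context lines are missing, so the hunk as posted appears truncated; please repost with the complete hunk.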