netfilter: nf_conntrack: properly account terminating packets

Currently the last packet of a connection isn't accounted when its causing
abnormal termination.

Introduces nf_ct_kill_acct() which increments the accounting counters on
conntrack kill. The new function was necessary, because there are calls
to nf_ct_kill() which don't need accounting:

nf_conntrack_proto_tcp.c line ~847:
Kills ct and returns NF_REPEAT. We don't want to count twice.

nf_conntrack_proto_tcp.c line ~880:
Kills ct and returns NF_DROP. I think we don't want to count dropped
packets.

nf_conntrack_netlink.c line ~824:
As far as I can see ctnetlink_del_conntrack() is used to destroy a
conntrack on behalf of the user. There is an sk_buff, but I don't think
this is an actual packet. Incrementing counters here is therefore not
desired.

Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index fc19ab23eeaafea6efa29b544dc5be26af3df1e2..d77dec768dc24ecb2616be531e6ca030dceabeaa 100644 (file)
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -223,7 +223,24 @@ static inline void nf_ct_refresh(struct nf_conn *ct,
        __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
 }
 
-extern void nf_ct_kill(struct nf_conn *ct);
+extern void __nf_ct_kill_acct(struct nf_conn *ct,
+                               enum ip_conntrack_info ctinfo,
+                               const struct sk_buff *skb,
+                               int do_acct);
+
+/* kill conntrack and do accounting */
+static inline void nf_ct_kill_acct(struct nf_conn *ct,
+                               enum ip_conntrack_info ctinfo,
+                               const struct sk_buff *skb)
+{
+       __nf_ct_kill_acct(ct, ctinfo, skb, 1);
+}
+
+/* kill conntrack without accounting */
+static inline void nf_ct_kill(struct nf_conn *ct)
+{
+       __nf_ct_kill_acct(ct, 0, NULL, 0);
+}
 
 /* These are for NAT.  Icky. */
 /* Update TCP window tracking data when NAT mangles the packet */

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 0e21a46184fb06d09c9e1c0092a26d40b1a7587d..97791048fa9b0c3fd7afc9802025ebe6db963cf5 100644 (file)
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -88,7 +88,7 @@ static int icmp_packet(struct nf_conn *ct,
           (theoretically possible with SMP) */
        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
                if (atomic_dec_and_test(&ct->proto.icmp.count))
-                       nf_ct_kill(ct);
+                       nf_ct_kill_acct(ct, ctinfo, skb);
        } else {
                atomic_inc(&ct->proto.icmp.count);
                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index fe081b90e05ebf7c4d573b09c4fca7e0c716d392..14d47d833545913d72c4453e28f7cc260689edb3 100644 (file)
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -90,7 +90,7 @@ static int icmpv6_packet(struct nf_conn *ct,
           (theoretically possible with SMP) */
        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
                if (atomic_dec_and_test(&ct->proto.icmp.count))
-                       nf_ct_kill(ct);
+                       nf_ct_kill_acct(ct, ctinfo, skb);
        } else {
                atomic_inc(&ct->proto.icmp.count);
                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 79b07c35eb872a80fe7b6f464584ca05a38769cb..e6d645221d5c1c0bd32faf843a7ff677b793293f 100644 (file)
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -848,12 +848,24 @@ acct:
 }
 EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
 
-void nf_ct_kill(struct nf_conn *ct)
+void __nf_ct_kill_acct(struct nf_conn *ct,
+               enum ip_conntrack_info ctinfo,
+               const struct sk_buff *skb,
+               int do_acct)
 {
+#ifdef CONFIG_NF_CT_ACCT
+       if (do_acct) {
+               spin_lock_bh(&nf_conntrack_lock);
+               ct->counters[CTINFO2DIR(ctinfo)].packets++;
+               ct->counters[CTINFO2DIR(ctinfo)].bytes +=
+                       skb->len - skb_network_offset(skb);
+               spin_unlock_bh(&nf_conntrack_lock);
+       }
+#endif
        if (del_timer(&ct->timeout))
                ct->timeout.function((unsigned long)ct);
 }
-EXPORT_SYMBOL_GPL(nf_ct_kill);
+EXPORT_SYMBOL_GPL(__nf_ct_kill_acct);
 
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 

diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 223742f371f9a4d1cc3e56f88ac843c2bc545045..e7866dd3cde6cb2238f58cb9819cb3f414aa0e0f 100644 (file)
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -475,7 +475,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
        if (type == DCCP_PKT_RESET &&
            !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
                /* Tear down connection immediately if only reply is a RESET */
-               nf_ct_kill(ct);
+               nf_ct_kill_acct(ct, ctinfo, skb);
                return NF_ACCEPT;
        }
 

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index c4aa11e01405ae704b3f3f45403d98e92dd6b10a..8db13fba10bc823b02c1065634b8894a0789b349 100644 (file)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -959,7 +959,7 @@ static int tcp_packet(struct nf_conn *ct,
                   problem case, so we can delete the conntrack
                   immediately.  --RR */
                if (th->rst) {
-                       nf_ct_kill(ct);
+                       nf_ct_kill_acct(ct, ctinfo, skb);
                        return NF_ACCEPT;
                }
        } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)