Гаврилов Игорь <iggorok@xxxxxxxxx> wrote:
> if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple)) \
> goto fallback; \
> zone.id = NF_CT_DEFAULT_ZONE_ID; \
> zone.dir = NF_CT_DEFAULT_ZONE_DIR; \
> \
> thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
> if (!thash) goto fallback; \
> ct = nf_ct_tuplehash_to_ctrack(thash); \
>
> If nf_ct_get() fails to retrieve information from sk_buff, which is
> obvious on ingress, I use nf_ct_get_tuplepr() and
> nf_conntrack_find_get() like in net/sched/act_connmark.c, but I have
> encountered a problem - after a while traffic stops forwarding with
> the message "nf_conntrack: table is full" and conntrack -F doesn't
> help - nf_conntrack_count remains large - about 200k.
> Can anyone advise me how to fix this issue?

You need to nf_ct_put(ct) once you're done with ct.
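As an added illustration (not code from the thread or from the kernel), here is a simplified userspace model of the reference counting behind the reply above. All names (ct_alloc, ct_find_get, ct_put, ct_flush, run) are hypothetical stand-ins, and it assumes an entry stays counted until its last reference is dropped, which is why a flush cannot reclaim entries whose lookup reference was never put.

```c
/* Userspace model, not kernel code; every name here is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
#define TABLE_MAX 4                 /* stands in for nf_conntrack_max */
struct ct { int use; bool hashed; int key; };
static struct ct slots[TABLE_MAX];
static int ct_count;                /* stands in for nf_conntrack_count */
/* Drop one reference; the entry stops being counted only when the last one goes. */
static void ct_put(struct ct *c) { if (--c->use == 0) ct_count--; }
/* New flow: the hash table itself holds the first reference. */
static struct ct *ct_alloc(int key)
{
    if (ct_count >= TABLE_MAX) return NULL;      /* "table is full" */
    for (size_t i = 0; i < TABLE_MAX; i++)
        if (slots[i].use == 0) {
            slots[i] = (struct ct){ .use = 1, .hashed = true, .key = key };
            ct_count++;
            return &slots[i];
        }
    return NULL;
}
/* Lookup that takes a reference for the caller, like nf_conntrack_find_get(). */
static struct ct *ct_find_get(int key)
{
    for (size_t i = 0; i < TABLE_MAX; i++)
        if (slots[i].hashed && slots[i].key == key) { slots[i].use++; return &slots[i]; }
    return NULL;
}

/* Flush, like conntrack -F: unhash and drop only the table's own reference. */
static void ct_flush(void)
{
    for (size_t i = 0; i < TABLE_MAX; i++)
        if (slots[i].hashed) { slots[i].hashed = false; ct_put(&slots[i]); }
}

/* Fill the table, handle one packet per flow, flush; returns what is still counted. */
static int run(bool leak)
{
    ct_count = 0;
    for (size_t i = 0; i < TABLE_MAX; i++) slots[i] = (struct ct){ 0 };
    for (int k = 0; k < TABLE_MAX; k++) {
        ct_alloc(k);
        struct ct *c = ct_find_get(k);           /* per-packet lookup */
        if (c && !leak) ct_put(c);               /* leak: put omitted, as in the quoted macro */
    }
    ct_flush();
    return ct_count;
}
```

With the put omitted, every entry is still counted after the flush and the next allocation fails; with the put in place the flush brings the count back to zero.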