Re: nf_conntrack_count is increasing

Thank you for your reply. As far as I understand, nf_ct_put() is needed only when I use nf_conntrack_find_get(), and isn't needed with nf_ct_get(skb, &ctinfo).
And one more question: is it possible to clear nf_conntrack_count after using that code, without rebooting the router?

09.12.2015, 14:02, "Florian Westphal" <fw@xxxxxxxxx>:
> Гаврилов Игорь <iggorok@xxxxxxxxx> wrote:
>>          if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple)) \
>>                  goto fallback; \
>>          zone.id = NF_CT_DEFAULT_ZONE_ID; \
>>          zone.dir = NF_CT_DEFAULT_ZONE_DIR; \
>>                                                                          \
>>          thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
>>          if (!thash) goto fallback; \
>>          ct = nf_ct_tuplehash_to_ctrack(thash); \
>
>>  If nf_ct_get() fails to retrieve information from sk_buff, which is obvious on ingress, I use nf_ct_get_tuplepr() and nf_conntrack_find_get() like in net/sched/act_connmark.c, but I have encountered a problem - after a while traffic stops forwarding with the message "nf_conntrack: table is full" and conntrack -F doesn't help - nf_conntrack_count remains large - about 200k. Can anyone advise me how to fix this issue?
>
> You need to nf_ct_put(ct) once you're done with ct.
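Why a missing nf_ct_put() keeps nf_conntrack_count high even after conntrack -F, as an added example that is not part of the original thread: a simplified user-space model, not kernel code. The `ct_*` names and `run()` are hypothetical stand-ins, and the model assumes, as in the kernel, that the counter is decremented only when an entry's last reference is dropped.

```c
/* Constructed user-space model, not kernel code; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct ct { int use; int hashed; };      /* use models the entry's refcount */
static int ct_count;                      /* models nf_conntrack_count */

static struct ct *ct_new(void) {          /* new entry inserted into the table */
    struct ct *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->use = 1; c->hashed = 1;            /* the table holds one reference */
    ct_count++;
    return c;
}

static void ct_put(struct ct *c) {        /* models nf_ct_put() */
    if (--c->use == 0) { ct_count--; free(c); }  /* count drops only on destroy */
}

static struct ct *ct_find_get(struct ct *c) {    /* models nf_conntrack_find_get() */
    if (c && c->hashed) { c->use++; return c; }  /* caller now owns a reference */
    return NULL;
}

static void ct_flush(struct ct **tbl, int n) {   /* models "conntrack -F" */
    for (int i = 0; i < n; i++) {
        tbl[i]->hashed = 0;               /* unlink from the table */
        ct_put(tbl[i]);                   /* drops only the table's reference */
    }
}

static int run(int n, int balanced) {     /* n flows, one lookup each, then flush */
    struct ct **tbl = calloc(n, sizeof(*tbl));
    if (!tbl) abort();
    ct_count = 0;
    for (int i = 0; i < n; i++) {
        tbl[i] = ct_new();
        struct ct *c = ct_find_get(tbl[i]);      /* per-packet lookup */
        if (c && balanced) ct_put(c);     /* the release the reply asks for */
    }
    ct_flush(tbl, n);                     /* leaked entries survive this */
    free(tbl);
    return ct_count;                      /* what the counter still shows */
}

int main(void) {
    printf("after flush: without put %d, with put %d\n", run(1000, 0), run(1000, 1));
    return 0;
}
```

In the unbalanced run the surviving entries are no longer reachable from the table, so the model deliberately leaks them, just as the flush in the thread could not reclaim them.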