Reputation: 475
Linux kernel conntrack drop statistics
In Linux kernel conntrack subsystem sources I see a lot of statistic ticks like this:
ret = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum, l4proto);
if (ret < 0) {
/* Too stressed to deal. */
NF_CT_STAT_INC_ATOMIC(net, drop);
ret = NF_DROP;
goto out;
}
But I really can't figure out how in Linux (from user-mode) can I check this statistics. F.e. where can I find conntrack drops count? There is nothing similar in /proc/sys/net/netfilter/nf_conntrack*.
Sorry if obvious.
Upvotes: 0
Views: 539
Answers (1)
Reputation: 1494
First, you can see the statics in some tools like netstat or ss or nstat.
Then the problem about how the NF_CT_STAT_INC_ATOMIC counts drop need to trace the function itself. I think it's more interesting to do it by yourself since you are curious about it.
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
From here we can see that actually count is in ct.stat->drop. By searching this you can find your answer.
Upvotes: 0
Related Questions
- iptables LOG and DROP in one rule
- Details of /proc/net/ip_conntrack and /proc/net/nf_conntrack
- How can I check the hit count for each rule in iptables?
- Fetch dropped packet count of an interface with netlink sockets
- tc filter drop matched packets
- Set CONNMARK in netfilter module
- How to use libnetfilter_conntrack to query a conntrack?
- How to obtain number of packets dropped over past 30 seconds
- Difference between net.nf_conntrack_max and net.netfilter.nf_conntrack_max
- How to use netfilter to drop some package have some spec data on Linux?