netfilter: conntrack: don't attempt to iterate over empty table

Once we place all conntracks into same table iteration becomes more costly because the table contains conntracks that we are not interested in (belonging to other netns). So don't bother scanning if the current namespace has no entries. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2016-04-28 17:13:42 (GMT)
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-05 14:39:44 (GMT)
commit: 88b68bc5237c84c6ff6f78568653780869a94a95 (patch)
tree: 3501a26e75aefc8551c823ec70ae646a16aadccd /net
parent: 5e3c61f981756361e7dc74e2c673121028449e35 (diff)
download: linux-88b68bc5237c84c6ff6f78568653780869a94a95.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 29fa08b..f2e75a5 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1428,6 +1428,9 @@ void nf_ct_iterate_cleanup(struct net *net,
 
 	might_sleep();
 
+	if (atomic_read(&net->ct.count) == 0)
+		return;
+
 	while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) {
 		/* Time to push up daises... */
 		if (del_timer(&ct->timeout))
author	Florian Westphal <fw@strlen.de>	2016-04-28 17:13:42 (GMT)
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-05-05 14:39:44 (GMT)
commit	88b68bc5237c84c6ff6f78568653780869a94a95 (patch)
tree	3501a26e75aefc8551c823ec70ae646a16aadccd /net
parent	5e3c61f981756361e7dc74e2c673121028449e35 (diff)
download	linux-88b68bc5237c84c6ff6f78568653780869a94a95.tar.xz