From: Eric Dumazet Date: Wed, 24 Sep 2025 07:27:09 +0000 (+0000) Subject: netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack X-Git-Tag: v6.18-rc1~132^2~69^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5ba345b2d358b07cc4f07253ba1ada73e77d586;p=thirdparty%2Flinux.git netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack ct_seq_show() has an opportunistic garbage collector : if (nf_ct_should_gc(ct)) { nf_ct_kill(ct); goto release; } So if one nf_conn is killed there, next time ct_get_next() runs, we skip the following item in the bucket, even if it should have been displayed if gc did not take place. We can decrement st->skip_elems to tell ct_get_next() one of the items was removed from the chain. Fixes: 58e207e4983d ("netfilter: evict stale entries when user reads /proc/net/nf_conntrack") Signed-off-by: Eric Dumazet Signed-off-by: Florian Westphal --- diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 1f14ef0436c65..708b79380f047 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -317,6 +317,9 @@ static int ct_seq_show(struct seq_file *s, void *v) smp_acquire__after_ctrl_dep(); if (nf_ct_should_gc(ct)) { + struct ct_iter_state *st = s->private; + + st->skip_elems--; nf_ct_kill(ct); goto release; }
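Review bot: the `st->skip_elems--` inserted before `nf_ct_kill(ct)` in the ct_seq_show() hunk should carry a one-line comment, because the reason for it lives only in the commit message; without it a later reader sees an iterator counter being touched inside a gc branch with no explanation. Something like `/* this entry leaves the chain: ct_get_next() must skip one fewer */` above the decrement would do. Two things worth confirming at the same spot: first, that skip_elems is guaranteed to be nonzero whenever ct_seq_show() is called on an entry (the entry being shown must already have been counted by ct_get_next(), otherwise the decrement underflows if the field is unsigned); second, that the decrement is meant to be unconditional, i.e. it also applies when nf_ct_kill() finds the entry already being removed by another CPU, which still shrinks the chain and so still needs the compensation. Stating that intent in the comment avoids a future "fix" that makes the decrement depend on the return value of nf_ct_kill().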