Re: [PATCH V5] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl

From: lvxiafei
Date: Sat Apr 12 2025 - 21:15:43 EST


> If you CC netdev@ please do not post multiple versions a day.
> Please wait with posting v6 until you get some feedback (and
> this email does not count).

Thanks for the reminder and the review.

I’ll hold off on posting v6 until I receive proper feedback.
Also, I’ll double-check the Kconfig dependencies and ensure the
file doesn’t break builds when conntrack is not enabled.

Appreciate your time!

Sincerely.

> You need to be careful with the Kconfig, this file may be included
> when conntrack is not built:
>
> In file included from ./include/linux/kernel.h:28,
> from ./include/linux/cpumask.h:11,
> from ./arch/x86/include/asm/cpumask.h:5,
> from ./arch/x86/include/asm/msr.h:11,
> from ./arch/x86/include/asm/tsc.h:10,
> from ./arch/x86/include/asm/timex.h:6,
> from ./include/linux/timex.h:67,
> from ./include/linux/time32.h:13,
> from ./include/linux/time.h:60,
> from ./include/linux/compat.h:10,
> from ./include/linux/ethtool.h:17,
> from drivers/net/vrf.c:12:
> include/net/netfilter/nf_conntrack.h:365:25: error: ‘struct net’ has no member named ‘ct’
> 365 | min(init_net.ct.sysctl_max, net->ct.sysctl_max) :
> | ^

Add conditional compilation protection:

+static inline unsigned int nf_conntrack_max(const struct net *net)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ return likely(init_net.ct.sysctl_max && net->ct.sysctl_max) ?
+ min(init_net.ct.sysctl_max, net->ct.sysctl_max) :
+ max(init_net.ct.sysctl_max, net->ct.sysctl_max);
+#else
+ return 0;
+#endif
+}
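Review bot: the `#else` branch returning 0 and the `max()` fallback both rely on callers treating 0 as "no limit", but nothing in the hunk states that; a one-line comment above the helper saying that 0 means unlimited (both when conntrack is not built and when both sysctl_max values are 0) would keep callers from misreading a 0 return as "no entries allowed". Also note that with the guard inside the body the helper now compiles in every configuration, so any caller that only makes sense with conntrack enabled should still be guarded at its own call site rather than silently getting 0 here.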