From: Florian Westphal Date: Thu, 28 Apr 2016 17:13:42 +0000 (+0200) Subject: netfilter: conntrack: don't attempt to iterate over empty table X-Git-Url: http://drtracing.org/?a=commitdiff_plain;h=88b68bc5237c84c6ff6f78568653780869a94a95;p=deliverable%2Flinux.git netfilter: conntrack: don't attempt to iterate over empty table Once we place all conntracks into same table iteration becomes more costly because the table contains conntracks that we are not interested in (belonging to other netns). So don't bother scanning if the current namespace has no entries. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 29fa08b3ab82..f2e75a54408b 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1428,6 +1428,9 @@ void nf_ct_iterate_cleanup(struct net *net, might_sleep(); + if (atomic_read(&net->ct.count) == 0) + return; + while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) { /* Time to push up daises... */ if (del_timer(&ct->timeout))
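Review bot: the new early return in nf_ct_iterate_cleanup() reads `net->ct.count` with a bare atomic_read() and no lock visible in this hunk, so an entry created for this netns right after the check is never visited by that call. A short comment above the `if` would help, stating why callers can tolerate that window and confirming that the counter covers every entry get_next_corpse() could otherwise return. Placing the check after might_sleep() is the right order, since the sleep annotation still fires on the empty-table path.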