Pablo Neira Ayuso [off-list ref] wrote:

quoted

I was thinking of the cleanup we do in the netns exit path
(in nf_conntrack_cleanup_net_list() ).

Right, but in that path we still have entries in the table.

Not necessarily, they might have already been removed
(timeout, close).

quoted

If you don't like this I can move the check here:

i_see_dead_people:
    busy = 0;
    list_for_each_entry(net, net_exit_list, exit_list) {
    // here
    if (atomic_read .. > 0)
       nf_ct_iterate_cleanup(net, kill_all, ...

I don't mind about placing this or there, as I said, my question is
how often we will hit this optimization in a real scenario.

If you think the answer is often, then this will help.

I think the extra atomic_read in this code does no harm and
saves us the entire scan.  Also, in the exit path, when we hit the
'i_see_dead_people' label we restart the entire loop, so if we
have 200 netns on the list and the last one caused that restart,
we re-iterate needlesly for 199 netns...

Otherwise, every time we'll go container destruction path, we'll hit
slow path, ie.  scanning the full table.

Yes, but I see no other choice.