Kuzin Andrey wrote:
> This is a patch for the problem with stuck packets in nf_queue if
> something goes wrong in the userspace program. Automatically drop packets
> without any verdict after a timeout defined by NFQNL_TIMEOUT_ENTRY_DROP.

I don't want to add per-packet timeouts. The number one problem cause I've seen in userspace programs so far has been "missed" packets by incorrect application logic/error handling. These applications usually continue to send verdicts, they just miss some packets, which accumulate in the queue until it is full.

There's a very easy and cheap way to handle this. The packets have sequence numbers and userspace should issue verdicts in ascending order anyways to avoid reordering. Just add something that will drop everything in the queue up to the sequence number contained in the netlink message.

And if you want to make it seem like something that isn't just meant to work around buggy application behaviour, you can use the same mechanism to add verdict batching :)
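The sequence-number flush proposed above, as an added example that is not part of this thread, the submitted patch, or the kernel's nfnetlink_queue code: a small C model of a queue of packets awaiting a verdict, where one verdict message covers every packet with an id up to the one it names, so a packet userspace skipped is flushed by the next verdict instead of sitting in the queue until it fills. The structure, function names and the five-packet scenario are constructed for illustration.

```c
#include <stdlib.h>

/* Constructed model, not the kernel's nf_queue: packets wait in FIFO order
 * carrying the ascending sequence id userspace sees in the netlink message. */
struct queued_pkt { unsigned int id; struct queued_pkt *next; };
struct queue { struct queued_pkt *head, *tail; unsigned int next_id, queued, accepted, dropped; };

/* Enqueue a packet and hand it the next sequence id. */
static unsigned int queue_add(struct queue *q)
{
    struct queued_pkt *p = calloc(1, sizeof(*p));
    p->id = ++q->next_id;
    if (q->tail) q->tail->next = p; else q->head = p;
    q->tail = p;
    q->queued++;
    return p->id;
}

/* Batch verdict: apply one verdict to every packet whose id is <= max_id,
 * the id carried in the verdict message. Ids are ascending, so this walks
 * from the head; larger ids stay queued. Returns how many packets left. */
static unsigned int queue_verdict_batch(struct queue *q, unsigned int max_id,
                                        int accept)
{
    unsigned int n = 0;
    while (q->head && q->head->id <= max_id) {
        struct queued_pkt *p = q->head;
        q->head = p->next;
        if (!q->head) q->tail = NULL;
        if (accept) q->accepted++; else q->dropped++;
        free(p);
        q->queued--;
        n++;
    }
    return n;
}

/* Scenario from the thread: userspace verdicts id 1, never verdicts id 2,
 * then verdicts id 3. Batching flushes id 2 together with id 3 instead of
 * leaving it stuck. Returns how many packets remain (ids 4 and 5). */
static unsigned int demo_missed_packet(void)
{
    struct queue q = {0};
    unsigned int left;
    for (int i = 0; i < 5; i++) queue_add(&q);
    queue_verdict_batch(&q, 1, 1);          /* verdict for id 1 only */
    queue_verdict_batch(&q, 3, 1);          /* verdict for id 3 also covers id 2 */
    left = q.queued;
    queue_verdict_batch(&q, q.next_id, 0);  /* clean up: drop what is left */
    return left;
}
```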