EL> I don't think the described mechanism is generic enough to be a default
EL> behaviour. It should be useful for projects like snort-inline but it
EL> will really be a problem for software like NuFW, which is asynchronous by
EL> design.
EL> In NuFW, packet authentication is triggered by a user message (signing
EL> of packets is done in userspace). Thus the ordering of the answers depends
EL> on the ordering of user messages. As NuFW authenticates packets at network
EL> scale (there are thus plenty of users), it is not possible to assume that
EL> the answers will be ordered.
EL> Thus, even if it could be useful, this mechanism should only be
EL> activated by an explicit userspace query.

Indeed. I use nfqueue for traffic accounting on a network gateway. As I described in previous letters, after _several tens of millions_ of packets I have, every time, one or more such packets without a verdict. I can't find any errors in userspace, and I think that Patrick's way may not work for catching the place where the problem occurs: earlier I tried to use the nfqnl_test example program (it can't get any simpler) for sending verdicts, and some packets didn't get verdicts. Maybe the errors take place in the kernel at high-load bandwidths due to some SMP/RCU bugs, or skbuf or hardware driver bugs (forcedeth, for example, is not such a perfect driver because it was written by reverse engineering).

So for me this patch can automatically erase any delays on the gateway due to the queue filling with trash. I think this feature needs to be implemented as menu config options (for people who really need this).