2010/1/20 Eric Leblond <eric@xxxxxx>:
> Hello,
>
> On Tuesday 19 January 2010 at 21:25 +0200, Mistick Levi wrote:
>> Hi,
>> I've worked with libipq and libnetfilter_queue, and I got to a place
>> where my userspace code can't get any more packets (with the message:
>> netlink message: no buffer space available).
>>
>> Now what I want to do is this:
>> Read a packet from the queue, copy it to my own queue/location in my
>> program, and reinject the packet later on with my verdict, after I
>> have finished.
>
> This is how it works ;)
>
> In fact, the 'no buffer space available' message is due to your program
> not getting packets as fast as needed: the kernel is sending packets to a
> netlink socket and the internal buffer of the socket gets filled with
> the packets waiting to be read.
>
> What you need to do is:
>  * read packets as fast as you can (your callback function has to be
>    fast)
>  * do the intensive or delay-needing work outside of the callback
>    (via a thread or something)

What do you mean by doing the delay-needing work outside of the callback?
At the end of the callback I should give a verdict, no?

>
> If the last option is not possible, you can increase the netlink buffer size
> via the nfnl_rcvbufsiz function. "Standard" syntax is the following:
>        nfnl_rcvbufsiz(nfq_nfnlh(my_nfq_handle), NFQ_NF_BUFSIZE);
>

I will try that. What I have tried so far is increasing
wmem_default, wmem_max, rmem_default and rmem_max.

> BR,
>
>>
>> But to the best of my understanding, until I send a verdict the packet
>> still takes place in the queue.
>> And I've read something about using NF_STOLEN and then reinjecting, but I
>> don't think that NF_STOLEN is a valid verdict.
>>
>> Any ideas on how I can do what it is I wish to do? (Clear the kernel
>> queue by transferring the packets to my queue.)
>>
>> Kind regards
>> Levi Yechiel
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
> --
> Eric Leblond <eric@xxxxxx>
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
>

Well, I have to do some logic before deciding if the packet is ACCEPTED or
DROPPED, and the callback is the one that decides that (sends the verdict).
My original phrasing was bad, so:

Question: is it possible to take the packet out from the internal
socket (as with nfq_handle_packet or recv()) and return some verdict like
"NF_STOLEN", then do the delay-needing work, and then reinject the
packet to continue its normal traversal?

Thanks in advance,
Levi Yechiel
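The pattern discussed in the thread above (a fast callback that only copies the packet, with the verdict issued later from a worker), as an added example that is not part of the original messages or of libnetfilter_queue. The names `park_packet`, `worker_step`, `send_verdict` and `decide` and the ring sizes are hypothetical; `send_verdict` stands in for `nfq_set_verdict()`, and the id and payload are assumed to come from `nfq_get_msg_packet_hdr()` and `nfq_get_payload()` inside the real callback.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>

enum { V_DROP = 0, V_ACCEPT = 1 };  /* same values as NF_DROP / NF_ACCEPT */
#define PENDING_MAX 4               /* tiny, so the full-ring path is easy to hit */
#define SNAP_LEN 64                 /* bytes of each packet copied for the worker */
struct pending { uint32_t id; size_t len; unsigned char data[SNAP_LEN]; };
static struct pending ring[PENDING_MAX];
static unsigned head, count;
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
uint32_t last_id, last_verdict;     /* demo only: what send_verdict() last issued */
/* Assumption: stands in for nfq_set_verdict(qh, id, verdict, 0, NULL). */
static void send_verdict(uint32_t id, uint32_t verdict) { last_id = id; last_verdict = verdict; }

/* Callback side: copy the packet and return at once, with no verdict yet.
 * Returns 0 if parked; -1 if the ring was full and the packet was dropped now. */
int park_packet(uint32_t id, const unsigned char *payload, size_t len)
{
    int rc = -1;
    pthread_mutex_lock(&lock);
    if (count < PENDING_MAX) {
        struct pending *p = &ring[(head + count++) % PENDING_MAX];
        p->id = id;
        p->len = len < SNAP_LEN ? len : SNAP_LEN;
        memcpy(p->data, payload, p->len);
        rc = 0;
    }
    pthread_mutex_unlock(&lock);
    if (rc < 0) send_verdict(id, V_DROP);   /* fail closed instead of stalling the kernel queue */
    return rc;
}

/* Hypothetical placeholder for the slow logic: accept only a plausible IPv4 header. */
static uint32_t decide(const struct pending *p)
{ return (p->len >= 20 && (p->data[0] >> 4) == 4) ? V_ACCEPT : V_DROP; }

/* Worker side: issue the oldest parked packet's verdict by id; returns 0 if none pending. */
int worker_step(void)
{
    struct pending p;
    pthread_mutex_lock(&lock);
    if (count == 0) { pthread_mutex_unlock(&lock); return 0; }
    p = ring[head];
    head = (head + 1) % PENDING_MAX; count--;
    pthread_mutex_unlock(&lock);
    send_verdict(p.id, decide(&p));
    return 1;
}
```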