Anyone have any input for me on this? I have profiled all the code around this and cannot find anything wrong; all I can figure is that the queue is full and it takes time to clear. I have tried moving to a more recent kernel and modifying sysctl parameters, but still no luck.

----- Original Message ----
> From: Robert SZABO <mstrfixit@xxxxxxxxxx>
> To: netfilter-devel@xxxxxxxxxxxxxxx
> Sent: Thu, April 1, 2010 12:58:05 PM
> Subject: Netfilter queueing problems
>
> Hi All,
>
> I have built a simple kernel module that listens on the interfaces defined
> in a bridge (created using bridge-utils) and when it receives a particular
> packet in the TCP stream, the hook queues that packet to user space. In user
> space I then modify the payload, swap the source/destination IP addresses and
> ports, re-calculate the checksums and put it back out using
> nfq_set_verdict_mark(q_handle, id, NF_ACCEPT, BOOMERANG_NFMARK, datagramSize, datagram);
> I then have a hook, set as the last hook in the NF_IP_FORWARD chain, that
> checks the netfilter mark value and, if correct, immediately swaps the
> source/destination MAC addresses and the NIC assignments. The idea being
> that the modified packet is sent back to the client.
>
> Here is the hook and the final packet manipulation:
>
> int swapAndQueuePacket(struct sk_buff *skb, int mark);
>
> unsigned int secondary_hook_cb(unsigned int hook, struct sk_buff **pskb,
>                                const struct net_device *indev,
>                                const struct net_device *outdev,
>                                int (*okfn)(struct sk_buff *))
> {
>     struct sk_buff *skb = *pskb;
>
>     /* we skip all interrogation and get out of the way */
>     if (skb && skb->nh.iph) {
>         switch ((int) ntohl(skb->nfmark)) {
>         case BOOMERANG_NFMARK:
>             if (skb->nh.iph->protocol == IPPROTO_TCP)
>                 return swapAndQueuePacket(skb, ntohl(skb->nfmark));
>             break;
>         default:
>             break;
>         }
>     }
>     return NF_ACCEPT;
> }
>
> int swapAndQueuePacket(struct sk_buff *skb, int mark)
> {
>     struct net_device *odev, *idev;
>     struct ethhdr *ethdr;
>     u_char tmp[6];
>
>     /* dev_get_by_name() takes a reference on the device; both are released below */
>     odev = dev_get_by_name(getIngresIf());
>     idev = dev_get_by_name(getEgresIf());
>     if (!odev || !idev) {
>         if (odev) dev_put(odev);
>         if (idev) dev_put(idev);
>         return NF_DROP;   /* no usable device: the packet cannot be reflected */
>     }
>
>     ethdr = (struct ethhdr *) skb->mac.raw;
>     if (ethdr != NULL) {
>         skb->nfmark = htonl(mark);
>         /* send it back out of the interface it arrived on */
>         skb->dev = odev;
>         skb->input_dev = idev;
>         skb->pkt_type = PACKET_OTHERHOST;
>         skb->protocol = __constant_htons(ETH_P_IP);
>         skb->priority = 0;
>         skb->csum = skb_checksum(skb, skb->nh.iph->ihl * 4,
>                                  skb->len - skb->nh.iph->ihl * 4, 0);
>         /* swap the source and destination MAC addresses */
>         memcpy(tmp, ethdr->h_dest, ETH_ALEN);
>         memcpy(ethdr->h_dest, ethdr->h_source, ETH_ALEN);
>         memcpy(ethdr->h_source, tmp, ETH_ALEN);
>     }
>     dev_put(odev);
>     dev_put(idev);
>     return NF_ACCEPT;
> }
>
> This works a treat; however, the issue I am running into is that I can pass
> hundreds of transactions through the system and the throughput is high, then
> for some reason throughput drops to a grinding pace. A few seconds later it's
> as fast as lightning and the whole thing repeats itself. If I simply use
> nfq_set_verdict(q_handle, id, NF_ACCEPT, 0, NULL) and avoid calling this last
> hook, I do not see any performance issues, but obviously I do not get the
> desired result.
>
> Any ideas would be greatly appreciated..
Cheers,
Bob
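The user-space step the mail describes (swap the addresses and ports, then recompute the IPv4 and TCP checksums before the packet is handed back with nfq_set_verdict_mark) as an added example in plain C. It is not the poster's code and uses no netfilter API: it works on a constructed 42-byte packet, validates the header lengths before touching any offset, and the names boomerang_swap, demo and sample are this example's own.

```c
#include <stdint.h>
#include <string.h>

#define TCP_PROTO 6   /* IPv4 protocol number for TCP */

/* RFC 1071 ones'-complement accumulate over a byte range (big-endian words). */
static uint32_t csum_add(uint32_t sum, const uint8_t *b, size_t len) {
    for (; len > 1; b += 2, len -= 2) sum += (uint32_t)(b[0] << 8 | b[1]);
    return len ? sum + ((uint32_t)b[0] << 8) : sum;
}
/* Fold carries and complement; a buffer that holds a valid checksum folds to 0. */
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* Ones'-complement sum of the TCP pseudo-header (addresses, proto, length) plus the segment. */
static uint32_t tcp_sum(const uint8_t *ip, const uint8_t *seg, size_t tlen) {
    uint8_t ph[12] = {0};
    memcpy(ph, ip + 12, 8);                 /* source and destination address */
    ph[9] = TCP_PROTO; ph[10] = (uint8_t)(tlen >> 8); ph[11] = (uint8_t)tlen;
    return csum_add(csum_add(0, ph, 12), seg, tlen);
}
/* Store a 16-bit checksum into the packet in network byte order. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Reflect a TCP/IPv4 packet in place: swap addresses and ports, recompute both
 * checksums. Returns 0 on success, -1 if the buffer is malformed or not TCP. */
int boomerang_swap(uint8_t *pkt, size_t len) {
    size_t ihl; uint8_t tmp[4];
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != TCP_PROTO) return -1;
    ihl = (pkt[0] & 0xf) * 4;
    if (ihl < 20 || len < ihl + 20 || len != ((size_t)pkt[2] << 8 | pkt[3])) return -1;
    memcpy(tmp, pkt + 12, 4); memcpy(pkt + 12, pkt + 16, 4); memcpy(pkt + 16, tmp, 4);
    memcpy(tmp, pkt + ihl, 2); memcpy(pkt + ihl, pkt + ihl + 2, 2); memcpy(pkt + ihl + 2, tmp, 2);
    put16(pkt + 10, 0);       put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    put16(pkt + ihl + 16, 0); put16(pkt + ihl + 16, csum_fold(tcp_sum(pkt, pkt + ihl, len - ihl)));
    return 0;
}
/* Constructed sample (not a capture): 10.0.0.1:40000 -> 10.0.0.2:80, ACK, payload "hi",
 * both checksum fields zero so the swap has to fill them in. */
static const uint8_t sample[42] = {
    0x45,0,0,42, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0,80, 0,0,0,0, 0,0,0,0, 0x50,0x10, 0,0, 0,0, 0,0, 'h','i' };
/* Swap a copy of the sample and verify it; returns 0x0f when every check passes. */
int demo(void) {
    uint8_t buf[42]; int ok;
    memcpy(buf, sample, 42);
    ok  = boomerang_swap(buf, 42) == 0;
    ok |= (csum_fold(csum_add(0, buf, 20)) == 0) << 1;          /* IP header verifies */
    ok |= (csum_fold(tcp_sum(buf, buf + 20, 22)) == 0) << 2;    /* TCP segment verifies */
    ok |= (memcmp(buf + 12, "\x0a\0\0\x02\x0a\0\0\x01", 8) == 0 &&
           memcmp(buf + 20, "\0\x50\x9c\x40", 4) == 0) << 3;   /* addresses and ports swapped */
    return ok;
}
```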