Eric Leblond wrote:
> Hi Victor,
>
> On Wednesday 19 May 2010 at 12:15 +0200, Victor Julien wrote:
>> Hi all,
>>
>> I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
>> (www.openinfosecfoundation.org). I'm using a callback that makes the
>> packet(s) available to the detection engine. In some special cases the
>> callback could fail (only malloc failure atm).
>>
>> I was wondering what the proper response would be to such an event. I'm
>> assuming nfq_handle_packet() would return a (non-zero) error code in
>> that case.
>>
>> Should I verdict the packet? (drop to be safe)
>
> Yes, clearly! If you don't do this the packet will get stuck inside the
> kernel and nothing will release it (and free the associated structures).
>
> The only other means to free a queued packet is to unregister from the NF
> queue.

Thanks Eric, I will implement the verdict in case of error.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
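The rule Eric states above, as an added example that is not part of this thread and not Suricata's code: every packet the kernel hands to an nfqueue callback must receive exactly one verdict, and the callback's own error path (here, allocation failure) is the only place that can do it, because the engine never sees the packet. So that this file compiles without libnetfilter_queue, the kernel side is modelled by a small `verdict_sink` and the real `nfq_set_verdict(qh, id, NF_DROP, 0, NULL)` call is replaced by `set_verdict()`; the packet id and payload, which a real callback would take from `ntohl(nfq_get_msg_packet_hdr(nfa)->packet_id)` and `nfq_get_payload()`, are plain parameters. `engine_packet`, `engine_alloc()` with its fault-injection flag, the toy "EVIL" detection stage and the packet id 4242 are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdict values as defined in <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Hypothetical engine-side packet: what the callback hands to detection. */
struct engine_packet {
    uint32_t id;        /* nfqueue packet id, needed for the later verdict */
    size_t   len;
    uint8_t *payload;
};

/* Stand-in for the kernel's record of one queued packet. In real code the
 * verdict is delivered with nfq_set_verdict(qh, id, verdict, 0, NULL). */
struct verdict_sink {
    uint32_t id;
    uint32_t verdict;
    int      issued;    /* verdicts delivered for this packet; must end at 1 */
};

/* Fault-injection hook (constructed): set to 1 to fail the next allocation. */
static int fail_next_alloc = 0;

static void *engine_alloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

static void set_verdict(struct verdict_sink *sink, uint32_t id, uint32_t verdict)
{
    sink->id = id;
    sink->verdict = verdict;
    sink->issued++;
}

/* Mirrors the body of an nfq_callback. Returns 0 when the packet has been
 * handed to the engine (which verdicts it after inspection) and -1 on
 * failure, in which case the packet has already been dropped here so the
 * kernel does not keep it queued forever. */
static int queue_callback(uint32_t id, const uint8_t *data, size_t len,
                          struct verdict_sink *sink, struct engine_packet **out)
{
    struct engine_packet *p = engine_alloc(sizeof(*p));
    if (p == NULL)
        goto fail;
    p->payload = engine_alloc(len);
    if (p->payload == NULL) {
        free(p);
        goto fail;
    }
    memcpy(p->payload, data, len);
    p->id = id;
    p->len = len;
    *out = p;
    return 0;

fail:
    /* Out of memory: nobody downstream will ever see this packet, so nobody
     * else would verdict it. Drop it now rather than leave it stuck. */
    *out = NULL;
    set_verdict(sink, id, NF_DROP);
    return -1;
}

/* Toy detection stage (constructed): drop payloads containing "EVIL",
 * accept everything else, then release the engine's copy. */
static uint32_t engine_inspect_and_verdict(struct engine_packet *p,
                                           struct verdict_sink *sink)
{
    static const uint8_t pattern[] = "EVIL";
    uint32_t verdict = NF_ACCEPT;
    size_t i;
    for (i = 0; i + 4 <= p->len; i++) {
        if (memcmp(p->payload + i, pattern, 4) == 0) {
            verdict = NF_DROP;
            break;
        }
    }
    set_verdict(sink, p->id, verdict);
    free(p->payload);
    free(p);
    return verdict;
}

enum outcome { OUT_ACCEPTED, OUT_DROPPED_BY_ENGINE, OUT_DROPPED_ON_ERROR, OUT_BROKEN };

/* Runs one packet through callback and engine, optionally with an injected
 * malloc failure, and checks that exactly one verdict reached the kernel. */
static enum outcome run_scenario(int inject_failure, const char *payload)
{
    struct verdict_sink sink = {0, 0, 0};
    struct engine_packet *p = NULL;
    const uint32_t id = 4242;   /* constructed packet id */
    int rc;

    fail_next_alloc = inject_failure;
    rc = queue_callback(id, (const uint8_t *)payload, strlen(payload), &sink, &p);
    if (rc == 0)
        engine_inspect_and_verdict(p, &sink);

    if (sink.issued != 1 || sink.id != id)
        return OUT_BROKEN;          /* zero verdicts = stuck packet; two = protocol error */
    if (rc < 0)
        return sink.verdict == NF_DROP ? OUT_DROPPED_ON_ERROR : OUT_BROKEN;
    return sink.verdict == NF_ACCEPT ? OUT_ACCEPTED : OUT_DROPPED_BY_ENGINE;
}

int main(void)
{
    printf("benign packet:   outcome %d\n", run_scenario(0, "GET / HTTP/1.1"));
    printf("matching packet: outcome %d\n", run_scenario(0, "xx EVIL xx"));
    printf("malloc failure:  outcome %d\n", run_scenario(1, "GET / HTTP/1.1"));
    return 0;
}
```

The `goto fail` path is the whole point: both allocation failures funnel into one place that frees whatever was already obtained and sends NF_DROP before returning the error. Whatever `nfq_handle_packet()` then reports to the caller, the drop has already gone to the kernel from inside the callback; as the thread notes, the only other way that packet is ever released is unregistering from the queue.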