Victor Julien wrote:
> Eric Leblond wrote:
>> Hi Victor,
>>
>> On Wednesday, 19 May 2010 at 12:15 +0200, Victor Julien wrote:
>>> Hi all,
>>>
>>> I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
>>> (www.openinfosecfoundation.org). I'm using a callback that makes the
>>> packet(s) available to the detection engine. In some special cases the
>>> callback could fail (only malloc failure atm).
>>>
>>> I was wondering what the proper response would be to such an event. I'm
>>> assuming nfq_handle_packet() would return a (non-zero) error code in
>>> that case.
>>>
>>> Should I verdict the packet? (drop to be safe)
>> Yes, clearly! If you don't do this the packet will get stuck inside the
>> kernel and nothing will release it (and free the associated structures).
>>
>> The only other means to free a queued packet is to unregister from the NF
>> queue.
>
> Thanks Eric, I will implement the verdict in case of error.

Actually, after giving it some more thought I was wondering if the verdict
would need to be issued in the failing callback function itself. As far as I
understand, nfq_handle_packet can process multiple packets after a single
recv. What would be the appropriate place to issue the verdict?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html