On Thursday 30 June 2011 at 13:59 +0200, Patrick McHardy wrote:
> Thanks Eric, I agree. Give us data and we'll fix it if it really is a bug.
>
> The fact that the timeout patch apparently helps indicates that some
> packets don't receive verdicts.

My rough guess is that this user application gets an error in its nfq_set_verdict() call (maybe a transient out of memory indication) and the packet never gets its verdict.

libnetfilter_queue/utils/nfqnl_test.c is buggy in this regard: it should at least log an error if nfq_set_verdict() fails, so that a programmer using nfqnl_test.c as a template is aware of a possible problem here.

utils/nfqnl_test.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c index a554f2d..b7e0cf9 100644 --- a/utils/nfqnl_test.c +++ b/utils/nfqnl_test.c @@ -69,8 +69,13 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = print_pkt(nfa); + int res; + printf("entering callback\n"); - return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); + res = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); + if (res == -1) + printf("nfq_set_verdict() error %d (packet stuck in queue !)\n", errno); + return res; } int main(int argc, char **argv)
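
Review bot: the failure report added in cb() goes to stdout through printf() and prints errno as a bare number; because this file is used as a template, fprintf(stderr, ...) with strerror(errno) would keep the message out of the packet dump and make the cause (for example a transient out-of-memory condition) readable. The hunk also starts using errno while the diffstat shows no insertion outside cb(), so confirm that nfqnl_test.c already includes <errno.h>. Consider testing res < 0 rather than res == -1 so that any negative return from nfq_set_verdict() is reported.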