On 06/30/2011 11:15 AM, Eric Dumazet wrote:
Le jeudi 30 juin 2011 à 13:59 +0200, Patrick McHardy a écrit :
Thanks Eric, I agree. Give us data and we'll fix it if really is a bug.
The fact that the timeout patch apparently helps indicates that some
packets don't receive verdicts.
My rough guess is that this user application gets an error in its
nfq_set_verdict() call ( maybe a transient out of memory indication) and
packet never gets its verdict.
libnetfilter_queue/utils/nfqnl_test.c is buggy in this regard : It
should at least log an error if nfq_set_verdict() fails, so that
programmer using nfqnl_test.c as a template is aware of a possible
problem here.
utils/nfqnl_test.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c
index a554f2d..b7e0cf9 100644
--- a/utils/nfqnl_test.c
+++ b/utils/nfqnl_test.c
@@ -69,8 +69,13 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data)
{
u_int32_t id = print_pkt(nfa);
+ int res;
+
printf("entering callback\n");
- return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
+ res = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
+ if (res == -1)
+ printf("nfq_set_verdict() error %d (packet stuck in queue !)\n", errno);
+ return res;
}
int main(int argc, char **argv)
So if you receive a -1 the proper recovery is to call nfq_set_verdict()
again?
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
