On 30.06.2011 16:32, Stephen Clark wrote:
> On 06/30/2011 11:15 AM, Eric Dumazet wrote:
>> On Thursday 30 June 2011 at 13:59 +0200, Patrick McHardy wrote:
>>
>>> Thanks Eric, I agree. Give us data and we'll fix it if it really is a bug.
>>>
>>> The fact that the timeout patch apparently helps indicates that some
>>> packets don't receive verdicts.
>>>
>> My rough guess is that this user application gets an error in its
>> nfq_set_verdict() call (maybe a transient out of memory indication) and
>> packet never gets its verdict.
>>
>> libnetfilter_queue/utils/nfqnl_test.c is buggy in this regard: It
>> should at least log an error if nfq_set_verdict() fails, so that
>> programmer using nfqnl_test.c as a template is aware of a possible
>> problem here.
>>
>>
>> utils/nfqnl_test.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c >> index a554f2d..b7e0cf9 100644 >> --- a/utils/nfqnl_test.c >> +++ b/utils/nfqnl_test.c >> @@ -69,8 +69,13 @@ static int cb(struct nfq_q_handle *qh, struct >> nfgenmsg *nfmsg, >> struct nfq_data *nfa, void *data) >> { >> u_int32_t id = print_pkt(nfa); >> + int res; >> + >> printf("entering callback\n"); >> - return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); >> + res = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); >> + if (res == -1) >> + printf("nfq_set_verdict() error %d (packet stuck in queue >> !)\n", errno); >> + return res; >> } >> >> int main(int argc, char **argv) >> >> >
>
> So if you receive a -1 the proper recovery is to call nfq_set_verdict()
> again?

Look at errno to see what's happening. But yes, this indicates the
verdict wasn't issued successfully, so you need to retransmit.
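
Review bot: In cb(), the new failure branch reports the error with printf() on stdout and prints errno as a bare number, so the one message that says a packet is stuck in the queue is interleaved with the per-packet "entering callback" output and is easy to miss or lose when stdout is redirected. Suggest fprintf(stderr, ...) with strerror(errno) so the cause is readable without looking up the number. The diffstat's six insertions are all inside this hunk, so the patch itself adds no #include <errno.h>; please confirm nfqnl_test.c already includes it. The branch also only logs and returns res; since the file is used as a template and the reply in this thread says the verdict has to be sent again, a short comment at the if (res == -1) check stating that this example does not retry would keep readers from treating the log line as sufficient handling.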