On Thursday, 30 June 2011 at 19:07 +0200, Eric Leblond wrote:
> As the verdict failure is bound to occur at a high-load time,
> retransmission of the verdict (which is necessary) will not help the
> system to recover. Userspace has to deal with it, but it has another
> consequence, which is that userspace software may suffer from cases where
> successive failures occur.
>
> In this scope, Florian's patch "netfilter: nfqueue: batch verdict
> support" could be really useful. It could be used by userspace to
> trigger a decision on all stuck packets. Issuing a massive ACCEPT could
> lead to dinosaur packets coming from ancient times, but it could be OK if
> the batch occurs often enough.
>
> Is there a plan to accept it in mainstream?

Given that apparently some apps are not aware that some of their verdicts are lost, I consider the BATCH idea would be a bad idea, unless DROP is used.

If you have any doubt, the only sane thing is to drop packets, not accept them.

Maybe a single queue flag is needed: DROP_OLD_PACKETS, if the user application is handling packets in order.

Every time a verdict is given by the application, automatically DROP all previous un-verdicted packets.
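To make the two behaviours discussed in this thread concrete, here is an added example that is not code from the thread, from the kernel, or from libnetfilter_queue: a small userspace simulation in C of one queue's table of un-verdicted packets. It assumes only that nfqueue assigns packet ids sequentially per queue (which it does), and models (a) the proposed DROP_OLD_PACKETS flag, where verdicting packet N first drops every older packet still waiting, and (b) a batch verdict applied to every outstanding packet with id <= N, so the difference between a batch DROP and a batch ACCEPT of "dinosaur" packets is visible. All names (sim_queue, sim_verdict, sim_verdict_batch, drop_old) are hypothetical, and the sample scenario in main() is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict values, matching nfqueue's NF_DROP = 0 and NF_ACCEPT = 1. */
enum sim_verdict { SIM_DROP = 0, SIM_ACCEPT = 1 };

#define SIM_MAX_OUTSTANDING 64

/*
 * Simulated queue (hypothetical, not kernel code): packets handed to
 * userspace but not yet verdicted, kept in arrival order. Packet ids are
 * assumed to be sequential per queue and are not expected to wrap here.
 */
struct sim_queue {
    uint32_t ids[SIM_MAX_OUTSTANDING];
    size_t n;
    bool drop_old;          /* the proposed DROP_OLD_PACKETS flag */
    unsigned accepted;
    unsigned dropped;       /* explicit DROP verdicts */
    unsigned auto_dropped;  /* dropped because a later packet was verdicted */
};

void sim_init(struct sim_queue *q, bool drop_old)
{
    memset(q, 0, sizeof *q);
    q->drop_old = drop_old;
}

/* A packet is queued to userspace. Returns false if the queue is full. */
bool sim_enqueue(struct sim_queue *q, uint32_t id)
{
    if (q->n == SIM_MAX_OUTSTANDING)
        return false;
    q->ids[q->n++] = id;
    return true;
}

static void sim_apply(struct sim_queue *q, enum sim_verdict v)
{
    if (v == SIM_ACCEPT)
        q->accepted++;
    else
        q->dropped++;
}

/* Remove the first count entries, keeping the rest in order. */
static void sim_pop_front(struct sim_queue *q, size_t count)
{
    memmove(q->ids, q->ids + count, (q->n - count) * sizeof q->ids[0]);
    q->n -= count;
}

/*
 * Userspace verdicts a single packet. With drop_old set, every packet that
 * arrived before it and is still un-verdicted is dropped first, which is
 * what an in-order application would want after lost verdicts.
 * Returns the number of auto-dropped packets, or -1 if id is not queued.
 */
int sim_verdict(struct sim_queue *q, uint32_t id, enum sim_verdict v)
{
    size_t i;
    for (i = 0; i < q->n && q->ids[i] != id; i++)
        ;
    if (i == q->n)
        return -1;
    int auto_dropped = 0;
    if (q->drop_old) {
        auto_dropped = (int)i;
        q->auto_dropped += (unsigned)i;
        sim_pop_front(q, i);
        i = 0;
    }
    sim_apply(q, v);
    memmove(q->ids + i, q->ids + i + 1, (q->n - i - 1) * sizeof q->ids[0]);
    q->n--;
    return auto_dropped;
}

/*
 * Batch verdict: apply v to every outstanding packet with id <= max_id.
 * A batch ACCEPT lets arbitrarily old packets through; a batch DROP is the
 * conservative choice. Returns the number of packets verdicted.
 */
int sim_verdict_batch(struct sim_queue *q, uint32_t max_id, enum sim_verdict v)
{
    int done = 0;
    size_t w = 0;
    for (size_t r = 0; r < q->n; r++) {
        if (q->ids[r] <= max_id) {
            sim_apply(q, v);
            done++;
        } else {
            q->ids[w++] = q->ids[r];
        }
    }
    q->n = w;
    return done;
}

int main(void)
{
    struct sim_queue q;
    sim_init(&q, true);
    for (uint32_t id = 1; id <= 5; id++)   /* constructed scenario */
        sim_enqueue(&q, id);
    /* verdicts for 1 and 2 were lost; the application now verdicts 3 */
    int stale = sim_verdict(&q, 3, SIM_ACCEPT);
    printf("auto-dropped %d stale packets, %zu still outstanding\n", stale, q.n);
    return 0;
}
```

In the scenario above, verdicting packet 3 with the flag set drops packets 1 and 2 automatically and leaves 4 and 5 waiting; without the flag, 1 and 2 would sit in the queue until a batch verdict or a timeout reaches them, and a batch ACCEPT at that point would release them long after they were first seen.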