Hello, On Thu, 2011-06-30 at 16:51 +0200, Patrick McHardy wrote: > On 30.06.2011 16:32, Stephen Clark wrote: > > On 06/30/2011 11:15 AM, Eric Dumazet wrote: > >> Le jeudi 30 juin 2011 à 13:59 +0200, Patrick McHardy a écrit : > >> > >> > >>> Thanks Eric, I agree. Give us data and we'll fix it if really is a bug. ... > > > > So if you receive a -1 the proper recovery is to call nfq_set_verdict() > > again? > > Look at errno to see what's happening. But yes, this indicates the > verdict wasn't issues successfully, so you need to retransmit. As the verdict failure is bound to occur in a high load time, retransmission of the verdict (which is necessary) will not help the system to recover. Userspace has to deal with it but it has another consequences which is that userspace software may suffer of case where successive failures occurs. In this scope, Florian's patch "netfilter: nfqueue: batch verdict support" could be really useful. It could be used by userspace to trigger an decide on all stucked packets. Issuing a massive ACCEPT could lead to dynosaurus packet coming from ancient time but it could be ok if batch occurs enough often. Is there a plan to accept it in mainstream ? BR, -- Eric Leblond Blog: http://home.regit.org/
Attachment:
signature.asc
Description: This is a digitally signed message part
