Hello,

On Thu, 2011-06-30 at 19:45 +0200, Eric Dumazet wrote:
> On Thursday, 30 June 2011 at 19:07 +0200, Eric Leblond wrote:
>
> > As the verdict failure is bound to occur in a high load time,
> > retransmission of the verdict (which is necessary) will not help the
> > system to recover. Userspace has to deal with it but it has other
> > consequences, which is that userspace software may suffer from cases where
> > successive failures occur.
> >
> > In this scope, Florian's patch "netfilter: nfqueue: batch verdict
> > support" could be really useful. It could be used by userspace to
> > trigger a decision on all stuck packets. Issuing a massive ACCEPT could
> > lead to dinosaur packets coming from ancient times but it could be ok if
> > the batch occurs often enough.
> >
> > Is there a plan to accept it in mainstream?
>
> Given that apparently some apps are not aware some of their verdicts are
> lost, I consider the BATCH idea would be a bad idea, unless DROP is
> used.
>
> If you have any doubt, the only sane thing is to drop packets, not accept
> them.

It all depends on the application. For a security application this is a sane behaviour (and maybe the only one acceptable) but we've seen applications such as NFQUEUE based QoS implementations where ACCEPT may be a decent decision.

BR,
--
Eric Leblond
Blog: http://home.regit.org/