Change NFQUEUE handler to return >0 value on queue full to signify "fail-open". Signed-off-by: Krishna Kumar <krkumar2@xxxxxxxxxx> Signed-off-by: Vivek Kashyap <vivk@xxxxxxxxxx> Signed-off-by: Sridhar Samudrala <samudrala@xxxxxxxxxx> --- net/netfilter/nfnetlink_queue.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c --- org/net/netfilter/nfnetlink_queue.c 2012-05-08 12:57:39.225755227 +0530 +++ new/net/netfilter/nfnetlink_queue.c 2012-05-08 12:57:55.515816567 +0530 @@ -433,11 +433,16 @@ nfqnl_enqueue_packet(struct nf_queue_ent goto err_out_free_nskb; } if (queue->queue_total >= queue->queue_maxlen) { - queue->queue_dropped++; - if (net_ratelimit()) - printk(KERN_WARNING "nf_queue: full at %d entries, " - "dropping packets(s).\n", - queue->queue_total); + if (queue->fail_open) { + /* Accept the packet temporarily skipping rules */ + err = 1; + } else { + queue->queue_dropped++; + if (net_ratelimit()) + printk(KERN_WARNING "nf_queue: full at %d " + "entries, dropping packets(s).\n", + queue->queue_total); + } goto err_out_free_nskb; } entry->id = ++queue->id_sequence; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
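Review bot: the fail-open branch (`if (queue->fail_open) { ... err = 1; }`) passes the packet on a full queue without incrementing any counter or logging anything, so an operator cannot tell from this path how often traffic skipped the userspace verdict. Consider counting these events in a separate counter alongside `queue_dropped`, or emitting a `net_ratelimit()`-guarded message as the drop branch does. The positive return value is a new convention for `nfqnl_enqueue_packet()`, yet only the commit message states it: the in-code comment "Accept the packet temporarily skipping rules" should say that a value >0 signals fail-open to the caller. The callers are not visible in this hunk, so any that treat a non-zero return as an error need to be checked. The re-indented warning string still carries the "packets(s)" typo, which could be fixed while the line is being touched.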