On Tue, May 08, 2012 at 03:14:30PM +0530, Krishna Kumar wrote:
> Change NFQUEUE handler to return >0 value on queue full
> to signify "fail-open".
>
> Signed-off-by: Krishna Kumar <krkumar2@xxxxxxxxxx>
> Signed-off-by: Vivek Kashyap <vivk@xxxxxxxxxx>
> Signed-off-by: Sridhar Samudrala <samudrala@xxxxxxxxxx>
> ---
> net/netfilter/nfnetlink_queue.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
> --- org/net/netfilter/nfnetlink_queue.c 2012-05-08 12:57:39.225755227 +0530
> +++ new/net/netfilter/nfnetlink_queue.c 2012-05-08 12:57:55.515816567 +0530
> @@ -433,11 +433,16 @@ nfqnl_enqueue_packet(struct nf_queue_ent
> goto err_out_free_nskb;
> }
> if (queue->queue_total >= queue->queue_maxlen) {
> - queue->queue_dropped++;
> - if (net_ratelimit())
> - printk(KERN_WARNING "nf_queue: full at %d entries, "
> - "dropping packets(s).\n",
> - queue->queue_total);
> + if (queue->fail_open) {
> + /* Accept the packet temporarily skipping rules */
> + err = 1;
Please, return -ENOSPC and handle this special case in nf_queue.
> + } else {
> + queue->queue_dropped++;
> + if (net_ratelimit())
> + printk(KERN_WARNING "nf_queue: full at %d "
> + "entries, dropping packets(s).\n",
> + queue->queue_total);
> + }
> goto err_out_free_nskb;
> }
> entry->id = ++queue->id_sequence;
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
