Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote on 05/08/2012 05:58:28 PM:
> > + if (!skb_is_gso(skb)) {
> > + err = __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
> > queuenum);
> > + if (err > 0) {
> > + /* Queue failed due to queue-full and handler
> > + * returned >0 indicating fail-open - temporarily
> > + * accept packets.
> > + */
> > + err = okfn(skb);
>
> You cannot invoke okfn here. If you do so, you'll skip the remaining
> hooks.
>
> Return the error and handle the -ENOSPC in nf_hook_slow.
>
> (Note that the -ENOSPC is the error value I'm proposing you to use for
> this special case).
Are you suggesting to change nf_hook_slow to:
if (err == -ENOSPC || err == -ECANCELED)
goto next_hook;
In that case, how should the GSO case be handled (code below)?
Thanks for your feedback,
- KK
> > @@ -268,14 +277,26 @@ int nf_queue(struct sk_buff *skb,
> > err = __nf_queue(segs, elem, pf, hook, indev,
> > outdev, okfn, queuenum);
> > }
> > - if (err == 0)
> > +
> > + if (err == 0) {
> > queued++;
> > - else
> > + } else if (err > 0) {
> > + /* Queue failed due to queue-full and handler
> > + * returned >0 indicating fail-open - accept
> > + * this and remaining segments.
> > + */
> > + okfn(segs);
> > + } else {
> > + /* Queue failed due to queue-full and handler
> > + * returned <0 - free this and remaining skb
> > + * segments.
> > + */
> > kfree_skb(segs);
> > + }
> > segs = nskb;
> > } while (segs);
> >
> > - if (queued) {
> > + if (queued || err > 0) {
> > kfree_skb(skb);
> > return 0;
> > }
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
