Re: [v4 PATCH 1/1] netfilter: Add fail-open support

Krishna Kumar <krkumar2@xxxxxxxxxx> wrote:
> diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
> --- org/net/netfilter/nfnetlink_queue.c	2012-05-23 09:52:54.742661899 +0530
> +++ new/net/netfilter/nfnetlink_queue.c	2012-05-24 13:42:24.155860334 +0530
> @@ -52,6 +52,7 @@ struct nfqnl_instance {
>  
>  	u_int16_t queue_num;			/* number of this queue */
>  	u_int8_t copy_mode;
> +	u_int32_t flags;			/* Set using NFQA_CFG_FLAGS */
>  /*
>   * Following fields are dirtied for each queued packet,
>   * keep them in same cache line if possible.
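
Review bot: the new `flags` field's comment only says where it is set, not what it may hold; since the field is written from the NFQA_CFG_FLAGS configuration path and read on every enqueue, spell out in the comment that it carries NFQA_CFG_F_* bits (currently only NFQA_CFG_F_FAIL_OPEN) so the accepted values are documented where the field is defined.
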
> @@ -431,9 +432,13 @@ nfqnl_enqueue_packet(struct nf_queue_ent
>  		goto err_out_free_nskb;
>  	}
>  	if (queue->queue_total >= queue->queue_maxlen) {
> -		queue->queue_dropped++;
> -		net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
> -				     queue->queue_total);
> +		if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
> +			err = -ENOSPC;
> +		} else {
> +			queue->queue_dropped++;
> +			net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
> +					     queue->queue_total);
> +		}
>  		goto err_out_free_nskb;
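
Review bot: the fail-open branch leaves the queue-full event unaccounted: not bumping queue_dropped is correct (nothing is dropped), but no other counter or rate-limited message records that packets are now bypassing userspace inspection, so an operator looking at the per-queue statistics cannot tell that fail-open has engaged. Consider a dedicated counter, or at least a net_warn_ratelimited() next to the existing one, so a saturated queue in fail-open mode is observable. Note also that this hunk only does what the subject promises together with the matching nf_hook_slow/nf_queue changes that treat -ENOSPC as accept; on its own the backend still returns an error and the generic queue path drops the packet.
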

What about this:

if (queue->queue_total >= queue->queue_maxlen) {
	if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
		nf_reinject(entry, NF_ACCEPT);
		err = 0;
		goto err_out_free_nskb;
	}
	queue->queue_dropped++;
	net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",

[..]

Do you see any problems with that?

It should do the same as the nf_hook_slow/nf_queue ENOSPC changes while
avoiding modifications outside the queueing backend.

> +	if (nfqa[NFQA_CFG_FLAGS]) {
> +		__be32 flags, mask;

[..]

> +		flags = ntohl(nla_get_be32(nfqa[NFQA_CFG_FLAGS]));
> +		mask = ntohl(nla_get_be32(nfqa[NFQA_CFG_MASK]));
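
Review bot: the visible lines guard only on nfqa[NFQA_CFG_FLAGS]; unless the elided lines also reject a missing NFQA_CFG_MASK, the nla_get_be32(nfqa[NFQA_CFG_MASK]) on the last line dereferences a NULL attribute for a userspace request that sets flags without a mask, so return -EINVAL when the mask attribute is absent. Separately, `flags` and `mask` are declared __be32 but receive the host-order result of ntohl(); declare them u32, otherwise sparse flags the endianness mismatch.
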

ntohl returns __u32 type.

Thanks,
Florian