* libnetfilter_queue hang when flooding
@ 2006-07-29 12:10 Eric Leblond
  2006-07-29 15:07 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Leblond @ 2006-07-29 12:10 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: victor, Vincent Deffontaines


[-- Attachment #1.1: Type: text/plain, Size: 1341 bytes --]

Hi,

I've proceeded with some stress tests of libnetfilter_queue using hping3.

./hping3 -p 5000  --flood localhost


The main issue is that the recv buffer of the netlink socket gets full.
We've got error 105 during recv.
unbinding from queue 0

I provide a patch to print the error and avoid printf, to be able to test
the performance of libnetfilter_queue.

The problem is that when the socket is full we disconnect and try to close
the queue:
	got error 105 during recv.
	unbinding from queue 0
It hangs here. gdb shows that we hang in recvmsg.

Here's the backtrace:

#0  0x00002aaaaad98762 in recvmsg () from /lib/libc.so.6
#1  0x00002aaaaaf0aa36 in nfnl_talk (nfnlh=0x502010, n=<value optimized out>,
    peer=<value optimized out>, groups=<value optimized out>, answer=0x0, junk=0, jarg=0x0)
    at libnfnetlink.c:552
#2  0x00002aaaaabc2dff in __build_send_cfg_msg (h=0x5021e0, command=2 '\002',
    queuenum=<value optimized out>, pf=0) at libnetfilter_queue.c:112
#3  0x00002aaaaabc312d in nfq_destroy_queue (qh=0x502250) at libnetfilter_queue.c:258
#4  0x0000000000401028 in main ()

In fact, the control message can not be received as the receive buffer
of the socket is full.

I did not find any workaround except brutal cancellation. Any ideas are
welcome.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL

[-- Attachment #1.2: nfqnl_test.diff --]
[-- Type: text/x-patch, Size: 1640 bytes --]

Index: utils/nfqnl_test.c
===================================================================
--- utils/nfqnl_test.c	(revision 6652)
+++ utils/nfqnl_test.c	(working copy)
@@ -2,11 +2,14 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <errno.h>
 #include <netinet/in.h>
 #include <linux/netfilter.h>		/* for NF_ACCEPT */
 
 #include <libnetfilter_queue/libnetfilter_queue.h>
 
+#define PRINT_INFOS 
+
 /* returns packet id */
 static u_int32_t print_pkt (struct nfq_data *tb)
 {
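Review bot: `#define PRINT_INFOS` is added unconditionally after the includes, so every `#ifdef PRINT_INFOS` block this patch introduces is still compiled in and a default build keeps all the per-packet printf calls. To measure without printf, leave the macro out of the source and enable it from the build with `-DPRINT_INFOS`. The define line also carries a trailing space.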
@@ -16,13 +19,17 @@
 	int ret;
 	char *data;
 	
+    id = ntohl(ph->packet_id);
 	ph = nfq_get_msg_packet_hdr(tb);
 	if (ph){
 		id = ntohl(ph->packet_id);
+#ifdef PRINT_INFOS
 		printf("hw_protocol=0x%04x hook=%u id=%u ",
 			ntohs(ph->hw_protocol), ph->hook, id);
+#endif
 	}
 	
+#ifdef PRINT_INFOS
 	mark = nfq_get_nfmark(tb);
 	if (mark)
 		printf("mark=%u ", mark);
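Review bot: the added `id = ntohl(ph->packet_id);` is placed before `ph = nfq_get_msg_packet_hdr(tb);`, so it dereferences `ph` before the next line assigns it and before the `if (ph)` check guards it. The same assignment already exists inside the `if (ph)` block two lines further down, so the new line should simply be dropped. It is also indented with spaces where the surrounding code uses tabs.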
@@ -40,7 +47,7 @@
 		printf("payload_len=%d ", ret);
 
 	fputc('\n', stdout);
-
+#endif
 	return id;
 }
 	
@@ -49,7 +56,9 @@
 	      struct nfq_data *nfa, void *data)
 {
 	u_int32_t id = print_pkt(nfa);
+#ifdef PRINT_INFOS
 	printf("entering callback\n");
+#endif
 	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
 }
 
@@ -96,12 +105,17 @@
 
 	nh = nfq_nfnlh(h);
 	fd = nfnl_fd(nh);
-
 	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
+#ifdef PRINT_INFOS
 		printf("pkt received\n");
+#endif
 		nfq_handle_packet(h, buf, rv);
 	}
 
+    if (rv<0){
+        printf("got error %d during recv\n",errno);
+    }
+
 	printf("unbinding from queue 0\n");
 	nfq_destroy_queue(qh);
 
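Review bot: the new `if (rv<0)` report only runs after the `while` loop has already exited, so any recv failure, including the error 105 (ENOBUFS) quoted in the message, still falls straight through to `nfq_destroy_queue(qh)`, which is where the reported hang occurs. Consider checking `errno == ENOBUFS` inside the loop and continuing to receive rather than tearing down, and report the failure on stderr with strerror(errno) instead of the bare number. The added lines are indented with spaces where the rest of the function uses tabs.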

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 191 bytes --]


* Re: libnetfilter_queue hang when flooding
  2006-07-29 12:10 libnetfilter_queue hang when flooding Eric Leblond
@ 2006-07-29 15:07 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2006-07-29 15:07 UTC (permalink / raw)
  To: Eric Leblond
  Cc: victor, Netfilter Development Mailinglist, Vincent Deffontaines

Eric Leblond wrote:
> Hi,
> 
> I've proceeded with some stress tests of libnetfilter_queue using hping3.
> 
> ./hping3 -p 5000  --flood localhost
> 
> 
> The main issue is that the recv buffer of the netlink socket gets full.
> We've got error 105 during recv.
> unbinding from queue 0
> 
> I provide a patch to print the error and avoid printf, to be able to test
> the performance of libnetfilter_queue.
> 
> The problem is that when the socket is full we disconnect and try to close
> the queue:
> 	got error 105 during recv.
> 	unbinding from queue 0
> It hangs here. gdb shows that we hang in recvmsg.

It's waiting for an ACK from the kernel ... which doesn't seem to
be very reasonable unless measures are taken in case it doesn't
arrive within some timeframe. So I think you could do one of:

- don't require an ACK
- implement timeouts and retransmissions in case ACK doesn't arrive
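
The second option above (timeouts and retransmissions), as an added example that is not code from this thread or from libnfnetlink. `recv_timeout`, `talk_retry` and `demo` are hypothetical names, an AF_UNIX datagram socketpair stands in for the netlink socket, and matching the ACK against the request's sequence number is left out.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait up to timeout_ms for one datagram; -1 with ETIMEDOUT if none arrives. */
static ssize_t recv_timeout(int fd, void *buf, size_t len, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int n = poll(&pfd, 1, timeout_ms);
	if (n == 0)
		errno = ETIMEDOUT;
	return n > 0 ? recv(fd, buf, len, MSG_DONTWAIT) : -1;
}

/* Send req, await the reply; retransmit on timeout or ENOBUFS (ACK dropped). */
static ssize_t talk_retry(int fd, const void *req, size_t req_len, void *ack,
			  size_t ack_len, int tries, int timeout_ms, int *sent)
{
	ssize_t rv = -1;
	for (*sent = 0; *sent < tries; ) {
		if (send(fd, req, req_len, 0) < 0)
			return -1;
		(*sent)++;
		rv = recv_timeout(fd, ack, ack_len, timeout_ms);
		if (rv >= 0 || (errno != ETIMEDOUT && errno != ENOBUFS))
			break;
	}
	return rv;
}

int demo_sent;	/* transmissions made by the last demo() call */
/* Constructed demo: an AF_UNIX datagram socketpair stands in for the netlink
 * socket. Returns the reply length, or -errno if no reply ever arrives. */
int demo(int peer_acks)
{
	int sv[2], err;
	char ack[16];
	ssize_t rv;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return -errno;
	if (peer_acks)
		(void)send(sv[1], "ACK", 3, 0);	/* reply is already queued */
	rv = talk_retry(sv[0], "UNBIND", 6, ack, sizeof(ack), 3, 50, &demo_sent);
	err = errno;
	close(sv[0]);
	close(sv[1]);
	return rv < 0 ? -err : (int)rv;
}
```

With a bounded wait, a lost ACK turns the indefinite block in recvmsg into an error the caller can handle after a fixed number of attempts.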
