Question about nfnl_handle_packet/nfnl_process error handling

Question about nfnl_handle_packet/nfnl_process error handling

[Florian Westphal]

libnetfilter_queue has:

int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)
{
   return nfnl_handle_packet(h->nfnlh, buf, len);
}

When an error occurs, for example because a verdict for a bogus packet id was
sent, nfq_handle_packet/nfnl_handle_packet returns -1 with errno == 0.

Using nfnl_process() instead of nfq_handle_packet() sets errno to the expected
ENOENT.

Does anyone know if nfq_handle_packet() "errno 0" behaviour is intentional?
Should I just ignore nfq_handle_packet() return value?
What about deprecating nfnl_handle_packet() and using nfnl_process()
instead?

Thanks,
Florian

Re: Question about nfnl_handle_packet/nfnl_process error handling

[Pablo Neira Ayuso]

Hi Florian,

On Thu, Feb 16, 2012 at 03:15:46PM +0100, Florian Westphal wrote:
> libnetfilter_queue has:
> 
> int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)
> {
>    return nfnl_handle_packet(h->nfnlh, buf, len);
> }
> 
> When an error occurs, for example because a verdict for a bogus packet id was
> sent, nfq_handle_packet/nfnl_handle_packet returns -1 with errno == 0.
> 
> Using nfnl_process() instead of nfq_handle_packet() sets errno to the expected
> ENOENT.
> 
> Does anyone know if nfq_handle_packet() "errno 0" behaviour is intentional?

The initial libnfnetlink API did not set errno, nfnl_handle_packet is
part of that old API.

nfnl_process was added later to try to resolve some limitations by
2006 IIRC.

libmnl provide a neat new API. We have to move to it.

> Should I just ignore nfq_handle_packet() return value?
> What about deprecating nfnl_handle_packet() and using nfnl_process()
> instead?

I have ported libnetfilter_queue to libmnl, I need some spare time to
push the new API to the repository. I'll be happy if you spend some
time looking at it to find some possible issues, the idea is that the
new API resolves the existing API limitations.

Re: Question about nfnl_handle_packet/nfnl_process error handling

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > When an error occurs, for example because a verdict for a bogus packet id was
> > sent, nfq_handle_packet/nfnl_handle_packet returns -1 with errno == 0.
> > 
> > Using nfnl_process() instead of nfq_handle_packet() sets errno to the expected
> > ENOENT.
> > 
> > Does anyone know if nfq_handle_packet() "errno 0" behaviour is intentional?
> 
> The initial libnfnetlink API did not set errno, nfnl_handle_packet is
> part of that old API.
> 
> nfnl_process was added later to try to resolve some limitations by
> 2006 IIRC.

Ah.  That explains it, thanks.

> > Should I just ignore nfq_handle_packet() return value?
> > What about deprecating nfnl_handle_packet() and using nfnl_process()
> > instead?
> 
> I have ported libnetfilter_queue to libmnl, I need some spare time to
> push the new API to the repository. I'll be happy if you spend some
> time looking at it to find some possible issues, the idea is that the
> new API resolves the existing API limitations.

Nice work. I'd be happy to test and review it.

Thanks, Florian