Negative value in /proc/net/netfilter/nfnetlink

All of lore.kernel.org
 help / color / mirror / Atom feed

* Negative value in /proc/net/netfilter/nfnetlink_queue
       [not found] <CAAitQh=ZUM8+8TqO8EFNrT7GL8VThvDje_Vfc4P0e3T60QVpSA@mail.gmail.com>
@ 2013-05-26 10:28 ` Alex Maltinsky
  2013-05-26 10:42   ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Alex Maltinsky @ 2013-05-26 10:28 UTC (permalink / raw)
  To: netfilter-devel

Hi

I've stumbled across the issue on a heavily loaded system that uses
the nfqueue. After a few days, the number of packets wraps around:

root@xxxx ~ # cat /proc/net/netfilter/nfnetlink_queue
    1   2401  1024 2  4096 247495836     0 -894731272  1

The negative value messes up the application layer statistics.

Is this a new issue or has it been fixed in recent versions?

I couldn't find anything in the changelog so I've decided not to
update libnfnetlink since it's an otherwise stable production machine
running a three year old version (0.0.39).
Second, is there a way of getting the correct value besides keeping
track of the number of wraparounds and compensating for them?

Thanks!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Negative value in /proc/net/netfilter/nfnetlink_queue
  2013-05-26 10:28 ` Negative value in /proc/net/netfilter/nfnetlink_queue Alex Maltinsky
@ 2013-05-26 10:42   ` Florian Westphal
  2013-05-26 12:19     ` Alex Maltinsky
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2013-05-26 10:42 UTC (permalink / raw)
  To: Alex Maltinsky; +Cc: netfilter-devel

Alex Maltinsky <maltalex@gmail.com> wrote:
> I've stumbled across the issue on a heavily loaded system that uses
> the nfqueue. After a few days, the number of packets wraps around:
> 
> root@xxxx ~ # cat /proc/net/netfilter/nfnetlink_queue
>     1   2401  1024 2  4096 247495836     0 -894731272  1

-8.... is not the number of packets, its the nfqueue sequence number,
which is a 32bit value (admittingly, it should use %u instead of %d
to avoid the '-' silliness).

> Is this a new issue or has it been fixed in recent versions?

No, it has been like this forever.

> I couldn't find anything in the changelog so I've decided not to
> update libnfnetlink since it's an otherwise stable production machine
> running a three year old version (0.0.39).

Has nothing todo with libnfnetlink, the procfs contents are
from netfilter_queue kernel part.

> Second, is there a way of getting the correct value besides keeping
> track of the number of wraparounds and compensating for them?

If you want to know the number of packets processed by application
you should simply add uint64_t counter in userspace and increment
it per-packet.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Negative value in /proc/net/netfilter/nfnetlink_queue
  2013-05-26 10:42   ` Florian Westphal
@ 2013-05-26 12:19     ` Alex Maltinsky
  2013-05-26 13:42       ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Alex Maltinsky @ 2013-05-26 12:19 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Thanks for the quick reply.

The system I'm dealing often has traffic spikes that cause NFQ packet
drops. So I can't put a counter in userspace because it would miss
dropped packets. Counting dropped packets (as a percentage of the
total number of packets) is the main reason why I'm trying to get the
correct number of packets sent to the NFQ in the first place...

On Sun, May 26, 2013 at 1:42 PM, Florian Westphal <fw@strlen.de> wrote:
> Alex Maltinsky <maltalex@gmail.com> wrote:
>> I've stumbled across the issue on a heavily loaded system that uses
>> the nfqueue. After a few days, the number of packets wraps around:
>>
>> root@xxxx ~ # cat /proc/net/netfilter/nfnetlink_queue
>>     1   2401  1024 2  4096 247495836     0 -894731272  1
>
> -8.... is not the number of packets, its the nfqueue sequence number,
> which is a 32bit value (admittingly, it should use %u instead of %d
> to avoid the '-' silliness).
>
>> Is this a new issue or has it been fixed in recent versions?
>
> No, it has been like this forever.
>
>> I couldn't find anything in the changelog so I've decided not to
>> update libnfnetlink since it's an otherwise stable production machine
>> running a three year old version (0.0.39).
>
> Has nothing todo with libnfnetlink, the procfs contents are
> from netfilter_queue kernel part.
>
>> Second, is there a way of getting the correct value besides keeping
>> track of the number of wraparounds and compensating for them?
>
> If you want to know the number of packets processed by application
> you should simply add uint64_t counter in userspace and increment
> it per-packet.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Negative value in /proc/net/netfilter/nfnetlink_queue
  2013-05-26 12:19     ` Alex Maltinsky
@ 2013-05-26 13:42       ` Florian Westphal
  2013-05-26 13:43         ` Alex Maltinsky
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2013-05-26 13:42 UTC (permalink / raw)
  To: Alex Maltinsky; +Cc: Florian Westphal, netfilter-devel

Alex Maltinsky <maltalex@gmail.com> wrote:
> The system I'm dealing often has traffic spikes that cause NFQ packet
> drops. So I can't put a counter in userspace because it would miss
> dropped packets. Counting dropped packets (as a percentage of the
> total number of packets) is the main reason why I'm trying to get the
> correct number of packets sent to the NFQ in the first place...

As i said, there is no kernel counter that increments per-packet
delivery, except the queue packet id, which is only 32bit (and this
cannot be changed).

You could use the iptables rule count of your 'NFQUEUE' rules,
though since these will increment for every packet (and they're 64bit).

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Negative value in /proc/net/netfilter/nfnetlink_queue
  2013-05-26 13:42       ` Florian Westphal
@ 2013-05-26 13:43         ` Alex Maltinsky
  0 siblings, 0 replies; 5+ messages in thread
From: Alex Maltinsky @ 2013-05-26 13:43 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Ok, thanks a lot.

On Sun, May 26, 2013 at 4:42 PM, Florian Westphal <fw@strlen.de> wrote:
> Alex Maltinsky <maltalex@gmail.com> wrote:
>> The system I'm dealing often has traffic spikes that cause NFQ packet
>> drops. So I can't put a counter in userspace because it would miss
>> dropped packets. Counting dropped packets (as a percentage of the
>> total number of packets) is the main reason why I'm trying to get the
>> correct number of packets sent to the NFQ in the first place...
>
> As i said, there is no kernel counter that increments per-packet
> delivery, except the queue packet id, which is only 32bit (and this
> cannot be changed).
>
> You could use the iptables rule count of your 'NFQUEUE' rules,
> though since these will increment for every packet (and they're 64bit).

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2013-05-26 13:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CAAitQh=ZUM8+8TqO8EFNrT7GL8VThvDje_Vfc4P0e3T60QVpSA@mail.gmail.com>
2013-05-26 10:28 ` Negative value in /proc/net/netfilter/nfnetlink_queue Alex Maltinsky
2013-05-26 10:42   ` Florian Westphal
2013-05-26 12:19     ` Alex Maltinsky
2013-05-26 13:42       ` Florian Westphal
2013-05-26 13:43         ` Alex Maltinsky

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.