From: Florian Westphal <fw@strlen.de>
To: Andreas Schultz <aschultz@tpip.net>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: nftables queue target aborts rules processing unconditionally
Date: Fri, 3 Mar 2017 17:01:49 +0100 [thread overview]
Message-ID: <20170303160149.GI29213@breakpoint.cc> (raw)
In-Reply-To: <323159116.287095.1488556655720.JavaMail.zimbra@tpip.net>
Andreas Schultz <aschultz@tpip.net> wrote:
> ok, somewhat unexpected (or rather undocumented), but I can live
> with that.
>
> I've now experimented with NF_REPEAT to achieve something similar.
> Can I assume that NF_REPEAT should restart the current "netfilter hook*?
Yes.
> e.g. when we are somewhere in FILTER FORWARD, it will restart with the
> first rule of that hook?
It restarts the hook, yes.
> My experiments show that this works with nft when I don't modify the
> ruleset. However, when I modify the ruleset before returning NF_REPEAT,
> the packet will skip the current hook completely.
Hmm, that shouldn't happen.
REPEAT should always just re-start the current hook.
If that hook gets deleted (and possibly re-created) while packet was
queued the kernel is supposed to drop the packet.
> I don't modify the chain the packet is currently traversing. I only add
> new chains and modify the vmap.
The netfilter infrastructure is a layer below nftables/iptables so it
is not even aware of rule set modifications.
> >> It also appears as if the nft trace infrastructure does not now how to
> >> deal with queues. The above rules lead to this annotated trace output:
> >>
> >> > trace id 10d53daf ip filter client_to_any packet: iif "upstream" oif "ens256"
> >> > ether saddr 00:50:56:96:9b:1c ether daddr 00:0c:29:46:1f:53 ether type ip6
> >>
> >> That's rule #11... Where is the hit on the queue rule and the return??
> >
> > No idea, I will have a closer look next week.
> > Glancing at the code it should work just fine.
>
> There might a event buffering issue. I have now sometimes seen the queueing
> trace. At other times the event is lost. So maybe the netlink buffer is not
> large enough?
How many events are there...?
If there aren't hundreds of events going on that really should not be an
issue.
next prev parent reply other threads:[~2017-03-03 16:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-03 15:01 nftables queue target aborts rules processing unconditionally Andreas Schultz
2017-03-03 15:41 ` Florian Westphal
2017-03-03 15:57 ` Andreas Schultz
2017-03-03 16:01 ` Florian Westphal [this message]
2017-03-03 16:24 ` Andreas Schultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170303160149.GI29213@breakpoint.cc \
--to=fw@strlen.de \
--cc=aschultz@tpip.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.