Do nfnl_query and nfnl_catch are blocking fuctions ?

Do nfnl_query and nfnl_catch are blocking fuctions ?

[Nishit Shah]

Hi,
                Is it possible that on high rate of conntrack
addition/deletion/updation, nfnl_query or nfnl_catch, If space is not
available at the sending socket these fuctions will block as they are using
sendto and recvmsg calls ?

Rgds,
Nishit Shah. 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Do nfnl_query and nfnl_catch are blocking fuctions ?

[Pablo Neira Ayuso]

Nishit Shah wrote:
> Hi,
>                 Is it possible that on high rate of conntrack
> addition/deletion/updation, nfnl_query or nfnl_catch, If space is not
> available at the sending socket these fuctions will block as they are using
> sendto and recvmsg calls ?

What kind of behaviour are you observing? Please elaborate.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

RE: Do nfnl_query and nfnl_catch are blocking fuctions ?

[Nishit Shah]

Yes,
	I am using libnetfilter_conntrack for adding expected connection
through Application Proxies. Now, sometimes my proxy hangs and when I do gdb
on the core generated, recvmsg call is in waiting mode.

	I have changed libnetfilter_conntrack slightly to make it single
socket for my Proxy. I do nfct_open at time of proxy start, do
nfct_create_expectation every time request comes and nfct_close when proxy
ends.

Rgds,
Nishit Shah.    

-----Original Message-----
From: netfilter-devel-owner@vger.kernel.org
[mailto:netfilter-devel-owner@vger.kernel.org] On Behalf Of Pablo Neira
Ayuso
Sent: Thursday, March 13, 2008 10:06 PM
To: Nishit Shah
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Do nfnl_query and nfnl_catch are blocking fuctions ?

Nishit Shah wrote:
> Hi,
>                 Is it possible that on high rate of conntrack
> addition/deletion/updation, nfnl_query or nfnl_catch, If space is not
> available at the sending socket these fuctions will block as they are
using
> sendto and recvmsg calls ?

What kind of behaviour are you observing? Please elaborate.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Do nfnl_query and nfnl_catch are blocking fuctions ?

[Pablo Neira Ayuso]

Nishit Shah wrote:
> Yes,
> 	I am using libnetfilter_conntrack for adding expected connection
> through Application Proxies. Now, sometimes my proxy hangs and when I do gdb
> on the core generated, recvmsg call is in waiting mode.

Does this happen under heavy load? Probably the ack message from netlink
is getting lost. You can change the socket behaviour accessing the
descriptor with nfct_fd(...)

> 	I have changed libnetfilter_conntrack slightly to make it single
> socket for my Proxy. I do nfct_open at time of proxy start, do
> nfct_create_expectation every time request comes and nfct_close when proxy
> ends.

BTW, not directly related but I suggest you to if you move to the new
API, the old one is deprecated and broken in some specific aspects.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers