From: "Fabien C." <7o5fzvj4duxjxzp@jetable.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: libnetfilter_queue: Some accepted packets get lost
Date: Thu, 10 Mar 2011 22:21:18 +0100
Message-ID: <4D7940CE.8080602@jetable.org>
In-Reply-To: <4D78D77E.6040703@netfilter.org>
>> perhaps you're hitting this problem?:
>> http://marc.info/?l=netfilter-devel&m=129016166319433&w=2
>> It triggers when you receive a 2nd UDP packet with the same
>> address/port pair while the 1st packet is still queued.
>
> Fabien, to confirm that this is the problem, please use the following rule:
> iptables -A OUTPUT -t raw -p udp --dport 53 -j NFQUEUE --queue-num 666
> and retest. Let us know if that fixed it.

Yes, that fixed it, thank you for the information!

It's just a bit sad not being able to use conntracking; it avoided some packets
going through userland once one had already been accepted on the same source
IP/port.

Do you think it's not technically possible to fix that race condition in a
proper way?

Fabien