What happens to netfilter during end-of-day?

What happens to netfilter during end-of-day?

[Alessandro Vesely]

Hi,

I have a netfilter daemon that makes a looping call to mnl_socket_recvfrom() 
and quickly examines packet headers. It only stops when it's rebooted. However, 
almost every day it receives an ENOBUFS error, just once, around 4 AM, while 
running cron.daily.

I haven't found any useful logs from around the same time that explain what's 
happening. Does anyone have more information?


TIA
Ale
-- 

Re: What happens to netfilter during end-of-day?

[Pablo Neira Ayuso]

On Wed, Jan 14, 2026 at 11:14:49AM +0100, Alessandro Vesely wrote:
> Hi,
> 
> I have a netfilter daemon that makes a looping call to mnl_socket_recvfrom()
> and quickly examines packet headers. It only stops when it's rebooted.
> However, almost every day it receives an ENOBUFS error, just once, around 4
> AM, while running cron.daily.
> 
> I haven't found any useful logs from around the same time that explain
> what's happening. Does anyone have more information?

Where is your program? It sound like it is buggy?

Re: What happens to netfilter during end-of-day?

[Alessandro Vesely]

On Thu 15/Jan/2026 01:52:14 +0100 Pablo Neira Ayuso wrote:
> On Wed, Jan 14, 2026 at 11:14:49AM +0100, Alessandro Vesely wrote:
>> 
>> I have a netfilter daemon that makes a looping call to mnl_socket_recvfrom()
>> and quickly examines packet headers. It only stops when it's rebooted.
>> However, almost every day it receives an ENOBUFS error, just once, around 4
>> AM, while running cron.daily.
>> 
>> I haven't found any useful logs from around the same time that explain
>> what's happening. Does anyone have more information?
> 
> Where is your program? It sound like it is buggy?


The program is part of ipqbdb[*].  The daemon I'm running is slightly different 
from the released one.  I copied its source here, if you'd like to have a look 
at it:
https://www.tana.it/ibd-judge.c
https://www.tana.it/setsig_func.h

The include file is for setting signals.  (Another daemon in the package, the 
log parser, catches USR1.  Normally, no signals are sent to ibd-judge.)

The daemon spends its time in a daemon_loop(), calling mnl_cb_run().  I launch 
the daemon with arguments "q0s" and "q2dm4", which means block source IP in 
queue 0, mark with value 4 destination IP in queue 2.

Can you spot bugs?

Best
Ale

-- 
[*] https://savannah.nongnu.org/projects/ipqbdb/

Re: What happens to netfilter during end-of-day?

[Alessandro Vesely]

I just asked it on superuser:
https://superuser.com/questions/1935167/netfilter-hiccup-during-cron-daily-procedure

Best
Ale

On Thu 15/Jan/2026 12:37:49 +0100 Alessandro Vesely wrote:
> On Thu 15/Jan/2026 01:52:14 +0100 Pablo Neira Ayuso wrote:
>> On Wed, Jan 14, 2026 at 11:14:49AM +0100, Alessandro Vesely wrote:
>>>
>>> I have a netfilter daemon that makes a looping call to mnl_socket_recvfrom()
>>> and quickly examines packet headers. It only stops when it's rebooted.
>>> However, almost every day it receives an ENOBUFS error, just once, around 4
>>> AM, while running cron.daily.
>>>
>>> I haven't found any useful logs from around the same time that explain
>>> what's happening. Does anyone have more information?
>>
>> Where is your program? It sound like it is buggy?
> 
> 
> The program is part of ipqbdb[*].  The daemon I'm running is slightly different 
> from the released one.  I copied its source here, if you'd like to have a look 
> at it:
> https://www.tana.it/ibd-judge.c
> https://www.tana.it/setsig_func.h
> 
> The include file is for setting signals.  (Another daemon in the package, the 
> log parser, catches USR1.  Normally, no signals are sent to ibd-judge.)
> 
> The daemon spends its time in a daemon_loop(), calling mnl_cb_run().  I launch 
> the daemon with arguments "q0s" and "q2dm4", which means block source IP in 
> queue 0, mark with value 4 destination IP in queue 2.
> 
> Can you spot bugs?
> 
> Best
> Ale
>