* [RFC] [PATCH 1/4] netfilter: Define FAILOPEN flag
From: Krishna Kumar @ 2012-05-07 6:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: svajipay, vivk, Krishna Kumar, sri
Define a new verdict: FAIL_OPEN
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
include/linux/netfilter.h | 1 +
1 file changed, 1 insertion(+)
diff -ruNp org/include/linux/netfilter.h new/include/linux/netfilter.h
--- org/include/linux/netfilter.h 2012-05-07 09:20:53.763813313 +0530
+++ new/include/linux/netfilter.h 2012-05-07 09:20:53.738752088 +0530
@@ -30,6 +30,7 @@
#define NF_VERDICT_MASK 0x000000ff
/* extra verdict flags have mask 0x0000ff00 */
+#define NF_VERDICT_FLAG_FAIL_OPEN 0x00004000
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000
/* queue number (NF_QUEUE) or errno (NF_DROP) */
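Review bot: the new NF_VERDICT_FLAG_FAIL_OPEN define has no comment explaining its semantics; add a one-line comment stating that, when the queue handler reports a full queue, the packet continues via okfn() instead of being dropped, i.e. it is accepted without the userspace inspection the rule requested. Stating that trade-off at the definition site lets rule authors and reviewers see what the bit actually does, and the 0x4000 value should also be checked against the "extra verdict flags have mask 0x0000ff00" comment whenever further bits are added.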
^ permalink raw reply [flat|nested] 11+ messages in thread
* [RFC] [PATCH 2/4] netfilter: Add new argument to enqueue handlers
From: Krishna Kumar @ 2012-05-07 6:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: svajipay, vivk, Krishna Kumar, sri
Add a new argument to enqueue handlers. Change handlers to return
>0 value to signify "failopen". This value is not passed up the
stack but intercepted by nf_queue() which calls okfn() and returns
0 to upper layers. This also means ipqueue should return 0 and not
skb->len on success.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
include/net/netfilter/nf_queue.h | 3 ++-
net/ipv4/netfilter/ip_queue.c | 5 +++--
net/ipv6/netfilter/ip6_queue.c | 5 +++--
net/netfilter/nf_queue.c | 2 +-
net/netfilter/nfnetlink_queue.c | 18 ++++++++++++------
5 files changed, 21 insertions(+), 12 deletions(-)
diff -ruNp org/include/net/netfilter/nf_queue.h new/include/net/netfilter/nf_queue.h
--- org/include/net/netfilter/nf_queue.h 2012-05-07 09:20:53.740752995 +0530
+++ new/include/net/netfilter/nf_queue.h 2012-05-07 09:20:53.818751053 +0530
@@ -20,7 +20,8 @@ struct nf_queue_entry {
/* Packet queuing */
struct nf_queue_handler {
int (*outfn)(struct nf_queue_entry *entry,
- unsigned int queuenum);
+ unsigned int queuenum,
+ int failopen);
char *name;
};
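Review bot: `int failopen` reads as a boolean here, but later in this series nf_queue() forwards the raw `verdict & NF_VERDICT_FLAG_FAIL_OPEN` bit through an `int flags` argument, so the callback actually receives a flag mask (0x4000 or 0). Either name the parameter `flags` and test the bit explicitly in the handlers, or normalise it to 0/1 before the call, so that the two prototypes agree and a future second flag cannot be mistaken for fail-open.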
diff -ruNp org/net/ipv4/netfilter/ip_queue.c new/net/ipv4/netfilter/ip_queue.c
--- org/net/ipv4/netfilter/ip_queue.c 2012-05-07 09:20:53.750813313 +0530
+++ new/net/ipv4/netfilter/ip_queue.c 2012-05-07 09:20:53.821751520 +0530
@@ -225,7 +225,8 @@ nlmsg_failure:
}
static int
-ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+ int failopen)
{
int status = -EINVAL;
struct sk_buff *nskb;
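Review bot: `failopen` is added to ipq_enqueue_packet()'s signature but is never read in the function, so a rule with fail-open set whose handler is ip_queue still drops on a full queue. If ip_queue is intentionally left without fail-open for now (the cover letter mentions an IPQUEUE patch being held back), say so in the commit message or mark the argument unused; otherwise its queue-full path needs the same positive-return treatment as nfnetlink_queue.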
@@ -262,7 +263,7 @@ ipq_enqueue_packet(struct nf_queue_entry
__ipq_enqueue_entry(entry);
spin_unlock_bh(&queue_lock);
- return status;
+ return 0;
err_out_free_nskb:
kfree_skb(nskb);
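Review bot: `return 0` replaces the positive value previously carried in `status` (the skb->len the commit message refers to), which is intentional so that >0 can be reserved for the fail-open signal; add a one-line comment at this return stating that convention, since a reader seeing `int status = -EINVAL` at the top of the function will not guess why the success value is no longer returned.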
diff -ruNp org/net/ipv6/netfilter/ip6_queue.c new/net/ipv6/netfilter/ip6_queue.c
--- org/net/ipv6/netfilter/ip6_queue.c 2012-05-07 09:20:53.749814751 +0530
+++ new/net/ipv6/netfilter/ip6_queue.c 2012-05-07 09:20:53.819751460 +0530
@@ -225,7 +225,8 @@ nlmsg_failure:
}
static int
-ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+ int failopen)
{
int status = -EINVAL;
struct sk_buff *nskb;
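Review bot: as in the ip_queue.c hunk, `failopen` is added to the ip6_queue prototype but never used in the function body, so IPv6 ip_queue users get no fail-open behaviour on a full queue; either honour it on the queue-full path or document that ip6_queue deliberately ignores the flag.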
@@ -262,7 +263,7 @@ ipq_enqueue_packet(struct nf_queue_entry
__ipq_enqueue_entry(entry);
spin_unlock_bh(&queue_lock);
- return status;
+ return 0;
err_out_free_nskb:
kfree_skb(nskb);
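Review bot: same comment as for ip_queue.c: `return 0` drops the positive value previously returned in `status`; a one-line comment that >0 is now reserved for the fail-open signal would make the change self-explaining.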
diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
--- org/net/netfilter/nfnetlink_queue.c 2012-05-07 09:20:53.757813707 +0530
+++ new/net/netfilter/nfnetlink_queue.c 2012-05-07 09:20:53.830751555 +0530
@@ -401,7 +401,8 @@ nla_put_failure:
}
static int
-nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+ int failopen)
{
struct sk_buff *nskb;
struct nfqnl_instance *queue;
@@ -432,11 +433,16 @@ nfqnl_enqueue_packet(struct nf_queue_ent
goto err_out_free_nskb;
}
if (queue->queue_total >= queue->queue_maxlen) {
- queue->queue_dropped++;
- if (net_ratelimit())
- printk(KERN_WARNING "nf_queue: full at %d entries, "
- "dropping packets(s).\n",
- queue->queue_total);
+ if (failopen) {
+ /* Accept the packet temporarily skipping rules */
+ err = 1;
+ } else {
+ queue->queue_dropped++;
+ if (net_ratelimit())
+ printk(KERN_WARNING "nf_queue: full at %d "
+ "entries, dropping packets(s).\n",
+ queue->queue_total);
+ }
goto err_out_free_nskb;
}
entry->id = ++queue->id_sequence;
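Review bot: the fail-open branch increments no counter and logs nothing, whereas the drop branch keeps queue_dropped and emits a ratelimited warning, so once this is deployed an operator has no way to tell how many packets were passed on without inspection. Add a queue_failopen counter next to queue_dropped, and report it wherever queue_dropped is reported, so that bypass of the inspection path under load is detectable. The comment "skipping rules" is also imprecise: returning 1 makes nf_queue() call okfn() directly, which skips the rest of the hook chain and the userspace verdict, not just rules.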
diff -ruNp org/net/netfilter/nf_queue.c new/net/netfilter/nf_queue.c
--- org/net/netfilter/nf_queue.c 2012-05-07 09:20:53.754813853 +0530
+++ new/net/netfilter/nf_queue.c 2012-05-07 10:15:51.882590018 +0530
@@ -185,7 +185,7 @@ static int __nf_queue(struct sk_buff *sk
#endif
skb_dst_force(skb);
afinfo->saveroute(skb, entry);
- status = qh->outfn(entry, queuenum);
+ status = qh->outfn(entry, queuenum, 0);
rcu_read_unlock();
* [RFC] [PATCH 3/4] netfilter: Add support for failopen in nf_queue()
From: Krishna Kumar @ 2012-05-07 6:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: svajipay, vivk, Krishna Kumar, sri
Pass FAILOPEN flags, add support for fail-open, add support for
GSO skb. If __nf_queue() returns >0 to indicate fail-open, we
call okfn() immediately and return 0 to caller.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
net/netfilter/core.c | 4 ++
net/netfilter/nf_internals.h | 3 +-
net/netfilter/nf_queue.c | 47 ++++++++++++++++++++++++---------
3 files changed, 40 insertions(+), 14 deletions(-)
diff -ruNp org/net/netfilter/core.c new/net/netfilter/core.c
--- org/net/netfilter/core.c 2012-05-07 09:20:53.828751916 +0530
+++ new/net/netfilter/core.c 2012-05-07 09:20:53.868813999 +0530
@@ -192,7 +192,9 @@ next_hook:
ret = -EPERM;
} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
int err = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
- verdict >> NF_VERDICT_QBITS);
+ verdict >> NF_VERDICT_QBITS,
+ verdict & NF_VERDICT_FLAG_FAIL_OPEN);
+
if (err < 0) {
if (err == -ECANCELED)
goto next_hook;
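Review bot: the stray blank `+` line after the nf_queue() call is whitespace noise and should be dropped. More importantly, the `if (err < 0)` handling below now also runs for the fail-open case, in which nf_queue() has already handed skb to okfn(); nf_queue() must therefore never return a negative value on that path, otherwise any error handling here that drops or frees skb acts on a packet the stack already owns.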
diff -ruNp org/net/netfilter/nf_internals.h new/net/netfilter/nf_internals.h
--- org/net/netfilter/nf_internals.h 2012-05-07 09:20:53.827751461 +0530
+++ new/net/netfilter/nf_internals.h 2012-05-07 09:20:53.867814083 +0530
@@ -29,7 +29,8 @@ extern int nf_queue(struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum);
+ unsigned int queuenum,
+ int flags);
extern int __init netfilter_queue_init(void);
/* nf_log.c */
diff -ruNp org/net/netfilter/nf_queue.c new/net/netfilter/nf_queue.c
--- org/net/netfilter/nf_queue.c 2012-05-07 10:15:51.882590018 +0530
+++ new/net/netfilter/nf_queue.c 2012-05-07 09:20:53.866762950 +0530
@@ -123,7 +123,8 @@ static int __nf_queue(struct sk_buff *sk
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum)
+ unsigned int queuenum,
+ int flags)
{
int status = -ENOENT;
struct nf_queue_entry *entry = NULL;
@@ -185,11 +186,11 @@ static int __nf_queue(struct sk_buff *sk
#endif
skb_dst_force(skb);
afinfo->saveroute(skb, entry);
- status = qh->outfn(entry, queuenum, 0);
+ status = qh->outfn(entry, queuenum, flags);
rcu_read_unlock();
- if (status < 0) {
+ if (status) {
nf_queue_entry_release_refs(entry);
goto err;
}
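Review bot: `if (status)` now sends a positive fail-open status through the same exit as a real failure, releasing the entry's refs and returning the positive value with skb left intact for the caller to pass to okfn(); that is the intended contract, but it is stated nowhere. Add a comment here (and on the handler prototype) that >0 means "not queued, caller passes the skb on" and <0 means "not queued, caller disposes of the skb", since the two paths look identical at this point.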
@@ -230,15 +231,25 @@ int nf_queue(struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum)
+ unsigned int queuenum,
+ int flags)
{
struct sk_buff *segs;
int err = -EINVAL;
unsigned int queued;
- if (!skb_is_gso(skb))
- return __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
- queuenum);
+ if (!skb_is_gso(skb)) {
+ err = __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
+ queuenum, flags);
+ if (err > 0) {
+ /* Queue failed due to queue-full and handler
+ * returned >0 indicating fail-open - temporarily
+ * accept packets.
+ */
+ err = okfn(skb);
+ }
+ return err;
+ }
switch (pf) {
case NFPROTO_IPV4:
@@ -266,16 +277,28 @@ int nf_queue(struct sk_buff *skb,
if (err == 0) {
nf_bridge_adjust_segmented_data(segs);
err = __nf_queue(segs, elem, pf, hook, indev,
- outdev, okfn, queuenum);
+ outdev, okfn, queuenum, flags);
}
- if (err == 0)
+
+ if (err == 0) {
queued++;
- else
+ } else if (err > 0) {
+ /* Queue failed due to queue-full and handler
+ * returned >0 indicating fail-open - accept
+ * this and remaining segments.
+ */
+ okfn(segs);
+ } else {
+ /* Queue failed due to queue-full and handler
+ * returned <0 - free this and remaining skb
+ * segments.
+ */
kfree_skb(segs);
+ }
segs = nskb;
} while (segs);
- if (queued) {
+ if (queued || err > 0) {
kfree_skb(skb);
return 0;
}
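Review bot: segments handed to okfn() in the new `err > 0` branch after the first fail-open never go through nf_bridge_adjust_segmented_data(), because that call sits inside the `if (err == 0)` guard that is skipped once err is positive; for bridged traffic those segments reach okfn() without the adjustment the first segment received. Move the adjust call ahead of the `if (err == 0)` test, or call it in the fail-open branch. Also, once fail-open has triggered, the remaining segments are passed on without any further attempt to queue them; if that is intended (to keep the segments in order), say so in the comment, since it differs from "accept when the queue is full" on a per-packet basis.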
@@ -325,7 +348,7 @@ void nf_reinject(struct nf_queue_entry *
case NF_QUEUE:
err = __nf_queue(skb, elem, entry->pf, entry->hook,
entry->indev, entry->outdev, entry->okfn,
- verdict >> NF_VERDICT_QBITS);
+ verdict >> NF_VERDICT_QBITS, 0);
if (err < 0) {
if (err == -ECANCELED)
goto next_hook;
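Review bot: nf_reinject() passes a constant 0 for flags, so a packet that userspace re-queues with an NF_QUEUE verdict is queued without fail-open even if the original rule asked for it, and on a full queue it is dropped. If that is deliberate (userspace chose to re-queue, so it should see the drop), add a comment; otherwise forward `verdict & NF_VERDICT_FLAG_FAIL_OPEN` here as nf_hook_slow() does.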
* [RFC] [PATCH 4/4] netfilter: Enable fail-open
From: Krishna Kumar @ 2012-05-07 6:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: svajipay, vivk, Krishna Kumar, sri
Define xt_NFQ_info_v3 to get fail-open argument from iptables. Also
enable FAIL_OPEN.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
include/linux/netfilter/xt_NFQUEUE.h | 7 +++++++
net/netfilter/xt_NFQUEUE.c | 19 +++++++++++++++++++
2 files changed, 26 insertions(+)
diff -ruNp org/include/linux/netfilter/xt_NFQUEUE.h new/include/linux/netfilter/xt_NFQUEUE.h
--- org/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 10:17:28.117870787 +0530
+++ new/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 09:20:53.783813702 +0530
@@ -26,4 +26,11 @@ struct xt_NFQ_info_v2 {
__u16 bypass;
};
+struct xt_NFQ_info_v3 {
+ __u16 queuenum;
+ __u16 queues_total;
+ __u16 bypass;
+ __u16 fail_open;
+};
+
#endif /* _XT_NFQ_TARGET_H */
diff -ruNp org/net/netfilter/xt_NFQUEUE.c new/net/netfilter/xt_NFQUEUE.c
--- org/net/netfilter/xt_NFQUEUE.c 2012-05-07 09:20:53.871815019 +0530
+++ new/net/netfilter/xt_NFQUEUE.c 2012-05-07 09:20:53.808751034 +0530
@@ -94,6 +94,17 @@ nfqueue_tg_v2(struct sk_buff *skb, const
return ret;
}
+static unsigned int
+nfqueue_tg_v3(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ const struct xt_NFQ_info_v3 *info = par->targinfo;
+ unsigned int ret = nfqueue_tg_v1(skb, par);
+
+ if (info->fail_open)
+ ret |= NF_VERDICT_FLAG_FAIL_OPEN;
+ return ret;
+}
+
static int nfqueue_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_NFQ_info_v2 *info = par->targinfo;
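Review bot: nfqueue_tg_v3() builds on nfqueue_tg_v1() and only ORs in the fail-open flag, so the `bypass` member carried in xt_NFQ_info_v3 is never consulted; a revision 3 rule with both bypass and fail_open set silently loses bypass. Build on nfqueue_tg_v2() (which handles bypass) or test info->bypass here as well.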
@@ -144,6 +155,14 @@ static struct xt_target nfqueue_tg_reg[]
.targetsize = sizeof(struct xt_NFQ_info_v2),
.me = THIS_MODULE,
},
+ {
+ .name = "NFQUEUE",
+ .revision = 3,
+ .family = NFPROTO_UNSPEC,
+ .target = nfqueue_tg_v3,
+ .targetsize = sizeof(struct xt_NFQ_info_v3),
+ .me = THIS_MODULE,
+ },
};
static int __init nfqueue_tg_init(void)
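Review bot: the revision 3 registration has no .checkentry, while nfqueue_tg_check() above validates a struct xt_NFQ_info_v2 whose leading fields xt_NFQ_info_v3 shares; a revision 3 rule therefore skips whatever validation nfqueue_tg_check() applies to revision 2. Attach nfqueue_tg_check (it reads only fields common to both layouts) or add a v3 variant, and note that the missing bypass handling in nfqueue_tg_v3() makes the two revisions diverge in behaviour as well.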
* Re: [RFC] [PATCH 4/4] netfilter: Enable fail-open
From: Florian Westphal @ 2012-05-07 7:56 UTC (permalink / raw)
To: Krishna Kumar; +Cc: netfilter-devel, svajipay, vivk, sri
Krishna Kumar <krkumar2@in.ibm.com> wrote:
> Define xt_NFQ_info_v3 to get fail-open argument from iptables. Also
> enable FAIL_OPEN.
>
> Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
> diff -ruNp org/include/linux/netfilter/xt_NFQUEUE.h new/include/linux/netfilter/xt_NFQUEUE.h
> --- org/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 10:17:28.117870787 +0530
> +++ new/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 09:20:53.783813702 +0530
> @@ -26,4 +26,11 @@ struct xt_NFQ_info_v2 {
> __u16 bypass;
> };
>
> +struct xt_NFQ_info_v3 {
> + __u16 queuenum;
> + __u16 queues_total;
> + __u16 bypass;
> + __u16 fail_open;
> +};
Minor nit:
This shouldn't be necessary; bypass is always 0 or 1.
You could just rename it to "options" or something
like that. Would also mean that you could have the v2 target
revision use the same target callback as v3 (since struct layout would
be the same).
* Re: [RFC] [PATCH 4/4] netfilter: Enable fail-open
From: Pablo Neira Ayuso @ 2012-05-07 9:04 UTC (permalink / raw)
To: Florian Westphal; +Cc: Krishna Kumar, netfilter-devel, svajipay, vivk, sri
On Mon, May 07, 2012 at 09:56:47AM +0200, Florian Westphal wrote:
> Krishna Kumar <krkumar2@in.ibm.com> wrote:
> > Define xt_NFQ_info_v3 to get fail-open argument from iptables. Also
> > enable FAIL_OPEN.
> >
> > Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
> > diff -ruNp org/include/linux/netfilter/xt_NFQUEUE.h new/include/linux/netfilter/xt_NFQUEUE.h
> > --- org/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 10:17:28.117870787 +0530
> > +++ new/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 09:20:53.783813702 +0530
> > @@ -26,4 +26,11 @@ struct xt_NFQ_info_v2 {
> > __u16 bypass;
> > };
> >
> > +struct xt_NFQ_info_v3 {
> > + __u16 queuenum;
> > + __u16 queues_total;
> > + __u16 bypass;
> > + __u16 fail_open;
> > +};
>
> Minor nit:
>
> This shouldn't be necessary; bypass is always 0 or 1.
> You could just rename it to "options" or something
> like that. Would also mean that you could have the v2 target
> revision use the same target callback as v3 (since struct layout would
> be the same).
Yes, something like "flags" can make it.
Where flag (1 << 0) is bypass to ensure backward compatibility.
* Re: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
From: Florian Westphal @ 2012-05-07 8:10 UTC (permalink / raw)
To: Krishna Kumar; +Cc: netfilter-devel, svajipay, vivk, sri
Krishna Kumar <krkumar2@in.ibm.com> wrote:
> Many users of an IBM security product, which uses netfilter's NFQUEUE
> target to process packets in userspace, face a problem of dropped
> connections during heavy load. Incoming packets are queued and
> processed by the security module, which does deep packet analysis to
> decide whether to accept or reject them. However during heavy load,
> NFQUEUE queue (default 1024 entries) fills up and connections fail
> after large number of packets drop during enqueue. Increasing the
> queue size delays the problem and also worsens latency.
>
> This patch set implements a "failopen" support to help keep connections
> open during such failures. This is achieved by allowing acceptance of
> packets temporarily when the queue is full, which enables existing
> connections to be kept alive. Customers prefer this option as similar
> feature is available on other systems.
>
> This patch set implements failopen for NFQUEUE (though a similar patch
> for IPQUEUE is also implemented but not submitted at this time). I will
> submit the iptables changes which controls turning failopen mode on/off
> later. The original requirement for sysctl option is not implemented -
> please let me know whether that is acceptable/preferable.
I think that exposing this feature as userspace-changeable via netlink
(eg. by adding "NFQA_CFG_FAILOPEN" attribute) rather than via ruleset
would make most sense, as only the application can know whether it
can cope with missing packets.
* Re: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
From: Pablo Neira Ayuso @ 2012-05-07 9:14 UTC (permalink / raw)
To: Florian Westphal; +Cc: Krishna Kumar, netfilter-devel, svajipay, vivk, sri
On Mon, May 07, 2012 at 10:10:29AM +0200, Florian Westphal wrote:
> Krishna Kumar <krkumar2@in.ibm.com> wrote:
> > Many users of an IBM security product, which uses netfilter's NFQUEUE
> > target to process packets in userspace, face a problem of dropped
> > connections during heavy load. Incoming packets are queued and
> > processed by the security module, which does deep packet analysis to
> > decide whether to accept or reject them. However during heavy load,
> > NFQUEUE queue (default 1024 entries) fills up and connections fail
> > after large number of packets drop during enqueue. Increasing the
> > queue size delays the problem and also worsens latency.
> >
> > This patch set implements a "failopen" support to help keep connections
> > open during such failures. This is achieved by allowing acceptance of
> > packets temporarily when the queue is full, which enables existing
> > connections to be kept alive. Customers prefer this option as similar
> > feature is available on other systems.
> >
> > This patch set implements failopen for NFQUEUE (though a similar patch
> > for IPQUEUE is also implemented but not submitted at this time). I will
> > submit the iptables changes which controls turning failopen mode on/off
> > later. The original requirement for sysctl option is not implemented -
> > please let me know whether that is acceptable/preferable.
>
> I think that exposing this feature as userspace-changeable via netlink
> (eg. by adding "NFQA_CFG_FAILOPEN" attribute) rather than via ruleset
> would make most sense, as only the application can know whether it
> can cope with missing packets.
Agreed.
I have a patch here to add NFAQ_CFG_FLAGS attribute, we can add some
new flag to specify this behaviour.
I'm using that with NFQNL_F_CONNTRACK flag to integrate
nfnetlink_queue with conntrack so it sends the conntrack together with
the packet via nfnetlink_queue.
* Re: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
From: Krishna Kumar2 @ 2012-05-07 13:51 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, sri, Sulakshan Vajipayajula, vivk
Florian Westphal <fw@strlen.de> wrote on 05/07/2012 01:40:29 PM:
> Re: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
>
> Krishna Kumar <krkumar2@in.ibm.com> wrote:
> > Many users of an IBM security product, which uses netfilter's NFQUEUE
> > target to process packets in userspace, face a problem of dropped
> > connections during heavy load. Incoming packets are queued and
> > processed by the security module, which does deep packet analysis to
> > decide whether to accept or reject them. However during heavy load,
> > NFQUEUE queue (default 1024 entries) fills up and connections fail
> > after large number of packets drop during enqueue. Increasing the
> > queue size delays the problem and also worsens latency.
> >
> > This patch set implements a "failopen" support to help keep connections
> > open during such failures. This is achieved by allowing acceptance of
> > packets temporarily when the queue is full, which enables existing
> > connections to be kept alive. Customers prefer this option as similar
> > feature is available on other systems.
> >
> > This patch set implements failopen for NFQUEUE (though a similar patch
> > for IPQUEUE is also implemented but not submitted at this time). I will
> > submit the iptables changes which controls turning failopen mode on/off
> > later. The original requirement for sysctl option is not implemented -
> > please let me know whether that is acceptable/preferable.
>
> I think that exposing this feature as userspace-changeable via netlink
> (eg. by adding "NFQA_CFG_FAILOPEN" attribute) rather than via ruleset
> would make most sense, as only the application can know whether it
> can cope with missing packets.
Thanks for your review. With this change, is there any reason to
modify xt_NFQ_info_v2's bypass field, since app can specify this
option directly? I tested without this for now and it works.
Thanks,
- KK
* Re: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
From: Florian Westphal @ 2012-05-07 14:52 UTC (permalink / raw)
To: Krishna Kumar2
Cc: Florian Westphal, netfilter-devel, sri, Sulakshan Vajipayajula, vivk
Krishna Kumar2 <krkumar2@in.ibm.com> wrote:
> Florian Westphal <fw@strlen.de> wrote on 05/07/2012 01:40:29 PM:
> > I think that exposing this feature as userspace-changeable via netlink
> > (eg. by adding "NFQA_CFG_FAILOPEN" attribute) rather than via ruleset
> > would make most sense, as only the application can know whether it
> > can cope with missing packets.
>
> Thanks for your review. With this change, is there any reason to
> modify xt_NFQ_info_v2's bypass field, since app can specify this
> option directly? I tested without this for now and it works.
I don't think so. If the netlink attribute works for you we should
leave xt_NFQUEUE as-is.
Regards,
Florian