libnetfilter_queue question

libnetfilter_queue question

[Victor Julien]

Hi all,

I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
(www.openinfosecfoundation.org). I'm using a callback that makes the
packet(s) available to the detection engine. In some special cases the
call back could fail (only malloc failure atm).

I was wondering what the proper response would be to such an event. I'm
assuming nfq_handle_packet() would return an (non zero) error code in
that case.

Should I verdict the packet? (drop to be safe)

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Re: libnetfilter_queue question

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 904 bytes --]

Hi Victor,

Le mercredi 19 mai 2010 à 12:15 +0200, Victor Julien a écrit :
> Hi all,
> 
> I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
> (www.openinfosecfoundation.org). I'm using a callback that makes the
> packet(s) available to the detection engine. In some special cases the
> call back could fail (only malloc failure atm).
> 
> I was wondering what the proper response would be to such an event. I'm
> assuming nfq_handle_packet() would return an (non zero) error code in
> that case.
> 
> Should I verdict the packet? (drop to be safe)

Yes, clearly ! If you don't do this the packet will get stuck inside the
kernel and nothing will released it (and free associated structures).

The only other mean to free queued packet is to unregister from the NF
queue.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Ceci est une partie de message numériquement signée --]
[-- Type: application/pgp-signature, Size: 190 bytes --]

Re: libnetfilter_queue question

[Victor Julien]

Eric Leblond wrote:
> Hi Victor,
> 
> Le mercredi 19 mai 2010 à 12:15 +0200, Victor Julien a écrit :
>> Hi all,
>>
>> I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
>> (www.openinfosecfoundation.org). I'm using a callback that makes the
>> packet(s) available to the detection engine. In some special cases the
>> call back could fail (only malloc failure atm).
>>
>> I was wondering what the proper response would be to such an event. I'm
>> assuming nfq_handle_packet() would return an (non zero) error code in
>> that case.
>>
>> Should I verdict the packet? (drop to be safe)
> 
> Yes, clearly ! If you don't do this the packet will get stuck inside the
> kernel and nothing will released it (and free associated structures).
> 
> The only other mean to free queued packet is to unregister from the NF
> queue.

Thanks Eric, I will implement the verdict in case of error.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: libnetfilter_queue question

[Victor Julien]

Victor Julien wrote:
> Eric Leblond wrote:
>> Hi Victor,
>>
>> Le mercredi 19 mai 2010 à 12:15 +0200, Victor Julien a écrit :
>>> Hi all,
>>>
>>> I'm using libnetfilter_queue for inline mode in the Suricata IDS/IPS
>>> (www.openinfosecfoundation.org). I'm using a callback that makes the
>>> packet(s) available to the detection engine. In some special cases the
>>> call back could fail (only malloc failure atm).
>>>
>>> I was wondering what the proper response would be to such an event. I'm
>>> assuming nfq_handle_packet() would return an (non zero) error code in
>>> that case.
>>>
>>> Should I verdict the packet? (drop to be safe)
>> Yes, clearly ! If you don't do this the packet will get stuck inside the
>> kernel and nothing will released it (and free associated structures).
>>
>> The only other mean to free queued packet is to unregister from the NF
>> queue.
> 
> Thanks Eric, I will implement the verdict in case of error.

Actually, after giving it some more thought I was wondering if the
verdict would need to be issued in the failing callback function itself.

As far as I understand, nfq_handle_packet can process multiple packets
after a single recv.

What would be the appropriate place to issue the verdict?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html