* libnetfilter_queue - remove packet from kernel buffer, and reinject later
From: Mistick Levi @ 2010-01-19 19:25 UTC
To: netfilter-devel@vger.kernel.org

Hi,

I've worked with libipq and libnetfilter_queue, and I got to a place
where my userspace code can't get any more packets (with the message:
netlink message: no buffer space available).

Now what I want to do is this:
Read a packet from the queue, copy it to my own queue/location in my
program, and reinject the packet later on with my verdict, after I have
finished.

But to the best of my understanding, until I send a verdict the packet
still takes up a place in the queue.
And I've read something about using NF_STOLEN and then reinjecting, but I
don't think that NF_STOLEN is a valid verdict.

Any ideas on how I can do what it is I wish to do? (Clear the kernel
queue by transferring the packets to my queue.)

Kind regards
Levi Yechiel
* Re: libnetfilter_queue - remove packet from kernel buffer, and reinject later
From: Eric Leblond @ 2010-01-19 22:54 UTC
To: Mistick Levi; +Cc: netfilter-devel@vger.kernel.org

Hello,

On Tuesday 19 January 2010 at 21:25 +0200, Mistick Levi wrote:
> Hi,
> I've worked with libipq and libnetfilter_queue, and I got to a place
> where my userspace code can't get any more packets (with the message:
> netlink message: no buffer space available).
>
> Now what I want to do is this:
> Read a packet from the queue, copy it to my own queue/location in my
> program, and reinject the packet later on with my verdict, after I have
> finished.

This is how it works ;)

In fact, the 'no buffer space available' message is due to your program
not getting packets as fast as needed: the kernel is sending packets to a
netlink socket and the internal buffer of the socket gets filled with
the packets waiting to be read.

What you need to do is:
 * read packets as fast as you can (your callback function has to be
   fast)
 * do the intensive or delay-needing work outside of the callback
   (via a thread or something)

If the last option is not possible, you can increase the netlink buffer
size via the nfnl_rcvbufsiz function. "Standard" syntax is the following:

nfnl_rcvbufsiz(nfq_nfnlh(my_nfq_handle), NFQ_NF_BUFSIZE);

BR,

> But to the best of my understanding, until I send a verdict the packet
> still takes up a place in the queue.
> And I've read something about using NF_STOLEN and then reinjecting, but I
> don't think that NF_STOLEN is a valid verdict.
>
> Any ideas on how I can do what it is I wish to do? (Clear the kernel
> queue by transferring the packets to my queue.)
>
> Kind regards
> Levi Yechiel

--
Eric Leblond <eric@inl.fr>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
* Re: libnetfilter_queue - remove packet from kernel buffer, and reinject later
From: Mistick Levi @ 2010-01-20 20:13 UTC
To: Eric Leblond; +Cc: netfilter-devel@vger.kernel.org

2010/1/20 Eric Leblond <eric@inl.fr>:
> Hello,
>
> On Tuesday 19 January 2010 at 21:25 +0200, Mistick Levi wrote:
>> Hi,
>> I've worked with libipq and libnetfilter_queue, and I got to a place
>> where my userspace code can't get any more packets (with the message:
>> netlink message: no buffer space available).
>>
>> Now what I want to do is this:
>> Read a packet from the queue, copy it to my own queue/location in my
>> program, and reinject the packet later on with my verdict, after I have
>> finished.
>
> This is how it works ;)
>
> In fact, the 'no buffer space available' message is due to your program
> not getting packets as fast as needed: the kernel is sending packets to a
> netlink socket and the internal buffer of the socket gets filled with
> the packets waiting to be read.
>
> What you need to do is:
>  * read packets as fast as you can (your callback function has to be
>    fast)
>  * do the intensive or delay-needing work outside of the callback
>    (via a thread or something)

What do you mean by doing the delay-needing work outside of the
callback? At the end of the callback I should give a verdict, no?

> If the last option is not possible, you can increase the netlink buffer
> size via the nfnl_rcvbufsiz function. "Standard" syntax is the following:
> nfnl_rcvbufsiz(nfq_nfnlh(my_nfq_handle), NFQ_NF_BUFSIZE);

I will try that. What I have tried so far is increasing
wmem_default, wmem_max, rmem_default and rmem_max.

> BR,
>
>> But to the best of my understanding, until I send a verdict the packet
>> still takes up a place in the queue.
>> And I've read something about using NF_STOLEN and then reinjecting, but I
>> don't think that NF_STOLEN is a valid verdict.
>>
>> Any ideas on how I can do what it is I wish to do? (Clear the kernel
>> queue by transferring the packets to my queue.)
>>
>> Kind regards
>> Levi Yechiel

Well, I have to do some logic before deciding if the packet is ACCEPTED or
DROPPED, and the callback is the one that decides that (sends the verdict).
My original phrasing was bad, so:

Question: is it possible to take the packet out from the internal socket
(as with nfq_handle_packet or recv()) and return some verdict like
"NF_STOLEN", then do the delay-needing work, and then reinject the packet
to continue its normal traversal?

Thanks in advance,
Levi Yechiel
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: libnetfilter_queue - remove packet from kernel buffer, and reinject later
From: Eric Leblond @ 2010-01-21 7:08 UTC
To: Mistick Levi; +Cc: netfilter-devel@vger.kernel.org

Hello,

On Wednesday 20 January 2010 at 22:13 +0200, Mistick Levi wrote:
> 2010/1/20 Eric Leblond <eric@inl.fr>:
> > Hello,
> >
> > On Tuesday 19 January 2010 at 21:25 +0200, Mistick Levi wrote:
> >> Hi,
> >> I've worked with libipq and libnetfilter_queue, and I got to a place
> >> where my userspace code can't get any more packets (with the message:
> >> netlink message: no buffer space available).
> >>
> >> Now what I want to do is this:
> >> Read a packet from the queue, copy it to my own queue/location in my
> >> program, and reinject the packet later on with my verdict, after I have
> >> finished.
> >
> > This is how it works ;)
> >
> > In fact, the 'no buffer space available' message is due to your program
> > not getting packets as fast as needed: the kernel is sending packets to a
> > netlink socket and the internal buffer of the socket gets filled with
> > the packets waiting to be read.
> >
> > What you need to do is:
> >  * read packets as fast as you can (your callback function has to be
> >    fast)
> >  * do the intensive or delay-needing work outside of the callback
> >    (via a thread or something)
>
> What do you mean by doing the delay-needing work outside of the
> callback? At the end of the callback I should give a verdict, no?

No, this is not necessary. The verdict can be called from anywhere else
in your program.

BR,
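Eric's advice in the two replies above (copy the packet and return from the callback at once, do the slow work on another thread, issue the verdict from wherever that work finishes) as a worked example; this is added code, not from the thread or from libnetfilter_queue itself. It assumes the real program's nfq callback calls pending_push() with the id taken from nfq_get_msg_packet_hdr() and that the sink passed to pending_drain() wraps nfq_set_verdict(); record_verdict is a stand-in so the block runs without the library, and the policy in decide() is a placeholder.

```c
/* Added example, not from the thread: deferred verdicts for libnetfilter_queue.
 * The nfq callback only copies the packet into a bounded ring and returns; a
 * worker decides later and verdicts via a sink wrapping nfq_set_verdict(). */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { NF_DROP = 0, NF_ACCEPT = 1 };  /* same values as <linux/netfilter.h> */
#define PENDING_MAX 1024              /* hard bound on packets held in userspace */
typedef void (*verdict_fn)(void *ctx, uint32_t id, int verdict);
struct pending { uint32_t id; size_t len; unsigned char *data; };
static struct pending ring[PENDING_MAX];
static size_t head, tail, count;
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
/* Callback side: copy and enqueue, nothing else. Returns -1 when the ring is
 * full so the callback can verdict inline instead of stalling the reader. */
int pending_push(uint32_t id, const unsigned char *pkt, size_t len)
{
    unsigned char *copy = malloc(len ? len : 1);
    if (!copy) return -1;
    memcpy(copy, pkt, len);
    pthread_mutex_lock(&lock);
    if (count == PENDING_MAX) { pthread_mutex_unlock(&lock); free(copy); return -1; }
    ring[tail] = (struct pending){ id, len, copy };
    tail = (tail + 1) % PENDING_MAX; count++;
    pthread_mutex_unlock(&lock); return 0;
}
/* Worker side, the slow inspection. Toy policy: accept only a packet that
 * starts with an IPv4 header of at least the 20-byte minimum; drop the rest. */
int decide(const unsigned char *pkt, size_t len)
{ return (len >= 20 && (pkt[0] >> 4) == 4) ? NF_ACCEPT : NF_DROP; }

struct record { uint32_t id[8]; int verdict[8]; size_t n; }; /* demo sink state */
void record_verdict(void *ctx, uint32_t id, int v) /* stand-in for nfq_set_verdict */
{ struct record *r = ctx; if (r->n < 8) { r->id[r->n] = id; r->verdict[r->n++] = v; } }
/* Worker side: pop up to max packets, verdict each one, free the copy. */
size_t pending_drain(size_t max, verdict_fn sink, void *ctx)
{
    size_t done;
    for (done = 0; done < max; done++) {
        pthread_mutex_lock(&lock);
        if (count == 0) { pthread_mutex_unlock(&lock); break; }
        struct pending p = ring[head];
        head = (head + 1) % PENDING_MAX; count--;
        pthread_mutex_unlock(&lock);
        sink(ctx, p.id, decide(p.data, p.len));   /* verdict outside the callback */
        free(p.data);
    }
    return done;
}
```

The worker thread loops on pending_drain() while the netlink reader thread keeps calling nfq_handle_packet(); nothing in the callback path blocks on the inspection, which is what keeps the socket buffer from filling.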