From: Mistick Levi <gmistick@gmail.com>
To: Eric Leblond <eric@inl.fr>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: libnetfilter_queue - remove packet from kernel buffer, and reinject later
Date: Wed, 20 Jan 2010 22:13:14 +0200
Message-ID: <6c279bde1001201213h724a22cfvc9c8e51538156ec2@mail.gmail.com>
In-Reply-To: <1263941697.4571.46.camel@ice-age>
2010/1/20 Eric Leblond <eric@inl.fr>:
> Hello,
>
> Le mardi 19 janvier 2010 à 21:25 +0200, Mistick Levi a écrit :
>> Hi,
>> I've worked with libipq and libnetfilter_queue, and I got to a place
>> where my userspace code can't get any more packets (with the message:
>> netlink message: no buffer space available).
>>
>> Now what I want to do is this:
>> Read a packet from the queue, copy it to my own queue/location in my
>> program, and reinject the packet later on with my verdict, after I have
>> finished.
>
> This is how it works ;)
>
> In fact, the 'no buffer space available' message is due to your program
> not getting packets as fast as needed: the kernel is sending packets to a
> netlink socket and the internal buffer of the socket gets filled with
> the packets waiting to be read.
>
> What you need to do is:
>  * read packets as fast as you can (your callback function has to be
>    fast)
>  * do the intensive or delay needing work outside of the callback
>    (via a thread or something)

What do you mean by doing the delay needing work outside of the
callback? At the end of the callback I should give a verdict, no?

>
> If the last option is not possible, you can increase the netlink buffer size
> via the nfnl_rcvbufsiz function. "Standard" syntax is the following:
>     nfnl_rcvbufsiz(nfq_nfnlh(my_nfq_handle), NFQ_NF_BUFSIZE);
>

I will try that. What I have tried so far is increasing
wmem_default, wmem_max, rmem_default and rmem_max.

> BR,
>
>>
>> But to the best of my understanding, until I send a verdict the packet
>> still takes up a place in the queue.
>> And I've read something about using NF_STOLEN and then reinjecting, but I
>> don't think that NF_STOLEN is a valid verdict.
>>
>> Any ideas on how I can do what it is I wish to do? (Clear the kernel
>> queue by transferring the packets to my queue.)
>>
>> Kind regards
>> Levi Yechiel
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
> --
> Eric Leblond <eric@inl.fr>
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
>

Well, I have to do some logic before deciding if the packet is ACCEPTED
or DROPPED, and the callback is the one that decides that (sends the
verdict).
My original phrasing was bad, so:
Question: is it possible to take the packet out from the internal
socket (as with nfq_handle_packet or recv()) and return some verdict
like "NF_STOLEN", then do the delay needing work, and then reinject
the packet to continue its normal traversal?

Thanks in advance,
Levi Yechiel
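
The hand-off discussed in the thread (a fast callback, with the slow decision made elsewhere), as an added example that is not part of the original messages or of libnetfilter_queue: the callback copies the packet id and payload into a userspace ring and returns without a verdict, and a worker later works out the verdict to send with nfq_set_verdict() using the stored id. The ring, its sizes, pending_push, pending_next and the decide policy are assumptions made for illustration, and the ring is safe only for one callback thread and one worker thread.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 256u            /* assumed capacity, power of two */
#define SNAP_LEN   2048            /* assumed max bytes copied per packet */
enum { V_DROP = 0, V_ACCEPT = 1 }; /* same values as NF_DROP / NF_ACCEPT */

struct pending { uint32_t id; uint16_t len; unsigned char data[SNAP_LEN]; };
static struct pending ring[RING_SLOTS];
static atomic_uint head, tail;     /* head: advanced by callback; tail: by worker */

/* Callback side: copy id + payload and return at once, no verdict yet.
 * Returns -1 when the ring is full; the caller must then give a verdict now. */
int pending_push(uint32_t id, const unsigned char *payload, int len)
{
    unsigned h = atomic_load_explicit(&head, memory_order_relaxed);
    if (h - atomic_load_explicit(&tail, memory_order_acquire) == RING_SLOTS)
        return -1;
    struct pending *p = &ring[h % RING_SLOTS];
    if (len < 0) len = 0;
    if (len > SNAP_LEN) len = SNAP_LEN;
    p->id = id;
    p->len = (uint16_t)len;
    memcpy(p->data, payload, (size_t)len);
    atomic_store_explicit(&head, h + 1, memory_order_release);
    return 0;
}

/* Hypothetical slow policy standing in for the real decision logic:
 * accept packets whose first byte carries IP version 4, drop the rest. */
static uint32_t decide(const struct pending *p)
{
    return (p->len > 0 && (p->data[0] >> 4) == 4) ? V_ACCEPT : V_DROP;
}

/* Worker side: take the oldest stored packet, run the policy, and hand back the
 * id and verdict for nfq_set_verdict(qh, id, verdict, 0, NULL). 0 means empty. */
int pending_next(uint32_t *id, uint32_t *verdict)
{
    unsigned t = atomic_load_explicit(&tail, memory_order_relaxed);
    if (t == atomic_load_explicit(&head, memory_order_acquire))
        return 0;
    const struct pending *p = &ring[t % RING_SLOTS];
    *id = p->id;
    *verdict = decide(p);
    atomic_store_explicit(&tail, t + 1, memory_order_release);
    return 1;
}
```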