Re: Multiple nf_bind_pf to the same protocol

[Patrick McHardy <kaber@trash.net>]

Mattias Rönnblom wrote:
> Patrick McHardy <kaber@trash.net> writes:
> 
>> Mattias Rönnblom wrote:
>>> Hi,
>>>
>>> with NFQUEUE and the libnetfilter_queue library, is it possible to
>>> bind several applications to same protocol (for example, AF_INET)?
>>>
>>> That would be useful if you want to do load balancing on a multicore
>>> system, with a thread/process serving each NFQUEUE queue.
>>>
>>> After having a brief look at the NFQUEUE/libnetfilter_queue code, it
>>> looks like there's only single netlink fd for all queues, and the
>>> library does the demultiplexing. Would that mean I have to have a
>>> "front-end" thread distributing different servering threads?
>> You can bind them to different group numbers for the same AF.
>> The latest version of the NFQUEUE target even supports automatic
>> balancing between those groups based on a simple flow hash.
> 
> Do you by "group number" mean NFQUEUE queue number? If so, how would I
> do that?

Yes. You can specify the netlink group number in the nfq_create_queue()
call.

> The data comes on a single netlink fd, which is serviced by
> one thread, which is suppose to give the data chunk to
> libnetfilter_queue (nfq_handle_packet). The libary executes a callback
> (depending on queue number) in the context of that thread. At least
> that is my understanding of NFQUEUE/libnetfilter_queue.

You can start multiple processes and bind each one to a seperate queue.
Alternatively you can create multiple queue handles in a multithreaded
programm.