From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Helmut Grohne <h.grohne@cygnusnetworks.de>
Cc: netfilter@vger.kernel.org
Subject: Re: What does nflog_unbind_pf actually do?
Date: Thu, 03 Feb 2011 14:27:28 +0100 [thread overview]
Message-ID: <4D4AAD40.1060204@netfilter.org> (raw)
In-Reply-To: <20110203120052.GA4217@buero.cygnusnet.de>
On 03/02/11 13:00, Helmut Grohne wrote:
> Thanks to Florian Westphal (fw on Freenode) for helping me sort this
> out.
>
> On Tue, Jan 25, 2011 at 01:54:27PM +0100, Helmut Grohne wrote:
>> I was wondering what nflog_unbind_pf actually does. The doxygen comment
>> suggests it to be a harmless setup function acting on a given handle:
>>
>> libnetfilter-log src/libnetfilter_log.c:
>> | /**
>> | * nflog_unbind_pf - unbind nflog handler from a protocol family
>> | * \param h Netfilter log handle obtained via call to nflog_open()
>> | * \param pf protocol family to unbind family from
>> | *
>> | * Unbinds the given nflog handle from processing packets belonging
>> | * to the given protocol family.
>> | */
>
> This comment is indeed very misleading.
Let's fix it then :-)
> Actually the passed handle plays
> no role in the modification apart from providing access. The NFLOG
> iptables target has different ways to log packets. Currently the only
> logger is netlink. The state can be observed by examining
> /proc/net/netfilter/nf_log. This file maps protocol numbers to loggers.
> So nflog_{,un}bind_pf really modifies a global and persistent kernel
> data structure. The default logger is "NONE" or "NULL" which means no
> logging, so it has to be set up once. Trying to do so in parallel will
> result in race conditions.
Please, would you send me a patch so others can benefit for this
conclusion in the official documentation? I'd appreciate it.
> Furthermore I'd like to remark that if you handle lots of packets the in
> kernel buffer might be too small. This can result in packets being
> dropped which is signaled by ENOBUFS being returned from recv. The
> socket can be used normally after this error. To avoid this situation
> the receive buffer size can be increased using setsockopt
> SO_RCVBUFFORCE.
There is other things that you can do to avoid ENOBUFS, it is documented
in libnetfilter_queue but it also applies to libnetfilter_log:
http://www.netfilter.org/projects/libnetfilter_queue/doxygen/
See performance, the last two items do not apply to libnetfilter_log.
Another patch for this would be great.
next prev parent reply other threads:[~2011-02-03 13:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-25 12:54 What does nflog_unbind_pf actually do? Helmut Grohne
2011-02-03 12:00 ` Helmut Grohne
2011-02-03 13:27 ` Pablo Neira Ayuso [this message]
2011-02-03 17:24 ` Helmut Grohne
2011-02-04 9:56 ` Pablo Neira Ayuso
2011-02-10 8:52 ` Helmut Grohne
2011-02-11 14:29 ` Pablo Neira Ayuso
2011-02-14 14:31 ` ENOBUFS missing in man recv(2) [Initially: What does nflog_unbind_pf actually do?] Helmut Grohne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D4AAD40.1060204@netfilter.org \
--to=pablo@netfilter.org \
--cc=h.grohne@cygnusnetworks.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox