authorPablo Neira Ayuso <pablo@netfilter.org>2012-09-10 13:17:24 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-09-10 13:24:59 +0200
commitfebb3cceac1889fb6558b8ef40ac733072fdcd47 (patch)
tree30c4174e6ff8a83826d17928d0c9409d41dd4859
parent46faeab56cf4117f41cb6f1f1c40a9c18a81372f (diff)
conntrackd: cthelper: add QueueLen option
This patch adds the QueueLen option, that allows you to increase the maximum number of packets waiting in the nfnetlink_queue to receive a verdict from userspace. Raising the default value (1024) is useful to avoid hitting the following error message: "nf_queue: full at X entries, dropping packets(s)". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/helper/conntrackd.conf13
-rw-r--r--include/helper.h1
-rw-r--r--src/cthelper.c6
-rw-r--r--src/read_config_lex.l1
-rw-r--r--src/read_config_yy.y23
5 files changed, 40 insertions, 4 deletions
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 80f1f92..56f5162 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -14,6 +14,16 @@ Helper {
# the kernel.
#
QueueNum 0
+
+ #
+ # Maximum number of packets waiting in the queue to receive
+ # a verdict from user-space. Default is 1024.
+ #
+ # Rise value if you hit the following error message:
+ # "nf_queue: full at X entries, dropping packets(s)"
+ #
+ QueueLen 10240
+
#
# Set the Expectation policy for this helper.
#
@@ -30,6 +40,7 @@ Helper {
}
Type rpc inet tcp {
QueueNum 1
+ QueueLen 10240
Policy rpc {
ExpectMax 1
ExpectTimeout 300
@@ -37,6 +48,7 @@ Helper {
}
Type rpc inet udp {
QueueNum 2
+ QueueLen 10240
Policy rpc {
ExpectMax 1
ExpectTimeout 300
@@ -44,6 +56,7 @@ Helper {
}
Type tns inet tcp {
QueueNum 3
+ QueueLen 10240
Policy tns {
ExpectMax 1
ExpectTimeout 300
diff --git a/include/helper.h b/include/helper.h
index 329fd2d..9d96fb7 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -35,6 +35,7 @@ struct ctd_helper {
struct ctd_helper_instance {
struct list_head head;
uint32_t queue_num;
+ uint32_t queue_len;
uint16_t l3proto;
uint8_t l4proto;
struct ctd_helper *helper;
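Review bot: The new `queue_len` field is a `uint32_t`, but the parser rule this commit adds in read_config_yy.y reads `T_NUMBER` through an `int` and assigns it without a range check, so a negative `QueueLen` in the configuration silently wraps to a very large unsigned length and `0` is accepted as well. Rejecting non-positive values in the `T_HELPER_QUEUE_LEN` rule, before `stack_item_push`, using the file's existing configuration error reporting would keep the field within its intended meaning. A short comment on the field would also help readers: `uint32_t queue_len; /* QueueLen: max packets pending a verdict, sent as NFQA_CFG_QUEUE_MAXLEN */`. The `struct ctd_helper_instance` definition closes outside this hunk.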
diff --git a/src/cthelper.c b/src/cthelper.c
index c119869..307be96 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -353,8 +353,9 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
NFCT_HELPER_STATUS_ENABLED);
- dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d",
- cur->helper->name, cur->queue_num);
+ dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d and "
+ "queuelen=%d", cur->helper->name, cur->queue_num,
+ cur->queue_len);
for (j=0; j<CTD_HELPER_POLICY_MAX; j++) {
struct nfct_helper_policy *p;
@@ -433,6 +434,7 @@ static int cthelper_nfqueue_setup(struct ctd_helper_instance *cur)
nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_CONNTRACK));
mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(0xffffffff));
+ mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(cur->queue_len));
if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
dlog(LOG_ERR, "failed to send configuration");
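Review bot: `NFQA_CFG_QUEUE_MAXLEN` is now attached unconditionally with `cur->queue_len`, but nothing in this hunk gives `queue_len` a default when `QueueLen` is absent from the configuration; whatever the instance allocation leaves in the field (not visible here) then replaces the kernel's own default, and a zero maximum length is unlikely to be what an administrator who omitted the option expects. Either initialise `queue_len` to the documented default where the instance is created, or only send the attribute when a value was configured: `if (cur->queue_len) mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(cur->queue_len));`. Separately, the reworded dlog in the first hunk prints the `uint32_t` fields `queue_num` and `queue_len` with `%d`; `%u` matches their type. Both enclosing functions, `cthelper_setup` and `cthelper_nfqueue_setup`, start and end outside these hunks.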
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 31fa32e..bec2d81 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -144,6 +144,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"ErrorQueueLength" { return T_ERROR_QUEUE_LENGTH; }
"Helper" { return T_HELPER; }
"QueueNum" { return T_HELPER_QUEUE_NUM; }
+"QueueLen" { return T_HELPER_QUEUE_LEN; }
"Policy" { return T_HELPER_POLICY; }
"ExpectMax" { return T_HELPER_EXPECT_MAX; }
"ExpectTimeout" { return T_HELPER_EXPECT_TIMEOUT; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index c9235d3..72a9654 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -56,6 +56,7 @@ struct stack symbol_stack;
enum {
SYMBOL_HELPER_QUEUE_NUM,
+ SYMBOL_HELPER_QUEUE_LEN,
SYMBOL_HELPER_POLICY_EXPECT_ROOT,
SYMBOL_HELPER_EXPECT_POLICY_LEAF,
};
@@ -86,8 +87,8 @@ enum {
%token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
%token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
%token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
-%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_POLICY T_HELPER_EXPECT_MAX
-%token T_HELPER_EXPECT_TIMEOUT
+%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_QUEUE_LEN T_HELPER_POLICY
+%token T_HELPER_EXPECT_TIMEOUT T_HELPER_EXPECT_MAX
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -1639,6 +1640,13 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
stack_item_free(e);
break;
}
+ case SYMBOL_HELPER_QUEUE_LEN: {
+ int *qlen = (int *) &e->data;
+
+ helper_inst->queue_len = *qlen;
+ stack_item_free(e);
+ break;
+ }
case SYMBOL_HELPER_POLICY_EXPECT_ROOT: {
struct ctd_helper_policy *pol =
(struct ctd_helper_policy *) &e->data;
@@ -1696,6 +1704,17 @@ helper_type: T_HELPER_QUEUE_NUM T_NUMBER
stack_item_push(&symbol_stack, e);
};
+helper_type: T_HELPER_QUEUE_LEN T_NUMBER
+{
+ int *qlen;
+ struct stack_item *e;
+
+ e = stack_item_alloc(SYMBOL_HELPER_QUEUE_LEN, sizeof(int));
+ qlen = (int *) e->data;
+ *qlen = $2;
+ stack_item_push(&symbol_stack, e);
+};
+
helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
{
struct stack_item *e;