authorPablo Neira Ayuso <pablo@netfilter.org>2012-09-10 13:17:24 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-09-10 13:24:59 +0200
commitfebb3cceac1889fb6558b8ef40ac733072fdcd47 (patch)
tree30c4174e6ff8a83826d17928d0c9409d41dd4859 /src
parent46faeab56cf4117f41cb6f1f1c40a9c18a81372f (diff)
conntrackd: cthelper: add QueueLen option
This patch adds the QueueLen option, which allows you to increase the maximum number of packets waiting in the nfnetlink_queue to receive a verdict from userspace. Raising the default value (1024) is useful to avoid hitting the following error message: "nf_queue: full at X entries, dropping packets(s)". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/cthelper.c6
-rw-r--r--src/read_config_lex.l1
-rw-r--r--src/read_config_yy.y23
3 files changed, 26 insertions, 4 deletions
diff --git a/src/cthelper.c b/src/cthelper.c
index c119869..307be96 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -353,8 +353,9 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
NFCT_HELPER_STATUS_ENABLED);
- dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d",
- cur->helper->name, cur->queue_num);
+ dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d and "
+ "queuelen=%d", cur->helper->name, cur->queue_num,
+ cur->queue_len);
for (j=0; j<CTD_HELPER_POLICY_MAX; j++) {
struct nfct_helper_policy *p;
@@ -433,6 +434,7 @@ static int cthelper_nfqueue_setup(struct ctd_helper_instance *cur)
nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_CONNTRACK));
mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(0xffffffff));
+ mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(cur->queue_len));
if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
dlog(LOG_ERR, "failed to send configuration");
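Review bot: The added `mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(cur->queue_len));` is sent on every queue setup, including when the configuration has no QueueLen line. Nothing in this diff gives `queue_len` a default, so if the helper instance starts out zeroed (not visible here) the kernel would be asked for a maximum length of 0 instead of keeping the default of 1024 that the commit message mentions. Wrapping the put in `if (cur->queue_len > 0)` keeps the kernel default when the option is omitted, and also stops a negative value (the field appears to be an `int`, given the `%d` and the `int *` in the parser) from becoming a very large unsigned length through `htonl()`. The body of cthelper_nfqueue_setup starts and ends outside the hunk.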
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 31fa32e..bec2d81 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -144,6 +144,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"ErrorQueueLength" { return T_ERROR_QUEUE_LENGTH; }
"Helper" { return T_HELPER; }
"QueueNum" { return T_HELPER_QUEUE_NUM; }
+"QueueLen" { return T_HELPER_QUEUE_LEN; }
"Policy" { return T_HELPER_POLICY; }
"ExpectMax" { return T_HELPER_EXPECT_MAX; }
"ExpectTimeout" { return T_HELPER_EXPECT_TIMEOUT; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index c9235d3..72a9654 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -56,6 +56,7 @@ struct stack symbol_stack;
enum {
SYMBOL_HELPER_QUEUE_NUM,
+ SYMBOL_HELPER_QUEUE_LEN,
SYMBOL_HELPER_POLICY_EXPECT_ROOT,
SYMBOL_HELPER_EXPECT_POLICY_LEAF,
};
@@ -86,8 +87,8 @@ enum {
%token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
%token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
%token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
-%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_POLICY T_HELPER_EXPECT_MAX
-%token T_HELPER_EXPECT_TIMEOUT
+%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_QUEUE_LEN T_HELPER_POLICY
+%token T_HELPER_EXPECT_TIMEOUT T_HELPER_EXPECT_MAX
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -1639,6 +1640,13 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
stack_item_free(e);
break;
}
+ case SYMBOL_HELPER_QUEUE_LEN: {
+ int *qlen = (int *) &e->data;
+
+ helper_inst->queue_len = *qlen;
+ stack_item_free(e);
+ break;
+ }
case SYMBOL_HELPER_POLICY_EXPECT_ROOT: {
struct ctd_helper_policy *pol =
(struct ctd_helper_policy *) &e->data;
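Review bot: The new case reads the value through `(int *) &e->data`, while the rule that pushes the item writes it through `(int *) e->data`. The two spellings name the same bytes only if `data` is an array member of `struct stack_item`, which this diff does not show. Using `e->data` in both places, or copying with `memcpy(&helper_inst->queue_len, e->data, sizeof(int));`, would make the read match the write and drop the reliance on the buffer being suitably aligned for `int`. The neighbouring SYMBOL_HELPER_POLICY_EXPECT_ROOT case uses the same `&e->data` form, and the enclosing switch starts and ends outside the hunk.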
@@ -1696,6 +1704,17 @@ helper_type: T_HELPER_QUEUE_NUM T_NUMBER
stack_item_push(&symbol_stack, e);
};
+helper_type: T_HELPER_QUEUE_LEN T_NUMBER
+{
+ int *qlen;
+ struct stack_item *e;
+
+ e = stack_item_alloc(SYMBOL_HELPER_QUEUE_LEN, sizeof(int));
+ qlen = (int *) e->data;
+ *qlen = $2;
+ stack_item_push(&symbol_stack, e);
+};
+
helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
{
struct stack_item *e;
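Review bot: `*qlen = $2;` stores whatever number the configuration file gives, with no range check, and that value later becomes the kernel queue limit. A QueueLen of 0 should be rejected at parse time with a configuration error, and so should a negative value if the lexer's T_NUMBER admits one (not visible here); otherwise the administrator only sees dropped packets at runtime. An upper bound is worth considering too, since every queued packet holds kernel memory until userspace returns a verdict. A guard such as `if ($2 <= 0) { /* report a config error as the other rules do, then stop */ }` before the allocation would cover the lower bound. In the lines shown, the result of `stack_item_alloc()` is also dereferenced without a NULL check.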