[Oisf-devel] [PATCH] nfq: modify queue length computation logic

Eric Leblond eleblond at edenwall.com
Mon Jan 11 21:25:22 UTC 2010


This patch modifies the max queue length computation logic. The max queue
length was set to MAX_PENDING, which is the total number of packets
processed simultaneously in suricata.

This value is correct, but it does not permit taking all burst
effects into account (read: a sudden quantity of packets that arrives
faster than suricata is able to parse). Furthermore, there is a
delaying system when suricata gets overloaded, which makes it necessary
to have packets storable in the kernel for some time.

To improve this situation, the patch increases the maximum queue
length to NFQ_BURST_FACTOR (4) times the MAX_PENDING packets, and
it also increases the nfnetlink buffer size to be able to store
all packets waiting for suricata in the netlink receive buffer.
---
 src/source-nfq.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/src/source-nfq.c b/src/source-nfq.c
index 8e825fd..fddfbe3 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -65,6 +65,10 @@ TmEcode NoNFQSupportExit(ThreadVars *tv, void *initdata, void **data)
 
 #else /* implied we do have NFQ support */
 
+#define NFQ_BURST_FACTOR 4
+#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING
+#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN
+
 /* shared vars for all for nfq queues and threads */
 static NFQGlobalVars nfq_g;
 
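Review bot: the two derived macros in this hunk expand without parentheses, so `NFQ_DFT_QUEUE_LEN` becomes the bare token sequence `4 * MAX_PENDING` and `NFQ_NF_BUFSIZE` becomes `1500 * 4 * MAX_PENDING`; any later use such as `x / NFQ_DFT_QUEUE_LEN` or `NFQ_DFT_QUEUE_LEN + 1` after a multiplication would silently compute the wrong value. Suggest `#define NFQ_DFT_QUEUE_LEN (NFQ_BURST_FACTOR * MAX_PENDING)` and `#define NFQ_NF_BUFSIZE (1500 * NFQ_DFT_QUEUE_LEN)`. The `1500` is also an unexplained constant; a comment stating that it is a per-packet byte estimate (and that larger frames or a copy range above that will fill the buffer with fewer packets than `NFQ_DFT_QUEUE_LEN`) would make the sizing assumption visible to the next reader.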
@@ -258,6 +262,9 @@ TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_m
     }
 #endif /* HAVE_NFQ_MAXLEN */
 
+    /* set netlink buffer size to a decent value */
+    nfnl_rcvbufsiz(nfq_nfnlh(nfq_t->h), NFQ_NF_BUFSIZE);
+
     nfq_t->nh = nfq_nfnlh(nfq_t->h);
     nfq_t->fd = nfnl_fd(nfq_t->nh);
 
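Review bot: the return value of `nfnl_rcvbufsiz()` is discarded, so a request that the kernel caps (for example by the receive-buffer limits the socket is subject to) goes unnoticed and the queue can still overflow silently under the very burst this patch targets; suggest storing the result, comparing it with `NFQ_NF_BUFSIZE`, and logging a warning when the effective size is smaller. Minor: `nfq_nfnlh(nfq_t->h)` is called here and then again on the very next line to populate `nfq_t->nh`; moving the added call below that assignment and passing `nfq_t->nh` avoids the duplicate lookup.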
@@ -289,7 +296,7 @@ TmEcode ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) {
      * as we will need it in our callback function */
     ntv->tv = tv;
 
-    int r = NFQInitThread(ntv,receive_queue_num,MAX_PENDING);
+    int r = NFQInitThread(ntv,receive_queue_num, NFQ_DFT_QUEUE_LEN);
     if (r < 0) {
         SCLogError(SC_NFQ_THREAD_INIT, "nfq thread failed to initialize");
 
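Review bot: the argument list in the changed line mixes styles (`ntv,receive_queue_num, NFQ_DFT_QUEUE_LEN`, with a space only before the last argument); keep one convention for the whole call. Since the preceding hunk shows the max-length setting guarded by `#endif /* HAVE_NFQ_MAXLEN */`, it would also help to note in the commit message that on builds without that support only the larger netlink buffer takes effect while the queue length itself is unchanged.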
-- 
1.6.6