[Oisf-devel] [PATCH] nfq: modify queue length computation logic
Victor Julien
victor at inliniac.net
Wed Jan 13 14:31:33 UTC 2010
Awesome, thanks Eric. Running NFQ on my firewall so I'll be testing
this. Patch applied.
Cheers,
Victor
Eric Leblond wrote:
> This patch modifies the max queue length computation logic. The max queue
> length was set to MAX_PENDING which is the total number of packets
> processed simultaneously in suricata.
>
> This value is correct but it will not permit taking all burst
> effects into account (read: a sudden quantity of packets that arrives
> faster than suricata is able to parse). Furthermore there is a
> delaying system when suricata gets overloaded which makes it necessary
> to have packets storable in the kernel for some time.
>
> To improve this situation the patch increases the maximum queue
> length to NFQ_BURST_FACTOR (4) times the MAX_PENDING packets and
> it also increases the nfnetlink buffer size to be able to store
> all packets waiting for suricata in the netlink receive buffer.
> ---
> src/source-nfq.c | 9 ++++++++-
> 1 files changed, 8 insertions(+), 1 deletions(-)
>
> diff --git a/src/source-nfq.c b/src/source-nfq.c
> index 8e825fd..fddfbe3 100644
> --- a/src/source-nfq.c
> +++ b/src/source-nfq.c
> @@ -65,6 +65,10 @@ TmEcode NoNFQSupportExit(ThreadVars *tv, void *initdata, void **data)
>
> #else /* implied we do have NFQ support */
>
> +#define NFQ_BURST_FACTOR 4
> +#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING
> +#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN
> +
> /* shared vars for all for nfq queues and threads */
> static NFQGlobalVars nfq_g;
>
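Review bot: the two derived macros in this hunk are unparenthesised, so `#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING` and `#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN` expand textually and any later use such as `x / NFQ_DFT_QUEUE_LEN` would become `x / 4 * MAX_PENDING`. Wrap both bodies: `#define NFQ_DFT_QUEUE_LEN (NFQ_BURST_FACTOR * MAX_PENDING)` and `#define NFQ_NF_BUFSIZE (1500 * NFQ_DFT_QUEUE_LEN)`. The bare 1500 also needs a comment stating that it is an assumed per-packet size (an Ethernet MTU, not counting the netlink message header carried with each queued packet); with larger frames or jumbo MTUs the buffer is undersized for the queue length it is paired with.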
> @@ -258,6 +262,9 @@ TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_m
> }
> #endif /* HAVE_NFQ_MAXLEN */
>
> + /* set netlink buffer size to a decent value */
> + nfnl_rcvbufsiz(nfq_nfnlh(nfq_t->h), NFQ_NF_BUFSIZE);
> +
> nfq_t->nh = nfq_nfnlh(nfq_t->h);
> nfq_t->fd = nfnl_fd(nfq_t->nh);
>
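Review bot: the return value of nfnl_rcvbufsiz() is discarded. It reports the receive buffer size the kernel actually granted, and the plain SO_RCVBUF path is capped by net.core.rmem_max, so a run without the privilege to force the size silently ends up with a buffer far smaller than NFQ_NF_BUFSIZE while the queue length is still NFQ_DFT_QUEUE_LEN. Keep the result and log it when it is below the requested size (this file already uses the SCLog facilities), pointing the operator at rmem_max. Minor: the new call evaluates `nfq_nfnlh(nfq_t->h)` two lines before `nfq_t->nh = nfq_nfnlh(nfq_t->h);`; placing the call after that assignment and passing `nfq_t->nh` avoids the duplicate lookup.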
> @@ -289,7 +296,7 @@ TmEcode ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) {
> * as we will need it in our callback function */
> ntv->tv = tv;
>
> - int r = NFQInitThread(ntv,receive_queue_num,MAX_PENDING);
> + int r = NFQInitThread(ntv,receive_queue_num, NFQ_DFT_QUEUE_LEN);
> if (r < 0) {
> SCLogError(SC_NFQ_THREAD_INIT, "nfq thread failed to initialize");
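Review bot: the larger queue length only reaches the kernel through the block guarded by `#endif /* HAVE_NFQ_MAXLEN */` visible in the previous hunk's context, so on a libnetfilter_queue build without that support the kernel keeps its default queue length while NFQ_NF_BUFSIZE is still sized for NFQ_DFT_QUEUE_LEN packets; either state this in the commit message or size the buffer from the length that was actually applied. Minor: the argument list now mixes `ntv,receive_queue_num` with `, NFQ_DFT_QUEUE_LEN`; use one spacing style.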
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
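The sizing rule in the commit message above (burst factor times MAX_PENDING, times an assumed packet size) only helps if the kernel actually grants the requested receive buffer. The following is an added example written for this page, not Suricata or libnfnetlink code: it applies the same rule with parenthesised macros, requests the buffer the way libnfnetlink's nfnl_rcvbufsiz() does (privileged override first, plain SO_RCVBUF as fallback), and then reads the option back instead of trusting the request. It assumes Linux socket semantics (the kernel roughly doubles a granted SO_RCVBUF for bookkeeping and caps the unprivileged request at net.core.rmem_max) and uses a throwaway AF_UNIX datagram socket as a stand-in for the netlink socket so it runs without root or NFQ. BURST_FACTOR, MAX_PKT_BYTES, QUEUE_LEN, RCVBUF_BYTES, request_rcvbuf and size_queue_rcvbuf are this example's own names; the MAX_PENDING value of 1024 in main is constructed for illustration.

```c
/* Added example, not Suricata or libnfnetlink code. Assumes Linux socket
 * semantics; names and the sample MAX_PENDING value are this example's own. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The patch's sizing rule, with every macro body parenthesised so it can be
 * used safely inside larger expressions. MAX_PKT_BYTES is an assumed
 * per-packet size (Ethernet MTU); it ignores the netlink header overhead. */
#define BURST_FACTOR 4u
#define MAX_PKT_BYTES 1500u
#define QUEUE_LEN(max_pending) (BURST_FACTOR * (max_pending))
#define RCVBUF_BYTES(max_pending) (MAX_PKT_BYTES * QUEUE_LEN(max_pending))

struct rcvbuf_result {
    unsigned int requested; /* bytes asked for */
    unsigned int effective; /* bytes the kernel reports after the request */
    int forced;             /* 1 if SO_RCVBUFFORCE (needs CAP_NET_ADMIN) took */
    int capped;             /* 1 if the kernel granted less than requested */
};

/* Same strategy as nfnl_rcvbufsiz(): try the privileged override, fall back
 * to the plain option, then read back what was actually granted.
 * Returns 0 on success, -1 if setsockopt/getsockopt failed. */
int request_rcvbuf(int fd, unsigned int want, struct rcvbuf_result *out)
{
    unsigned int got = 0;
    socklen_t len = sizeof(got);

    memset(out, 0, sizeof(*out));
    out->requested = want;

#ifdef SO_RCVBUFFORCE
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &want, sizeof(want)) == 0)
        out->forced = 1;
#endif
    if (!out->forced &&
        setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof(want)) < 0)
        return -1;

    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0)
        return -1;

    out->effective = got;
    /* Linux reports about twice the request when it was honoured (it counts
     * sk_buff overhead), so "less than asked for" is the reliable signal
     * that rmem_max clipped the request. */
    out->capped = got < want;
    return 0;
}

/* Size the buffer for max_pending packets on a fresh datagram socket (a
 * stand-in for the netlink socket) and report the outcome. */
int size_queue_rcvbuf(unsigned int max_pending, struct rcvbuf_result *out)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    int rc;

    if (fd < 0)
        return -1;
    rc = request_rcvbuf(fd, RCVBUF_BYTES(max_pending), out);
    close(fd);
    return rc;
}

int main(void)
{
    struct rcvbuf_result r;

    /* 1024 is a constructed MAX_PENDING value, not Suricata's setting. */
    if (size_queue_rcvbuf(1024u, &r) < 0) {
        perror("rcvbuf");
        return 1;
    }
    printf("queue length %u, requested %u bytes, effective %u bytes, "
           "forced=%d capped=%d\n",
           QUEUE_LEN(1024u), r.requested, r.effective, r.forced, r.capped);
    if (r.capped)
        fprintf(stderr, "warning: buffer clipped; raise net.core.rmem_max "
                        "or grant CAP_NET_ADMIN so SO_RCVBUFFORCE applies\n");
    return 0;
}
```

Run it as an ordinary user and the 6 MB request for 4096 queued packets is normally reported as capped, because the default rmem_max is far below it; run it with CAP_NET_ADMIN and `forced=1` appears with the full size granted. That read-back is exactly the check the patch omits when it ignores the value nfnl_rcvbufsiz() returns.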