[Oisf-users] [PATCH 1/2] nfq: improve error treatment
Eric Leblond
eric at regit.org
Wed Aug 17 17:36:04 UTC 2011
This patch improves error handling in NFQ. It adds error messages
to detect failures and issues a drop verdict if packet setup has
failed. This avoids leaving any "ghost" packet (one NFQ delivered but
Suricata never verdicted) queued in the kernel.
---
src/source-nfq.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/src/source-nfq.c b/src/source-nfq.c
index eba9763..4910005 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -247,6 +247,9 @@ int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data)
p->nfq_v.id = ntohl(ph->packet_id);
//p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol);
p->nfq_v.hw_protocol = ph->hw_protocol;
+ } else {
+ SCLogWarning(SC_ERR_NFQ_RECV, "Unable to get packet id");
+ return -1;
}
p->nfq_v.mark = nfq_get_nfmark(tb);
if (nfq_config.mode == NFQ_REPEAT_MODE) {
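Review bot: On the new failure path the function returns -1 before `p->nfq_v.id` is assigned, so a caller that tries to verdict the packet after this return has no valid packet id to do it with; the hunk's own warning text ("Unable to get packet id") confirms that the id is exactly what is missing here. Add a comment above the return making that contract explicit, e.g. `/* no nfqnl header: p->nfq_v.id is not set, caller cannot verdict this packet */`, and state in NFQSetupPkt's header comment that on -1 the nfq_v fields after the failing step are not initialized. Whether a stale id from a reused Packet could be sent back to the kernel depends on how Packet objects are recycled, which is not visible here. NFQSetupPkt starts before and continues past this hunk.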
@@ -320,6 +323,15 @@ static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
p->nfq_v.nfq_index = ntv->nfq_index;
ret = NFQSetupPkt(p, qh, (void *)nfa);
if (ret == -1) {
+ SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "NFQ setup failure");
+#ifdef HAVE_NFQ_SET_VERDICT2
+ ret = nfq_set_verdict2(t->qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);
+#else
+ ret = nfq_set_verdict(qh, p->nfq_v.id, NF_DROP, 0, NULL);
+#endif
+ if (ret < 0) {
+ SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict of ghost packet failed");
+ }
#ifdef COUNTERS
NFQQueueVars *nfq_q = NFQGetQueue(ntv->nfq_index);
nfq_q->errs++;
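Review bot: The two verdict branches do not use the same queue handle: the HAVE_NFQ_SET_VERDICT2 branch passes `t->qh` while the fallback passes the callback's own `qh` parameter, and `t` is not defined anywhere in this hunk, so the first branch presumably only compiles because of a name outside the hunk; use the parameter in both, `ret = nfq_set_verdict2(qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);`. The drop verdict also relies on `p->nfq_v.id`, which NFQSetupPkt leaves unset when it fails because the packet header could not be read, so the verdict may be issued for whatever id the (possibly reused) Packet last held rather than for the ghost packet; the verdict should only be attempted when the id is known, and the case where no id exists should be reported separately. Note that `ret` is overwritten by the verdict result here, so any later code in NFQCallBack that still tests `ret` for the setup failure would see the verdict status instead; a separate local such as `int vret` keeps the two meanings apart. NFQCallBack starts before and continues past this hunk.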
--
1.7.5.4