[Oisf-users] [PATCH 1/2] nfq: improve error treatment

Eric Leblond eric at regit.org
Wed Aug 17 17:36:04 UTC 2011


This patch improves error handling in NFQ. It adds error messages so
that failures are visible, and issues a drop verdict when packet setup
has failed. This avoids leaving any ghost packet (one that was received
from NFQ but never verdicted) behind.
---
 src/source-nfq.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/src/source-nfq.c b/src/source-nfq.c
index eba9763..4910005 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -247,6 +247,9 @@ int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data)
         p->nfq_v.id = ntohl(ph->packet_id);
         //p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol);
         p->nfq_v.hw_protocol = ph->hw_protocol;
+    } else {
+        SCLogWarning(SC_ERR_NFQ_RECV, "Unable to get packet id");
+        return -1;
     }
     p->nfq_v.mark = nfq_get_nfmark(tb);
     if (nfq_config.mode == NFQ_REPEAT_MODE) {
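Review bot: The new `else` branch returns -1 with `p->nfq_v.id` untouched, and the caller (second hunk) then issues an NF_DROP verdict on exactly that field; if `p` is a recycled Packet, the verdict goes to a stale id from an earlier packet rather than to the one that could not be parsed. Consider clearing the field before bailing out, `p->nfq_v.id = 0;`, so the caller at least does not re-verdict a previous packet, and note in a comment that no packet id is available on this path. NFQSetupPkt starts before this hunk and continues after it, so I cannot see whether other -1 returns set the id first.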
@@ -320,6 +323,15 @@ static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
     p->nfq_v.nfq_index = ntv->nfq_index;
     ret = NFQSetupPkt(p, qh, (void *)nfa);
     if (ret == -1) {
+        SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "NFQ setup failure");
+#ifdef HAVE_NFQ_SET_VERDICT2
+        ret = nfq_set_verdict2(t->qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);
+#else
+        ret = nfq_set_verdict(qh, p->nfq_v.id, NF_DROP, 0, NULL);
+#endif
+        if (ret < 0) {
+            SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict of ghost packet failed");
+        }
 #ifdef COUNTERS
         NFQQueueVars *nfq_q = NFQGetQueue(ntv->nfq_index);
         nfq_q->errs++;
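Review bot: The two verdict branches disagree on the queue handle: the `HAVE_NFQ_SET_VERDICT2` path uses `t->qh` while the fallback uses the callback parameter `qh`; `t` is not visible in this hunk, so whichever it is, both branches should use the same handle, e.g. `ret = nfq_set_verdict2(qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);`. Both branches also verdict on `p->nfq_v.id`, which the first hunk shows is not set when `nfq_get_msg_packet_hdr` fails, so the drop may target a stale or zero id rather than the ghost packet; a comment acknowledging that the verdict is best-effort on that path would help the next reader. NFQCallBack continues past this hunk, so I cannot tell whether `p` is returned to its pool after the failure.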
-- 
1.7.5.4



