[Oisf-users] Packets stucked in Nfqueue when running inline

Fernando Ortiz fernando.ortiz.f at gmail.com
Thu Aug 18 17:11:43 UTC 2011 

I changed this:
*ret = nfq_set_verdict2(t->qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);*
to this:
*ret = nfq_set_verdict2(qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);*

It compiled. Is it ok ? :P

source-nfq.c:

static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data)
{
    NFQThreadVars *ntv = (NFQThreadVars *)data;
    ThreadVars *tv = ntv->tv;
    int ret;

.......

        SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "NFQ setup failure");
#ifdef HAVE_NFQ_SET_VERDICT2
      *  *ret = nfq_set_verdict2(qh, p->nfq_v.id, NF_DROP, 0, 0, NULL);**
#else
        ret = nfq_set_verdict(qh, p->nfq_v.id, NF_DROP, 0, NULL);
#endif
        if (ret < 0) {


2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>

> (Forgot to send this to the list too)
>
> All patches worked find. I got this error again, though
>
> source-nfq.c: In function âNFQCallBackâ:
> source-nfq.c:328:32: error: âtâ undeclared (first use in this function)
> source-nfq.c:328:32: note: each undeclared identifier is reported only once
> for each function it appears in
>
> Regards
>
> 2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>
>
>> All patches worked find. I got this error again, though
>>
>> source-nfq.c: In function âNFQCallBackâ:
>> source-nfq.c:328:32: error: âtâ undeclared (first use in this function)
>> source-nfq.c:328:32: note: each undeclared identifier is reported only
>> once for each function it appears in
>>
>>
>>
>> 2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>
>>
>>> Great! I will test this and keep you informed.
>>>
>>> Thanks
>>>
>>>
>>> 2011/8/18 Eric Leblond <eric at regit.org>
>>>
>>>> Hello,
>>>>
>>>> On Thu, 2011-08-18 at 10:32 -0500, Fernando Ortiz wrote:
>>>> > I had problems with both patches:
>>>>
>>>> Oups, at least 4 patches were missing on the way from origin/master to
>>>> this two patches.
>>>>
>>>> In attachement please find the result of a cherry-pick party of all my
>>>> commits on NFQ. They have been applied on origin/master and this should
>>>> thus apply easily on your side.
>>>>
>>>> BR,
>>>>
>>>> >
>>>> > Patch 1:
>>>> > patching file source-nfq.c
>>>> > Hunk #1 FAILED at 247.
>>>> > Hunk #2 FAILED at 320.
>>>> > 2 out of 2 hunks FAILED -- saving rejects to file source-nfq.c.rej
>>>> >
>>>> >
>>>> > Patch 2:
>>>> > patching file decode.h
>>>> > patching file source-ipfw.c
>>>> > Hunk #1 FAILED at 518.
>>>> > 1 out of 1 hunk FAILED -- saving rejects to file source-ipfw.c.rej
>>>> > patching file source-nfq.c
>>>> > Hunk #1 FAILED at 339.
>>>> > Hunk #2 FAILED at 918.
>>>> > 2 out of 2 hunks FAILED -- saving rejects to file source-nfq.c.rej
>>>> > patching file source-nfq.h
>>>> > patching file tmqh-packetpool.c
>>>> > Hunk #1 succeeded at 49 with fuzz 1.
>>>> > Hunk #2 FAILED at 159.
>>>> > Hunk #3 FAILED at 192.
>>>> > 2 out of 3 hunks FAILED -- saving rejects to file
>>>> > tmqh-packetpool.c.rej
>>>> >
>>>> >
>>>> > I manually edited the files. But still have problems in compilation.
>>>> > Specifically with patch 1
>>>> >
>>>> >
>>>> > source-nfq.c: In function âNFQCallBackâ:
>>>> > source-nfq.c:322:32: error: "t" undeclared (first use in this
>>>> > function)
>>>> > source-nfq.c:322:32: note: each undeclared identifier is reported only
>>>> > once for each function it appears in
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > source-nfq.c: In function "NFQSetVerdict":
>>>> > source-nfq.c:798:2: warning: âreturnâ with no value, in function
>>>> > returning non-void
>>>> >
>>>> >
>>>> > In my source-nfq.c I had this function declaration.
>>>> > void NFQSetVerdict(Packet *p) {
>>>> >
>>>> >
>>>> > But in the patch 2, it looks like that function returns TmEcode
>>>> > TmEcode NFQSetVerdict(Packet *p) {
>>>> >
>>>> >
>>>> > I changed it, as it was in the patch thus there is a warning because
>>>> > there is a void return in the code.
>>>> >
>>>> >
>>>> > TmEcode NFQSetVerdict(Packet *p) {
>>>> >     int iter = 0;
>>>> >     /* can't verdict a "fake" packet */
>>>> >     if (p->flags & PKT_PSEUDO_STREAM_END) {
>>>> >           return;
>>>> >     }
>>>> >
>>>> >
>>>> > I am working with the last repository in git. Could you give a hand
>>>> > please?
>>>> >
>>>> >
>>>> >
>>>> > 2011/8/17 Fernando Ortiz <fernando.ortiz.f at gmail.com>
>>>> >         Great! I will test both right now. Thank you.
>>>> >
>>>> >
>>>> >
>>>> >         2011/8/17 Eric Leblond <eric at regit.org>
>>>> >                 Hello again,
>>>> >
>>>> >                 On Wed, 2011-08-17 at 16:53 +0200, Eric Leblond wrote:
>>>> >                 > Hi again,
>>>> >                 >
>>>> >                 > On Wed, 2011-08-17 at 16:28 +0200, Eric Leblond
>>>> >                 wrote:
>>>> >                 > > Hello,
>>>> >                 > >
>>>> >                 > > On Tue, 2011-08-16 at 14:30 -0500, Fernando Ortiz
>>>> >                 wrote:
>>>> >                 > > > Sorry the late of the answer. I got a server to
>>>> >                 make more test in
>>>> >                 > > > production again.
>>>> >                 > >
>>>> >                 > > No problem, I was on holiday :P
>>>> >                 > >
>>>> >                 > > > I patched Suricata. I still have the same
>>>> >                 problem with packets stucked
>>>> >                 > >
>>>> >                 > > Bad news.
>>>> >                 > >
>>>> >                 > > If you have some time, could you test the attached
>>>> >                 patch.
>>>> >                 >
>>>> >                 > This is not necessary to test this patch: I've
>>>> >                 continued to study the
>>>> >                 > problem. There is an issue with the code pointed out
>>>> >                 by the patch but
>>>> >                 > this can not explain the problem.
>>>> >
>>>> >
>>>> >                 Two patches will follow this mail. The fist one
>>>> >                 improves the error
>>>> >                 handling in NFQ and suppress one of the potential
>>>> >                 source of ghost
>>>> >                 packets. The second one is more generic but it should
>>>> >                 fix one other
>>>> >                 potential source.
>>>> >
>>>> >                 Both patches display explicit message in log level
>>>> >                 warning. If something
>>>> >                 occurs, you will not missed it.
>>>> >
>>>> >                 BR,
>>>> >                 --
>>>> >
>>>> >                 Eric Leblond
>>>> >                 Blog: http://home.regit.org/
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>> --
>>>> Eric Leblond
>>>> Blog: http://home.regit.org/
>>>>
>>>
>>>
>>>
>>> --
>>> Fernando Ortiz
>>> Twitter: http://twitter.com/FernandOrtizF
>>>
>>>
>>
>>
>>
>> --
>> Fernando Ortiz
>> Twitter: http://twitter.com/FernandOrtizF
>>
>>
>
>
>
> --
> Fernando Ortiz
> Twitter: http://twitter.com/FernandOrtizF
>
>



-- 
Fernando Ortiz
Twitter: http://twitter.com/FernandOrtizF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110818/eabd9f73/attachment-0002.html>

More information about the Oisf-users mailing list