[Oisf-users] Packets stucked in Nfqueue when running inline

Eric Leblond eric at regit.org
Thu Aug 18 20:48:03 UTC 2011 

Hi,

On Thu, 2011-08-18 at 13:07 -0500, Fernando Ortiz wrote:
> These are some of the thousand warnings.
> 
> 
> [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x3dc33e0 has been outed without
> verdict, dropping it

Are you using something like gre or ppp tunel through the box ?

The message appears in the tunnel related code. I've introduced it in
the latest patch 'IPS: be sure to destroy packet when cleaning'. I don't
know well this part of the code. Suricata is using internally a
"pseudopacket" in two cases, tunnel or tcp stream reassembly in inline
mode. As the message is not systematic, it may be tcp stream related.

BR,

> [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 302469
> [27228] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x3e54f20 has been outed without
> verdict, dropping it
> [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 302485
> [27227] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x2e223c0 has been outed without
> verdict, dropping it
> [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 304279
> [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x37a94e0 has been outed without
> verdict, dropping it
> [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 304696
> [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x37c09e0 has been outed without
> verdict, dropping it
> [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 304699
> [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> (TmqhOutputPacketpool) -- Packet 0x3f2f800 has been outed without
> verdict, dropping it
> [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> issue verdict on 305025
> [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> -1: 0:Success
> 
> 
> Hope it helps. 
> 
> 2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>
>         Sure, I will test that patch right now. I have on question.
>         The warning says it is dropping packets.
>         
>         (TmqhOutputPacketpool) -- Packet 0x4baa760 has been outed
>         without verdict, dropping it
>         
>         
>         There are a lot of this messages. I am a little worried about
>         too many drops although nobody has complaint in the network.
>         Why exactly are these drops about?
>          
>         
>         
>         
>         2011/8/18 Eric Leblond <eric at regit.org>
>         
>                 Hi,
>                 
>                 On Thu, 2011-08-18 at 12:22 -0500, Fernando Ortiz
>                 wrote:
>                 > All right. Now it is compiled and running.
>                 >
>                 >
>                 > Got several of these messages
>                 >
>                 >
>                 > [19643] 18/8/2011 -- 12:07:11 -
>                 (tmqh-packetpool.c:165) <Info>
>                 > (TmqhOutputPacketpool) -- Packet 0x4baa760 has been
>                 outed without
>                 > verdict, dropping it
>                 > [19643] 18/8/2011 -- 12:07:11 - (source-nfq.c:929)
>                 <Warning>
>                 > (NFQSetVerdictRescue) -- [ERRCODE:
>                 UNKNOWN_ERROR(77)] - trying to
>                 > issue verdict on 55786
>                 > [19631] 18/8/2011 -- 12:07:11 - (source-nfq.c:698)
>                 <Warning>
>                 > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] -
>                 nfq_handle_packet error
>                 > -1
>                 
>                 
>                 Ouah sexy ! nfq_handle_packet is returning in error
>                 but the callback
>                 function has not crashed (no message from her).
>                 
>                 Could you try with the atached patch ? It could help
>                 to see what's going
>                 on.
>                 
>                 BR
>                 
>                 
>                 
> 
> 
> 
> 
> -- 
> Fernando Ortiz 
> Twitter: http://twitter.com/FernandOrtizF
>  

-- 
Eric Leblond 
Blog: http://home.regit.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110818/4bd443f2/attachment.sig>

More information about the Oisf-users mailing list