[Oisf-users] Packets stucked in Nfqueue when running inline

Fernando Ortiz fernando.ortiz.f at gmail.com
Thu Aug 18 21:47:46 UTC 2011 

Yes, but neither gre nor ppp (at least during these last tests, when I first
open this threat suricata was in another place where there was gre) Here
there are ip in ip tunnels.
Remember also that packets that I don't get stuck packets when I run only
one queue.

> As the message is not systematic, it may be tcp stream related.

I did not understand  the message is not systematic part. Could you explain
it a little please?

Also, the message logged says some packets are being dropped
>> (TmqhOutputPacketpool) -- Packet 0x3e54f20 has been outed without
verdict, dropping it

I checked the code, and I couldn't find any part where a packet gets
dropped.

2011/8/18 Eric Leblond <eric at regit.org>

> Hi,
>
> On Thu, 2011-08-18 at 13:07 -0500, Fernando Ortiz wrote:
> > These are some of the thousand warnings.
> >
> >
> > [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x3dc33e0 has been outed without
> > verdict, dropping it
>
> Are you using something like gre or ppp tunel through the box ?
>
> The message appears in the tunnel related code. I've introduced it in
> the latest patch 'IPS: be sure to destroy packet when cleaning'. I don't
> know well this part of the code. Suricata is using internally a
> "pseudopacket" in two cases, tunnel or tcp stream reassembly in inline
> mode. As the message is not systematic, it may be tcp stream related.
>
> BR,
>
> > [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 302469
> > [27228] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x3e54f20 has been outed without
> > verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 302485
> > [27227] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x2e223c0 has been outed without
> > verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 304279
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x37a94e0 has been outed without
> > verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 304696
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x37c09e0 has been outed without
> > verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 304699
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info>
> > (TmqhOutputPacketpool) -- Packet 0x3f2f800 has been outed without
> > verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning>
> > (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to
> > issue verdict on 305025
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning>
> > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error
> > -1: 0:Success
> >
> >
> > Hope it helps.
> >
> > 2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>
> >         Sure, I will test that patch right now. I have on question.
> >         The warning says it is dropping packets.
> >
> >         (TmqhOutputPacketpool) -- Packet 0x4baa760 has been outed
> >         without verdict, dropping it
> >
> >
> >         There are a lot of this messages. I am a little worried about
> >         too many drops although nobody has complaint in the network.
> >         Why exactly are these drops about?
> >
> >
> >
> >
> >         2011/8/18 Eric Leblond <eric at regit.org>
> >
> >                 Hi,
> >
> >                 On Thu, 2011-08-18 at 12:22 -0500, Fernando Ortiz
> >                 wrote:
> >                 > All right. Now it is compiled and running.
> >                 >
> >                 >
> >                 > Got several of these messages
> >                 >
> >                 >
> >                 > [19643] 18/8/2011 -- 12:07:11 -
> >                 (tmqh-packetpool.c:165) <Info>
> >                 > (TmqhOutputPacketpool) -- Packet 0x4baa760 has been
> >                 outed without
> >                 > verdict, dropping it
> >                 > [19643] 18/8/2011 -- 12:07:11 - (source-nfq.c:929)
> >                 <Warning>
> >                 > (NFQSetVerdictRescue) -- [ERRCODE:
> >                 UNKNOWN_ERROR(77)] - trying to
> >                 > issue verdict on 55786
> >                 > [19631] 18/8/2011 -- 12:07:11 - (source-nfq.c:698)
> >                 <Warning>
> >                 > (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] -
> >                 nfq_handle_packet error
> >                 > -1
> >
> >
> >                 Ouah sexy ! nfq_handle_packet is returning in error
> >                 but the callback
> >                 function has not crashed (no message from her).
> >
> >                 Could you try with the atached patch ? It could help
> >                 to see what's going
> >                 on.
> >
> >                 BR
> >
> >
> >
> >
> >
> >
> >
> > --
> > Fernando Ortiz
> > Twitter: http://twitter.com/FernandOrtizF
> >
>
> --
> Eric Leblond
> Blog: http://home.regit.org/
>



-- 
Fernando Ortiz
Twitter: http://twitter.com/FernandOrtizF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110818/22d17432/attachment-0002.html>

More information about the Oisf-users mailing list