[Oisf-users] Packets stuck in Nfqueue when running inline
Eric Leblond
eric at regit.org
Fri Aug 19 12:39:13 UTC 2011
Hi,
On Thu, 2011-08-18 at 16:47 -0500, Fernando Ortiz wrote:
> Yes, but neither gre nor ppp (at least during these last tests, when I
> first opened this thread suricata was in another place where there was
> gre). Here there are ip in ip tunnels.
Ok, from what I've seen in the code, ipip is not decoded and will not
trigger the creation of a pseudopacket.
> Remember also that I don't get stuck packets when I run only one queue.
Hmm, very good to point that out! This opens a new possibility, which is
that the thread treatment could trigger some packet inversion.
I've read on the thread that you have a 2.6.32 kernel. You can thus use
the --queue-balance option of iptables to queue the packets. The syntax
is simple:
iptables STANDARD_COMMAND -j NFQUEUE --queue-balance 0:3
This will queue all the packets of a given flow to the same queue. Thus
there is no possibility with that setup to have "artificial"
out-of-order packets.
Could you try that and tell me if there are still ghost packets?
> > As the message is not systematic, it may be tcp stream related.
>
>
> I did not understand the message is not systematic part. Could you
> explain it a little please?
There is some distance between the packet ids (which are almost
sequential). As traffic is almost always bursty in the case of a tunnel
we should see packets with close ids.
> Also, the message logged says some packets are being dropped
> >> (TmqhOutputPacketpool) -- Packet 0x3e54f20 has been outed without verdict, dropping it
>
>
> I checked the code, and I couldn't find any part where a packet gets
> dropped.
This is here:
+ SCLogInfo("Packet %p has been outed without verdict, dropping it", p);
+ p->action |= ACTION_DROP;
+ NFQSetVerdictRescue(p);
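Review bot: the drop path added here issues a verdict on every packet that reaches the packet pool without one, but the log excerpts further down show NFQSetVerdictRescue warning "trying to issue verdict on 302469" immediately after each of these "outed without verdict" messages, which is consistent with this path being hit for the pseudo-packets (tunnel or tcp stream reassembly) that the earlier mail says Suricata creates internally and that carry no nfqueue id of their own. Guard the two lines `p->action |= ACTION_DROP;` and `NFQSetVerdictRescue(p);` with a check that the packet is a real NFQ packet rather than a pseudo-packet, which is what the attached patch title "IPS mode: don't try to drop pseudo packets" points to; logging the event at Info level also hides a drop decision among routine output when it fires thousands of times.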
I attach to the mail a little patch over the previous series. It should
fix the annoying "outed" warning you saw.
BR,
>
>
> 2011/8/18 Eric Leblond <eric at regit.org>
> Hi,
>
> On Thu, 2011-08-18 at 13:07 -0500, Fernando Ortiz wrote:
> > These are some of the thousand warnings.
> >
> > [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x3dc33e0 has been outed without verdict, dropping it
>
>
> Are you using something like gre or ppp tunnel through the box ?
>
> The message appears in the tunnel related code. I've introduced it in
> the latest patch 'IPS: be sure to destroy packet when cleaning'. I don't
> know well this part of the code. Suricata is using internally a
> "pseudopacket" in two cases, tunnel or tcp stream reassembly in inline
> mode. As the message is not systematic, it may be tcp stream related.
>
> BR,
>
>
> > [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 302469
> > [27228] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:22 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x3e54f20 has been outed without verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:22 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 302485
> > [27227] 18/8/2011 -- 12:57:22 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x2e223c0 has been outed without verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 304279
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x37a94e0 has been outed without verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 304696
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x37c09e0 has been outed without verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 304699
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> > [27240] 18/8/2011 -- 12:57:23 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x3f2f800 has been outed without verdict, dropping it
> > [27240] 18/8/2011 -- 12:57:23 - (source-nfq.c:932) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 305025
> > [27228] 18/8/2011 -- 12:57:23 - (source-nfq.c:701) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1: 0:Success
> >
> > Hope it helps.
> >
> > 2011/8/18 Fernando Ortiz <fernando.ortiz.f at gmail.com>
> > Sure, I will test that patch right now. I have one question.
> > The warning says it is dropping packets.
> >
> > (TmqhOutputPacketpool) -- Packet 0x4baa760 has been outed without verdict, dropping it
> >
> > There are a lot of these messages. I am a little worried about
> > too many drops although nobody has complained in the network.
> > What exactly are these drops about?
> >
> > 2011/8/18 Eric Leblond <eric at regit.org>
> >
> > Hi,
> >
> > On Thu, 2011-08-18 at 12:22 -0500, Fernando Ortiz wrote:
> > > All right. Now it is compiled and running.
> > >
> > > Got several of these messages
> > >
> > > [19643] 18/8/2011 -- 12:07:11 - (tmqh-packetpool.c:165) <Info> (TmqhOutputPacketpool) -- Packet 0x4baa760 has been outed without verdict, dropping it
> > > [19643] 18/8/2011 -- 12:07:11 - (source-nfq.c:929) <Warning> (NFQSetVerdictRescue) -- [ERRCODE: UNKNOWN_ERROR(77)] - trying to issue verdict on 55786
> > > [19631] 18/8/2011 -- 12:07:11 - (source-nfq.c:698) <Warning> (NFQRecvPkt) -- [ERRCODE: UNKNOWN_ERROR(76)] - nfq_handle_packet error -1
> >
> > Ouah sexy ! nfq_handle_packet is returning in error but the callback
> > function has not crashed (no message from it).
> >
> > Could you try with the attached patch ? It could help to see what's
> > going on.
> >
> > BR
> >
> > --
> > Fernando Ortiz
> > Twitter: http://twitter.com/FernandOrtizF
> >
>
> --
> Eric Leblond
> Blog: http://home.regit.org/
>
> --
> Fernando Ortiz
> Twitter: http://twitter.com/FernandOrtizF
>
--
Eric Leblond
Blog: http://home.regit.org/
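The reasoning in the mail above, that spreading one flow's packets across several verdict queues served by threads of different speed can invert packet order while a per-flow queue assignment like `iptables -j NFQUEUE --queue-balance 0:3` cannot, can be shown with a small model. The following is an added example written for this archive page, not code from the thread, from Suricata or from iptables. It assumes a constructed two-flow traffic sample, a fixed per-queue service time per packet standing in for thread speed, and a SHA-256 of the 5-tuple standing in for the kernel's own flow hash (the real `--queue-balance` hashing is different; only its per-flow stability matters here).

```python
"""Model of why per-flow NFQUEUE balancing avoids artificial reordering.

Added example, not part of the mailing-list thread. It compares handing
sequential nfqueue packets to N queues round-robin (one flow spread over
several verdict threads) with keeping each flow on one queue, which is
what --queue-balance does conceptually.
"""
import hashlib


def constructed_traffic():
    """Constructed sample: two interleaved flows, nfq ids in arrival order.
    Each packet is (nfq_id, flow_key); flow_key is the 5-tuple in the
    assumed order (proto, src, sport, dst, dport)."""
    flow_a = ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80)
    flow_b = ("tcp", "10.0.0.3", 40001, "10.0.0.4", 443)
    pattern = [flow_a, flow_a, flow_b, flow_a, flow_a, flow_b, flow_a, flow_b]
    return [(i + 1, fk) for i, fk in enumerate(pattern)]


def flow_queue(flow_key, queue_start, nqueues):
    """Queue choice for a flow: a stable hash of the flow identity modulo
    the number of queues, offset by the first queue number. The SHA-256
    stand-in for the kernel's skb hash is an assumption of this model."""
    digest = hashlib.sha256(repr(flow_key).encode()).digest()
    return queue_start + int.from_bytes(digest[:4], "big") % nqueues


def dispatch_round_robin(packets, nqueues):
    """Per-packet distribution: consecutive packets go to different queues."""
    queues = [[] for _ in range(nqueues)]
    for idx, pkt in enumerate(packets):
        queues[idx % nqueues].append(pkt)
    return queues


def dispatch_flow_balanced(packets, nqueues):
    """Per-flow distribution: every packet of a flow lands on one queue."""
    queues = [[] for _ in range(nqueues)]
    for pkt in packets:
        queues[flow_queue(pkt[1], 0, nqueues)].append(pkt)
    return queues


def verdict_order(queues, service_time):
    """Each queue is drained FIFO by its own thread at its own speed.
    Return the packets in the order their verdicts reach the kernel."""
    done = []
    for q, pkts in enumerate(queues):
        for k, pkt in enumerate(pkts):
            done.append(((k + 1) * service_time[q], q, pkt))
    done.sort(key=lambda t: (t[0], t[1]))
    return [pkt for _, _, pkt in done]


def flow_inversions(order):
    """Return (flow_key, earlier_seen_id, later_id) for each place a flow's
    lower-numbered packet is verdicted after a higher-numbered one."""
    max_seen = {}
    inversions = []
    for nfq_id, fk in order:
        if nfq_id < max_seen.get(fk, 0):
            inversions.append((fk, max_seen[fk], nfq_id))
        else:
            max_seen[fk] = nfq_id
    return inversions


def compare(nqueues=2, service_time=(1, 3)):
    """Run both dispatch strategies over the sample and report inversions."""
    pk = constructed_traffic()
    rr = flow_inversions(verdict_order(dispatch_round_robin(pk, nqueues), service_time))
    fb = flow_inversions(verdict_order(dispatch_flow_balanced(pk, nqueues), service_time))
    return {"round_robin": rr, "flow_balanced": fb}


if __name__ == "__main__":
    for strategy, inv in compare().items():
        print(f"{strategy}: {len(inv)} in-flow inversion(s)")
        for fk, earlier, later in inv:
            print(f"  flow {fk}: id {later} verdicted after id {earlier}")
```

With two queues and the slower thread taking three times as long per packet, the round-robin split produces two in-flow inversions on this sample while the per-flow split produces none, whatever queue the hash picks for each flow; that is the "artificial" out-of-order condition the mail says `--queue-balance` rules out.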
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-IPS-mode-don-t-try-to-drop-pseudo-packets.patch
Type: text/x-patch
Size: 3996 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110819/19193281/attachment-0002.bin>