[Oisf-users] Packets stucked in Nfqueue when running inline

Dave Remien dave.remien at gmail.com
Fri Jul 1 01:33:01 UTC 2011 

On Thu, Jun 30, 2011 at 2:53 PM, Eric Leblond <eric at regit.org> wrote:

> Hi,
>
> Could you check by running Suricata with debug at warning level ?
>
> SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS
>
> Following a related discussion on netfilter-devel mailing list, it
> appears that the problem could be due to a verdict failure. The problem
> is that this case is detected and a message is displayed but only if
> WARN or more log level is set.
>
> I've tried to reproduce the problem here (single powerful laptop and I
> did not manage to make it).
>
>
How many CPUs, at a question? Lots??


> As suggested on Netfilter devel mailing list, I've modified the code to
> try to reissue verdict. I attach the patch to the mail. I've tested this
> patch and it seems to work fine (at least when the problem does not
> occur).
>
>
As it turns out, you can issue verdict on any packet in (or not in 8-) the
nfqueue. I once had code that issued verdict on hundreds of K packets going
backwards, in an attempt to clear the queue.  It'll be interesting to see if
the queue gets cleared with Eric's patch.

Cheers!

Dave


> Could you test it ?
>
> On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz wrote:
> >
> > 2011/6/21 Dave Remien <dave.remien at gmail.com>
> >         That's all new enough that the old "stuck packet" problem
> >         shouldn't be reappearing (was a problem up until about 2.6.21
> >         or 22).
> >
> >
> >         Could you try running two instances of Suricata, one on each
> >         queue, rather than a single instance on two queues?
> >
> >
> >
> >
> > I ran two instances of Suricata at a time packets were getting
> > stucked. I let them run for a quarter of hour,  zero packets stucked.
> >
> >
> > Just for be sure I load balanced traffic across 4 queues. I ran 3
> > instances of Suricata
> >
> >
> > suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
> > suricata -c /etc/suricata/suricata.yaml -q4 -D
> > suricata -c /etc/suricata/suricata.yaml -q3 -D
> >
> >
> > ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
> >     1   3147    37 2 65535     0     0   325684  1
> >     2  -4292    28 2 65535     0     0   325686  1
> >     3   3692     0 2 65535     0     0   112386  1
> >     4   3706     0 2 65535     0     0   112387  1
> >
> >
> > That was interesting.
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> --
> Eric Leblond
> Blog: http://home.regit.org/
>



-- 
"Of course, someone who knows more about this will correct me if I'm
wrong, and someone who knows less will correct me if I'm right."
David Palmer (palmer at tybalt.caltech.edu)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110630/63538ec3/attachment-0002.html>

More information about the Oisf-users mailing list