[Oisf-users] Packets stucked in Nfqueue when running inline

Eric Leblond eric at regit.org
Thu Jun 30 15:13:15 UTC 2011


Hi,

On Tue, 2011-06-21 at 10:35 +0200, Victor Julien wrote:
> On 06/21/2011 02:36 AM, Fernando Ortiz wrote:
> > Thank you so much for your suggestion.
> > 
> > I compiled the last revision from git. The same problem. I followed your
> > steps:
> > 
...
> > Q1->  Pkts accepted 166705, dropped 206, replaced 0
> > Q2->  Pkts accepted 166692, dropped 219, replaced 0
> > 
> > So, in Q1 166705 + 206 = 166911  = 166919 - 8
> > Same in Q2   166692 + 219 = 266911 = 166920 - 9
> > 
> > You are right, these 17 packets are not seen by suricata, therefore, no one
> > makes a verdict and they are stuck in the queues waiting for one.
> 
> It might still be a Suricata issue though. If Suricata reads a packet
> but somehow messes up before it counts a new packet you might get the
> above numbers.

It could be, but this will not explain why the kernel says some packets
have been forgotten (no decision taken on them). I've asked Fernando for his
ruleset to check if Dave's idea about tunneled packets could be involved.

> Both NFQCallBack and NFQSetupPkt should be reviewed
> carefully for their error behavior I think.

I agree on the careful review which has to be done.

BR,
-- 
Eric Leblond 
Blog: http://home.regit.org/
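The accounting discussed in this thread can be scripted. The following is an added example, not code from the thread or from Suricata: it compares Suricata's per-queue counters with the kernel's view in the layout of /proc/net/netfilter/nfnetlink_queue. Assumptions: the sample kernel lines are constructed, the thread's totals 166919 and 166920 are placed in the id_sequence column, and "Qn" is taken to mean kernel queue number n.

```python
import re

# Constructed sample in the layout of /proc/net/netfilter/nfnetlink_queue:
# queue_number peer_portid queue_total copy_mode copy_range
# queue_dropped user_dropped id_sequence
KERNEL_SAMPLE = """\
    1  4242     8 2 65535     0     0   166919  1
    2  4242     9 2 65535     0     0   166920  1
"""

# Per-queue counters as quoted in the thread.
SURICATA_SAMPLE = """\
Q1->  Pkts accepted 166705, dropped 206, replaced 0
Q2->  Pkts accepted 166692, dropped 219, replaced 0
"""

STAT_RE = re.compile(
    r"Q(\d+)->\s+Pkts accepted (\d+), dropped (\d+), replaced (\d+)")


def parse_kernel(text):
    """Return {queue: counters} from nfnetlink_queue-style lines."""
    queues = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue  # skip blank or malformed lines
        queues[int(f[0])] = {
            "waiting": int(f[2]),      # queue_total: packets awaiting a verdict
            "id_sequence": int(f[7]),  # id of the last packet put on the queue
        }
    return queues


def parse_suricata(text):
    """Return {queue: verdicts issued}, using the thread's accepted + dropped sum."""
    return {int(m[1]): int(m[2]) + int(m[3]) for m in STAT_RE.finditer(text)}


def reconcile(kernel, verdicts):
    """Per queue: packets still waiting, and ids with no verdict recorded."""
    return {q: {"waiting": k["waiting"],
                "unaccounted": k["id_sequence"] - verdicts.get(q, 0)}
            for q, k in kernel.items()}


if __name__ == "__main__":
    result = reconcile(parse_kernel(KERNEL_SAMPLE), parse_suricata(SURICATA_SAMPLE))
    for q, r in sorted(result.items()):
        print(f"queue {q}: waiting={r['waiting']} unaccounted={r['unaccounted']}")
```

A non-zero "waiting" value that matches "unaccounted" after traffic has stopped indicates packets that were queued but never received a verdict.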