* Fix filename in file header
* If the kernel or netlink socket becomes over loaded,
the kernel starts printing error messages like:
nf_queue: full at 1024 entries, dropping packets(s). Dropped: 1
nf_queue: full at 1024 entries, dropping packets(s). Dropped: 2
nf_queue: full at 1024 entries, dropping packets(s). Dropped: 3
So detect out of order packet ID's and set the NF_ACCEPT verdictÂ,
so they will be removed from the kernel queue.
* increase socket buffer to improve performance
without these changes sending more than 100 KB/s over tcp HTTP lo(localhost)
was difficult on my core2 duo machine, due to so many dropped packets.
After these changes over 150 MB/s was easy.
* improve help text
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Currently two attributes are regarded as different if they are absent in
both objects to be compared. This is obviously incorrect, change to
regard objects as different if an attribute is only present on one of
them or if the attribute data differs.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Rules don't have unique identifiers, so all attributes are compared
by initializing the ID mask to ~0. This doesn't work however since
nl_object_identical verifies whether the ID attributes are actually
present before comparing the objects, which is never the case.
Work around by using the intersection of present attributes when
comparing two rule objects.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Neighbour entries for the same destination may exist on multiple
interfaces. Include the interface in the ID attributes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
When resyncing a cache, there are no delete messages, so they need to
be synthesized for deleted objects.
Signed-off-by: Patrick McHardy <kaber@trash.net>
I've noticed a wrong behavior when setting up some delays in a netem
qdisc. I will try to make the things easier for the reader describing
the calls path.
To set up a delay (or jitter...) I use 'rtnl_netem_set_delay' which
requires an int parameter that tells the delay in micro seconds. Inside
this func, the delay is set up with the help of 'nl_us2ticks', which is
just an arithmetic operation (us * ticks_per_usec), where us is the
input parameter and ticks_per_usec is a global variable initialized in
'get_psched_settings'. And here is the problem:
If this variable is going to be calculated using '/proc/net/psched', I
think the file scan is not done properly.
I don't understand what the meaning of the asterisk is here:
int r = fscanf(fd, "%08x%08x%08x%*08x", &tick, &us, &nom);
if (4 == r && nom == 1000000 && !got_tick)
ticks_per_usec = (double)tick/(double)us;
The execution path never gets in the if statement, because r is always
3, and if the fourth parameter is read (avoiding the asterisk), there is
no variable to store it in, so it comes a segv. In my opinion we can get
rid of the if statement, because I think the proc psched file has always
a fixed format of 4 parameters, and 'nom' is always 1000000
(http://lxr.linux.no/#linux+v2.6.32/net/sched/sch_api.c#L1678).
Find attached a patch I did, if I am correct.
nfnl_queue_msg_send_verdict_payload() will to send the verdict, mark,
and possibly changed payload through the netlink socket.
Add a few docbook comments in other funcs.
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Create new function nl_send_iovec() to be used to send multiple 'struct iovec'
through the netlink socket. This will be used for NF_QUEUE, to send
packet payload of a modified packet.
Refactor nl_send() to use nl_send_iovec() sending a single struct iovec.
Create new function nl_auto_complete() by refactoring nl_send_auto_complete(),
so other functions that call nl_send may also use nl_auto_complete()
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
libnl-route must be handled before libnl-nf in lib_LTLIBRARIES since
the later depends on the former. Additionally nf-monitor, nl-list-caches,
nl-list-sockets and nl-util-addr have been dropped from the Makefile.
Signed-off-by: Patrick McHardy <kaber@trash.net>
addr_obj.ops.oo_id_attrs included ADDR_ATTR_PEER, so any address that
didn't have a peer address set would compare as unequal to itself,
meaning it could never be removed from a cache after it was added, etc.
I found the following bug, where nlmsg_ok() in lib/msg.c would
incorrectly return 'true' when the input argument 'remaining' was a negative
number. This happens when the message is not aligned the way that libnl
expects (although it is still legal).
In the comparison of the signed and unsigned numbers on line 284, the signed
number gets converted to an unsigned number, which is unexpected and
naturally produces a bug. My patch is below. The cast is ugly, but it
fixes the problem.
Issues solved:
* PACKAGE_VERSION was abused for SOVERSION
* unneeded DEP stage
* did not support out-of-tree builds
* no way to turn off silent mode
* overriding CFLAGS at make time was not supported
* no static libs were provided
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Current calculation is always off, not reflecting the right position
in the bitmap, which results in failures due to conflicts (detected at
the kernel level) when trying to open a new handle.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Instead of calling the membership functions several times it is
helpfull to extend the API and make the single group functions a
special case.
The value 0 (NFNLGRP_NONE) terminates this list.
Example use:
nl_socket_add_memberships(sock, group_1, group_2, 0);
nl_socket_drop_memberships(sock, group_1, group_2, 0);
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
commit e92539843a0c7e5116254382626cce226bf2135e
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Oct 23 13:46:16 2008 +0200
libnl: nfqueue: add nfqueue specific socket allocation function
nfqueue users usually send verdict messages from the receive callback.
When waiting for ACKs, the receive callback might be called again
recursively until the stack blows up.
Add a nfqueue specific socket allocation function that automatically
disables ACKing for the socket.
Signed-off-by: Patrick McHardy <kaber@trash.net>
