From d378220c96c3c8b6f27dca33e7d8ba03318f9c2d Mon Sep 17 00:00:00 2001 From: Karl Hiramoto Date: Thu, 18 Mar 2010 17:50:20 +0100 Subject: src/nf-queue.c: cleanup and improve performance of test program for NF_QUEUE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix filename in file header * If the kernel or netlink socket becomes over loaded, the kernel starts printing error messages like: nf_queue: full at 1024 entries, dropping packets(s). Dropped: 1 nf_queue: full at 1024 entries, dropping packets(s). Dropped: 2 nf_queue: full at 1024 entries, dropping packets(s). Dropped: 3 So detect out of order packet ID's and set the NF_ACCEPT verdictÂ, so they will be removed from the kernel queue. * increase socket buffer to improve performance without these changes sending more than 100 KB/s over tcp HTTP lo(localhost) was difficult on my core2 duo machine, due to so many dropped packets. After these changes over 150 MB/s was easy. * improve help text Signed-off-by: Karl Hiramoto --- src/nf-queue.c | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/src/nf-queue.c b/src/nf-queue.c index 5874688..3fb3c11 100644 --- a/src/nf-queue.c +++ b/src/nf-queue.c @@ -1,5 +1,5 @@ /* - * src/nf-log.c Monitor netfilter queue events + * src/nf-queue.c Monitor netfilter queue events * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -7,6 +7,7 @@ * of the License. * * Copyright (c) 2007, 2008 Patrick McHardy + * Copyright (c) 2010 Karl Hiramoto */ @@ -40,7 +41,31 @@ static void obj_input(struct nl_object *obj, void *arg) .dp_fd = stdout, .dp_dump_msgtype = 1, }; + uint32_t packet_id = nfnl_queue_msg_get_packetid(msg); + static uint32_t next_packet_id = 0; + struct nfnl_queue_msg *lost_msg = NULL; + uint8_t family; + uint16_t group; + + if (packet_id > next_packet_id) { + printf("Warning: %d Out of order packets. Queue or socket overload \n", packet_id - next_packet_id); + group = nfnl_queue_msg_get_group(msg); + family = nfnl_queue_msg_get_family(msg); + lost_msg = nfnl_queue_msg_alloc(); + + do { + nfnl_queue_msg_set_group(lost_msg, group); + nfnl_queue_msg_set_family(lost_msg, family); + nfnl_queue_msg_set_packetid(lost_msg, next_packet_id); + nfnl_queue_msg_set_verdict(lost_msg, NF_ACCEPT); + nfnl_queue_msg_send_verdict(nf_sock, lost_msg); + next_packet_id++; + } while (packet_id > next_packet_id); + + nfnl_queue_msg_put(lost_msg); + } + next_packet_id = packet_id + 1; nfnl_queue_msg_set_verdict(msg, NF_ACCEPT); nl_object_dump(obj, &dp); nfnl_queue_msg_send_verdict(nf_sock, msg); @@ -75,6 +100,9 @@ int main(int argc, char *argv[]) if ((argc > 1 && !strcasecmp(argv[1], "-h")) || argc < 3) { printf("Usage: nf-queue family group [ copy_mode ] " "[ copy_range ]\n"); + printf("family: [ inet | inet6 | ... ] \n"); + printf("group: the --queue-num arg that you gave to iptables\n"); + printf("copy_mode: [ none | meta | packet ] \n"); return 2; } @@ -113,6 +141,8 @@ int main(int argc, char *argv[]) nl_cli_connect(rt_sock, NETLINK_ROUTE); link_cache = nl_cli_link_alloc_cache(rt_sock); + nl_socket_set_buffer_size(nf_sock, 1024*127, 1024*127); + while (1) { fd_set rfds; int nffd, rtfd, maxfd, retval; -- cgit v0.12