[pve-devel] [PATCH firewall] make nfct_catch non-blocking

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 11 18:05:36 CET 2019


>>Do you have any additional information as to why it stopped? 

No, sorry.

>>Maybe we could increase the buffer size via nfnl_set_rcv_buffer_size by 
>>default and continue to ignore ENOBUFS? 

I'll try next week. Maybe doing strace on the process to have some clues? (It's crashing after 30min-1h)



----- Original Message -----
From: "David Limbeck" <d.limbeck at proxmox.com>
To: "aderumier" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Cc: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
Sent: Friday, 11 January 2019 16:53:10
Subject: Re: [pve-devel] [PATCH firewall] make nfct_catch non-blocking

Do you have any additional information as to why it stopped? 

Maybe we could increase the buffer size via nfnl_set_rcv_buffer_size by 
default and continue to ignore ENOBUFS? 

On 1/10/19 4:32 PM, Alexandre DERUMIER wrote: 
> Just tested, no difference. (but I don't see ENOBUFS since I have increased net.ipv4.tcp_rmem) 
> 
> But I have reproduced my new hang, 
> and it seems that the pvefw-logger process was not running anymore. (seems to be a crash, I don't see any out of memory). 
> 
> 
> ----- Original Message ----- 
> From: "Thomas Lamprecht" <t.lamprecht at proxmox.com> 
> To: "pve-devel" <pve-devel at pve.proxmox.com>, "David Limbeck" <d.limbeck at proxmox.com>, "Wolfgang Bumiller" <w.bumiller at proxmox.com> 
> Sent: Thursday, 10 January 2019 14:53:11 
> Subject: Re: [pve-devel] [PATCH firewall] make nfct_catch non-blocking 
> 
> On 1/10/19 1:51 PM, David Limbeck wrote: 
>> On 1/10/19 1:49 PM, Wolfgang Bumiller wrote: 
>>> On Thu, Jan 10, 2019 at 12:08:28PM +0100, David Limbeck wrote: 
>>>> nfct_catch blocks if the callback always returns NFCT_CB_CONTINUE. this 
>>>> works around the problem by setting the underlying file descriptor to 
>>>> O_NONBLOCK. this should allow the callback to run multiple times and 
>>>> catch as many events as possible before nfct_catch returns. 
>>>> 
>>>> Signed-off-by: David Limbeck <d.limbeck at proxmox.com> 
>>>> --- 
>>>> maybe this improves the ENOBUFS situation? it should result in equal or 
>>>> more messages though as the callback is run multiple times before 
>>>> nfct_catch returns. 
>>> I wouldn't expect a change in the ENOBUFS situation but rather just more 
>>> output happening which may have previously been lost from already-read 
>>> packet parts. 
>>> 
>>> @Alexandre, could you give this a try? 
>> For ENOBUFS we could try setting NETLINK_NO_ENOBUFS with setsockopt as mentioned by @Thomas. 
> together with NETLINK_BROADCAST_SEND_ERROR[0], ulogd uses this[1] too. 
> 
> [0]: https://patchwork.ozlabs.org/patch/24919/ (second b) bullet point) 
> [1]: https://git.netfilter.org/ulogd2/tree/input/flow/ulogd_inpflow_NFCT.c#n1322 
> 
> 
> 
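The socket options discussed in this thread (a larger receive buffer, NETLINK_NO_ENOBUFS, and O_NONBLOCK so a read loop can drain every queued event before returning), as an added example that is not part of the thread or of pve-firewall's code. It uses a raw netlink socket instead of libnetfilter_conntrack; the function names, `struct drain_stats` and the 1 MiB buffer size are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
struct drain_stats { int msgs; int overruns; };  /* hypothetical helper type */

/* Switch fd to non-blocking mode; 0 on success, -1 on error. */
int set_nonblocking(int fd)
{
    int fl = fcntl(fd, F_GETFL, 0);
    return fl < 0 ? -1 : fcntl(fd, F_SETFL, fl | O_NONBLOCK);
}

/* Larger receive buffer, no ENOBUFS reporting, non-blocking reads. */
int tune_netlink_fd(int fd, int rcvbuf)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(rcvbuf)) < 0 ||
        setsockopt(fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &on, sizeof(on)) < 0)
        return -1;
    return set_nonblocking(fd);
}

/* Read until empty; ENOBUFS (kernel dropped events) is counted, not fatal. */
int drain_events(int fd, struct drain_stats *st)
{
    char buf[8192];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n > 0) { st->msgs++; continue; }
        if (n == 0 || errno == EAGAIN || errno == EWOULDBLOCK) return 0;
        if (errno == ENOBUFS) { st->overruns++; continue; }
        if (errno != EINTR) return -1;
    }
}

int main(void)
{
    struct drain_stats st = {0, 0};
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0 || tune_netlink_fd(fd, 1 << 20) < 0) { perror("netlink"); return 1; }
    int rc = drain_events(fd, &st);   /* no group subscribed: queue is empty */
    printf("rc=%d msgs=%d overruns=%d\n", rc, st.msgs, st.overruns);
    return rc < 0;
}
```

Without O_NONBLOCK the `recv` in `drain_events` would block once the queue is empty instead of returning; the kernel may also cap the requested SO_RCVBUF at `net.core.rmem_max`.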



