bugzilla-daemon at netfilter.org
2013-Aug-02 08:50 UTC
[Bug 837] New: Large ICMP packets are lost
https://bugzilla.netfilter.org/show_bug.cgi?id=837

Summary: Large ICMP packets are lost
Product: libnetfilter_queue
Version: unspecified
Platform: x86_64
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: libnetfilter_queue
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: jutaky at gmail.com
Estimated Hours: 0.0

I discovered a problem with NFQUEUE and large ICMP packets. First I thought it was something in my packet processor implementation, but the example code from netfilter.org reproduces the issue I faced.

http://netfilter.org/projects/libnetfilter_queue/doxygen/nfqnl__test_8c_source.html

Compiled with:

    $ gcc nfqnl_test.c -o nfqnl_test -lnetfilter_queue

Test setup:

    # iptables -F
    # iptables -I INPUT -j NFQUEUE --queue-num 1
    # ./nfqnl_test

So far everything is ok. I can see packets flowing via the queue.

First a working large ICMP packet:

    $ ping -c 4 -s 3980 localhost
    PING localhost.localdomain (127.0.0.1) 3980(4008) bytes of data.
    3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.069 ms
    3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.078 ms
    3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.091 ms
    3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.083 ms

    --- localhost.localdomain ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 0.069/0.080/0.091/0.010 ms

And then the problematic size:

    $ ping -c 4 -s 3981 localhost
    PING localhost.localdomain (127.0.0.1) 3981(4009) bytes of data.

    --- localhost.localdomain ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3007ms

And verifying that such a large packet works without NFQUEUE:

    # iptables -F
    $ ping -c 4 -s 3981 localhost
    PING localhost.localdomain (127.0.0.1) 3981(4009) bytes of data.
    3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.028 ms
    3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.037 ms
    3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.031 ms
    3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.036 ms

    --- localhost.localdomain ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2997ms
    rtt min/avg/max/mdev = 0.028/0.033/0.037/0.003 ms

Am I doing something wrong?

Tested on Arch Linux 64bit with libnetfilter_queue 1.0.2.

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Aug-02 18:37 UTC
[Bug 837] Large ICMP packets are lost
https://bugzilla.netfilter.org/show_bug.cgi?id=837

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What       |Removed |Added
    ----------------------------------------------------------------------------
    Status     |NEW     |RESOLVED
    CC         |        |pablo at netfilter.org
    Resolution |        |WONTFIX

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-08-02 20:37:53 CEST ---

You may have to use a larger buffer to catch packets. Note that the example is using:

    char buf[4096] __attribute__ ((aligned));

That needs to be adapted to the maximum packet length you plan to catch; the maximum packet length supported by nfnetlink_queue is 65535 - 4.
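The buffer-size point from comment #1, as an added example that is not code from the report or from libnetfilter_queue: a datagram larger than the receive buffer is cut off, and `recvmsg()` reports it through `MSG_TRUNC`, which a receive loop can check before parsing. An `AF_UNIX` datagram socketpair stands in for the netlink socket so the example runs unprivileged; the 4100-byte message size and `NL_HEADROOM` are constructed values, and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define EXAMPLE_BUF     4096         /* buffer size used in nfqnl_test.c */
#define NFQ_MAX_PAYLOAD (65535 - 4)  /* limit quoted in comment #1 */
#define NL_HEADROOM     4096         /* assumption: room for netlink headers and attributes */

/* Buffer large enough for the biggest queued packet plus message overhead. */
size_t nfq_recv_buf_size(void)
{
    return NFQ_MAX_PAYLOAD + NL_HEADROOM;
}

/* Send one msg_len-byte datagram and receive it into a buf_len-byte buffer.
 * Returns 1 if the kernel truncated it, 0 if it arrived whole, -1 on error. */
int recv_truncated(size_t msg_len, size_t buf_len)
{
    int sv[2], result = -1;
    char *msg = calloc(1, msg_len);
    char *buf = malloc(buf_len);

    if (!msg || !buf || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        free(msg);
        free(buf);
        return -1;
    }
    struct iovec iov = { .iov_base = buf, .iov_len = buf_len };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };

    /* The excess bytes of an oversized datagram are discarded, not queued. */
    if (send(sv[0], msg, msg_len, 0) == (ssize_t)msg_len &&
        recvmsg(sv[1], &mh, 0) >= 0)
        result = (mh.msg_flags & MSG_TRUNC) ? 1 : 0;

    close(sv[0]);
    close(sv[1]);
    free(msg);
    free(buf);
    return result;
}

int main(void)
{
    printf("4096-byte msg, 4096-byte buf: truncated=%d\n", recv_truncated(4096, EXAMPLE_BUF));
    printf("4100-byte msg, 4096-byte buf: truncated=%d\n", recv_truncated(4100, EXAMPLE_BUF));
    printf("4100-byte msg, %zu-byte buf: truncated=%d\n",
           nfq_recv_buf_size(), recv_truncated(4100, nfq_recv_buf_size()));
    return 0;
}
```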