bugzilla-daemon at netfilter.org
2013-Aug-02 08:50 UTC
[Bug 837] New: Large ICMP packets are lost
https://bugzilla.netfilter.org/show_bug.cgi?id=837
Summary: Large ICMP packets are lost
Product: libnetfilter_queue
Version: unspecified
Platform: x86_64
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: libnetfilter_queue
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: jutaky at gmail.com
Estimated Hours: 0.0
I discovered a problem with NFQUEUE and large ICMP packets. First I
thought it was something in my packet processor implementation, but the
example code from netfilter.org reproduces the issue I faced.
http://netfilter.org/projects/libnetfilter_queue/doxygen/nfqnl__test_8c_source.html
Compiled with:
$ gcc nfqnl_test.c -o nfqnl_test -lnetfilter_queue
Test setup:
# iptables -F
# iptables -I INPUT -j NFQUEUE --queue-num 1
# ./nfqnl_test
So far everything is ok. I can see packets flowing via the queue.
First a working large ICMP packet:
$ ping -c 4 -s 3980 localhost
PING localhost.localdomain (127.0.0.1) 3980(4008) bytes of data.
3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.069 ms
3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.078 ms
3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.091 ms
3988 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.083 ms
--- localhost.localdomain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.069/0.080/0.091/0.010 ms
And then the problematic size:
$ ping -c 4 -s 3981 localhost
PING localhost.localdomain (127.0.0.1) 3981(4009) bytes of data.
--- localhost.localdomain ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3007ms
And verifying that such a large packet works without NFQUEUE:
# iptables -F
$ ping -c 4 -s 3981 localhost
PING localhost.localdomain (127.0.0.1) 3981(4009) bytes of data.
3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.028 ms
3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.037 ms
3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.031 ms
3989 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.036 ms
--- localhost.localdomain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.028/0.033/0.037/0.003 ms
Am I doing something wrong?
Tested on Arch Linux 64bit with libnetfilter_queue 1.0.2.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Aug-02 18:37 UTC
[Bug 837] Large ICMP packets are lost
https://bugzilla.netfilter.org/show_bug.cgi?id=837
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |pablo at netfilter.org
Resolution| |WONTFIX
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-08-02 20:37:53 CEST ---
You may have to use a larger buffer to catch packets. Note that the example is
using:
char buf[4096] __attribute__ ((aligned));
That needs to be adapted to the maximum packet length you plan to catch; the
maximum packet length supported by nfnetlink_queue is 65535 - 4.
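An added example, not part of the original thread or of the libnetfilter_queue sources: it shows the datagram truncation that the buffer-size advice in Comment #1 guards against, and how a receive loop can detect it through MSG_TRUNC instead of losing the message silently. An AF_UNIX datagram socketpair stands in for the nfnetlink_queue socket; the names recv_checked, message_truncated and BIG_BUF_LEN, and the 4096 bytes of headroom, are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define SAMPLE_BUF_LEN 4096            /* buffer size in nfqnl_test.c */
#define BIG_BUF_LEN (0xffff + 4096)    /* assumed headroom for netlink headers */

/* Receive one datagram; *truncated is set when it did not fit in buf. */
static ssize_t recv_checked(int fd, void *buf, size_t len, int *truncated)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    n = recvmsg(fd, &msg, 0);
    *truncated = n >= 0 && (msg.msg_flags & MSG_TRUNC) != 0;
    return n;
}

/* Send msg_len constructed bytes over a local datagram socketpair and read
 * them into a buf_len-byte buffer. Returns 1 if the message was truncated,
 * 0 if it arrived intact, -1 on error. */
int message_truncated(size_t msg_len, size_t buf_len)
{
    static char out[BIG_BUF_LEN], in[BIG_BUF_LEN];
    int sv[2], truncated = 0, result = -1;

    if (msg_len > sizeof(out) || buf_len > sizeof(in))
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    memset(out, 0xAB, msg_len);        /* constructed payload */
    if (send(sv[0], out, msg_len, 0) == (ssize_t)msg_len &&
        recv_checked(sv[1], in, buf_len, &truncated) >= 0)
        result = truncated;
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("4100 into 4096: %d\n", message_truncated(4100, SAMPLE_BUF_LEN));
    printf("4100 into big:  %d\n", message_truncated(4100, BIG_BUF_LEN));
    return 0;
}
```

In a real NFQUEUE reader the same MSG_TRUNC check belongs around the recv() call that feeds nfq_handle_packet(), so an undersized buffer is logged rather than showing up as unexplained packet loss.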