From febb3cceac1889fb6558b8ef40ac733072fdcd47 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 10 Sep 2012 13:17:24 +0200
Subject: conntrackd: cthelper: add QueueLen option

This patch adds the QueueLen option, that allows you to increase
the maximum number of packets waiting in the nfnetlink_queue to
receive a verdict from userspace.

Rising the default value (1024) is useful to avoid hitting the following
error message: "nf_queue: full at X entries, dropping packets(s)".

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/helper/conntrackd.conf | 13 +++++++++++++
 include/helper.h           |  1 +
 src/cthelper.c             |  6 ++++--
 src/read_config_lex.l      |  1 +
 src/read_config_yy.y       | 23 +++++++++++++++++++++--
 5 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 80f1f92..56f5162 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -14,6 +14,16 @@ Helper {
 		# the kernel.
 		#
 		QueueNum 0
+
+		#
+		# Maximum number of packets waiting in the queue to receive
+		# a verdict from user-space. Default is 1024.
+		#
+		# Rise value if you hit the following error message:
+		# "nf_queue: full at X entries, dropping packets(s)"
+		#
+		QueueLen 10240
+
 		#
 		# Set the Expectation policy for this helper.
 		#
@@ -30,6 +40,7 @@ Helper {
 	}
 	Type rpc inet tcp {
 		QueueNum 1
+		QueueLen 10240
 		Policy rpc {
 			ExpectMax 1
 			ExpectTimeout 300
@@ -37,6 +48,7 @@ Helper {
 	}
 	Type rpc inet udp {
 		QueueNum 2
+		QueueLen 10240
 		Policy rpc {
 			ExpectMax 1
 			ExpectTimeout 300
@@ -44,6 +56,7 @@ Helper {
 	}
 	Type tns inet tcp {
 		QueueNum 3
+		QueueLen 10240
 		Policy tns {
 			ExpectMax 1
 			ExpectTimeout 300
diff --git a/include/helper.h b/include/helper.h
index 329fd2d..9d96fb7 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -35,6 +35,7 @@ struct ctd_helper {
 struct ctd_helper_instance {
 	struct list_head	head;
 	uint32_t		queue_num;
+	uint32_t		queue_len;
 	uint16_t		l3proto;
 	uint8_t			l4proto;
 	struct ctd_helper	*helper;
diff --git a/src/cthelper.c b/src/cthelper.c
index c119869..307be96 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -353,8 +353,9 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
 	nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
 					NFCT_HELPER_STATUS_ENABLED);
 
-	dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d",
-		cur->helper->name, cur->queue_num);
+	dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d and "
+			 "queuelen=%d", cur->helper->name, cur->queue_num,
+			 cur->queue_len);
 
 	for (j=0; j<CTD_HELPER_POLICY_MAX; j++) {
 		struct nfct_helper_policy *p;
@@ -433,6 +434,7 @@ static int cthelper_nfqueue_setup(struct ctd_helper_instance *cur)
 	nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
 	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_CONNTRACK));
 	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(0xffffffff));
+	mnl_attr_put_u32(nlh, NFQA_CFG_QUEUE_MAXLEN, htonl(cur->queue_len));
 
 	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
 		dlog(LOG_ERR, "failed to send configuration");
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 31fa32e..bec2d81 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -144,6 +144,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "ErrorQueueLength"		{ return T_ERROR_QUEUE_LENGTH; }
 "Helper"			{ return T_HELPER; }
 "QueueNum"			{ return T_HELPER_QUEUE_NUM; }
+"QueueLen"			{ return T_HELPER_QUEUE_LEN; }
 "Policy"			{ return T_HELPER_POLICY; }
 "ExpectMax"			{ return T_HELPER_EXPECT_MAX; }
 "ExpectTimeout"			{ return T_HELPER_EXPECT_TIMEOUT; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index c9235d3..72a9654 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -56,6 +56,7 @@ struct stack symbol_stack;
 
 enum {
 	SYMBOL_HELPER_QUEUE_NUM,
+	SYMBOL_HELPER_QUEUE_LEN,
 	SYMBOL_HELPER_POLICY_EXPECT_ROOT,
 	SYMBOL_HELPER_EXPECT_POLICY_LEAF,
 };
@@ -86,8 +87,8 @@ enum {
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
 %token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
-%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_POLICY T_HELPER_EXPECT_MAX
-%token T_HELPER_EXPECT_TIMEOUT
+%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_QUEUE_LEN T_HELPER_POLICY
+%token T_HELPER_EXPECT_TIMEOUT T_HELPER_EXPECT_MAX
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -1639,6 +1640,13 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
 			stack_item_free(e);
 			break;
 		}
+		case SYMBOL_HELPER_QUEUE_LEN: {
+			int *qlen = (int *) &e->data;
+
+			helper_inst->queue_len = *qlen;
+			stack_item_free(e);
+			break;
+		}
 		case SYMBOL_HELPER_POLICY_EXPECT_ROOT: {
 			struct ctd_helper_policy *pol =
 				(struct ctd_helper_policy *) &e->data;
@@ -1696,6 +1704,17 @@ helper_type: T_HELPER_QUEUE_NUM T_NUMBER
 	stack_item_push(&symbol_stack, e);
 };
 
+helper_type: T_HELPER_QUEUE_LEN T_NUMBER
+{
+	int *qlen;
+	struct stack_item *e;
+
+	e = stack_item_alloc(SYMBOL_HELPER_QUEUE_LEN, sizeof(int));
+	qlen = (int *) e->data;
+	*qlen = $2;
+	stack_item_push(&symbol_stack, e);
+};
+
 helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
 {
 	struct stack_item *e;
-- 
cgit v1.2.3