From 51be576a303a485d707f132fe7d1a44c8bfd2e7b Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Mon, 11 Jan 2010 22:25:22 +0100
Subject: [PATCH] nfq: modify queue length computation logic
This patch modifies max queue length computation logic. The max queue length was set to MAX_PENDING which is the total number of packet processed simultaneously in suricata. This value is correct but this will not permit to take all burst effects into account (read sudden quantity of packet that arrives faster than suricata is enable to parse). Furthermore there is a delaying system when suricata gets overloaded which make necessary to have packet storable into kernel for some time. To improve this situation the patch increases the maximum queue length to NFQ_BURST_FACTOR (4) time the MAX_PENDING packet and it also increase the nfnetlink buffer size to be able to store all packets waiting for suricata in the netlink receive buffer.
---
src/source-nfq.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/source-nfq.c b/src/source-nfq.c
index 8e825fd85f..fddfbe3bbf 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -65,6 +65,10 @@ TmEcode NoNFQSupportExit(ThreadVars *tv, void *initdata, void **data)
 #else /* implied we do have NFQ support */
+#define NFQ_BURST_FACTOR 4
+#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING
+#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN
+
 /* shared vars for all for nfq queues and threads */
 static NFQGlobalVars nfq_g;
@@ -258,6 +262,9 @@ TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_m
 }
 #endif /* HAVE_NFQ_MAXLEN */
+ /* set netlink buffer size to a decent value */
+ nfnl_rcvbufsiz(nfq_nfnlh(nfq_t->h), NFQ_NF_BUFSIZE);
+
 nfq_t->nh = nfq_nfnlh(nfq_t->h);
 nfq_t->fd = nfnl_fd(nfq_t->nh);
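Review bot: The two derived macros in the first hunk are not parenthesized, so `NFQ_DFT_QUEUE_LEN` and `NFQ_NF_BUFSIZE` expand to bare products and will silently mis-evaluate the first time one of them is used next to a `/`, `%` or a unary operator; they should read `#define NFQ_DFT_QUEUE_LEN (NFQ_BURST_FACTOR * MAX_PENDING)` and `#define NFQ_NF_BUFSIZE (1500 * NFQ_DFT_QUEUE_LEN)`. The `1500` is also a magic number: it presumably stands for one MTU-sized packet, but the bytes actually queued per packet depend on the copy range configured for the queue plus netlink framing, so a one-line comment stating the assumption (and that the product must stay within the range `nfnl_rcvbufsiz` accepts for larger `MAX_PENDING`) would keep the next maintainer from treating it as exact.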
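Review bot: In the second hunk the result of `nfnl_rcvbufsiz()` is discarded, yet the kernel clamps a requested SO_RCVBUF at `net.core.rmem_max` unless the privileged force path succeeds, so the buffer can end up far smaller than `NFQ_NF_BUFSIZE` while the queue length was raised on the assumption that it holds `NFQ_DFT_QUEUE_LEN` packets; the resulting drops would surface later as unexplained packet loss rather than at init. I would keep the applied size and report it, e.g. `unsigned int rcvbuf = nfnl_rcvbufsiz(nfq_nfnlh(nfq_t->h), NFQ_NF_BUFSIZE);` followed by a log line through the file's SCLog helpers when `rcvbuf < NFQ_NF_BUFSIZE`, so an undersized buffer is visible to the operator. Minor: the call could also move below the existing `nfq_t->nh = nfq_nfnlh(nfq_t->h);` line and reuse `nfq_t->nh` instead of calling `nfq_nfnlh()` twice. NFQInitThread's body starts and ends outside the hunk.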
@@ -289,7 +296,7 @@ TmEcode ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) {
 * as we will need it in our callback function */
 ntv->tv = tv;
- int r = NFQInitThread(ntv,receive_queue_num,MAX_PENDING);
+ int r = NFQInitThread(ntv,receive_queue_num, NFQ_DFT_QUEUE_LEN);
 if (r < 0) {
 SCLogError(SC_NFQ_THREAD_INIT, "nfq thread failed to initialize");