[pve-devel] [PATCH firewall] log and ignore ENOBUFS in nfct_catch

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 9 16:57:22 CET 2019


OK, it correctly continues to work after the error message now.

But I still have a hang after that (after some seconds, or minutes).
Any error message in this case.


(This is a really busy server, I have around 400MB of logs for 10 minutes)

# cat /var/log/pve-firewall.log |grep -c NEW
1465965
# cat /var/log/pve-firewall.log |grep -c DESTROY
658931

Maybe it could be great to have an option like ulogd, to choose to log DESTROY or NEW or both.
Maybe also be able to add some src + dst filtering option. (If I want to filter internal->external traffic, for example.)


----- Original message -----
From: "David Limbeck" <d.limbeck at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 9 January 2019 15:32:10
Subject: [pve-devel] [PATCH firewall] log and ignore ENOBUFS in nfct_catch

nfct_catch sets ENOBUFS if not enough buffer space is available. log 
and continue operation instead of stopping. in addition log possible 
other errors set by nfct_catch 

Signed-off-by: David Limbeck <d.limbeck at proxmox.com> 
--- 
src/pvefw-logger.c | 8 ++++++-- 
1 file changed, 6 insertions(+), 2 deletions(-) 

diff --git a/src/pvefw-logger.c b/src/pvefw-logger.c 
index 9c6fe4a..f77f56f 100644 
--- a/src/pvefw-logger.c 
+++ b/src/pvefw-logger.c 
@@ -954,8 +954,12 @@ nfct_read_cb(GIOChannel *source, 
{ 
int res; 
if ((res = nfct_catch(nfcth)) < 0) { 
- log_status_message(3, "error catching nfct"); 
- return FALSE; 
+ if (errno == ENOBUFS) { 
+ log_status_message(3, "nfct_catch returned ENOBUFS: conntrack information may be incomplete"); 
+ } else { 
+ log_status_message(3, "error catching nfct: %s", strerror(errno)); 
+ return FALSE; 
+ } 
} 
return TRUE; 
} 
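
Review bot: the new ENOBUFS branch in nfct_read_cb has no bound on how often it logs: every call that hits ENOBUFS writes another level 3 line, so a socket that keeps overflowing turns the warning itself into extra log volume. Consider counting the occurrences and emitting a summary at an interval (for example "ENOBUFS seen N times since last report"), which also gives an operator a measure of how much conntrack data was lost instead of a bare "may be incomplete". The errno test relies on nfct_catch always setting errno when it returns < 0; a short comment stating that, and why it is safe to keep the watch active after ENOBUFS, would help the next reader.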
-- 
2.11.0 

