[pve-devel] [PATCH firewall] make nfct_catch non-blocking

David Limbeck d.limbeck at proxmox.com
Thu Jan 10 12:08:28 CET 2019


nfct_catch blocks if the callback always returns NFCT_CB_CONTINUE. This
works around the problem by setting the underlying file descriptor to
O_NONBLOCK, which should allow the callback to run multiple times and
catch as many events as possible before nfct_catch returns.

Signed-off-by: David Limbeck <d.limbeck at proxmox.com>
---
maybe this improves the ENOBUFS situation? it should result in equal or
more messages though as the callback is run multiple times before
nfct_catch returns.

 src/pvefw-logger.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pvefw-logger.c b/src/pvefw-logger.c
index f77f56f..89c9635 100644
--- a/src/pvefw-logger.c
+++ b/src/pvefw-logger.c
@@ -944,7 +944,7 @@ nfct_cb(const struct nlmsghdr *nlh,
 
     queue_log_entry(le);
 
-    return NFCT_CB_STOP;
+    return NFCT_CB_CONTINUE;
 }
 
 static gboolean
@@ -956,7 +956,7 @@ nfct_read_cb(GIOChannel *source,
     if ((res = nfct_catch(nfcth)) < 0) {
         if (errno == ENOBUFS) {
             log_status_message(3, "nfct_catch returned ENOBUFS: conntrack information may be incomplete");
-        } else {
+        } else if (errno != EAGAIN) {
             log_status_message(3, "error catching nfct: %s", strerror(errno));
             return FALSE;
         }
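Review bot: The new `else if (errno != EAGAIN)` on the second hunk treats only EAGAIN as the benign "nothing more to read" result of the now non-blocking socket, but the receive path may also report EWOULDBLOCK; on Linux the two are the same value, yet the condition is cheaper to read and portable if it names both: `} else if (errno != EAGAIN && errno != EWOULDBLOCK) {`. It is also worth a comment above that branch saying why a negative return is tolerated here, e.g. `/* nfct fd is O_NONBLOCK: EAGAIN just means the queue was drained */`, since a later reader of nfct_read_cb will not see the fcntl call in main. nfct_read_cb continues past the end of this hunk, so the value returned after the ENOBUFS branch is not visible here.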
@@ -1151,6 +1151,8 @@ main(int argc, char *argv[])
     if (conntrack) {
         nfct_callback_register2(nfcth, NFCT_T_NEW|NFCT_T_DESTROY, &nfct_cb, NULL);
         int nfctfd = nfct_fd(nfcth);
+        int status_flags = fcntl(nfctfd, F_GETFL);
+        fcntl(nfctfd, F_SETFL, status_flags | O_NONBLOCK);
         GIOChannel *nfct_ch = g_io_channel_unix_new(nfctfd);
         g_io_add_watch(nfct_ch, G_IO_IN, nfct_read_cb, NULL);
     }
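Review bot: Both fcntl() calls added in the third hunk ignore their return value; if F_GETFL fails, status_flags is -1 and `-1 | O_NONBLOCK` is passed to F_SETFL, and if either call fails the fd stays blocking, which by the commit message means nfct_catch will block the GLib main loop on the first burst of events with no diagnostic. The result should be checked and logged through the existing log_status_message() helper, and since the daemon cannot work correctly without O_NONBLOCK it is probably right to treat the failure as fatal using whatever error-exit path main already has (not visible in this hunk). Also confirm that `<fcntl.h>` is included in pvefw-logger.c; the hunk does not show the include block.
```c
        int nfctfd = nfct_fd(nfcth);
        int status_flags = fcntl(nfctfd, F_GETFL);
        if (status_flags == -1 ||
            fcntl(nfctfd, F_SETFL, status_flags | O_NONBLOCK) == -1) {
            log_status_message(3, "failed to set O_NONBLOCK on nfct fd: %s", strerror(errno));
            /* without O_NONBLOCK nfct_catch blocks the main loop: abort startup via main's existing error path */
        }
        GIOChannel *nfct_ch = g_io_channel_unix_new(nfctfd);
        /* … unchanged: g_io_add_watch … */
```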
-- 
2.11.0




