libnetfilter_queue large packets problem

Patrick McHardy kaber at
Fri Feb 24 06:16:19 CET 2006

Gregor Maier wrote:
> Hi,
> I think I encountered a problem when using libnetfilter_queue with
> packets larger than the recv buffer specified when recv()-ing from the
> socket of the queue.
> The kernel truncates(*) the packet delivered to userspace and thus
> nfnl_handle_packet() returns -1 (**), since there's a mismatch between
> the length of the buffer and the recorded length in struct nlmsghdr.
> This means that the callback function is never called and therefore we
> are never able to issue a verdict for the packet and the packet is stuck
> forever.

It seems libnetfilter_queue somehow must deal with errors reported to
the socket. I'm thinking of something like adding sequence numbers to
the queued packets and flushing all queued packets with sequence
numbers above the last successfully received one when an error is
reported. Alternatively we could use NLM_F_ACK and expect userspace
to acknowledge successfully received packets.
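An added C illustration of the failure mode described above, not code from the thread or from libnetfilter_queue: it shows the header-versus-received-length check that makes the library give up, and how a receiver can notice the kernel-side truncation itself through the MSG_TRUNC flag that recvmsg() sets. The datagram socketpair stands in for the nfnetlink socket and the header struct is a local mirror of the kernel's struct nlmsghdr layout, both assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Local mirror of the kernel's struct nlmsghdr layout (constructed here
 * so the example builds without <linux/netlink.h>). */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };

/* 1 if the bytes actually received cover the whole message the header
 * announces; 0 on the length mismatch that makes the library bail out. */
int nl_msg_complete(const unsigned char *buf, size_t got)
{
    struct nl_hdr h;
    if (got < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    return h.len >= sizeof h && got >= h.len;
}

/* recv() replacement: reports kernel-side truncation through *truncated
 * instead of silently handing back a short buffer. */
ssize_t recv_checked(int fd, void *buf, size_t len, int *truncated)
{
    struct iovec iov = { buf, len };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    ssize_t n = recvmsg(fd, &msg, 0);
    *truncated = (n >= 0) && (msg.msg_flags & MSG_TRUNC) != 0;
    return n;
}

/* Constructed reproduction: frame `payload` bytes behind a netlink-style
 * header, push it through a datagram socketpair standing in for the
 * nfnetlink socket, and read it back into a `bufsize` buffer. Returns 1 if
 * the truncation was detected, 0 if the message arrived whole, -1 on error. */
int demo_truncation(size_t payload, size_t bufsize)
{
    int sv[2], truncated, rc = -1;
    unsigned char out[2048], in[2048];
    struct nl_hdr h = { (uint32_t)(sizeof h + payload), 0, 0, 1, 0 };
    if (bufsize > sizeof in || h.len > sizeof out) return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0xAB, payload);   /* dummy packet contents */
    if (send(sv[0], out, h.len, 0) == (ssize_t)h.len) {
        ssize_t n = recv_checked(sv[1], in, bufsize, &truncated);
        if (n >= 0) rc = truncated || !nl_msg_complete(in, (size_t)n);
    }
    close(sv[0]); close(sv[1]);
    return rc;
}
```

A receiver that sees `truncated` set knows the verdict for that packet can still be issued (for example by re-reading with a larger buffer), rather than letting the packet sit in the queue.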

More information about the netfilter-devel mailing list