Hello,

On Thu, 2011-06-30 at 16:51 +0200, Patrick McHardy wrote:
> On 30.06.2011 16:32, Stephen Clark wrote:
> > On 06/30/2011 11:15 AM, Eric Dumazet wrote:
> >> On Thursday, 30 June 2011 at 13:59 +0200, Patrick McHardy wrote:
> >>
> >>
> >>> Thanks Eric, I agree. Give us data and we'll fix it if it really is a bug.
...
> >
> > So if you receive a -1 the proper recovery is to call nfq_set_verdict()
> > again?
>
> Look at errno to see what's happening. But yes, this indicates the
> verdict wasn't issued successfully, so you need to retransmit.

As the verdict failure is bound to occur at a time of high load, retransmission of the verdict (which is necessary) will not help the system to recover. Userspace has to deal with it, but it has another consequence, which is that userspace software may suffer in cases where successive failures occur.

In this scope, Florian's patch "netfilter: nfqueue: batch verdict support" could be really useful. It could be used by userspace to trigger a decision on all stuck packets. Issuing a massive ACCEPT could lead to dinosaur packets coming from ancient times, but it could be OK if batches occur often enough.

Is there a plan to accept it in mainstream?

BR,
--
Eric Leblond
Blog: http://home.regit.org/
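The recovery path discussed in this thread (a -1 from nfq_set_verdict(), inspect errno, retransmit, and fall back to a batch verdict for packets that stay stuck under load) as an added example in C. This is not code from the thread or from libnetfilter_queue: the verdict call is injected through a function pointer so the file builds without the library, the stub that fails with ENOBUFS is constructed for the demonstration, the retryable errno set and the NF_ACCEPT value are assumptions, and the batch-flush helper assumes a batch verdict call with the shape of nfq_set_verdict_batch (verdict applies to all queued packets with id up to the one given).

```c
/* Added example, not from the mailing-list thread or libnetfilter_queue. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define NF_ACCEPT 1      /* assumption: same value as linux/netfilter.h */
#define MAX_STUCK 64

/* Mirrors the contract of nfq_set_verdict(): >= 0 on success, -1 with errno
 * set on failure. With the real library, pass an adapter that calls
 * nfq_set_verdict(qh, id, verdict, 0, NULL). */
typedef int (*verdict_fn)(void *qh, uint32_t id, uint32_t verdict);
/* Assumed shape of a batch verdict call (cf. nfq_set_verdict_batch). */
typedef int (*batch_verdict_fn)(void *qh, uint32_t max_id, uint32_t verdict);

/* Packet ids whose verdict could not be delivered; revisited by flush_stuck(). */
struct stuck_list {
    uint32_t ids[MAX_STUCK];
    size_t n;
};

/* Returns 0 when the verdict was sent, 1 when retries were exhausted and the
 * id was parked on the stuck list, -1 on a non-retryable error. */
int verdict_with_retry(verdict_fn fn, void *qh, uint32_t id, uint32_t verdict,
                       int max_retries, struct stuck_list *stuck)
{
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        if (fn(qh, id, verdict) >= 0)
            return 0;
        switch (errno) {
        case EAGAIN:
        case ENOBUFS:
        case EINTR:
            continue;      /* transient congestion on the netlink socket */
        default:
            return -1;     /* e.g. EBADF: retrying cannot help */
        }
    }
    /* Sustained load: remember the id instead of dropping the packet on the floor. */
    if (stuck->n < MAX_STUCK)
        stuck->ids[stuck->n++] = id;
    return 1;
}

/* Issue one batch verdict covering every stuck id; returns the id used, or 0
 * if nothing was stuck. Older ids are covered by the batch as well, which is
 * the "dinosaur packet" trade-off the thread mentions. */
uint32_t flush_stuck(batch_verdict_fn fn, void *qh, uint32_t verdict,
                     struct stuck_list *stuck)
{
    if (stuck->n == 0)
        return 0;
    uint32_t max_id = stuck->ids[0];
    for (size_t i = 1; i < stuck->n; i++)
        if (stuck->ids[i] > max_id)
            max_id = stuck->ids[i];
    if (fn(qh, max_id, verdict) < 0)
        return 0;          /* leave the list intact for a later attempt */
    stuck->n = 0;
    return max_id;
}

/* Constructed stub standing in for nfq_set_verdict(): fails `failures_left`
 * times with `fail_errno`, then succeeds. */
static int stub_failures_left, stub_fail_errno, stub_calls;

int stub_verdict(void *qh, uint32_t id, uint32_t verdict)
{
    (void)qh; (void)id; (void)verdict;
    stub_calls++;
    if (stub_failures_left > 0) {
        stub_failures_left--;
        errno = stub_fail_errno;
        return -1;
    }
    return 0;
}

int stub_batch(void *qh, uint32_t max_id, uint32_t verdict)
{
    (void)qh; (void)max_id; (void)verdict;
    return 0;
}

int run_scenario(int failures, int fail_errno, int max_retries,
                 struct stuck_list *stuck)
{
    stub_failures_left = failures;
    stub_fail_errno = fail_errno;
    stub_calls = 0;
    return verdict_with_retry(stub_verdict, NULL, 42, NF_ACCEPT, max_retries, stuck);
}

int stub_call_count(void) { return stub_calls; }

int main(void)
{
    struct stuck_list stuck = { .n = 0 };
    printf("2 failures, 3 retries -> %d\n", run_scenario(2, ENOBUFS, 3, &stuck));
    printf("5 failures, 3 retries -> %d (stuck=%zu)\n",
           run_scenario(5, ENOBUFS, 3, &stuck), stuck.n);
    printf("batch flush covered id %u\n", flush_stuck(stub_batch, NULL, NF_ACCEPT, &stuck));
    return 0;
}
```

The retry loop alone only helps with a short burst; the stuck list plus flush_stuck() is what gives userspace the single decision over all pending packets that the batch verdict patch is meant to provide.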