Hi      
          
I am using nfct_query (libnetfilter_conntrack library) to get a connection from 
the conntrack table and then to update its connmark. This was working ok in a 
development environment, but when testing it in production with a lot of 
traffic, after around a minute, the daemon hangs on nfct_query and does not 
process any more data.      
          
Some background:      
- I am sending packets via NFLOG to the daemon (and setting a connmark 0x2/0x2)
- the daemon polls the NFLOG group and handles the packets via 
nflog_handle_packet      
- the callback registered with the nflog handle extracts the conntrack 
information from the packet header (L4 proto, src/dst ip, src/dst port)      
- an nf_conntrack pointer is created with this information      
- (calling another library which calls another callback)      
- if certain conditions are met      
-- register nfct callback -- nfct_callback_register(h, NFCT_T_ALL, 
my_nfct_callback, h)      
-- nfct_query with NFCT_Q_GET to get the conntrack connection based on the ct 
data      
-- (in the nfct callback) check the connmark of the connection and run nfct 
query with NFCT_Q_UPDATE to update the connmark of that same connection      

The nfct_handle is opened at the start of the daemon and closed via signal 
handling at termination.      

After placing some debug prints in the code, I discovered that at some point 
nfct_query for NFCT_Q_GET is called, but it never enters the callback function. 

Debugging with strace showed the following:      
...      
recvfrom(4,"$\0\0\0\2\0\0\0h\4IX\22(\0\0\0\0\0\0\304\0\0\0\0\1\5\0h\4IX"..., 
8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36      
sendto(4,"", 0, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0      
recvfrom(4,
--- and it hangs here.      

I am writing to this mailing list, hoping that somebody would have an idea how 
to proceed with debugging and what the issue might be. Obviously, it's the 
number of connections. But there must be a way to handle them for longer than a 
minute. Once it hangs, it never resumes.      

Please let me know if you need any further information or part of the code.     

Versions used:      
libnetfilter_conntrack - 1.0.4      
libnetfilter_log - 1.0.1      

Best regards      
Kirila
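
As an added example (not code from the post above, nor from libnetfilter_conntrack or libnfnetlink), here is a small decoder for the bytes strace printed in the last completed recvfrom() call. It reads them as a netlink message header in host byte order (assumed little-endian x86, as in the capture) and, for an NLMSG_ERROR message, extracts the error code and the echoed request header. Only the 32 bytes strace printed before the "..." are embedded, so the decoder has to cope with a capture that is shorter than the length field claims. The constants are redefined locally so the example builds without kernel headers.

```c
/* Added example: a decoder for the netlink bytes strace printed in the
 * recvfrom() above. Not code from the original post, libnetfilter_conntrack
 * or libnfnetlink. Assumptions: the capture is from a little-endian x86 host
 * (netlink headers are in host byte order), and only the 32 bytes strace
 * showed before "..." are available, although the length field says 36. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirrored from <linux/netlink.h> and <linux/netfilter/nfnetlink.h>,
 * redefined here so the example builds without kernel headers. */
#define NL_MSG_ERROR          0x2
#define NL_F_REQUEST          0x01
#define NL_F_ACK              0x04
#define NFNL_SUBSYS_CTNETLINK 1
#define IPCTNL_MSG_CT_NEW     0

/* The 32 bytes strace printed, transcribed from the strace line (a constructed
 * input for this example, not a new capture). */
static const uint8_t strace_capture[] = {
    0x24, 0x00, 0x00, 0x00,  /* nlmsg_len   = 36                     */
    0x02, 0x00, 0x00, 0x00,  /* nlmsg_type  = NLMSG_ERROR, flags = 0 */
    0x68, 0x04, 0x49, 0x58,  /* nlmsg_seq   = 0x58490468             */
    0x12, 0x28, 0x00, 0x00,  /* nlmsg_pid   = 10258                  */
    0x00, 0x00, 0x00, 0x00,  /* nlmsgerr.error = 0 (an ACK)          */
    0xc4, 0x00, 0x00, 0x00,  /* echoed request: nlmsg_len = 196      */
    0x00, 0x01, 0x05, 0x00,  /* type 0x0100, flags REQUEST|ACK       */
    0x68, 0x04, 0x49, 0x58,  /* seq 0x58490468; pid cut off by "..." */
};
static const size_t strace_capture_len = sizeof strace_capture;

struct nlhdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };

struct decoded {
    struct nlhdr outer;
    int is_error;       /* outer.type == NLMSG_ERROR                         */
    int32_t error;      /* nlmsgerr.error; 0 is the kernel's ACK             */
    int has_inner;      /* echoed request header (or its prefix) was present */
    int inner_complete; /* all 16 bytes of the echoed header were present    */
    struct nlhdr inner;
    int truncated;      /* capture is shorter than outer.len                 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a struct nlmsghdr prefix. Needs len/type/flags/seq (12 bytes); pid is
 * optional so a header cut short by strace's output limit can still be read. */
static int parse_hdr(const uint8_t *buf, size_t n, struct nlhdr *h, int *complete) {
    if (n < 12) return -1;
    h->len = rd32(buf); h->type = rd16(buf + 4); h->flags = rd16(buf + 6); h->seq = rd32(buf + 8);
    *complete = n >= 16;
    h->pid = *complete ? rd32(buf + 12) : 0;
    return 0;
}

/* Decode one netlink message from a (possibly truncated) byte buffer. */
int decode_netlink(const uint8_t *buf, size_t n, struct decoded *d) {
    int complete;
    memset(d, 0, sizeof *d);
    if (parse_hdr(buf, n, &d->outer, &complete) < 0 || !complete) return -1;
    d->truncated = d->outer.len > n;
    if (d->outer.type == NL_MSG_ERROR) {
        d->is_error = 1;
        if (n < 20) return -1;               /* error code itself is missing */
        d->error = (int32_t)rd32(buf + 16);
        if (parse_hdr(buf + 20, n - 20, &d->inner, &d->inner_complete) == 0) d->has_inner = 1;
    }
    return 0;
}

/* nfnetlink packs the subsystem id in the high byte of nlmsg_type and the
 * message type in the low byte. */
unsigned nfnl_subsys(uint16_t type) { return type >> 8; }
unsigned nfnl_msg(uint16_t type)    { return type & 0xff; }

int main(void) {
    struct decoded d;
    if (decode_netlink(strace_capture, strace_capture_len, &d) < 0) { puts("capture too short"); return 1; }
    printf("len=%u type=0x%x flags=0x%x seq=0x%x pid=%u%s\n", d.outer.len, d.outer.type,
           d.outer.flags, d.outer.seq, d.outer.pid, d.truncated ? " (capture truncated)" : "");
    if (d.is_error) {
        printf("NLMSG_ERROR error=%d (%s)\n", d.error, d.error == 0 ? "ACK" : "NACK");
        if (d.has_inner)
            printf("echoed request: len=%u subsys=%u msg=%u flags=0x%x seq=0x%x%s\n",
                   d.inner.len, nfnl_subsys(d.inner.type), nfnl_msg(d.inner.type),
                   d.inner.flags, d.inner.seq, d.inner_complete ? "" : " (pid cut off)");
    }
    return 0;
}
```

Run against the bytes from the strace line, the decoder reports a 36-byte NLMSG_ERROR with error 0, i.e. the kernel's ACK to portid 10258, echoing a 196-byte request of nfnetlink type 0x0100 (subsystem 1, ctnetlink; message 0, IPCTNL_MSG_CT_NEW) sent with NLM_F_REQUEST|NLM_F_ACK and sequence 0x58490468. That is the shape of a ctnetlink NEW request that asks for an ACK, which matches the connmark update step in the procedure above; it says nothing by itself about why the following recvfrom() never returns, but it tells you which request the last reply belonged to, which is what you want to compare against the sequence number of the NFCT_Q_GET that hangs.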
