This was very helpful. However, I think I'm not quite to the end of this path yet. I have the following rules in the mangle section of my iptables:

    iptables -t mangle -A PREROUTING -p tcp --dport 9999 -j NFQUEUE --queue-balance 0:1
    iptables -t mangle -A PREROUTING -p tcp --sport 9999 -j NFQUEUE --queue-balance 0:1

I create two threads. Each thread does a nfq_open. So far so good. Thread 1 has its nfq_handle and thread 2 has its nfq_handle. Thread 1 does a nfq_create_queue on queue 0, and thread 2 does a nfq_create_queue on queue 1. Each thread then opens a netlink handle. Each thread does this independently with the handle returned from nfq_open. Each thread gets an independent fd.

When I run, only one thread receives traffic (queue 0 on thread #1). I am using iperf -P 8, for example (8 simultaneous threads/connections).

Frankly, I must be missing something, since I don't see any relationship between the result of nfq_create_queue (which presumably binds to the queue number given in the second argument) and the file descriptor we get from nfnl_fd (unless there is a side effect of this routine to bind the queue ID to the nfq_handle!). I can sort of see how nfq_handle_packet will make that association (presumably the queue # is squirreled away in some piece of state and that finds the right callback, etc.). I think I've misunderstood the basic structure, especially with respect to what should be in a thread. Or perhaps my complete naivete on iptables means I've screwed up that configuration. So either I've set my stuff up wrong (you can see the code below), or the iptables stuff isn't really distributing the requests across queues, or some of both.

Details (including source):
http://www.spinics.net/lists/netfilter/msg54528.html
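A practitioner's first check for "only one queue receives traffic" is the kernel's own per-queue table, /proc/net/netfilter/nfnetlink_queue, rather than the iptables rule counters: `iptables -t mangle -L PREROUTING -v -n` only counts packets that hit the NFQUEUE rule, not which queue number they were sent to. Each line of that procfile is one queue, with columns queue_num, peer_portid, queue_total, copy_mode, copy_range, queue_dropped, user_dropped, id_sequence and a trailing 1; peer_portid is non-zero only while a userspace socket is bound to the queue, queue_total is the current depth, and id_sequence is the cumulative number of packets ever queued. The script below, an added example that is not part of the original post or its linked source, summarises that table and lists bound-but-idle queues; the sample lines are constructed (queue 0 busy, queue 1 bound but never fed), and the portid values are made up. One caveat worth knowing when reading the result: the kernel's `--queue-balance` hashes the IP source and destination addresses and the protocol number to pick a queue, not the TCP ports, so all iperf connections between the same two hosts land on the same queue no matter how many threads `-P` starts; later kernels offer `--queue-cpu-fanout` to spread by receiving CPU instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise /proc/net/netfilter/nfnetlink_queue
# to see which NFQUEUE numbers have a userspace listener and which ones actually receive packets.
# Column layout written by the kernel's nfnetlink_queue seq_show():
#   $1 queue_num  $2 peer_portid  $3 queue_total  $4 copy_mode  $5 copy_range
#   $6 queue_dropped  $7 user_dropped  $8 id_sequence  $9 (always 1)

# Constructed sample: queue 0 is bound (portid 4711) and has queued 1532 packets so far;
# queue 1 is bound by a second socket (portid 4712) but has never been handed a packet.
SAMPLE='    0   4711     0 2 65531     0     0     1532  1
    1   4712     0 2 65531     0     0        0  1'

# One human-readable line per queue, read from stdin.
summarize_queues() {
    awk '{
        bound = ($2 != 0) ? "bound" : "UNBOUND";
        printf "queue %d: %s peer=%d depth=%d dropped=%d user_dropped=%d seen=%d\n",
               $1, bound, $2, $3, $6, $7, $8
    }'
}

# Queue numbers that have a listener but have never received a packet (id_sequence == 0).
# A queue showing up here means the thread is bound fine and the *rule* never picked it.
idle_bound_queues() {
    awk '$2 != 0 && $8 == 0 { printf "%s ", $1 }' | sed 's/ $//'
}

# Queue numbers that have received at least one packet since the queue was created.
receiving_queues() {
    awk '$8 > 0 { printf "%s ", $1 }' | sed 's/ $//'
}

# Queue numbers that have no listener at all (peer_portid == 0): packets sent there are
# dropped or accepted according to the --queue-bypass setting, never delivered.
unbound_queues() {
    awk '$2 == 0 { printf "%s ", $1 }' | sed 's/ $//'
}

# Read the live table when running as root on a box with nfnetlink_queue loaded,
# otherwise fall back to the constructed sample so the script runs anywhere.
if [ -r /proc/net/netfilter/nfnetlink_queue ]; then
    summarize_queues < /proc/net/netfilter/nfnetlink_queue
else
    printf '%s\n' "$SAMPLE" | summarize_queues
fi
```

Run it while iperf is going: if both queues show up as bound but only one has a growing seen= counter, the threads and nfq_create_queue calls are fine and the distribution is decided on the kernel side by the hash described above; if a queue is missing or shows peer=0, that thread's bind did not take.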