extensions: NFQUEUE: Document queue-balance limitation

The range is not communicated as "min and max queue number", but "first
queue number and count" instead. With 16bits for each value, it is not
possible to balance between all 65536 possible queues. Although probably
never used in practice, point this detail out in man page and make the
parser complain instead of the cryptic "xt_NFQUEUE: number of total
queues is 0" emitted by the kernel module.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index fe5190789e306e65c0a8b54918fb89c59b8da500..ca6cdaf49703c775da081de83f59c6254ff90452 100644 (file)
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -64,7 +64,7 @@ static const struct xt_option_entry NFQUEUE_opts[] = {
        {.name = "queue-num", .id = O_QUEUE_NUM, .type = XTTYPE_UINT16,
         .flags = XTOPT_PUT, XTOPT_POINTER(s, queuenum),
         .excl = F_QUEUE_BALANCE},
-       {.name = "queue-balance", .id = O_QUEUE_BALANCE,
+       {.name = "queue-balance", .id = O_QUEUE_BALANCE, .max = UINT16_MAX - 1,
         .type = XTTYPE_UINT16RC, .excl = F_QUEUE_NUM},
        {.name = "queue-bypass", .id = O_QUEUE_BYPASS, .type = XTTYPE_NONE},
        {.name = "queue-cpu-fanout", .id = O_QUEUE_CPU_FANOUT,

diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 1bfb7b843587fb20f965bee4fb9c2454e0be96af..950b0d2412e589bdbbb47a67481b6ae6062e9d6d 100644 (file)
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -18,6 +18,8 @@ This specifies a range of queues to use. Packets are then balanced across the gi
 This is useful for multicore systems: start multiple instances of the userspace program on
 queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
 Packets belonging to the same connection are put into the same nfqueue.
+Due to implementation details, a lower range value of 0 limits the higher range
+value to 65534, i.e. one can only balance between at most 65535 queues.
 .PP
 .TP
 \fB\-\-queue\-bypass\fP

diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t
index b51b19fd435f719929649afc5ba304ec472a8f4f..5a2df6e7d00d04fadc4a70dd088a1b5b7aebcbf6 100644 (file)
--- a/extensions/libxt_NFQUEUE.t
+++ b/extensions/libxt_NFQUEUE.t
@@ -4,9 +4,8 @@
 -j NFQUEUE --queue-num 65535;=;OK
 -j NFQUEUE --queue-num 65536;;FAIL
 -j NFQUEUE --queue-num -1;;FAIL
-# it says "NFQUEUE: number of total queues is 0", overflow in NFQUEUE_parse_v1?
-# ERROR: cannot load: iptables -A INPUT -j NFQUEUE --queue-balance 0:65535
-# -j NFQUEUE --queue-balance 0:65535;=;OK
+-j NFQUEUE --queue-balance 0:65534;=;OK
+-j NFQUEUE --queue-balance 0:65535;;FAIL
 -j NFQUEUE --queue-balance 0:65536;;FAIL
 -j NFQUEUE --queue-balance -1:65535;;FAIL
 -j NFQUEUE --queue-num 10 --queue-bypass;=;OK