nfq: close the queue when leaving acquisition.

This patch adds a call to close the queue when the acquisition
loop is ending. This way the incoming packets will be accepted
during all the shutdown phase (if the queue-bypass option of
NFQUEUE is used). At the same time the currently processed packets
will be dropped but the time scale are different: suricata will
drop 20 ms of packets and the shutdown can take 0.5 seconds.

Patch based on an idea of Victor Julien.

diff --git a/src/source-nfq.c b/src/source-nfq.c
index ab22287e3ff1d0373a50bb5c9ce2f6cf688f0303..373842fc9608dde3f954658f19807830313d3def 100644 (file)
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -839,6 +839,12 @@ TmEcode ReceiveNFQLoop(ThreadVars *tv, void *data, void *slot)
 
     while(1) {
         if (suricata_ctl_flags != 0) {
+            NFQMutexLock(nq);
+            if (nq->qh) {
+                nfq_destroy_queue(nq->qh);
+                nq->qh = NULL;
+            }
+            NFQMutexUnlock(nq);
             break;
         }
         NFQRecvPkt(nq, ntv);