
error "netlink receive: no such file or directory"

Open aojea opened this issue 10 months ago • 6 comments

Thanks for this great project, really useful ... I'm happily using it for two kubernetes projects

https://github.com/kubernetes-sigs/kube-network-policies/ https://github.com/aojea/kindnet

The latter project also vendors the former.

I have an issue I'm puzzled with and trying to solve. I've implemented a dnscache using nfqueue: basically I send the packet to userspace, and if it is cached it drops the packet and I spoof the answer, and if there is any error or it is not cached, the packet is accepted and goes through.

The problem is that I started to see errors where the packets are dropped, https://github.com/aojea/kindnet/issues/158, "no such file or directory", which IIUIC is ENOENT, but I would not expect to have data loss.

The nftables rules are very simple; they just match DNS packets sent to some specific IPs from some predetermined range.

table inet kindnet-dnscache {
        set set-v4-nameservers {
                type ipv4_addr
                elements = { 1.1.1.1 }
        }

        set set-v6-nameservers {
                type ipv6_addr
                elements = { fd00::1 }
        }
        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                ip saddr 10.0.0.0/24 ip daddr @set-v4-nameservers udp dport 53 queue flags bypass to 103
                ip6 saddr 2001:db8::/112 ip6 daddr @set-v6-nameservers udp dport 53 queue flags bypass to 103
        }
        chain output {
                type filter hook output priority raw; policy accept;
                meta mark 0x0000006e udp sport 53 notrack
        }
}

I'd appreciate it if you have any thoughts or hints to try to solve that problem.

aojea avatar Jan 29 '25 09:01 aojea

Hey 👋 Glad to hear this package helps you.

Off the top of my head, I can't name a reason for ENOENT at this point. Maybe the queue is overloaded and elements in the queue are dropped? Would it be possible to track the packet IDs and look for jumps in the packet IDs for such cases?

The problem is that I started to see errors where the packets are dropped, [..], no such file or directory that IIUIC is ENOENT [..]

You mean, this issue happens only if you set a verdict for a packet?

florianl avatar Jan 29 '25 19:01 florianl
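One way to do the packet-ID gap check suggested above, as an added example that is not code from go-nfqueue or from either of the projects mentioned: a small tracker intended to be called once per delivered packet from the nfqueue hook with the packet's ID. It assumes the kernel hands out packet IDs from a per-queue 32-bit counter that increases by one per queued packet, so a jump larger than one between two consecutive callbacks means packets were queued but never reached userspace.

```go
package main

import (
	"fmt"
	"sync"
)

// IDTracker records the packet IDs seen from one nfqueue and reports gaps.
// Assumption: the kernel assigns each queued packet the next value of a
// per-queue 32-bit counter, so a skipped ID is a packet that was queued
// but never delivered (e.g. dropped because the queue was full).
type IDTracker struct {
	mu     sync.Mutex
	last   uint32
	seen   bool
	Missed uint64 // total number of IDs skipped so far
	Jumps  uint64 // number of times a gap was observed
}

// Observe takes the ID of a delivered packet and returns how many IDs were
// skipped since the previous packet (0 when none). Counter wrap-around at
// 2^32 is handled by unsigned subtraction; duplicates or reordered IDs
// (delta 0 or negative) are not counted as gaps.
func (t *IDTracker) Observe(id uint32) uint32 {
	t.mu.Lock()
	defer t.mu.Unlock()
	if !t.seen {
		t.seen, t.last = true, id
		return 0
	}
	delta := id - t.last // e.g. 0 - 0xFFFFFFFF == 1, so wrap is not a gap
	t.last = id
	if delta <= 1 || delta > 1<<31 { // <=1: in order; >2^31: treat as reorder
		return 0
	}
	missed := delta - 1
	t.Missed += uint64(missed)
	t.Jumps++
	return missed
}

func main() {
	// Constructed sample: IDs as they might arrive in the hook callback.
	var tr IDTracker
	for _, id := range []uint32{1, 2, 3, 7, 8, 20} {
		if n := tr.Observe(id); n > 0 {
			fmt.Printf("packet id %d: %d packets missing before it\n", id, n)
		}
	}
	fmt.Printf("total missed=%d jumps=%d\n", tr.Missed, tr.Jumps)
}
```

Logging a non-zero return next to the SetVerdict result for the same packet makes it possible to tell queue overload (gaps) apart from verdict failures (errors).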

I'm logging stats and there are no drops in kernel or user space: https://github.com/aojea/kindnet/pull/181#issuecomment-2621824979. The problem is that the packets are dropped; if it errors I expected the packet to go through, but I may be misunderstanding this ..

I wonder if the problem is that it takes too much to emit a verdict...

aojea avatar Jan 29 '25 21:01 aojea

Could you provide a minimal reproducible example?

florianl avatar Feb 01 '25 15:02 florianl

I see them in the CI jobs I have, https://github.com/aojea/kindnet/actions/runs/13032434599, but that is a very complex environment; it is a kubernetes cluster with multiple applications running ... I can try to get a reproducer or more info. Do you have any suggestion for instrumentation I can add for when it fails, so we can have more information?

aojea avatar Feb 01 '25 16:02 aojea

Can you check and log the returned error for d.nfq.SetVerdict()? I'm wondering if this reveals more information.

florianl avatar Feb 01 '25 20:02 florianl

Can you check and log the returned error for d.nfq.SetVerdict()? I'm wondering if this reveals more information.

No luck, there are no errors setting the verdict.

aojea avatar Feb 02 '25 18:02 aojea

Will reopen if there’s progress

aojea avatar Oct 27 '25 22:10 aojea