[PATCH 1/2] NFQUEUE: Fix bug with order of fanout and bypass

NFQUEUE had a bug with the ordering of the fanout and bypass options, which
was arising due to the same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of the fanout option
whenever it was used before bypass, because then flags would be 1.

Before this patch,

$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass

After this patch,

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout

Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939

Suggested-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
---
 extensions/libxt_NFQUEUE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 8115457..0b5becc 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -99,7 +99,7 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
 	NFQUEUE_parse_v1(cb);
 	switch (cb->entry->id) {
 	case O_QUEUE_BYPASS:
-		info->bypass = 1;
+		info->bypass |= NFQ_FLAG_BYPASS;
 		break;
 	}
 }
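Review bot: the only changed line, `info->bypass |= NFQ_FLAG_BYPASS;`, turns `bypass` from a boolean into a bitmask that is OR-ed together with the other flag bits, but the hunk does not show why the old `info->bypass = 1;` clobbered the fanout bit; a one-line comment at this assignment stating that the `bypass` member shares the same flags word the cpu-fanout option writes (which is what the commit message's "same and odd values for flags and bypass" is describing) would make the `|=` self-explanatory to the next reader. Since the field is now a bitmask, also worth confirming that the print and save paths in this file test `info->bypass & NFQ_FLAG_BYPASS` rather than comparing against `1`, otherwise the rule listing would stop showing `bypass` once another flag is set.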
-- 
1.9.1
