In: /usr/src/kernels/2.6.9-5.EL-i686/.config
I find:
   CONFIG_IP_NF_QUEUE=m
where other items have "=y" instead of "=m".
Might this be related to my problem?
Do I have to recompile the kernel?

Thanks,
Mike.
--
Michael D. Berger
m.d.berger@xxxxxxxx

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Michael D. Berger
> Sent: Saturday, May 07, 2005 2:44 PM
> To: netfilter
> Subject: QUEUE problem on RH-E-WS-4
>
>
> Using RH-E-WS-4 that has kernel kernel-2.6.9-5.EL,
> all freshly installed, I downloaded and installed
> iptables-1.3.1 using the install script shown below.
>
> I wrote the simple test program below, following
> man libipq.
>
> When I run it, and then send pings from another
> box, the program prints "started", and nothing
> else, indicating that the ipq_read never returns.
> The pings get no response. I note that if I
> change QUEUE to ACCEPT in the iptables -A, the
> pings respond appropriately.
>
> Advice would be much appreciated.
>
> Mike.
>
> --
> Michael D. Berger
> m.d.berger@xxxxxxxx
> --
>
> *** install script ***
>
> make KERNEL_DIR=/usr/src BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/share/man
> make install KERNEL_DIR=/usr/src BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/share/man install
> make install KERNEL_DIR=/usr/src BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/share/man install-devel
>
> *** start sequence ***
>
> modprobe iptable_filter
> modprobe ip_queue
> iptables -A OUTPUT -p icmp -j QUEUE
> netqueue # the name of my program
>
> *** iptables-save output ***
>
> # Generated by iptables-save v1.2.11 on Sat May 7 14:03:44 2005
> *filter
> :INPUT ACCEPT [30:6804]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [46:5164]
> -A OUTPUT -p icmp -j QUEUE
> COMMIT
> # Completed on Sat May 7 14:03:44 2005
>
> *** code ***
>
> // netqueue.c 05/07/05
>
> #include <linux/netfilter.h>
> #include <libipq.h>
> #include <stdio.h>
> #include <stdlib.h>   // exit()
>
> #define BUFSIZE 2048
>
> static void die (struct ipq_handle *hand)
> {
>    ipq_perror("passer");
>    ipq_destroy_handle(hand);
>    exit(1);
> }
>
> int main(int argc, char* argv[])
> {
>    int status;
>    unsigned char buf[BUFSIZE];
>    struct ipq_handle* ipqHand;
>
>    ipqHand = ipq_create_handle(0,PF_INET);
>
>    if (ipqHand == 0)
>       die(ipqHand);
>
>    int cnt = 0;
>    while (cnt++ < 3)
>    {
>       fprintf(stderr,"started\n");
>       status = ipq_read(ipqHand,buf,BUFSIZE,0);
>       fprintf(stderr,"read\n");
>
>       if (status < 0)
>          die(ipqHand);
>
>       switch(ipq_message_type(buf))
>       {
>          case NLMSG_ERROR:
>             fprintf(stderr,"Error msg: %s\n",ipq_get_msgerr(buf));
>             break;
>
>          default:
>          {
>             ipq_packet_msg_t* msg = ipq_get_packet(buf);
>             fprintf (stderr,"Type = %d\n",ipq_message_type(buf));
>             status = ipq_set_verdict(ipqHand,msg->packet_id,
>                                      NF_ACCEPT,0,NULL);
>             if (status < 0)
>                die(ipqHand);
>          }
>       };
>    }
>
>    ipq_destroy_handle(ipqHand);
>    return 0;
> }
>
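
A diagnostic sketch for the two things this thread asks about, added here as an example and not part of the original messages: it classifies a `.config` symbol (`=m` is a loadable module, which is what `modprobe ip_queue` loads; `=y` is built in) and reads `/proc/net/ip_queue` to see whether any userspace process has registered with the queue. The function names and sample texts are constructed; the `/proc/net/ip_queue` layout is assumed to be that of the 2.6-era `ip_queue` module.

```shell
#!/bin/sh
# Constructed sample of a kernel .config fragment (not from the poster's machine).
SAMPLE_CONFIG='CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_QUEUE=m
# CONFIG_IP_NF_ARPTABLES is not set'

# Constructed samples of /proc/net/ip_queue: no listener, then a bound listener.
SAMPLE_IDLE='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024'
SAMPLE_BOUND='Peer PID          : 4242
Copy mode         : 2
Copy range        : 2048
Queue length      : 0
Queue max. length : 1024'

# kconfig_state SYMBOL: .config text on stdin -> builtin | module | unset
kconfig_state() {
    awk -v sym="$1" -F= '
        $1 == sym && $2 == "y" { state = "builtin" }
        $1 == sym && $2 == "m" { state = "module" }
        END { print (state == "" ? "unset" : state) }'
}

# ipq_listener: /proc/net/ip_queue text on stdin -> "none" or the peer PID.
# Peer PID 0 or copy mode 0 (IPQ_COPY_NONE) means no process has registered;
# libipq registers the caller with ip_queue through ipq_set_mode().
ipq_listener() {
    awk -F' *: *' '
        $1 == "Peer PID"  { pid = $2 + 0 }
        $1 == "Copy mode" { mode = $2 + 0 }
        END { if (pid == 0 || mode == 0) print "none"; else print pid }'
}

# Demo on the constructed samples; on a live 2.6 box, feed the real files:
#   kconfig_state CONFIG_IP_NF_QUEUE < /usr/src/kernels/<version>/.config
#   ipq_listener < /proc/net/ip_queue
echo "CONFIG_IP_NF_QUEUE: $(printf '%s\n' "$SAMPLE_CONFIG" | kconfig_state CONFIG_IP_NF_QUEUE)"
echo "idle queue listener:  $(printf '%s\n' "$SAMPLE_IDLE" | ipq_listener)"
echo "bound queue listener: $(printf '%s\n' "$SAMPLE_BOUND" | ipq_listener)"
```

A result of `module` together with a successful `modprobe ip_queue` means no kernel rebuild is needed for the QUEUE target; a listener of `none` while the program is running means the kernel has nowhere to deliver queued packets.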