Hello,

On Wednesday 19 November 2008 at 20:28 +0100, sriliam wrote:
> Hi all,
>
> Some days ago, I presented a question and I was oriented to NFQUEUE.
> Ok ... but how does it work ?
> I said : "~# iptables -I INPUT -j NFQUEUE".
>
> So, I suppose that I will have all packets of INPUT filter table playing
> with NFQUEUE : am I wrong ?

No.

> Next, I rely this to some example programs in order to ACCEPT the
> packet, like from net-perl-bindings : I made a network mirror like.

You can give a try to some high level binding if you want:
http://software.inl.fr/trac/wiki/nfqueue-bindings

> Questions :
>
> First, not all packets get through NFQUEUE : with perl and more
> dramatically with C too.

It looks like a problem in your program, a project like snort-inline is
able to handle all traffic.

> Second, not all packets get the policy ACCEPT, so my browser doesn't get
> images ... but only text, perfectly indeed. Is there a way to get ACCEPT
> on a handler that has no length ?

Same remark. Do you use a call like:
nfq_set_verdict(hndl, PACKETID, DECISION, 0 , NULL)

> If someone knows about this, I would be happy to read a HowTo.

The libnetfilter_queue.c has recently been documented:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=blob;f=src/libnetfilter_queue.c

This is with nufw or snort-inline code, the only doc I know.

BR,
-- 
Eric Leblond <eric@xxxxxx>
INL