Re: Only the "first" netfilter_queue process receives the packets?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

Le mercredi 04 mai 2011 à 16:13 -0400, brian.adamson@xxxxxxxxxxxx a
écrit :
> Hello,
> 
> I have created an app that is now using netfilter_queue to get packets from iptables (the app used ipqueue previously).
> 
> The first instance of the app installs an OUTPUT chain rule like:
> 
> target		prot	opt	source			destination
> NFQUEUE	all	--	anywhere	BASE-ADDRESS.MCAST.NET/4 NFQUEUE num 1
> 
> and it receives the packets fine and sets an NF_ACCEPT verdict and the packets go merrily along their way ...
> 
> BUT, when I launch a second instance of the app which installs the same rule but with a _different_ --queue-num,:
> 
> arget		prot	opt	source			destination
> NFQUEUE	all	--	anywhere	BASE-ADDRESS.MCAST.NET/4 NFQUEUE num 2
> 
> The second instance doesn't see any packets _until_ the first instance of the app exits.
> 
> However, if I set up each app to filter for a different set of destination addresses, then each instance does receive its exclusive matching packet sets.
> 
> Is this just a limitation of how iptables works or is there something additional I need to do so that two different process can each get the same packets?

This is the way it should work: when a verdict is issued by userspace
the packet is accepted or dropped and leave the current chain (INPUT in
your case).

If you want to chain the packet, you've got to explicitely tell
Netfilter during the verdict.
to be precise: the verdict is a 32bit integer. The first 16 bit are used
for the verdict and the 16 remaining to indicate on which queue number
to reroute the packet.

If you want to route from 1 to 2 you have to do:
	next_queue = 2 << 16;
	verdict = ((uint32_t) NF_QUEUE) | nfq_config.next_queue;
	ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict ...

This system is implemented in the IDS/IPS suricata. You can have a look
at the source-nfq.c file. The variable to look for is next_queue:
https://redmine.openinfosecfoundation.org/projects/suricata/repository/entry/src/source-nfq.c?rev=master#L215

BR,
--
Eric Leblond <eric@xxxxxxxxx>

Attachment: signature.asc
Description: This is a digitally signed message part

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux