I have netfilter queues set up more-or-less like the Doxygen pages describe:

    nfq_open();
    // nfq_bind_pf( h, AF_INET ); -- commented out
    nfq_create_queue( ... );
    nfq_set_mode( q, NFQNL_COPY_PACKET, 0xffff );
    nfq_fd( h );
    ...read from fd...
    nfq_handle_packet( h, buffer, bytes_read );

And my callback is doing a hex dump of the payload and calling nfq_set_verdict(...);

All is well, but I'm only seeing IPv4+TCP packets. I have a few related questions:

1) Is there another API I must call to see all traffic?
2) ...or are my iptables rules the likely culprit?
3) Some web pages say nfq_bind_pf() is ignored, is that true?

The rules I'm currently using to get traffic to flow to my queues:

    iptables --table filter --new-chain MYQ
    iptables --table filter --append MYQ --jump NFQUEUE \
        --queue-balance 0:3 --queue-bypass
    iptables --table nat --append POSTROUTING \
        --source 10.0.1.0/24 --out-interface eth0 \
        --jump MASQUERADE
    iptables --table filter --append FORWARD --jump MYQ

I had more elaborate rules, but I simplified it to these for testing. I'm just trying to get all traffic forwarded by this device to go through the netfilter queues.

Thanks for any pointers.

Stéphane
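
Added example, not part of the original post: a bounds-checked classifier the callback described above could run on each payload next to the hex dump, to record exactly which IP version and transport protocol each queued packet carries. It assumes the buffer starts at the IP header (as the payload returned by nfq_get_payload() does); struct l3_info, classify_payload(), proto_name() and the sample packet are hypothetical names and data constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example. */
struct l3_info {
    int version;      /* 4, 6, or 0 if unrecognised or truncated */
    int l4_proto;     /* IANA protocol number, -1 if unknown */
    size_t l4_offset; /* offset of the transport header in the payload */
};

/* Classify a payload that starts at the IP header; every read is bounds-checked. */
static struct l3_info classify_payload(const uint8_t *p, size_t len)
{
    struct l3_info r = { 0, -1, 0 };
    int v = len ? p[0] >> 4 : 0;
    if (v == 4) {
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if (ihl < 20 || len < ihl)
            return r;              /* malformed or truncated IPv4 header */
        r.version = 4;
        r.l4_proto = p[9];
        r.l4_offset = ihl;
    } else if (v == 6 && len >= 40) {
        r.version = 6;
        r.l4_proto = p[6];         /* next header; extension headers are not walked */
        r.l4_offset = 40;
    }
    return r;
}

static const char *proto_name(int p)
{
    return p == 6 ? "TCP" : p == 17 ? "UDP" : p == 1 ? "ICMP" : p == 58 ? "ICMPv6" : "other";
}

/* Constructed sample: IPv4 header (checksum left zero), protocol 17, plus 8 zero bytes. */
static const uint8_t sample_udp4[] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x01,0x05, 0xc0,0x00,0x02,0x01, 0,0,0,0,0,0,0,0 };

int main(void)
{
    struct l3_info i = classify_payload(sample_udp4, sizeof sample_udp4);
    printf("IPv%d %s, L4 at offset %zu\n", i.version, proto_name(i.l4_proto), i.l4_offset);
    return 0;
}
```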