On Fri, Jan 16, 2015 at 10:04 PM, Stéphane Charette <stephanecharette@xxxxxxxxx> wrote:
> I have netfilter queues set up more-or-less like the Doxygen pages describe:
>
> nfq_open();
> // nfq_bind_pf( h, AF_INET ); -- commented out
> nfq_create_queue( ... );
> nfq_set_mode( q, NFQNL_COPY_PACKET, 0xffff );
> nfq_fd( h );
> ...read from fd...
> nfq_handle_packet( h, buffer, bytes_read );
>
> And my callback is doing a hex dump of the payload and calling
> nfq_set_verdict(...);
>
> All is well, but I'm only seeing IPv4+TCP packets. I have a few
> related questions:
>
> 1) Is there another API I must call to see all traffic?
> 2) ...or are my iptables rules the likely culprit?
> 3) Some web pages say nfq_bind_pf() is ignored, is that true?
>
> The rules I'm currently using to get traffic to flow to my queues:
>
> iptables --table filter --new-chain MYQ
> iptables --table filter --append MYQ --jump NFQUEUE \
>     --queue-balance 0:3 --queue-bypass
>
> iptables --table nat --append POSTROUTING \
>     --source 10.0.1.0/24 --out-interface eth0 \
>     --jump MASQUERADE
>
> iptables --table filter --append FORWARD --jump MYQ
>
> I had more elaborate rules, but I simplified it to these for testing.
> I'm just trying to get all traffic forwarded by this device to go
> through the netfilter queues.
>
> Thanks for any pointers.
>

I probably should have included version numbers of what I'm using:

dpkg -l | egrep "iptables|netfilter|linux-generic"
ii  iptables                       1.4.21-2ubuntu1
ii  libnetfilter-conntrack3:amd64  1.0.4-1
ii  libnetfilter-queue-dev         1.0.2-2
ii  libnetfilter-queue1            1.0.2-2
ii  libxtables10                   1.4.21-2ubuntu1
ii  linux-generic                  3.16.0.29.30

Stephane
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
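Added example, not code from the message above nor from libnetfilter_queue itself: the classification step a queue callback can run on the raw IP packet that nfq_get_payload() returns in NFQNL_COPY_PACKET mode, so that a tally of IP version and transport protocol replaces guessing which traffic actually reaches the queue. The pkt_summary type, summarize_packet(), hexdump() and the sample packets are constructed for this example (addresses from the documentation ranges); in a real callback the summary would be printed next to the hex dump before nfq_set_verdict() is called.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */

/* Classification of one packet handed to an NFQUEUE callback.
 * Hypothetical type for this example; not part of libnetfilter_queue. */
typedef struct {
    int ip_version;       /* 4 or 6; 0 when the buffer is empty */
    int l4_proto;         /* IPPROTO_* of the header after IP, -1 if not determinable */
    unsigned src_port;    /* filled only for TCP and UDP, otherwise 0 */
    unsigned dst_port;
} pkt_summary;

/* Hex dump in the style a queue callback would print: offset plus 16 bytes per line. */
void hexdump(const unsigned char *data, size_t len)
{
    for (size_t off = 0; off < len; off += 16) {
        printf("%04zx ", off);
        for (size_t i = off; i < off + 16 && i < len; i++)
            printf(" %02x", data[i]);
        putchar('\n');
    }
}

/* Inspect the raw IP packet the kernel copied to user space.  Returns 0 on
 * success and -1 when the buffer is shorter than the header it claims to
 * carry or the version nibble is neither 4 nor 6.  IPv6 extension headers
 * are not walked: for them l4_proto reports the first next-header value. */
int summarize_packet(const unsigned char *data, size_t len, pkt_summary *out)
{
    size_t l4_off;
    out->ip_version = 0;
    out->l4_proto = -1;
    out->src_port = out->dst_port = 0;
    if (len < 1)
        return -1;
    out->ip_version = data[0] >> 4;
    if (out->ip_version == 4) {
        size_t ihl = (size_t)(data[0] & 0x0f) * 4;   /* IPv4 header length in bytes */
        if (ihl < 20 || len < ihl)
            return -1;                                /* truncated or malformed header */
        out->l4_proto = data[9];                      /* protocol field */
        l4_off = ihl;
    } else if (out->ip_version == 6) {
        if (len < 40)
            return -1;                                /* fixed IPv6 header is 40 bytes */
        out->l4_proto = data[6];                      /* next header field */
        l4_off = 40;
    } else {
        return -1;
    }
    /* TCP and UDP both begin with 16-bit source and destination ports. */
    if ((out->l4_proto == IPPROTO_TCP || out->l4_proto == IPPROTO_UDP) &&
        len >= l4_off + 4) {
        out->src_port = ((unsigned)data[l4_off] << 8) | data[l4_off + 1];
        out->dst_port = ((unsigned)data[l4_off + 2] << 8) | data[l4_off + 3];
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const unsigned char SAMPLE_V4_TCP[] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,   /* IPv4, protocol 6 (TCP) */
    10,0,1,5,  192,0,2,1,                                            /* 10.0.1.5 -> 192.0.2.1 */
    0x30,0x39, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 /* TCP 12345 -> 443, SYN */
};
const unsigned char SAMPLE_V4_UDP[] = {
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x40,0x00, 0x40,0x11,0x00,0x00,   /* IPv4, protocol 17 (UDP) */
    10,0,1,5,  192,0,2,53,
    0xc0,0x00, 0x00,0x35, 0x00,0x08, 0x00,0x00                       /* UDP 49152 -> 53 */
};
const unsigned char SAMPLE_V6_UDP[] = {
    0x60,0x00,0x00,0x00, 0x00,0x08,0x11,0x40,                        /* IPv6, next header 17 (UDP) */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,                     /* 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,                     /* 2001:db8::2 */
    0xc0,0x00, 0x00,0x35, 0x00,0x08, 0x00,0x00                       /* UDP 49152 -> 53 */
};
/* IPv4 header claiming 20 bytes but cut off after 12: must be rejected. */
const unsigned char SAMPLE_TRUNCATED[] = {
    0x45,0x00,0x00,0x28, 0x00,0x03,0x40,0x00, 0x40,0x06,0x00,0x00
};

int main(void)
{
    const struct { const char *name; const unsigned char *p; size_t n; } samples[] = {
        { "ipv4/tcp",  SAMPLE_V4_TCP,    sizeof SAMPLE_V4_TCP },
        { "ipv4/udp",  SAMPLE_V4_UDP,    sizeof SAMPLE_V4_UDP },
        { "ipv6/udp",  SAMPLE_V6_UDP,    sizeof SAMPLE_V6_UDP },
        { "truncated", SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pkt_summary s;
        printf("== %s (%zu bytes)\n", samples[i].name, samples[i].n);
        hexdump(samples[i].p, samples[i].n);
        if (summarize_packet(samples[i].p, samples[i].n, &s) == 0)
            printf("   IPv%d proto %d ports %u -> %u\n",
                   s.ip_version, s.l4_proto, s.src_port, s.dst_port);
        else
            printf("   rejected (truncated or unknown IP version)\n");
    }
    return 0;
}
```

Two points to check against the rules quoted above when the tally shows only one kind of traffic: iptables programs the IPv4 tables only, so IPv6 packets never reach NFQUEUE unless equivalent ip6tables rules exist; and --queue-balance 0:3 spreads flows over queue numbers 0 to 3, so the program must call nfq_create_queue() for each of those four numbers, otherwise, because of --queue-bypass, packets hashed to an unbound queue are accepted without ever being delivered to the callback.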