Re: nftables: bridge filter with queue to userspace

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:

[ CC Bernhard ]

> On Thu, Oct 29, 2015 at 10:23:44PM +0100, Martin Gröger wrote:
> > I'm trying to build a transparent filter with application level filtering.
> > First experiment with ip and output hook and queue to userspace was
> > successful. Then I changed to bridge filtering with forward hook. With
> > counter action I see that the packets match the rule, but the queue to the
> > userspace doesn't work.
> > 
> > Am I right, that this function should work?

nfqueue backend only works with NFPROTO_IPV4 and _IPV6 at the moment,
i.e. nft ip and nft ip6, or via bridge_netfilter hack (which 'pushes'
packets through ipv4/ipv6 netfilter hooks).

> Florian told me he will come up sooner or later with native queue
> support for nft (ie. no bridge_netfilter required anymore).

Argh.  I'm a moron and forgot about this.

I still have the q&d hack that makes it work but no reroute (re-bridge,
cough) support, just dump-to-userspace.

Bernhard, did you have time to work on this?

If not, I think I can make time available soon since the other work
(nft bridge conntrack, nf netns hook stuff) is delayed at the moment
anyways.
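The two setups the thread contrasts, written out as an added example (this is not Martin's or Florian's configuration): a bridge-family ruleset, whose counter matches but whose queue expression does not hand packets to userspace on a kernel without native bridge nfqueue support, next to the ip-family ruleset that does work once bridged frames are pushed through the IPv4 hooks by br_netfilter. The bridge name br0, the queue number 0 and the sysctl keys are assumptions for illustration; the apply step needs root and a kernel/nft of the era discussed.

```shell
#!/bin/sh
# Added example, not taken from the thread. Assumes a bridge named br0 and
# nfqueue number 0 (both assumptions). The --apply path must run as root.

BRIDGE=br0
QNUM=0

# Bridge-family ruleset: the counter proves packets hit the rule, but on
# the kernels discussed the queue expression has no effect, because nfqueue
# only accepts NFPROTO_IPV4/IPV6 packets.
ruleset_bridge() {
    cat <<EOF
table bridge filter {
    chain forward {
        type filter hook forward priority 0;
        counter queue num $QNUM
    }
}
EOF
}

# Working alternative: keep the bridge transparent but queue from the ip
# family. With br_netfilter loaded, bridged IPv4 frames traverse the ipv4
# forward hook, where iifname is the bridge device itself.
ruleset_ip() {
    cat <<EOF
table ip filter {
    chain forward {
        type filter hook forward priority 0;
        iifname "$BRIDGE" counter queue num $QNUM
    }
}
EOF
}

# The bridge_netfilter "hack" the thread refers to: make bridged frames
# visit the ipv4/ipv6 netfilter hooks.
enable_br_netfilter() {
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}

# Sanity check after loading: the queue expression must be in the live ruleset.
check_queue_loaded() {
    nft list ruleset | grep -q "queue num $QNUM"
}

if [ "$1" = "--apply" ]; then
    enable_br_netfilter
    ruleset_ip | nft -f -
    check_queue_loaded && echo "queue rule installed; attach a userspace listener to queue $QNUM"
fi
```

IPv6 traffic needs a matching `table ip6` rule, and without a userspace program bound to the queue every queued packet is dropped (add `bypass` to the queue expression if you prefer fail-open). On kernels that later gained native nft bridge queue support, the bridge-family ruleset alone is enough; this thread predates that.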