Re: nftables: bridge filter with queue to userspace

On 29.10.2015 23:23, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> > [ CC Bernhard ]
> >
> > On Thu, Oct 29, 2015 at 10:23:44PM +0100, Martin Gröger wrote:
> > > I'm trying to build a transparent filter with application level filtering.
> > > First experiment with ip and output hook and queue to userspace was
> > > successful. Then I changed to bridge filtering with forward hook. With
> > > counter action I see that the packets match the rule, but the queue to the
> > > userspace doesn't work.
> > >
> > > Am I right, that this function should work?
> >
> > nfqueue backend only works with NFPROTO_IPV4 and _IPV6 at the moment,
> > i.e. nft ip and nft ip6, or via bridge_netfilter hack (which 'pushes'
> > packets through ipv4/ipv6 netfilter hooks).

Ok, this explains why my experiment with ip works, but not the one with the bridge family.

> > Florian told me he will come up sooner or later with native queue
> > support for nft (ie. no bridge_netfilter required anymore).
>
> Argh.  I'm a moron and forgot about this.

How should a native (independent of bridge) queue support work?

> I still have the q&d hack that makes it work but no reroute (re-bridge,
> cough) support, just dump-to-userspace.

As far as I understand this would be sufficient for my use case, since I simply want to inspect the packets and then decide to accept or drop them.

> Bernhard, did you have time to work on this?
>
> If not, I think I can make time available soon since the other work
> (nft bridge conntrack, nf netns hook stuff) is delayed at the moment
> anyways.

Would be great if you can help me!

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
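The two setups discussed in the thread, written out as an nft ruleset. This is an added example, not a ruleset from the thread or from the nftables project: it assumes the kernel state Pablo describes (nfqueue backend only for the ip/ip6 families), a bridge device named br0, and queue number 0 as the userspace queue; the inspecting userspace program is assumed to exist and to return accept or drop verdicts.

```nft
#!/usr/sbin/nft -f
# Added example (assumptions: bridge br0, queue num 0, 2015-era kernel as
# described in the thread). Load with: nft -f this-file

flush ruleset

# (1) Bridge family, forward hook: this is the experiment from the thread.
#     The counter increments because the rule matches bridged frames, but
#     on the kernel described above a 'queue' verdict here is not delivered
#     to userspace, since nfqueue has no bridge-family backend.
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter
    }
}

# (2) The bridge_netfilter workaround Pablo refers to. With
#       modprobe br_netfilter
#       sysctl -w net.bridge.bridge-nf-call-iptables=1
#       sysctl -w net.bridge.bridge-nf-call-ip6tables=1
#     bridged IPv4/IPv6 frames are also passed through the ip/ip6 forward
#     hooks, where the nfqueue backend works. 'bypass' makes the rule fail
#     open (accept) if no userspace program is bound to queue 0; drop it if
#     the inspection must fail closed.
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter queue num 0 bypass
    }
}

table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter queue num 0 bypass
    }
}
```

After loading, `nft list ruleset` shows both counters; with br_netfilter enabled, the ip/ip6 counters advance in step with the bridge counter for IP traffic, which is the quickest check that frames are actually reaching the hooks where the queue verdict is honoured. The bridge-family chain is kept only to mirror the thread's observation; it carries no queue verdict because, per the discussion, none would be delivered there.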
