Mailing List Archive: iptables: Devel

netfilter queue not on filter table


viraptor at gmail

Jul 3, 2007, 7:39 AM

Post #1 of 7 (1617 views)
netfilter queue not on filter table

Hi,
I'm trying to write a specific load-balancing filter with
libnetfilter_queue, but I've run into a problem (or 2):
- The QUEUE target works as expected on filter/INPUT, but I don't catch
any packets if I try to set it up in nat/PREROUTING or
mangle/PREROUTING. What can be the cause? -j QUEUE is the only rule
and I'm not using any filtering with that. But I don't get any packets
- I'm checking that as the first thing in the callback function.
- When I redirect to my gateway a packet sent to some internet host, it
works even in filter/INPUT. When I redirect a packet from internet host
a.b.c.d to internet host e.f.g.h in filter/INPUT, it doesn't work. What
can be the reason? (It's sent on the same interface.)

Thanks for ideas
Stanisław Pitucha


viraptor at gmail

Jul 3, 2007, 8:14 AM

Post #2 of 7 (1548 views)
Re: netfilter queue not on filter table [In reply to]

I made a mistake before:
> - QUEUE target works as expected on filter/INPUT, but I don't catch
> any packets if I try to set it up in nat/PREROUTING or
> mangle/PREROUTING. What can be the cause?


viraptor at gmail

Jul 3, 2007, 8:18 AM

Post #3 of 7 (1547 views)
Re: netfilter queue not on filter table [In reply to]

I made a mistake before:
> - QUEUE target works as expected on filter/INPUT, but I don't catch
> any packets if I try to set it up in nat/PREROUTING or
> mangle/PREROUTING. What can be the cause?

I see incoming messages in mangle/PREROUTING, but not outgoing ones.
OTOH they are shown in wireshark at the same time, and are sent.

(Sorry for the lame triple post)


yasuyuki.kozakai at toshiba

Jul 3, 2007, 8:07 PM

Post #4 of 7 (1544 views)
Re: netfilter queue not on filter table [In reply to]

From: "Stanisław Pitucha" <viraptor [at] gmail>
Date: Tue, 3 Jul 2007 16:18:56 +0100

> I made a mistake before:
> > - QUEUE target works as expected on filter/INPUT, but I don't catch
> > any packets if I try to set it up in nat/PREROUTING or
> > mangle/PREROUTING. What can be the cause?

Only the initial packets of a connection see the rules in PREROUTING in the nat table.

> I see incoming messages in mangle/PREROUTING, but not outgoing ones.
> OTOH they are shown in wireshark at the same time, and are sent.

If by 'outgoing ones' you mean the packets generated at the local node
that queues packets, they don't pass through PREROUTING but through OUTPUT.

Please refer to the following.

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES

-- Yasuyuki Kozakai


viraptor at gmail

Jul 4, 2007, 5:00 AM

Post #5 of 7 (1538 views)
Re: netfilter queue not on filter table [In reply to]

> If you mean that 'outgoing ones' are the packets generated at the local
> node queueing packets, they don't pass through PREROUTING, but OUTPUT.
>
> Please refer following.
> ...

Great - thanks! That solved the capturing problem. Now I'm using QUEUE
on both PREROUTING and OUTPUT.
But now I've got another one:
I'm rewriting addresses like in standard dnat:
client <-> gateway (choosing server) <-> servers

Outgoing ones are delivered as they should: (own logging fragment)
Tried packet: From: 192.168.1.37:32938 to: 192.168.1.111:53
Redirection! - Sent packet: From: 192.168.1.37:32938 to: 192.168.1.1:53

Incoming packet gets changed:
Got packet: From: 192.168.1.1:53 to: 192.168.1.37:32938 'n redirected
Delivered packet: From: 192.168.1.111:53 to: 192.168.1.37:32938

but the application doesn't see it. Additionally, wireshark sees the outgoing
packet changed, but the incoming one original:
192.168.1.1:53->192.168.1.37:32938. Is that normal? What can be the
reason? If I leave the source address unchanged, the packet arrives at the app
with the real source without problems.

Thanks


degraaf at cpsc

Jul 4, 2007, 9:15 AM

Post #6 of 7 (1544 views)
Re: netfilter queue not on filter table [In reply to]

Stanisław Pitucha wrote:
> Great - thanks! That solved the capturing problem. Now I'm using QUEUE
> on both PREROUTING and OUTPUT.
> But now I've got another one:
> I'm rewriting addresses like in standard dnat:
> client <-> gateway (choosing server) <-> servers
>
> Outgoing ones are delivered as they should: (own logging fragment)
> Tried packet: From: 192.168.1.37:32938 to: 192.168.1.111:53
> Redirection! - Sent packet: From: 192.168.1.37:32938 to: 192.168.1.1:53
>
> Incoming packet gets changed:
> Got packet: From: 192.168.1.1:53 to: 192.168.1.37:32938 'n redirected
> Delivered packet: From: 192.168.1.111:53 to: 192.168.1.37:32938
>
> but application doesn't see it. Additionally wireshark sees outgoing
> packet changed, but incoming one original:
> 192.168.1.1:53->192.168.1.37:32938. Is that normal? What can be the
> reason? If I leave source address unchanged, packet arrives to the app
> with real source without problems.
>
> Thanks


Are you getting messages similar to "ip_rt_bug" in dmesg when incoming
packets get redirected? If so, see this thread:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027849.html

As for wireshark, I think that it sees incoming packets before netfilter
does and outgoing packets after netfilter finishes with them. That
would explain the behaviour that you're seeing.

Rennie deGraaf


viraptor at gmail

Jul 17, 2007, 8:34 AM

Post #7 of 7 (1513 views)
Re: netfilter queue not on filter table [In reply to]

On 7/4/07, Rennie deGraaf <degraaf [at] cpsc> wrote:
> Are you getting messages similar to "ip_rt_bug" in dmesg when incoming
> packets get redirected? If so, see this thread:
> http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027849.html

Just so the thread won't stay unresolved - the bug was on my side - I forgot to
swap bytes in the IP address in messages going one direction, but the others
were correct.

> As for wireshark, I think that it sees incoming packets before netfilter
> does and outgoing packets after netfilter finishes with them. That
> would explain the behaviour that you're seeing.

That's right. Thank you.
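The fix the thread ends on (and the source rewrite described in post #5), as an added example that is not code from the thread or from libnetfilter_queue: a source-address rewrite over a raw IPv4 header of the kind a queue callback gets from nfq_get_payload(), with htonl() applied to the new address and the header checksum recomputed. The header bytes and the 192.168.1.111 server address are constructed from the addresses in the thread; nfq_get_payload() itself is not called, so the block runs offline.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed IPv4 header (20 bytes, no options) for the reply in the thread:
 * 192.168.1.1 -> 192.168.1.37, UDP, total length 48; checksum left zero. */
static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x30, 0x12, 0x34, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 168, 1, 1, 192, 168, 1, 37
};

/* RFC 791 one's-complement checksum over the header; 0 means a valid header. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* new_src is in host byte order (e.g. 0xC0A8016F for 192.168.1.111). Writing
 * it into the header without htonl() is the byte-swap mistake the thread ends
 * on; the IP checksum must also be recomputed or the stack drops the packet.
 * Returns 0 on success, -1 if the buffer is not a sane IPv4 header. */
int rewrite_src(uint8_t *hdr, size_t len, uint32_t new_src)
{
    if (len < 20 || (hdr[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    uint32_t net = htonl(new_src);
    memcpy(hdr + 12, &net, sizeof net);
    hdr[10] = hdr[11] = 0;                 /* zero the field, then recompute */
    uint16_t c = ip_checksum(hdr, ihl);
    hdr[10] = (uint8_t)(c >> 8); hdr[11] = (uint8_t)(c & 0xff);
    return 0;
}

/* Worked case: rewrite the reply's source to 192.168.1.111 and check both the
 * on-wire byte order and the recomputed checksum. Returns 1 on success. */
int demo_rewrite(void)
{
    uint8_t pkt[20];
    memcpy(pkt, sample_pkt, sizeof pkt);
    if (rewrite_src(pkt, sizeof pkt, 0xC0A8016Fu) != 0) return 0;
    return pkt[12] == 192 && pkt[13] == 168 && pkt[14] == 1 && pkt[15] == 111
        && ip_checksum(pkt, sizeof pkt) == 0;
}
```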
