top button
Flag Notify
    Connect to us
      Facebook Login
      Site Registration Why to Join

Facebook Login
Site Registration

Parts of libnetfilter_queue deprecated?

0 votes
141 views

While I was looking for ways to move some firewalling functionality into user space (parse packet to decide whether to drop or accept the packet along with some reporting in the drop case), I came across iptable's NFQUEUE target, which, along with libnetfilter_queue, seems to be a perfect match for my use case.
However, parts of the doxygen documentation (at https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/modules.html )
are marked deprecated (i.e. Queue handling, Library setup, Message parsing functions, and Printing).

I may have missed it while I was searching the netfilter mailing list archives in this context, but I could not find any hint on the reason why these parts of libnetfilter_queue are deprecated (apart from nfq_set_verdict_mark() being marked as deprecated) nor did I find any hint on a replacement. Could you enlighten me here?

posted May 25, 2018 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

These apis are not extensible, they hide too much netlink details.

You can use this example:
http://git.netfilter.org/libnetfilter_queue/tree/examples/nf-queue.c

With old api, you can't set conntrack mark for instance or examine e.g. checksum-not-ready flag.

answer May 25, 2018 by Jagan Mishra
Similar Questions
0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

+1 vote

I've done some digging but really can't find a good explanation of the syntax for matching TCP flags in nftables. In iptables a rule can be written like:

-A TEST_BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BADFLAGS

How do I do the equivalent in nftables? Also are we still able to use the "ALL" and "NONE" keywords?

0 votes

I have a setup* in which I have a server with multiple virtual network interfaces (vif1 .. vifX) that are connected (bridged) to one virtual machine each (vm1 .. vmX) which all have the same IP and MAC (let's say 192.168.1.100 resp. 00:11:22:33:44:55). In addition to that my server also has one regular network interface (eth0) connected to the rest of my network (10.0.0.0/16).

Now I would like to be able to provide NAT-like capabilities such that every packet coming from vm1 reaches the regular network as coming from 10.0.1.1, every packet coming from vm2 as 10.0.1.2 and so on. Of course, packets coming from the network destined towards 10.0.1.x should also be correctly translated by the server such that vmX will receive them.

From what I understand I could use ebtables with the snat-target to rewrite the MAC addresses for the vifX bridges, such that the remaining network would see at least a different MAC address per VM. However, I cannot see an easy solution to rewrite the IP. Using iptables nat-table and the snat-target will not work, since I would need to also filter on the source-mac or incoming device, but the snat-target is only available on the POSTROUTING chain.

One possible to solution would be to write a small program that listens on a rawsocket on every interface, rewrites packets and re-sends them on the correct interface, but I'd rather avoid that and use standard tools instead.

I would be very grateful for ideas/tips,

+1 vote

Is there a way to find out if there any iptables rules set on a machine ?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptable rules are set)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains then these 3; these chains are set by application/services, even without any iptable rules which are set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even that there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains ?

+1 vote

I'm looking at a strange phenomenon that occurs on an iptables firewall. There is a DNAT rule configured that maps a public IP to a private one where a web serve is listening. Normal request operate as expected that is the destination ip is modified to the private one when the request arrives at the firewall and on the response packet the private ip is mapped back to the public one.
What I noticed though is that for some response packets the source ip is *not* mapped back to the public ip and instead tcpdump shows that the packets are sent out with the private source ip. The thing all these packets have in common is that they have the RST flag set.

What could be the reason for this? Is there some particular iptables behavior that could explain this?

Contact Us
+91 9880187415
sales@queryhome.net
support@queryhome.net
#280, 3rd floor, 5th Main
6th Sector, HSR Layout
Bangalore-560102
Karnataka INDIA.
QUERY HOME
...