* [LARTC] ip_queue module issue
@ 2006-01-03 2:48 Salim
2006-01-03 12:58 ` Patrick McHardy
0 siblings, 1 reply; 7+ messages in thread
From: Salim @ 2006-01-03 2:48 UTC (permalink / raw)
To: lartc
Hi All,
I am adding ip_queue module for snort inline IDS.
I am using snort2.4.0
And iptables-1.3.4.
Userspace Queuing(queue target) is enabled. It is built-in and not built as
a module.
The output of /proc/net/ip_queue is shown below:
cat /proc/net/ip_queue>
Peer PID : 0
Copy mode : 0
Copy range : 0
Queue length : 0
Queue max. length : 1024
IPTABLES 1.3.4 is being used and it is built with install-devel option
And libipq.a is seen in /lib directory.
SNORT is also built in with following options:
./configure --prefix=/usr/local/snort \
--with-libpcap-includes=/usr/local/snort-lib/include \
--with-libpcap-libraries=/usr/local/snort-lib/lib \
--with-libpcre-includes=/usr/local/snort-lib/include \
--with-libpcre-libraries=/usr/local/snort-lib/lib \
--with-libnet-includes=/usr/local/snort-lib/include \
--with-libnet-libraries=/usr/local/snort-lib/lib \
--with-libipq-includes=/usr/local/iptables/include \
--with-libipq-libraries=/usr/local/iptables/lib \
--enable-inline
cat /proc/net/netlink>
sk Eth Pid Groups Rmem Wmem Dump Locks
c11c8040 0 0 00000000 0 0 00000000 2
c7ec0140 3 0 00000000 0 0 00000000 7
c11c8780 4 0 00000000 0 0 00000000 2
c7e74c40 5 0 00000000 0 0 00000000 2
Starting SNORT now:
/usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t /var/log/snortlog -s -D>
Initializing Inline mode
Reading from iptables
InitInline: : Failed to send netlink message: Connection refused
Starting snortd: FAILED
cat /proc/net/netlink>
sk Eth Pid Groups Rmem Wmem Dump Locks
c11c8040 0 0 00000000 0 0 00000000 2
c7ec0140 3 0 00000000 0 0 00000000 8 >>>Locks increasing
c11c8780 4 0 00000000 0 0 00000000 2
c7e74c40 5 0 00000000 0 0 00000000 2
Can anybody please point me as to what could be the issue? As it is, ip_queue
is built into the kernel and it is running, as can be seen from
cat /proc/net/ip_queue.
Any pointers would be greatly appreciated.
regards
Salim
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] ip_queue module issue
2006-01-03 2:48 [LARTC] ip_queue module issue Salim
@ 2006-01-03 12:58 ` Patrick McHardy
0 siblings, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2006-01-03 12:58 UTC (permalink / raw)
To: Salim; +Cc: lartc, Netfilter Development Mailinglist
Salim wrote:
> Hi All,
> I am adding ip_queue module for snort inline IDS.
>
> I am using snort2.4.0
> And iptables-1.3.4.
>
> Userspace Queuing(queue target) is enabled. It is built-in and not built as
> a module.
> The output of /proc/net/ip_queue is shown below:
>
> cat /proc/net/ip_queue>
> Peer PID : 0
> Copy mode : 0
> Copy range : 0
> Queue length : 0
> Queue max. length : 1024
>
>
> IPTABLES 1.3.4 is being used and it is built with install-devel option
> And libipq.a is seen in /lib directory.
>
> SNORT is also built in with following options:
> ./configure --prefix=/usr/local/snort \
> --with-libpcap-includes=/usr/local/snort-lib/include \
> --with-libpcap-libraries=/usr/local/snort-lib/lib \
> --with-libpcre-includes=/usr/local/snort-lib/include \
> --with-libpcre-libraries=/usr/local/snort-lib/lib \
> --with-libnet-includes=/usr/local/snort-lib/include \
> --with-libnet-libraries=/usr/local/snort-lib/lib \
> --with-libipq-includes=/usr/local/iptables/include \
> --with-libipq-libraries=/usr/local/iptables/lib \
> --enable-inline
>
> cat /proc/net/netlink>
> sk Eth Pid Groups Rmem Wmem Dump Locks
> c11c8040 0 0 00000000 0 0 00000000 2
> c7ec0140 3 0 00000000 0 0 00000000 7
> c11c8780 4 0 00000000 0 0 00000000 2
> c7e74c40 5 0 00000000 0 0 00000000 2
>
> Starting SNORT now:
> /usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t
> /var/log/snortlog -s -D>
> Initializing Inline mode
> Reading from iptables
> InitInline: : Failed to send netlink message: Connection refused
> Starting snortd: FAILED
>
> cat /proc/net/netlink>
> sk Eth Pid Groups Rmem Wmem Dump Locks
> c11c8040 0 0 00000000 0 0 00000000 2
> c7ec0140 3 0 00000000 0 0 00000000 8 >>>Locks
> increasing
> c11c8780 4 0 00000000 0 0 00000000 2
> c7e74c40 5 0 00000000 0 0 00000000 2
>
> Can anybody please point me as to what could be the issue. As it is the
> ip_queue
> Is built in kernel and it is running as can be seen from cat
> /proc/net/ip_queue
Does it work if you build it as a module? If not please send the output
of strace -s 1000 -f snort ...
* Re: [LARTC] ip_queue module issue
2006-01-03 12:58 ` Patrick McHardy
@ 2006-01-04 2:14 ` Salim
-1 siblings, 0 replies; 7+ messages in thread
From: Salim @ 2006-01-04 2:14 UTC (permalink / raw)
To: Patrick McHardy; +Cc: lartc, Netfilter Development Mailinglist
It does work when iptables as a whole is built as a module.
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Salim" <salim.si@askey.com.tw>
Cc: <lartc@mailman.ds9a.nl>; "Netfilter Development Mailinglist"
<netfilter-devel@lists.netfilter.org>
Sent: Tuesday, January 03, 2006 8:58 PM
Subject: Re: [LARTC] ip_queue module issue
> Salim wrote:
> > Hi All,
> > I am adding ip_queue module for snort inline IDS.
> >
> > I am using snort2.4.0
> > And iptables-1.3.4.
> >
> > Userspace Queuing(queue target) is enabled. It is built-in and not built as
> > a module.
> > The output of /proc/net/ip_queue is shown below:
> >
> > cat /proc/net/ip_queue>
> > Peer PID : 0
> > Copy mode : 0
> > Copy range : 0
> > Queue length : 0
> > Queue max. length : 1024
> >
> >
> > IPTABLES 1.3.4 is being used and it is built with install-devel option
> > And libipq.a is seen in /lib directory.
> >
> > SNORT is also built in with following options:
> > ./configure --prefix=/usr/local/snort \
> > --with-libpcap-includes=/usr/local/snort-lib/include \
> > --with-libpcap-libraries=/usr/local/snort-lib/lib \
> > --with-libpcre-includes=/usr/local/snort-lib/include \
> > --with-libpcre-libraries=/usr/local/snort-lib/lib \
> > --with-libnet-includes=/usr/local/snort-lib/include \
> > --with-libnet-libraries=/usr/local/snort-lib/lib \
> > --with-libipq-includes=/usr/local/iptables/include \
> > --with-libipq-libraries=/usr/local/iptables/lib \
> > --enable-inline
> >
> > cat /proc/net/netlink>
> > sk Eth Pid Groups Rmem Wmem Dump Locks
> > c11c8040 0 0 00000000 0 0 00000000 2
> > c7ec0140 3 0 00000000 0 0 00000000 7
> > c11c8780 4 0 00000000 0 0 00000000 2
> > c7e74c40 5 0 00000000 0 0 00000000 2
> >
> > Starting SNORT now:
> > /usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t
> > /var/log/snortlog -s -D>
> > Initializing Inline mode
> > Reading from iptables
> > InitInline: : Failed to send netlink message: Connection refused
> > Starting snortd: FAILED
> >
> > cat /proc/net/netlink>
> > sk Eth Pid Groups Rmem Wmem Dump Locks
> > c11c8040 0 0 00000000 0 0 00000000 2
> > c7ec0140 3 0 00000000 0 0 00000000 8 >>>Locks
> > increasing
> > c11c8780 4 0 00000000 0 0 00000000 2
> > c7e74c40 5 0 00000000 0 0 00000000 2
> >
> > Can anybody please point me as to what could be the issue. As it is the
> > ip_queue
> > Is built in kernel and it is running as can be seen from cat
> > /proc/net/ip_queue
>
> Does it work if you build it as a module? If not please send the output
> of strace -s 1000 -f snort ...
* Re: [LARTC] ip_queue module issue
2006-01-04 2:14 ` Salim
@ 2006-01-04 7:13 ` Patrick McHardy
-1 siblings, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2006-01-04 7:13 UTC (permalink / raw)
To: Salim; +Cc: lartc, Netfilter Development Mailinglist
Salim wrote:
> it does work when iptables as a whole is built as a module.
Do you use any patches that might register as queue handler,
like IMQ? Otherwise please check your logs for messages from
ip_queue during boot time, it should have logged the reason
if registration failed.
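
The checks raised in this thread, collected into one script as an added example that is not part of any poster's message: it reads saved copies of /proc/net/netlink, /proc/net/ip_queue and a kernel log and reports which check points at a cause. The function names, the verdict strings, the "ip_queue:" log prefix and the sample log line are assumptions; the /proc values are the ones posted above, without the poster's annotation.

```shell
# Added example (not from the thread): triage for snort_inline's
# "Failed to send netlink message: Connection refused" using the thread's checks.
NETLINK_FIREWALL=3   # netlink protocol used by ip_queue (the "Eth" column)

# Print "sk Locks" for each kernel-side (Pid 0) socket of the given protocol.
kernel_sockets() {   # kernel_sockets <netlink-file> <protocol>
    awk -v proto="$2" 'NR > 1 && $2 == proto && $3 == 0 { print $1, $8 }' "$1"
}

# Print the PID of the userspace peer bound to ip_queue (0 = none bound).
ipq_peer_pid() {     # ipq_peer_pid <ip_queue-file>
    awk -F: '/^Peer PID/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Print kernel log lines from ip_queue; the "ip_queue:" prefix is an assumption.
ipq_log_lines() {    # ipq_log_lines <log-file>
    grep 'ip_queue:' "$1" || true
}

# One verdict from the three checks, most decisive first.
triage() {           # triage <netlink-file> <ip_queue-file> <log-file>
    if [ -n "$(ipq_log_lines "$3")" ]; then echo "check-logged-error"
    elif [ -z "$(kernel_sockets "$1" "$NETLINK_FIREWALL")" ]; then echo "no-kernel-socket"
    elif [ "$(ipq_peer_pid "$2")" != "0" ]; then echo "peer-already-bound"
    else echo "no-obvious-cause"
    fi
}

# Sample files: /proc values copied from the thread; the log line is constructed.
make_samples() {
    d=$(mktemp -d)
    printf 'Peer PID : 0\nQueue length : 0\nQueue max. length : 1024\n' > "$d/ip_queue"
    cat > "$d/netlink" <<'EOF'
sk Eth Pid Groups Rmem Wmem Dump Locks
c11c8040 0 0 00000000 0 0 00000000 2
c7ec0140 3 0 00000000 0 0 00000000 8
EOF
    echo 'ip_queue: failed to register queue handler' > "$d/kern.log"
    : > "$d/empty.log"
    echo "$d"
}

samples=$(make_samples)
triage "$samples/netlink" "$samples/ip_queue" "$samples/empty.log"
triage "$samples/netlink" "$samples/ip_queue" "$samples/kern.log"
```

On a live system of that era, pass /proc/net/netlink, /proc/net/ip_queue and the boot-time kernel log in place of the sample files.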