Multiple programs for QUEUE target

Multiple programs for QUEUE target

[David Vogt]

Dear all,

as far as I understand libipq it is not possible to register more than
one program that handles packets that are queued (using -j QUEUE),
since only one pid can be registered at /proc/net/ip_queue. Is that
right?

Now I have two questions:
1) Does libnetfilter_queue solve that problem
2) Will packets be processed by both applications?

The problem is that I use a closed source program here as well, that
employs libipq. Altough I could rewrite my own application to use
libnetfiter_queue I would highly appreciate a solution that uses
libipq. I am sure I read something about a "dispachter"-like program,
but I can't find it.

Thanks,
David

Re: Multiple programs for QUEUE target

[David Vogt]

2006/4/4, David Vogt <beunlovable@gmail.com>:
> I am sure I read something about a "dispachter"-like program,
> but I can't find it.

Of course I found it right after posting to the list. ipqmpd it is
called, however, it requires rewriting the program to some extend.
Since this is not possible for the closed source program, any advice
on how a solution to that problem might look like are highly
appreciated.

David

Re: Multiple programs for QUEUE target

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1112 bytes --]

On Tue, Apr 04, 2006 at 04:02:41PM +0200, David Vogt wrote:
> 2006/4/4, David Vogt <beunlovable@gmail.com>:
> > I am sure I read something about a "dispachter"-like program,
> > but I can't find it.
> 
> Of course I found it right after posting to the list. ipqmpd it is
> called, however, it requires rewriting the program to some extend.
> Since this is not possible for the closed source program, any advice
> on how a solution to that problem might look like are highly
> appreciated.

Please don't use any of that old 'crap' (I'm the author, so I can call
it that).  These days, you use NFQUEUE, nf_queue, nfnetlink_queue,
libnetfilter_queue, and you get up to 65535 distinct queues for
different userespace processes.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: Multiple programs for QUEUE target

[David Vogt]

2006/4/5, Harald Welte <laforge@netfilter.org>:
> On Tue, Apr 04, 2006 at 04:02:41PM +0200, David Vogt wrote:
> Please don't use any of that old 'crap' (I'm the author, so I can call
> it that).  These days, you use NFQUEUE, nf_queue, nfnetlink_queue,
> libnetfilter_queue, and you get up to 65535 distinct queues for
> different userespace processes.

Is it possible to run libnetfilter_queue and libipq (for old
applications) in parallel? I did some testing and it doesn't seem to
work.

Thanks,
David

Re: Multiple programs for QUEUE target

[Patrick McHardy]

David Vogt wrote:
> 2006/4/5, Harald Welte <laforge@netfilter.org>:
> 
>>On Tue, Apr 04, 2006 at 04:02:41PM +0200, David Vogt wrote:
>>Please don't use any of that old 'crap' (I'm the author, so I can call
>>it that).  These days, you use NFQUEUE, nf_queue, nfnetlink_queue,
>>libnetfilter_queue, and you get up to 65535 distinct queues for
>>different userespace processes.
> 
> 
> Is it possible to run libnetfilter_queue and libipq (for old
> applications) in parallel? I did some testing and it doesn't seem to
> work.

Only a single queue handler can register for an address family inside
the kernel, so most likely one of them is simply not receiving any
packets. There is an ipq compat library for nfnetlink_queue, I'm not
sure but I think you should be able to use those in parallel.

Re: Multiple programs for QUEUE target

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1138 bytes --]

On Thu, Apr 06, 2006 at 12:50:05PM +0200, David Vogt wrote:
> 2006/4/5, Harald Welte <laforge@netfilter.org>:
> > On Tue, Apr 04, 2006 at 04:02:41PM +0200, David Vogt wrote:
> > Please don't use any of that old 'crap' (I'm the author, so I can call
> > it that).  These days, you use NFQUEUE, nf_queue, nfnetlink_queue,
> > libnetfilter_queue, and you get up to 65535 distinct queues for
> > different userespace processes.
> 
> Is it possible to run libnetfilter_queue and libipq (for old
> applications) in parallel? I did some testing and it doesn't seem to
> work.

you can run the libraries in parallel, but not the kernel code.

Why would you want to do that anyway?  libnetfilter_queue provides a
backwards compatibility API for libipq apps.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]