Problem for nfq_set_queue_maxlen of libnetfilter_queue

Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Arthur Liew]

[-- Attachment #1: Type: text/plain, Size: 3151 bytes --]

Dear All,

I don't seem to be able to set max queue len of libnetfilter. The
error I keep getting is

NFNETLINK answers: Invalid argument

Any idea why ?  The code snippet that cause this is

    u_int32_t qlen = 1024;
    if (nfq_set_queue_maxlen(qh, qlen) < 0)

The version of library I use is

libnetfilter_queue-0.0.13
libnfnetlink-0.0.25

I have use the test code from  libnetfilter_queue-0.0.13/utils with
additional nfq_set_queue_maxlen function

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <linux/netfilter.h>		/* for NF_ACCEPT */

#include <libnetfilter_queue/libnetfilter_queue.h>

/* returns packet id */
static u_int32_t print_pkt (struct nfq_data *tb)
{
	int id = 0;
	struct nfqnl_msg_packet_hdr *ph;
	u_int32_t mark,ifi;
	int ret;
	char *data;
	
	ph = nfq_get_msg_packet_hdr(tb);
	if (ph){
		id = ntohl(ph->packet_id);
		printf("hw_protocol=0x%04x hook=%u id=%u ",
			ntohs(ph->hw_protocol), ph->hook, id);
	}
	
	mark = nfq_get_nfmark(tb);
	if (mark)
		printf("mark=%u ", mark);

	ifi = nfq_get_indev(tb);
	if (ifi)
		printf("indev=%u ", ifi);

	ifi = nfq_get_outdev(tb);
	if (ifi)
		printf("outdev=%u ", ifi);

	ret = nfq_get_payload(tb, &data);
	if (ret >= 0)
		printf("payload_len=%d ", ret);

	fputc('\n', stdout);

	return id;
}
	

static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	      struct nfq_data *nfa, void *data)
{
	u_int32_t id = print_pkt(nfa);
	printf("entering callback\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}

int main(int argc, char **argv)
{
	struct nfq_handle *h;
	struct nfq_q_handle *qh;
	struct nfnl_handle *nh;
	int fd;
	int rv;
	char buf[4096];

	printf("opening library handle\n");
	h = nfq_open();
	if (!h) {
		fprintf(stderr, "error during nfq_open()\n");
		exit(1);
	}

	printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
	if (nfq_unbind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_unbind_pf()\n");
		exit(1);
	}

	printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
	if (nfq_bind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_bind_pf()\n");
		exit(1);
	}

	printf("binding this socket to queue '0'\n");
	qh = nfq_create_queue(h,  0, &cb, NULL);
	if (!qh) {
		fprintf(stderr, "error during nfq_create_queue()\n");
		exit(1);
	}

	printf("setting copy_packet mode\n");
	if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
		fprintf(stderr, "can't set packet_copy mode\n");
		exit(1);
	}

    u_int32_t qlen = 128;
    if (nfq_set_queue_maxlen(qh, qlen) < 0)
    {
        fprintf(stderr, "error during nfq_set_queue_maxlen()\n");
   //     exit(1);
    }

	nh = nfq_nfnlh(h);
	fd = nfnl_fd(nh);

	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
		printf("pkt received\n");
		nfq_handle_packet(h, buf, rv);
	}

	printf("unbinding from queue 0\n");
	nfq_destroy_queue(qh);

#ifdef INSANE
	/* normally, applications SHOULD NOT issue this command, since
	 * it detaches other programs/sockets from AF_INET, too ! */
	printf("unbinding from AF_INET\n");
	nfq_unbind_pf(h, AF_INET);
#endif

	printf("closing library handle\n");
	nfq_close(h);

	exit(0);
}

[-- Attachment #2: nfqnl_test.c --]
[-- Type: text/x-csrc, Size: 2699 bytes --]


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <linux/netfilter.h>		/* for NF_ACCEPT */

#include <libnetfilter_queue/libnetfilter_queue.h>

/* returns packet id */
static u_int32_t print_pkt (struct nfq_data *tb)
{
	int id = 0;
	struct nfqnl_msg_packet_hdr *ph;
	u_int32_t mark,ifi; 
	int ret;
	char *data;
	
	ph = nfq_get_msg_packet_hdr(tb);
	if (ph){
		id = ntohl(ph->packet_id);
		printf("hw_protocol=0x%04x hook=%u id=%u ",
			ntohs(ph->hw_protocol), ph->hook, id);
	}
	
	mark = nfq_get_nfmark(tb);
	if (mark)
		printf("mark=%u ", mark);

	ifi = nfq_get_indev(tb);
	if (ifi)
		printf("indev=%u ", ifi);

	ifi = nfq_get_outdev(tb);
	if (ifi)
		printf("outdev=%u ", ifi);

	ret = nfq_get_payload(tb, &data);
	if (ret >= 0)
		printf("payload_len=%d ", ret);

	fputc('\n', stdout);

	return id;
}
	

static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	      struct nfq_data *nfa, void *data)
{
	u_int32_t id = print_pkt(nfa);
	printf("entering callback\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}

int main(int argc, char **argv)
{
	struct nfq_handle *h;
	struct nfq_q_handle *qh;
	struct nfnl_handle *nh;
	int fd;
	int rv;
	char buf[4096];

	printf("opening library handle\n");
	h = nfq_open();
	if (!h) {
		fprintf(stderr, "error during nfq_open()\n");
		exit(1);
	}

	printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
	if (nfq_unbind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_unbind_pf()\n");
		exit(1);
	}

	printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
	if (nfq_bind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_bind_pf()\n");
		exit(1);
	}

	printf("binding this socket to queue '0'\n");
	qh = nfq_create_queue(h,  0, &cb, NULL);
	if (!qh) {
		fprintf(stderr, "error during nfq_create_queue()\n");
		exit(1);
	}

	printf("setting copy_packet mode\n");
	if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
		fprintf(stderr, "can't set packet_copy mode\n");
		exit(1);
	}

    u_int32_t qlen = 128;
    if (nfq_set_queue_maxlen(qh, qlen) < 0)
    {
        fprintf(stderr, "error during nfq_set_queue_maxlen()\n");
   //     exit(1);
    }

	nh = nfq_nfnlh(h);
	fd = nfnl_fd(nh);

	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
		printf("pkt received\n");
		nfq_handle_packet(h, buf, rv);
	}

	printf("unbinding from queue 0\n");
	nfq_destroy_queue(qh);

#ifdef INSANE
	/* normally, applications SHOULD NOT issue this command, since
	 * it detaches other programs/sockets from AF_INET, too ! */
	printf("unbinding from AF_INET\n");
	nfq_unbind_pf(h, AF_INET);
#endif

	printf("closing library handle\n");
	nfq_close(h);

	exit(0);
}

Re: Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Pablo Neira Ayuso]

Arthur Liew wrote:
> I don't seem to be able to set max queue len of libnetfilter. The
> error I keep getting is
> 
> NFNETLINK answers: Invalid argument
> 
> Any idea why ?  The code snippet that cause this is
> 
>    u_int32_t qlen = 1024;
>    if (nfq_set_queue_maxlen(qh, qlen) < 0)
> 
> The version of library I use is
> 
> libnetfilter_queue-0.0.13
> libnfnetlink-0.0.25
> 
> I have use the test code from  libnetfilter_queue-0.0.13/utils with
> additional nfq_set_queue_maxlen function

Kernel version?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Fwd: Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Arthur Liew]

Hi Pablo,

I am using kernel version 2.6.18 fedora core 6 ( kernel
2.6.18-1.2869.fc6 ). Do I need to patch the kernel ? I suppose it
should already be supported in the recent kernel verion like 2.6.18 ?

Hear from you again. Many thanks.

Regards,
Arthur.

On 1/19/07, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Arthur Liew wrote:
> > I don't seem to be able to set max queue len of libnetfilter. The
> > error I keep getting is
> >
> > NFNETLINK answers: Invalid argument
> >
> > Any idea why ?  The code snippet that cause this is
> >
> >    u_int32_t qlen = 1024;
> >    if (nfq_set_queue_maxlen(qh, qlen) < 0)
> >
> > The version of library I use is
> >
> > libnetfilter_queue-0.0.13
> > libnfnetlink-0.0.25
> >
> > I have use the test code from  libnetfilter_queue-0.0.13/utils with
> > additional nfq_set_queue_maxlen function
>
> Kernel version?
>
> --
> The dawn of the fourth age of Linux firewalling is coming; a time of
> great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
>

Re: Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Arthur Liew]

Hi Pablo,

Do you mind to tell me where to find the patch The link below no longer works

> > http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=3628
> > http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=3629

I suppose how to patch can be found in tutorial right ? Many thanks.

Regards,
Arthur.

On 1/19/07, Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> Arthur,
>
> Arthur Liew wrote:
> > I am using kernel version 2.6.18 fedora core 6 ( kernel
> > 2.6.18-1.2869.fc6 ). Do I need to patch the kernel ? I suppose it
> > should already be supported in the recent kernel verion like 2.6.18 ?
>
> Sorry, it will available in 2.6.20.
>
> http://lists.netfilter.org/pipermail/netfilter-devel/2006-October/025855.html
>
> --
> The dawn of the fourth age of Linux firewalling is coming; a time of
> great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
>

Re: Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Pablo Neira Ayuso]

Arthur Liew wrote:
> Do you mind to tell me where to find the patch The link below no longer
> works

http://www.linuxarkivet.se/mlists/netfilter-devel/0610/msg00157.htmlhttp://www.linuxarkivet.se/mlists/netfilter-devel/0610/msg00157.html

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: Problem for nfq_set_queue_maxlen of libnetfilter_queue

[Pablo Neira Ayuso]

Arthur Liew wrote:
> Do you mind to tell me where to find the patch The link below no longer
> works

http://www.linuxarkivet.se/mlists/netfilter-devel/0610/msg00157.html

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris