netfilter queue not on filter table

netfilter queue not on filter table

[Stanisław Pitucha]

Hi,
I'm trying to write a specific load-balancing filter with
libnetfilter_queue, but I've run into a problem (or 2):
- QUEUE target works as expected on filter/INPUT, but I don't catch
any packets if I try to set it up in nat/PREROUTING or
mangle/PREROUTING. What can be the cause? -j QUEUE is the only rule
and I'm not using any filtering with that. But I don't get any packets
- I'm checking that as the first thing in the callback function.
- When I redirect to my gateway a packet sent to some internet host it
works even in filter/INPUT. When I redirect packet from internet host
a.b.c.d to internet host e.f.g.h in filter/INPUT it doesn't work. What
can be the reason? (it's sent on the same interface)

Thanks for ideas
Stanisław Pitucha

Re: netfilter queue not on filter table

[Stanisław Pitucha]

I made a mistake before:
> - QUEUE target works as expected on filter/INPUT, but I don't catch
> any packets if I try to set it up in nat/PREROUTING or
> mangle/PREROUTING. What can be the cause?

Re: netfilter queue not on filter table

[Stanisław Pitucha]

I made a mistake before:
> - QUEUE target works as expected on filter/INPUT, but I don't catch
> any packets if I try to set it up in nat/PREROUTING or
> mangle/PREROUTING. What can be the cause?

I see incoming messages in mangle/PREROUTING, but not outgoing ones.
OTOH they are shown in wireshark at the same time, and are sent.

(Sorry for lame tripple post)

Re: netfilter queue not on filter table

[Yasuyuki KOZAKAI]

From: "Stanisław Pitucha" <viraptor@gmail.com>
Date: Tue, 3 Jul 2007 16:18:56 +0100

> I made a mistake before:
> > - QUEUE target works as expected on filter/INPUT, but I don't catch
> > any packets if I try to set it up in nat/PREROUTING or
> > mangle/PREROUTING. What can be the cause?

Only the initial packets of connection see rules in PREROUTING in nat table.

> I see incoming messages in mangle/PREROUTING, but not outgoing ones.
> OTOH they are shown in wireshark at the same time, and are sent.

If you mean that 'outgoing ones' are the packets generated at the local
node queueing packets, they don't pass through PREROUTING, but OUTPUT.

Please refer following.

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES

-- Yasuyuki Kozakai

Re: netfilter queue not on filter table

[Stanisław Pitucha]

> If you mean that 'outgoing ones' are the packets generated at the local
> node queueing packets, they don't pass through PREROUTING, but OUTPUT.
>
> Please refer following.
> ...

Great - thanks! That solved the capturing problem. Now I'm using QUEUE
on both PREROUTING and OUTPUT.
But now I've got another one:
I'm rewriting addresses like in standard dnat:
client <-> gateway (choosing server) <-> servers

Outgoing ones are delivered as they should: (own logging fragment)
Tried packet: From: 192.168.1.37:32938 to: 192.168.1.111:53
Redirection! - Sent packet: From: 192.168.1.37:32938 to: 192.168.1.1:53

Incoming packet gets changed:
Got packet: From: 192.168.1.1:53 to: 192.168.1.37:32938  'n redirected
Delivered packet: From: 192.168.1.111:53 to: 192.168.1.37:32938

but application doesn't see it. Additionally wireshark sees outgoing
packet changed, but incoming one original:
192.168.1.1:53->192.168.1.37:32938. Is that normal? What can be the
reason? If I leave source address unchanged, packet arrives to the app
with real source without problems.

Thanks

Re: netfilter queue not on filter table

[Rennie deGraaf]

[-- Attachment #1: Type: text/plain, Size: 1396 bytes --]

Stanisław Pitucha wrote:
> Great - thanks! That solved the capturing problem. Now I'm using QUEUE
> on both PREROUTING and OUTPUT.
> But now I've got another one:
> I'm rewriting addresses like in standard dnat:
> client <-> gateway (choosing server) <-> servers
> 
> Outgoing ones are delivered as they should: (own logging fragment)
> Tried packet: From: 192.168.1.37:32938 to: 192.168.1.111:53
> Redirection! - Sent packet: From: 192.168.1.37:32938 to: 192.168.1.1:53
> 
> Incoming packet gets changed:
> Got packet: From: 192.168.1.1:53 to: 192.168.1.37:32938  'n redirected
> Delivered packet: From: 192.168.1.111:53 to: 192.168.1.37:32938
> 
> but application doesn't see it. Additionally wireshark sees outgoing
> packet changed, but incoming one original:
> 192.168.1.1:53->192.168.1.37:32938. Is that normal? What can be the
> reason? If I leave source address unchanged, packet arrives to the app
> with real source without problems.
> 
> Thanks


Are you getting messages similar to "ip_rt_bug" in dmesg when incoming
packets get redirected?  If so, see this thread:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027849.html

As for wireshark, I think that it sees incoming packets before netfilter
does and outgoing packets after netfilter finishes with them.  That
would explain the behaviour that you're seeing.

Rennie deGraaf



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: netfilter queue not on filter table

[Stanisław Pitucha]

On 7/4/07, Rennie deGraaf <degraaf@cpsc.ucalgary.ca> wrote:
> Are you getting messages similar to "ip_rt_bug" in dmesg when incoming
> packets get redirected?  If so, see this thread:
> http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027849.html

Just so thread won't stay unresolved - bug was on my side - forgot to
swap bytes in ip address in message going one direction, but others
were correct.

> As for wireshark, I think that it sees incoming packets before netfilter
> does and outgoing packets after netfilter finishes with them.  That
> would explain the behaviour that you're seeing.

That's right. Thank you.