FYI: QUEUE & ipqmpd bugs

FYI: QUEUE & ipqmpd bugs

[Jean-Michel Hemstedt]

FYI,

I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
and got the following (maybe known) problems:

- QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
  => the packets are queued, but ipq_create_handle() returns 
     "can't create netlink socket"
     "ERROR: Unable to create netlink socket: Connection refused"
    (problem with exported symbols?)
  =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y

- ipqmpd-0.3: default verdict NF_ACCEPT is not applied when no
  process has attached to it. In fact ipqmpd starts, but it seems
  that it never receives any packet (in ipq_inp). When one process
  attaches to it, with a mark different from the queued packet, then
  the default NF_ACCEPT is applied correctly. When all processes have
  detached from ipqmpd, the default NF_ACCEPT continues to be applied
  correctly.

kr,
_______________________________________________________________________
-jmhe-               He who expects nothing shall never be disappointed

Re: FYI: QUEUE & ipqmpd bugs

[James Morris]

On Fri, 5 Jul 2002, Jean-Michel Hemstedt wrote:

> FYI,
> 
> I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
> and got the following (maybe known) problems:
> 
> - QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
>   => the packets are queued, but ipq_create_handle() returns 
>      "can't create netlink socket"
>      "ERROR: Unable to create netlink socket: Connection refused"
>     (problem with exported symbols?)
>   =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y
> 

You need to explicitly load the ip_queue module.


- James
-- 
James Morris
<jmorris@intercode.com.au>

Re: FYI: QUEUE & ipqmpd bugs

[James Morris]

On Fri, 5 Jul 2002, Jean-Michel Hemstedt wrote:

> FYI,
> 
> I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
> and got the following (maybe known) problems:
> 
> - QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
>   => the packets are queued, but ipq_create_handle() returns 
>      "can't create netlink socket"
>      "ERROR: Unable to create netlink socket: Connection refused"
>     (problem with exported symbols?)
>   =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y
> 

You need to explicitly load the ip_queue module.


- James
-- 
James Morris
<jmorris@intercode.com.au>

Re: FYI: QUEUE & ipqmpd bugs

[Harald Welte]

On Fri, Jul 05, 2002 at 04:08:54PM +0200, Jean-Michel Hemstedt wrote:
> FYI,
> 
> I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
> and got the following (maybe known) problems:
> 
> - QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
>   => the packets are queued, but ipq_create_handle() returns 
>      "can't create netlink socket"
>      "ERROR: Unable to create netlink socket: Connection refused"
>     (problem with exported symbols?)
>   =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y

I think james should be able to answer that.

> - ipqmpd-0.3: default verdict NF_ACCEPT is not applied when no
>   process has attached to it. In fact ipqmpd starts, but it seems
>   that it never receives any packet (in ipq_inp). When one process
>   attaches to it, with a mark different from the queued packet, then
>   the default NF_ACCEPT is applied correctly. When all processes have
>   detached from ipqmpd, the default NF_ACCEPT continues to be applied
>   correctly.

ever looked at the CVS repository? 
http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ipqmpd/

None of that code has been touched since 22 months... I wrote ipqmpd for
fun, and nobody really seemed to use it.  Feel free to submit patches or
take over maintainership of ipqmpd :)

> kr,
> -jmhe-               He who expects nothing shall never be disappointed

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)

Re: FYI: QUEUE & ipqmpd bugs

[Harald Welte]

On Fri, Jul 05, 2002 at 04:08:54PM +0200, Jean-Michel Hemstedt wrote:
> FYI,
> 
> I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
> and got the following (maybe known) problems:
> 
> - QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
>   => the packets are queued, but ipq_create_handle() returns 
>      "can't create netlink socket"
>      "ERROR: Unable to create netlink socket: Connection refused"
>     (problem with exported symbols?)
>   =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y

I think james should be able to answer that.

> - ipqmpd-0.3: default verdict NF_ACCEPT is not applied when no
>   process has attached to it. In fact ipqmpd starts, but it seems
>   that it never receives any packet (in ipq_inp). When one process
>   attaches to it, with a mark different from the queued packet, then
>   the default NF_ACCEPT is applied correctly. When all processes have
>   detached from ipqmpd, the default NF_ACCEPT continues to be applied
>   correctly.

ever looked at the CVS repository? 
http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ipqmpd/

None of that code has been touched since 22 months... I wrote ipqmpd for
fun, and nobody really seemed to use it.  Feel free to submit patches or
take over maintainership of ipqmpd :)

> kr,
> -jmhe-               He who expects nothing shall never be disappointed

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)

Re: FYI: QUEUE & ipqmpd bugs

[Iain Barnes]

On Fri, 2002-07-05 at 20:15, Harald Welte wrote:
> On Fri, Jul 05, 2002 at 04:08:54PM +0200, Jean-Michel Hemstedt wrote:
> > FYI,
> > 
> > I upgraded to iptables-1.2.6a (user & kernel-2.4.18 patches)
> > and got the following (maybe known) problems:
> > 
> > - QUEUE target is NOK with kernel compiled with CONFIG_IP_NF_QUEUE=m
> >   => the packets are queued, but ipq_create_handle() returns 
> >      "can't create netlink socket"
> >      "ERROR: Unable to create netlink socket: Connection refused"
> >     (problem with exported symbols?)
> >   =>quick fix: compile kernel with CONFIG_IP_NF_QUEUE=y
> 
> I think james should be able to answer that.

The problem is that the ip_queue module isn't loaded automagically
when a program requires it. I have no idea if this can be fixed or not
but the problem is known and can easily be corrected by simply

insmod ip_queue


> 
> > - ipqmpd-0.3: default verdict NF_ACCEPT is not applied when no
> >   process has attached to it. In fact ipqmpd starts, but it seems
> >   that it never receives any packet (in ipq_inp). When one process
> >   attaches to it, with a mark different from the queued packet, then
> >   the default NF_ACCEPT is applied correctly. When all processes have
> >   detached from ipqmpd, the default NF_ACCEPT continues to be applied
> >   correctly.
> 
> ever looked at the CVS repository? 
> http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ipqmpd/
> 
> None of that code has been touched since 22 months... I wrote ipqmpd for
> fun, and nobody really seemed to use it.  Feel free to submit patches or
> take over maintainership of ipqmpd :)
> 
> > kr,
> > -jmhe-               He who expects nothing shall never be disappointed
> 
> -- 
> Live long and prosper
> - Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
> ============================================================================
> GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
> V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-- 
Iain Barnes <zenadsl3030@zen.co.uk>