nfq_unbind_pf and nfq_bind_pf return values different in 2.6.23

nfq_unbind_pf and nfq_bind_pf return values different in 2.6.23

[tom]

Hi,

I haven't touched C for a while now, and have been using python.  I used
to rely on python ipqueue, which uses ipq, but it has problems in 64bit,
and rather than fix it myself, I decided to try the netfilter queue, as
implemented in python nfqueue, given that the netfilter queue is
supposed to make ipq obsolete anyhow, and the author of python ipqueue
now recommends nfqueue.  Unfortunately, it seems that nfqueue has been
broken as of kernel 2.6.23 due to changes in the return values of
nfq_bind_pf and the unbind equivalent.  The code expects 0 to be
returned, and complains of failure otherwise.  I was just wondering if
someone could tell me how to interpret the return values and then I can
fix nfqueue. 

At the moment, this is the problem unless I just fudge it so it doesn't
bail out at this point:

localhost Wall # python testq.py
NFNETLINK answers: Invalid argument
Traceback (most recent call last):
  File "testq.py", line 53, in ?
    Queue = NetfilterQueue()
  File "testq.py", line 44, in __init__
    self.queue = nfqueue.Queue(False)
  File "nfqueue.pyx", line 226, in nfqueue.Queue.__new__
StandardError: nfq_unbind_pf failed

If I fudge it so as to just print out the return codes, I get this:

localhost Wall # python testq.py
NFNETLINK answers: Invalid argument
-22
NFNETLINK answers: Device or resource busy
-16


Any help much appreciated.  Thanks. Tom.

Re: nfq_unbind_pf and nfq_bind_pf return values different in 2.6.23

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 1310 bytes --]

Hi,

On Thursday, 2008 February 14 at  1:46:03 +0000, tom wrote:
> Hi,
> 
> I haven't touched C for a while now, and have been using python.  I used
> supposed to make ipq obsolete anyhow, and the author of python ipqueue
> now recommends nfqueue.  Unfortunately, it seems that nfqueue has been
> broken as of kernel 2.6.23 due to changes in the return values of
> nfq_bind_pf and the unbind equivalent.

Return code of nfq_unbind_pf has to be ignored in recent kernel.

> The code expects 0 to be
> returned, and complains of failure otherwise.  I was just wondering if
> someone could tell me how to interpret the return values and then I can
> fix nfqueue. 
> 
> At the moment, this is the problem unless I just fudge it so it doesn't
> bail out at this point:
> If I fudge it so as to just print out the return codes, I get this:
> 
> localhost Wall # python testq.py
> NFNETLINK answers: Invalid argument
> -22
> NFNETLINK answers: Device or resource busy
> -16

This is bad ! someone of my team has just encounter a similar problem on
2.6.24.2. Did you use compiled-in Netfilter (opposed to Netfilter in
loadable modules)

PS: Could you tell me where to find the python binding for NFQUEUE ?

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: nfq_unbind_pf and nfq_bind_pf return values different in 2.6.23

[Thomas Boland]

Hi Eric,

Thank you for getting back to me.

> Hi,
>
> On Thursday, 2008 February 14 at  1:46:03 +0000, tom wrote:
>> Hi,
>>
>> I haven't touched C for a while now, and have been using python.  I used
>> supposed to make ipq obsolete anyhow, and the author of python ipqueue
>> now recommends nfqueue.  Unfortunately, it seems that nfqueue has been
>> broken as of kernel 2.6.23 due to changes in the return values of
>> nfq_bind_pf and the unbind equivalent.
>
> Return code of nfq_unbind_pf has to be ignored in recent kernel.
>
>> The code expects 0 to be
>> returned, and complains of failure otherwise.  I was just wondering if
>> someone could tell me how to interpret the return values and then I can
>> fix nfqueue.
>>
>> At the moment, this is the problem unless I just fudge it so it doesn't
>> bail out at this point:
>> If I fudge it so as to just print out the return codes, I get this:
>>
>> localhost Wall # python testq.py
>> NFNETLINK answers: Invalid argument
>> -22
>> NFNETLINK answers: Device or resource busy
>> -16
>
> This is bad ! someone of my team has just encounter a similar problem on
> 2.6.24.2. Did you use compiled-in Netfilter (opposed to Netfilter in
> loadable modules)

Yes, I have been using it compiled in, using 2.6.23.  I am led to believe that
there is no difference on the later kernels, so haven't tried upgrading (despite
the unrelated local root exploit!)

>
> PS: Could you tell me where to find the python binding for NFQUEUE ?
>

I actually got it from the page for the IPQ bindings:

http://woozle.org/~neale/src/ipqueue/


On another note, I tried converting the 3 instances of nfnl_talk to nfnl_query
in libnfnetfilter (or perhaps libnetfilterqueue, I can't remember, I'm at work
at the momment), and it doesn't complain, but I don't think it's working.  My
knowledge of these things isn't enough to debug it properly I'm afraid, but I
gather that it's the return code of nfnl_talk that is causing the problem...  I
haven't got it in front of me (and i should be working at the moment!!!)

Tanks for your help.  Tom.


> BR,
> --
> Eric Leblond
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
>