Linux Netfilter discussions
* how to bind NF_ARP family in netfilter queue
@ 2015-02-14 18:54 Stéphane Charette
From: Stéphane Charette @ 2015-02-14 18:54 UTC (permalink / raw)
  To: netfilter

Is it possible to bind multiple address families in netfilter queue?
I see IPv4 show up in my queue, but not ARP.  With error code removed,
here is how I'm calling nfq_bind:

#include <sys/socket.h>                              /* AF_INET */
#include <linux/netfilter_arp.h>                     /* NF_ARP */
#include <libnetfilter_queue/libnetfilter_queue.h>   /* nfq_* API */
/* open a handle, create queue 0 with q_callback, then bind both families */
netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,
                                         &q_callback, this );
nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm
using to send traffic to the queue are too restrictive.  Here are the
rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA?
What would it look like?

Thanks in advance.

Stéphane Charette
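The question is really "do my rules let anything reach queue 0?", and the iptables-save dump above answers that on its own. The following script is an added example (not code from this thread or from the netfilter project): it parses iptables-save output, follows every jump from the built-in chains into user-defined chains, and reports each path that ends in an NFQUEUE target together with the queue number and whether --queue-bypass is set. The dump is embedded as a constant (the nat and filter tables posted above) so it runs offline. One thing it also makes visible by omission: an iptables-save dump contains only the IPv4 tables, so no rule written there can ever see an ARP frame, whatever chains it jumps through.

```python
"""Trace which built-in chains in an iptables-save dump can deliver packets
to NFQUEUE, and with which queue number and flags.

Added example, not code from the thread. The dump is the one posted in the
question, embedded as a constant so the script runs offline.
"""
from collections import defaultdict

# Constructed input: the nat and filter tables from the question, verbatim.
IPTABLES_SAVE = """\
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
"""


def parse_iptables_save(text):
    """Parse iptables-save output into
    {table: {"policies": {chain: policy}, "rules": [(chain, [args])]}}.
    User-defined chains carry the policy "-"."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # comments and blank lines
        if line.startswith("*"):            # "*filter" opens a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):        # "-A CHAIN <matches> -j TARGET"
            _, chain, *args = line.split()
            tables[table]["rules"].append((chain, args))
        elif line == "COMMIT":
            table = None
    return tables


def jump_target(args):
    """Return the -j/--jump target of a rule's argument list, or None."""
    for i, tok in enumerate(args):
        if tok in ("-j", "--jump") and i + 1 < len(args):
            return args[i + 1]
    return None


def nfqueue_paths(tables):
    """Walk every built-in chain (policy != "-") of every table, descend into
    user chains it jumps to, and collect each path ending in NFQUEUE as
    (table, [chain, ..., chain], queue_num, bypass)."""
    found = []
    for tname, tbl in tables.items():
        jumps = defaultdict(list)           # chain -> [(target, args), ...]
        for chain, args in tbl["rules"]:
            jumps[chain].append((jump_target(args), args))
        builtins = [c for c, p in tbl["policies"].items() if p != "-"]
        for root in builtins:
            seen, stack = set(), [(root, [root])]
            while stack:
                chain, path = stack.pop()
                for target, args in jumps.get(chain, []):
                    if target == "NFQUEUE":
                        qnum = 0            # NFQUEUE default when --queue-num is absent
                        if "--queue-num" in args:
                            qnum = int(args[args.index("--queue-num") + 1])
                        found.append((tname, path, qnum, "--queue-bypass" in args))
                    elif target in tbl["policies"] and target not in seen:
                        seen.add(target)    # user chain: descend once per root
                        stack.append((target, path + [target]))
    return found


if __name__ == "__main__":
    for table, path, qnum, bypass in nfqueue_paths(parse_iptables_save(IPTABLES_SAVE)):
        print(f"{table}: {' -> '.join(path)} -> NFQUEUE queue {qnum}"
              f"{' (bypass)' if bypass else ''}")
```

Run against the posted dump it reports a single path, filter: FORWARD -> MYRA -> NFQUEUE queue 0 (bypass), so IPv4 forwarded traffic that matches one of the two FORWARD rules does reach the queue; the parser deliberately ignores match arguments other than the jump, because the question is reachability of the target, not which packets match.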


* Re: how to bind NF_ARP family in netfilter queue
@ 2015-02-14 19:14 ` Noel Kuntze
From: Noel Kuntze @ 2015-02-14 19:14 UTC (permalink / raw)
  To: Stéphane Charette, netfilter


Hello Stéphane,

You need to use ebtables to get ARP messages.
iptables and ip6tables only get IP and IPv6 traffic.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658



* Re: how to bind NF_ARP family in netfilter queue
@ 2015-02-14 20:33   ` Pascal Hambourg
From: Pascal Hambourg @ 2015-02-14 20:33 UTC (permalink / raw)
  To: netfilter

Noel Kuntze wrote:
> 
> You need to use ebtables to get arp messages.

Or arptables. ebtables only works with a bridge. But AFAICS neither
arptables nor ebtables seems to have a queue or nfqueue target.


* Re: how to bind NF_ARP family in netfilter queue
@ 2015-02-14 20:40     ` Noel Kuntze
From: Noel Kuntze @ 2015-02-14 20:40 UTC (permalink / raw)
  To: Pascal Hambourg, netfilter


Hello Pascal,

It is correct that neither has nfqueue support.
I specifically checked the arptables and ebtables man pages for nflog though
and found it for ebtables.
The versions I checked were 0.0.4 for arptables
and 2.0.10_4 for ebtables. The kernel version was 3.14.32.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


