NFQUEUE nfq_set_verdict_mark and "iptables -m mark" interaction problem

Kiba da Fucka dkiba at
Sun Nov 27 02:24:51 CET 2005

Hi all.

I'm trying to use the queuing mechanism of 2.6.14, NFQUEUE.

My task is to set a firewall mark from userspace and make a filtering decision in the filter table or, for example, a corresponding DNAT action in nat PREROUTING.

My test firewall rules:

    iptables -t mangle -A PREROUTING -p ICMP -j NFQUEUE --queue-num 3

    iptables -A INPUT -m mark --mark 1 -j ACCEPT

I used nfqnl_test provided in libnetfilter_queue to test this approach.
Set up the queue:

    qh = nfq_create_queue(h, 3, &cb, NULL);

And in the callback I call ipq_set_verdict_mark() instead of ipq_set_verdict()

    u_int32_t id = print_pkt(nfa);
    printf("entering callback\n");
    return nfq_set_verdict_mark(qh, id, NF_ACCEPT, 1, 0, NULL);

The program catches packets from the netlink socket and sets the verdict, but it seems not to mark them with "1", because the iptables rule that accepts only marked packets doesn't work, but all queued traffic goes in/out without it.

Looking over the code of libnetfilter_queue doesn't give me much, but as far as I understand, I don't have to pass packet data and datalen to this function if I just want to set the netfilter mark. Am I right?

Or should I pass pointers to data and data length even if I just set the mark?
Or maybe there is an issue with netfilter -m mark match interaction?
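
An added example, not part of the original post and not code from libnetfilter_queue: a self-contained C model of how the mark argument travels from the verdict call to the -m mark match, as one thing to check in a setup like the one above. It assumes the library copies the mark argument into the NFQA_MARK attribute unchanged and the kernel decodes that attribute with ntohl(); put_mark_attr, kernel_mark, mark_match and mark_seen_by_iptables are hypothetical names.

```c
#include <arpa/inet.h>   /* htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 4-byte NFQA_MARK attribute payload in the verdict message.
 * Assumption: nfq_set_verdict_mark() copies its mark argument into the
 * payload unchanged, so byte order is the caller's responsibility. */
static void put_mark_attr(uint8_t payload[4], uint32_t mark_arg)
{
    memcpy(payload, &mark_arg, 4);
}

/* Assumption: the kernel reads the attribute as big-endian (ntohl)
 * before storing it as the packet mark. */
static uint32_t kernel_mark(const uint8_t payload[4])
{
    uint32_t be;
    memcpy(&be, payload, 4);
    return ntohl(be);
}

/* "-m mark --mark VALUE[/MASK]" compares (packet mark & mask) with value. */
static int mark_match(uint32_t pkt_mark, uint32_t value, uint32_t mask)
{
    return (pkt_mark & mask) == value;
}

/* Mark the packet ends up with when mark_arg is handed to the verdict call. */
static uint32_t mark_seen_by_iptables(uint32_t mark_arg)
{
    uint8_t payload[4];
    put_mark_attr(payload, mark_arg);
    return kernel_mark(payload);
}

int main(void)
{
    uint32_t raw  = mark_seen_by_iptables(1);         /* as in the callback above */
    uint32_t conv = mark_seen_by_iptables(htonl(1));  /* byte order converted first */

    printf("mark arg 1        -> packet mark 0x%08x, --mark 1 %s\n", (unsigned)raw,
           mark_match(raw, 1, 0xffffffffu) ? "matches" : "does not match");
    printf("mark arg htonl(1) -> packet mark 0x%08x, --mark 1 %s\n", (unsigned)conv,
           mark_match(conv, 1, 0xffffffffu) ? "matches" : "does not match");
    return 0;
}
```

Under these assumptions, a little-endian host that passes 1 ends up with packet mark 0x01000000, which a rule with --mark 1 does not match.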

