NFQUEUE nfq_set_verdict_mark and "iptables -m mark" interaction
Kiba da Fucka
dkiba at yandex.ru
Sun Nov 27 02:24:51 CET 2005
I'm trying to use the queuing mechanism of 2.6.14, NFQUEUE.
My task is to set the firewall mark from userspace, and then make the filtering decision in the filter table or, for example, a corresponding DNAT action in nat PREROUTING.
My test firewall rules:
IPTABLES -t mangle -A PREROUTING -p ICMP -j NFQUEUE --queue-num 3
IPTABLES -P INPUT DROP
IPTABLES -A INPUT -m mark --mark 1 -j ACCEPT
I used nfqnl_test, provided with libnetfilter_queue, to test this approach:
Set up the queue:
qh = nfq_create_queue(h, 3, &cb, NULL);
And in the callback I call nfq_set_verdict_mark() instead of nfq_set_verdict():
u_int32_t id = print_pkt(nfa);
return nfq_set_verdict_mark(qh, id, NF_ACCEPT, 1, 0, NULL);
The program catches packets from the netlink socket and sets the verdict, but it seems not to mark them with "1", because the iptables rule that accepts only marked packets doesn't work; all queued traffic goes in/out without it.
Looking over the code of libnetfilter_queue doesn't give me much, but as far as I understand, I don't have to pass the packet data and data length to this function if I just want to set the netfilter mark. Am I right?
Or should I pass pointers to the data and the data length even if I just set the mark?
Or maybe there is an issue with the netfilter -m mark match interaction?
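The following is an added example, not code from the post above or from libnetfilter_queue. It rebuilds, byte for byte, the NFQNL_MSG_VERDICT netlink message that nfq_set_verdict_mark(qh, id, verdict, mark, data_len, buf) hands to the kernel, so the two points the question raises can be checked offline: the mark argument is copied into the NFQA_MARK attribute unchanged and the kernel reads that attribute as a big-endian 32-bit value (the library documents the parameter as "in network byte order"), so a caller who wants "-m mark --mark 1" to match must pass htonl(1); and data_len/buf only add an NFQA_PAYLOAD attribute, which is needed only when userspace modified the packet, so 0/NULL is fine for a mark-only verdict. The struct and constant definitions are copied from the kernel UAPI headers (linux/netlink.h, linux/netfilter/nfnetlink.h, linux/netfilter/nfnetlink_queue.h) under "_w" names so the file builds without those headers; queue number 3, packet id 7 and the five sample payload bytes are constructed values. Nothing is sent to a socket.

```c
/* Added example: the verdict message nfq_set_verdict_mark() builds, modelled
 * without libnetfilter_queue so it compiles and runs anywhere.  ABI constants
 * and struct layouts copied from the kernel UAPI headers (assumption noted in
 * the lead-in). */
#include <arpa/inet.h>   /* htonl, ntohl, htons */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLMSG_HDRLEN_W    16u
#define NLMSG_ALIGN_W(n)  (((n) + 3u) & ~3u)
#define NLM_F_REQUEST     0x01
#define NFNL_SUBSYS_QUEUE 3
#define NFQNL_MSG_VERDICT 1
#define NFQA_VERDICT_HDR  2
#define NFQA_MARK         3
#define NFQA_PAYLOAD      4
#define NF_ACCEPT         1

struct nlmsghdr_w  { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                     uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct nfgenmsg_w  { uint8_t nfgen_family; uint8_t version; uint16_t res_id; };
struct nlattr_w    { uint16_t nla_len; uint16_t nla_type; };
struct nfqnl_msg_verdict_hdr_w { uint32_t verdict; uint32_t id; }; /* both __be32 */

/* Append one netlink attribute (header, payload, zero padding); returns new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    struct nlattr_w a;
    size_t raw = sizeof a + dlen, padded = NLMSG_ALIGN_W(raw);
    a.nla_len = (uint16_t)raw;
    a.nla_type = type;
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + sizeof a, data, dlen);
    memset(buf + off + raw, 0, padded - raw);
    return off + padded;
}

/* Build the verdict message exactly as libnetfilter_queue's __set_verdict does.
 * mark_as_passed is the raw value the caller gave nfq_set_verdict_mark(): it is
 * NOT byte-swapped here.  data/data_len add NFQA_PAYLOAD only when data_len > 0.
 * Returns the message length, or 0 if cap is too small. */
size_t build_verdict(uint8_t *buf, size_t cap, uint16_t queue_num, uint32_t packet_id,
                     uint32_t verdict, int set_mark, uint32_t mark_as_passed,
                     const uint8_t *data, uint32_t data_len)
{
    struct nlmsghdr_w nlh;
    struct nfgenmsg_w nfg;
    struct nfqnl_msg_verdict_hdr_w vh;
    size_t off = NLMSG_HDRLEN_W;

    if (data_len > 0xffff - 4 || cap < 40 + NLMSG_ALIGN_W(4 + data_len)) return 0;

    nfg.nfgen_family = 0;                 /* AF_UNSPEC */
    nfg.version = 0;                      /* NFNETLINK_V0 */
    nfg.res_id = htons(queue_num);        /* queue number, big-endian on the wire */
    memcpy(buf + off, &nfg, sizeof nfg);
    off += sizeof nfg;

    vh.verdict = htonl(verdict);          /* the library converts these two fields... */
    vh.id = htonl(packet_id);
    off = put_attr(buf, off, NFQA_VERDICT_HDR, &vh, (uint16_t)sizeof vh);
    if (set_mark)                         /* ...but copies the mark verbatim */
        off = put_attr(buf, off, NFQA_MARK, &mark_as_passed, (uint16_t)sizeof mark_as_passed);
    if (data_len)
        off = put_attr(buf, off, NFQA_PAYLOAD, data, (uint16_t)data_len);

    nlh.nlmsg_len = (uint32_t)off;
    nlh.nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_VERDICT;
    nlh.nlmsg_flags = NLM_F_REQUEST;
    nlh.nlmsg_seq = 0;
    nlh.nlmsg_pid = 0;
    memcpy(buf, &nlh, sizeof nlh);
    return off;
}

/* Walk the attributes like the kernel's nfqnl_recv_verdict(); NULL if absent. */
static const uint8_t *find_attr(const uint8_t *msg, size_t len, uint16_t type)
{
    size_t off = NLMSG_HDRLEN_W + sizeof(struct nfgenmsg_w);
    while (off + sizeof(struct nlattr_w) <= len) {
        struct nlattr_w a;
        memcpy(&a, msg + off, sizeof a);
        if (a.nla_len < sizeof a || off + a.nla_len > len) return NULL;
        if (a.nla_type == type) return msg + off + sizeof a;
        off += NLMSG_ALIGN_W(a.nla_len);
    }
    return NULL;
}

/* The mark the kernel stores in skb->nfmark: ntohl() of the NFQA_MARK payload.
 * This is the value "-m mark --mark N" later compares against. */
uint32_t effective_mark(uint32_t mark_as_passed)
{
    uint8_t buf[256];
    uint32_t be = 0;
    size_t n = build_verdict(buf, sizeof buf, 3, 7, NF_ACCEPT, 1, mark_as_passed, NULL, 0);
    const uint8_t *p = find_attr(buf, n, NFQA_MARK);
    if (p) memcpy(&be, p, sizeof be);
    return ntohl(be);
}

/* Message length and payload presence for a mark-only verdict vs. one that
 * returns a (constructed, 5-byte) modified packet. */
size_t verdict_msg_len(int with_payload)
{
    static const uint8_t pkt[5] = { 0x45, 0x00, 0x00, 0x54, 0x00 }; /* constructed sample */
    uint8_t buf[256];
    return build_verdict(buf, sizeof buf, 3, 7, NF_ACCEPT, 1, htonl(1),
                         with_payload ? pkt : NULL, with_payload ? (uint32_t)sizeof pkt : 0);
}

int verdict_has_payload(int with_payload)
{
    static const uint8_t pkt[5] = { 0x45, 0x00, 0x00, 0x54, 0x00 };
    uint8_t buf[256];
    size_t n = build_verdict(buf, sizeof buf, 3, 7, NF_ACCEPT, 1, htonl(1),
                             with_payload ? pkt : NULL, with_payload ? (uint32_t)sizeof pkt : 0);
    return find_attr(buf, n, NFQA_PAYLOAD) != NULL;
}

int main(void)
{
    printf("mark passed as 1        -> kernel sees 0x%08x\n", effective_mark(1));
    printf("mark passed as htonl(1) -> kernel sees 0x%08x\n", effective_mark(htonl(1)));
    printf("mark-only verdict is %zu bytes, no NFQA_PAYLOAD: %d\n",
           verdict_msg_len(0), !verdict_has_payload(0));
    return 0;
}
```

On a little-endian host the first line prints 0x01000000, which is why "-m mark --mark 1" never matches when the mark is passed as a plain 1; the second prints 0x00000001. The mark-only message is 40 bytes (16-byte nlmsghdr, 4-byte nfgenmsg, 12-byte verdict-header attribute, 8-byte mark attribute) and carries no payload attribute, so the 0/NULL data arguments in the post are correct for setting only the mark.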