Hello!
I have N routing tables. Each of my IPs has its own routing table number.
I want to mark packets with iplist (for routing).
# iptables -t mangle -L PREROUTING --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 NFQUEUE 0 -- 10.0.0.0/8 !10.0.0.0/8 NFQUEUE num 1
2 NFQUEUE 0 -- 10.0.0.0/8 !10.0.0.0/8 NFQUEUE num 2
3 NFQUEUE 0 -- 10.0.0.0/8 !10.0.0.0/8 NFQUEUE num 3
4 NFQUEUE 0 -- 10.0.0.0/8 !10.0.0.0/8 NFQUEUE num 4
5 NFQUEUE 0 -- 10.0.0.0/8 !10.0.0.0/8 NFQUEUE num 5
iplist --daemon --insert --queue-num=1 --policy=repeat --policy-mark=0 --target=accept --target-mark=1 /list-of-ip-for-gw1
...
This configuration marks target packets with 1 (mark=1) and accepts them. Also, by the policy rule, it marks the other packets with 0 (mark=0) and REPEATs them. In our case iplist sends the other packets again to the beginning of PREROUTING, which leads to cycling.
How can I RETURN packets from NFQUEUE, like "iptables ... -j RETURN"???
Roman.
Marking a packet with 0 means it is unmarked. There is no way to return packets. Instead this can be achieved by repeating and using the mark module of iptables to avoid cycles. Example 1 in the manpage (man 8 iplist) shows how to simulate RETURN.
http://iplist.sourceforge.net/iplist.8.html
Regards,
Serkan
This example is not good... The packet enters PREROUTING twice.
If there are 10 rules with NFQUEUE in PREROUTING, a packet with an IP outside the ranges will be returned to PREROUTING ~100 times!
Any idea?
Roman.
Correction: it will pass through the PREROUTING rules ~100 times.
Roman.
For more than one queue a different approach is needed:
iptables -I INPUT 1 -m mark --mark 0 -j NFQUEUE --queue-num 1
iptables -I INPUT 2 -m mark --mark 1 -j NFQUEUE --queue-num 2
iptables -I INPUT 3 -m mark --mark 2 -j NFQUEUE --queue-num 3
iptables -I INPUT 4 -m mark --mark 3 -j NFQUEUE --queue-num 4
...
iplist --insert --queue-num=1 --policy=repeat --policy-mark=1 --target=accept /list-for-1
iplist --insert --queue-num=2 --policy=repeat --policy-mark=2 --target=accept /list-for-2
iplist --insert --queue-num=3 --policy=repeat --policy-mark=3 --target=accept /list-for-3
iplist --insert --queue-num=4 --policy=repeat --policy-mark=4 --target=accept /list-for-4
This results in every packet being repeated n times (if n queues are used). Every packet (the default mark is zero, unmarked) goes to queue 1, which repeats it and delegates it to queue 2; queue 2 repeats it so that queue 3 can handle it, and so on. At the end the packet is marked with 4, in which case the rest of the iptables rules are applied.
For this sample, every packet outside the ranges enters IPLIST 4 times and passes through the iptables rules 10 times. With 10 rules it would be 10 and 55, respectively. Not good...
I do not know the iptables queue API, but I want to ask whether there is a technical possibility to return a packet from the user-space application queue back to the iptables rules (like iptables -j RETURN)? Or to place the NFQUEUE rule in a separate chain?
Roman.
No. The nfqueue module and userspace library don't allow returning packets like in iptables. Because of that, IPblock only looks at packets that initiate new connections (-m state --state NEW), which improves efficiency.
Packets will be repeated in the built-in chain INPUT, OUTPUT or FORWARD regardless of whether they were redirected to nfqueue from a custom chain.
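The following is an added example, not code from this thread and not part of iplist or IPblock. It is a small Python model of the mechanism discussed above: the NF_REPEAT verdict re-injecting a packet at the start of the chain, and the "-m mark" rules plus --policy-mark that Serkan uses to keep the chain from cycling. It models Roman's original PREROUTING setup (every queue resets the mark to 0), the single-queue RETURN simulation (the shape of manpage example 1 is assumed, since the page does not reproduce it: one rule matching mark 0 and a queue that sets mark 1 before repeating), and the n-queue chaining posted above. Lists are matched on the destination address only, and all addresses, lists and counts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

NF_ACCEPT = "NF_ACCEPT"
NF_REPEAT = "NF_REPEAT"


@dataclass
class Packet:
    dst: str                # destination address; lists are matched on it only (simplification)
    mark: int = 0           # fwmark; 0 is "unmarked"
    rule_evals: int = 0     # how many chain rules have looked at this packet
    queue_visits: int = 0   # how many times it was handed to a userspace queue


@dataclass
class Rule:
    queue_num: int                      # -j NFQUEUE --queue-num N
    match_mark: Optional[int] = None    # -m mark --mark M; None if the rule has no mark match


class IplistQueue:
    """Models one daemon started as
    iplist --queue-num=N --policy=repeat --policy-mark=P --target=accept [--target-mark=T]."""

    def __init__(self, cidrs: List[str], policy_mark: int, target_mark: Optional[int] = None):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
        self.policy_mark = policy_mark
        self.target_mark = target_mark

    def verdict(self, pkt: Packet) -> str:
        dst = ipaddress.ip_address(pkt.dst)
        if any(dst in net for net in self.nets):   # address is in the list: apply target
            if self.target_mark is not None:
                pkt.mark = self.target_mark
            return NF_ACCEPT
        pkt.mark = self.policy_mark                 # not listed: apply policy (repeat)
        return NF_REPEAT


def traverse(rules: List[Rule], queues: Dict[int, IplistQueue], pkt: Packet, max_passes: int = 64) -> str:
    """Walk pkt through one chain. NF_REPEAT re-injects the packet at the first rule of
    the chain, so every rule before the matching NFQUEUE rule is evaluated again on each
    pass. Returns "ACCEPT", "FALLTHROUGH" (no NFQUEUE rule matched, so the rest of the
    chain would apply: the simulated RETURN) or "CYCLE" (still repeating after max_passes)."""
    for _ in range(max_passes):
        repeated = False
        for rule in rules:
            pkt.rule_evals += 1
            if rule.match_mark is not None and rule.match_mark != pkt.mark:
                continue
            pkt.queue_visits += 1
            if queues[rule.queue_num].verdict(pkt) == NF_ACCEPT:
                return "ACCEPT"
            repeated = True     # NF_REPEAT: start the chain over
            break
        if not repeated:
            return "FALLTHROUGH"
    return "CYCLE"


def original_setup(n: int = 5):
    """Roman's PREROUTING: no mark match on the rules, every queue sets mark 0 and repeats."""
    rules = [Rule(queue_num=i) for i in range(1, n + 1)]
    queues = {i: IplistQueue([f"10.{i}.0.0/16"], policy_mark=0, target_mark=i) for i in range(1, n + 1)}
    return rules, queues


def chained_setup(n: int):
    """Serkan's chaining: rule i matches mark i-1 and queue i sets mark i before repeating."""
    rules = [Rule(queue_num=i, match_mark=i - 1) for i in range(1, n + 1)]
    queues = {i: IplistQueue([f"10.{i}.0.0/16"], policy_mark=i) for i in range(1, n + 1)}
    return rules, queues


def return_setup():
    """Single queue simulating RETURN (assumed shape of manpage example 1): the rule matches
    only unmarked packets and the queue marks them with 1 before repeating, so the
    repeated packet skips the rule and falls through to the rest of the chain."""
    return [Rule(queue_num=1, match_mark=0)], {1: IplistQueue(["10.1.0.0/16"], policy_mark=1)}


def cost(rules, queues, dst: str):
    """Verdict, rule evaluations, userspace visits and final mark for one packet to dst."""
    pkt = Packet(dst=dst)
    result = traverse(rules, queues, pkt)
    return result, pkt.rule_evals, pkt.queue_visits, pkt.mark


if __name__ == "__main__":
    unlisted = "203.0.113.7"     # constructed address that is in none of the lists
    print("original setup, unlisted:", cost(*original_setup(), unlisted))
    print("one queue simulating RETURN:", cost(*return_setup(), unlisted))
    for n in (4, 10):
        print(f"{n} chained queues, unlisted:", cost(*chained_setup(n), unlisted))
    print("4 chained queues, listed in list 3:", cost(*chained_setup(4), "10.3.5.9"))
```

In the original setup every address that is not in the first list cycles, because rule 1 is evaluated first on every pass and its queue resets the mark to 0 and repeats. With n chained queues an unlisted packet visits userspace n times and the NFQUEUE rules are evaluated 1+2+...+n = n(n+1)/2 times before the last repeat, plus n more evaluations on the final pass in which no mark rule matches; the model therefore reports 14 and 65 evaluations for 4 and 10 queues where the thread counts 10 and 55.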
Many thanks!
Roman.
After starting, I received these messages:
Dec 16 13:46:06 ktmlaggregator kernel: printk: 17 messages suppressed.
Dec 16 13:46:06 ktmlaggregator kernel: ip_conntrack: table full, dropping packet.
Dec 16 13:46:12 ktmlaggregator kernel: printk: 13 messages suppressed.
Dec 16 13:46:12 ktmlaggregator kernel: ip_conntrack: table full, dropping packet.
Dec 16 13:46:16 ktmlaggregator kernel: printk: 2 messages suppressed.
Dec 16 13:46:16 ktmlaggregator kernel: ip_conntrack: table full, dropping packet.
Dec 16 13:46:21 ktmlaggregator kernel: printk: 6 messages suppressed.
Dec 16 13:46:21 ktmlaggregator kernel: ip_conntrack: table full, dropping packet.
Dec 16 13:46:26 ktmlaggregator kernel: printk: 5 messages suppressed.
Dec 16 13:46:26 ktmlaggregator kernel: ip_conntrack: table full, dropping packet.
After these messages, iplist stopped working.
The NOTRACK action in the RAW table's PREROUTING chain has not helped.
Any ideas?