* libnetfilter_queue: Access conntrack info
@ 2021-06-28  4:07 Psyspy 22
  2021-06-29  2:20 ` Duncan Roe
  0 siblings, 1 reply; 7+ messages in thread
From: Psyspy 22 @ 2021-06-28  4:07 UTC (permalink / raw)
  To: netfilter

Hello,

Good morning! I am using the nf-queue.c example from
libnetfilter_queue repo. In the queue_cb() function, I am trying to
get the conntrack info but this condition is always false.

if(attr[NFQA_CT])

I can see the flow in conntrack -L output. Anyone know what I am
missing? Appreciate your help!

Kind regards.


* Re: libnetfilter_queue: Access conntrack info
  2021-06-28  4:07 libnetfilter_queue: Access conntrack info Psyspy 22
@ 2021-06-29  2:20 ` Duncan Roe
  2021-06-29  4:02   ` Psyspy 22
  0 siblings, 1 reply; 7+ messages in thread
From: Duncan Roe @ 2021-06-29  2:20 UTC (permalink / raw)
  To: netfilter

On Sun, Jun 27, 2021 at 10:07:18PM -0600, Psyspy 22 wrote:
> Hello,
>
> Good morning! I am using the nf-queue.c example from
> libnetfilter_queue repo. In the queue_cb() function, I am trying to
> get the conntrack info but this condition is always false.
>
> if(attr[NFQA_CT])
>
> I can see the flow in conntrack -L output. Anyone know what I am
> missing? Appreciate your help!
>
> Kind regards.

attr[NFQA_CT] is for a connmark. Please try attr[NFQA_CT_INFO].

Tell the list how that went,

Cheers ... Duncan.


* Re: libnetfilter_queue: Access conntrack info
  2021-06-29  2:20 ` Duncan Roe
@ 2021-06-29  4:02   ` Psyspy 22
  2021-06-29  6:38     ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Psyspy 22 @ 2021-06-29  4:02 UTC (permalink / raw)
  To: netfilter

Hello Duncan,

I actually need connmark and other conntrack fields like secmark etc.
I think attr[NFQA_CT] is the correct way to access it but it's empty
in my case.
The libnetfilter_queue example sets connmark but doesn't show a way to
get connmark from the packet.

Thanks!

On Mon, Jun 28, 2021 at 8:20 PM Duncan Roe <duncan_roe@optusnet.com.au> wrote:
>
> On Sun, Jun 27, 2021 at 10:07:18PM -0600, Psyspy 22 wrote:
> > Hello,
> >
> > Good morning! I am using the nf-queue.c example from
> > libnetfilter_queue repo. In the queue_cb() function, I am trying to
> > get the conntrack info but this condition is always false.
> >
> > if(attr[NFQA_CT])
> >
> > I can see the flow in conntrack -L output. Anyone know what I am
> > missing? Appreciate your help!
> >
> > Kind regards.
>
> attr[NFQA_CT] is for a connmark. Please try attr[NFQA_CT_INFO].
>
> Tell the list how that went,
>
> Cheers ... Duncan.


* Re: libnetfilter_queue: Access conntrack info
  2021-06-29  4:02   ` Psyspy 22
@ 2021-06-29  6:38     ` Florian Westphal
  2021-06-29 14:22       ` Psyspy 22
  0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2021-06-29  6:38 UTC (permalink / raw)
  To: Psyspy 22; +Cc: netfilter

Psyspy 22 <psyspy2020@gmail.com> wrote:
> Hello Duncan,
> 
> I actually need connmark and other conntrack fields like secmark etc.
> I think attr[NFQA_CT] is the correct way to access it but it's empty
> in my case.
> The libnetfilter_queue example sets connmark but doesn't show a way to
> get connmark from the packet.

IIRC you need to set NFQA_CFG_F_CONNTRACK in NFQA_CFG_FLAGS when setting
up the queue.  The example only sets F_GSO, so no conntrack info is
added.
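
Added example (not part of the thread and not libnetfilter_queue's own code): the flag attributes Florian describes and a bounds-checked read of the connmark from the nested NFQA_CT attribute, using only kernel UAPI headers. The helper names are illustrative, and the sample in main() is a constructed attribute area (what follows the nlmsghdr and nfgenmsg headers), not a captured packet.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink_queue.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
/* Append one attribute (header, payload, zero padding); returns the new offset. */
static size_t put_attr(uint8_t *b, size_t off, uint16_t type, const void *d, uint16_t n) {
    struct nlattr a = { .nla_len = (uint16_t)(NLA_HDRLEN + n), .nla_type = type };
    memset(b + off, 0, NLA_ALIGN(a.nla_len));
    memcpy(b + off, &a, sizeof(a));
    memcpy(b + off + sizeof(a), d, n);
    return off + NLA_ALIGN(a.nla_len);
}
/* Bounds-checked TLV walk: payload of the first `type` attribute, NULL if absent or truncated. */
static const uint8_t *find_attr(const uint8_t *b, size_t len, uint16_t type, size_t *plen) {
    struct nlattr a;
    for (size_t off = 0; off <= len && len - off >= sizeof(a); off += NLA_ALIGN(a.nla_len)) {
        memcpy(&a, b + off, sizeof(a));
        if (a.nla_len < sizeof(a) || a.nla_len > len - off) return NULL;
        if ((a.nla_type & NLA_TYPE_MASK) != type) continue;
        *plen = a.nla_len - sizeof(a);
        return b + off + sizeof(a);
    }
    return NULL;
}
/* Attributes for the NFQNL_MSG_CONFIG request: FLAGS and MASK go together, big-endian. */
size_t build_cfg_flags(uint8_t *b, uint32_t flags) {
    uint32_t be = htonl(flags);
    return put_attr(b, put_attr(b, 0, NFQA_CFG_FLAGS, &be, 4), NFQA_CFG_MASK, &be, 4);
}
/* 1: mark read; 0: NFQA_CT present but no CTA_MARK in it; -1: message carries no NFQA_CT. */
int ct_mark_from_packet(const uint8_t *attrs, size_t len, uint32_t *mark) {
    size_t ctlen, mlen; uint32_t be;
    const uint8_t *ct = find_attr(attrs, len, NFQA_CT, &ctlen);
    if (!ct) return -1;
    const uint8_t *m = find_attr(ct, ctlen, CTA_MARK, &mlen);
    if (!m || mlen != sizeof(be)) return 0;
    memcpy(&be, m, sizeof(be));
    *mark = ntohl(be);
    return 1;
}
int main(void) { /* constructed sample: NFQA_MARK, then NFQA_CT { CTA_MARK = 0x2a } */
    uint8_t ct[16], b[64]; uint32_t be = htonl(0x2a), mark = 0;
    size_t n = put_attr(ct, 0, CTA_MARK, &be, 4), off = put_attr(b, 0, NFQA_MARK, &be, 4);
    int rc = ct_mark_from_packet(b, put_attr(b, off, NFQA_CT | NLA_F_NESTED, ct, (uint16_t)n), &mark);
    printf("rc=%d connmark=0x%x\n", rc, mark);
    return 0;
}
```

In a libmnl program the same steps are mnl_attr_put_u32() for both NFQA_CFG_FLAGS and NFQA_CFG_MASK at bind time and mnl_attr_parse_nested() on attr[NFQA_CT] in the callback; a return of -1 here corresponds to the "always false" condition reported in the thread.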


* Re: libnetfilter_queue: Access conntrack info
  2021-06-29  6:38     ` Florian Westphal
@ 2021-06-29 14:22       ` Psyspy 22
  2021-06-29 14:38         ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Psyspy 22 @ 2021-06-29 14:22 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

Thanks Florian. I added that flag, no dice.

If  I run the libmnl dump example, it successfully prints all
conntrack entries. I would assume all the conntrack related kernel
modules are loaded. I am on 4.1 kernel. I could be missing something.

On Tue, Jun 29, 2021 at 12:38 AM Florian Westphal <fw@strlen.de> wrote:
>
> Psyspy 22 <psyspy2020@gmail.com> wrote:
> > Hello Duncan,
> >
> > I actually need connmark and other conntrack fields like secmark etc.
> > I think attr[NFQA_CT] is the correct way to access it but it's empty
> > in my case.
> > The libnetfilter_queue example sets connmark but doesn't show a way to
> > get connmark from the packet.
>
> IIRC you need to set NFQA_CFG_F_CONNTRACK in NFQA_CFG_FLAGS when setting
> up the queue.  The example only sets F_GSO, so no conntrack info is
> added.


* Re: libnetfilter_queue: Access conntrack info
  2021-06-29 14:22       ` Psyspy 22
@ 2021-06-29 14:38         ` Florian Westphal
  2021-07-01 18:13           ` Psyspy 22
  0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2021-06-29 14:38 UTC (permalink / raw)
  To: Psyspy 22; +Cc: Florian Westphal, netfilter

Psyspy 22 <psyspy2020@gmail.com> wrote:
> Thanks Florian. I added that flag, no dice.
> 
> If  I run the libmnl dump example, it successfully prints all
> conntrack entries. I would assume all the conntrack related kernel
> modules are loaded. I am on 4.1 kernel. I could be missing something.

No idea.  attr[NFQA_CT] is set as expected on 5.12.12 when I enable
NFQA_CFG_F_CONNTRACK in example/nf-queue.c


* Re: libnetfilter_queue: Access conntrack info
  2021-06-29 14:38         ` Florian Westphal
@ 2021-07-01 18:13           ` Psyspy 22
  0 siblings, 0 replies; 7+ messages in thread
From: Psyspy 22 @ 2021-07-01 18:13 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

Maybe I haven't set up iptables rules properly? This is the first rule
in INPUT table:
iptables -I INPUT -p udp -m udp --sport 10080 -j NFQUEUE --queue-num 5 --queue-bypass

Thanks!

On Tue, Jun 29, 2021 at 8:38 AM Florian Westphal <fw@strlen.de> wrote:
>
> Psyspy 22 <psyspy2020@gmail.com> wrote:
> > Thanks Florian. I added that flag, no dice.
> >
> > If  I run the libmnl dump example, it successfully prints all
> > conntrack entries. I would assume all the conntrack related kernel
> > modules are loaded. I am on 4.1 kernel. I could be missing something.
>
> No idea.  attr[NFQA_CT] is set as expected on 5.12.12 when I enable
> NFQA_CFG_F_CONNTRACK in example/nf-queue.c
