Message-ID: <20100831201530.GE11893@miggy.org>
Date:	Tue, 31 Aug 2010 21:15:30 +0100
From:	Athanasius <link@...gy.org>
To:	linux-kernel <linux-kernel@...r.kernel.org>
Cc:	netfilter@...r.kernel.org
Subject: NF_QUEUE: nfq_bind_pf() fails - solution

  In the hope that this will make it into Google and help others, and
maybe someone will clarify the Kconfig....

  I've just spent a few hours trying to figure out why simple code
attempting to use Netfilter Queues has been failing to even do the nice
simple nfq_bind_pf(h, AF_INET).  I eventually spotted some /proc code
that led me to find /proc/net/netfilter/nf_queue which contained:

 0 NONE
 1 NONE
 2 ip_queue
 3 NONE
 4 NONE
 5 NONE
 6 NONE
 7 NONE
 8 NONE
 9 NONE
10 NONE
11 NONE
12 NONE

And indeed '2' is AF_INET.  So, what's this ip_queue?  It's an
implementation of the *OLD* ip_queue interface using the new
nfnetlink_queue interface.  But this being in place totally blocks
anything else from binding to AF_INET.

So, it's this kernel option:

config IP_NF_QUEUE
        tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
        depends on NETFILTER_ADVANCED
        help
          Netfilter has the ability to queue packets to user space: the
          netlink device can be used to access them using this driver.

          This option enables the old IPv4-only "ip_queue" implementation
          which has been obsoleted by the new "nfnetlink_queue" code (see
          CONFIG_NETFILTER_NETLINK_QUEUE).

          To compile it as a module, choose M here.  If unsure, say N.

I feel this could be a little more explicit that "if you have this
active then nothing else will be able to use nfnetlink_queue instead".

Yes, now I'm wishing I compiled this stuff as modules so I could just
remove the bugger.

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
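
Added example, not part of the original message and not code from the netfilter project: a small C check that parses the /proc/net/netfilter/nf_queue table shown above and reports whether the obsolete ip_queue handler holds a protocol family, which is the condition the message identifies as blocking nfq_bind_pf(h, AF_INET). The sample table is constructed, and the function names nfq_handler_for and pf_held_by_ip_queue are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET */

/* Constructed sample in the format quoted in the message. */
static const char SAMPLE_TABLE[] =
    " 0 NONE\n 1 NONE\n 2 ip_queue\n 3 NONE\n10 NONE\n";

/* Look up protocol family `pf` in the text of the nf_queue table and
 * copy the registered handler name into `name`.
 * Returns 0 on success, -1 if no well-formed line exists for `pf`. */
int nfq_handler_for(const char *table, int pf, char *name, size_t len)
{
    while (*table) {
        size_t n = strcspn(table, "\n");      /* length of this line */
        char row[64], h[32];
        int fam;
        if (n < sizeof row) {
            memcpy(row, table, n);
            row[n] = '\0';
            if (sscanf(row, "%d %31s", &fam, h) == 2 && fam == pf) {
                snprintf(name, len, "%s", h);
                return 0;
            }
        }
        table += n;
        if (*table == '\n') table++;
    }
    return -1;
}

/* 1 if ip_queue holds `pf`, 0 if something else (or NONE) does,
 * -1 if the table has no entry for `pf`. */
int pf_held_by_ip_queue(const char *table, int pf)
{
    char name[32];
    if (nfq_handler_for(table, pf, name, sizeof name) != 0) return -1;
    return strcmp(name, "ip_queue") == 0;
}

int main(void)
{
    static char buf[4096];                    /* zero-initialised */
    const char *table = SAMPLE_TABLE;         /* fallback when /proc file is absent */
    FILE *f = fopen("/proc/net/netfilter/nf_queue", "r");
    if (f) { if (fread(buf, 1, sizeof buf - 1, f) > 0) table = buf; fclose(f); }
    int r = pf_held_by_ip_queue(table, AF_INET);
    puts(r == 1 ? "AF_INET held by ip_queue: nfq_bind_pf() will fail"
       : r == 0 ? "AF_INET not held by ip_queue" : "no AF_INET entry found");
    return r == 1;
}
```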
