Why does libnetfilter_queue (nfqnl_test) drop all the packets?

ackema
Posts: 1
Joined: 2022-08-05 06:41

#1 Post by ackema »

Hello, I followed this tutorial https://wiki.nftables.org/wiki-nftables ... _userspace, but found that libnetfilter_queue (nfqnl_test) drops all the packets.

Here is my situation:

1. Debian 11 is running on an x86 board as a router; it worked fine before I did the following steps. Computers connected to the router could access the internet.

2. I run "./nfqnl_test 0" on the system. I did not change any code of nfqnl_test.

3. I set some rules in nft like this:

nft 'add chain ip filter xxx { type filter hook prerouting priority security; policy accept; }'
nft add ip filter janus counter queue num 0 bypass

4. I can see nfqnl_test receives a lot of packets and sets 'NF_ACCEPT' for every packet.

5. However, computers can't access the internet.

6. I ran tcpdump on the router and found this (only TCP SYN packets; it looks like all packets were dropped by libnetfilter_queue):

root@edge:/tmp# tcpdump -i br0 tcp -nn 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:13:02.176120 IP 10.10.0.101.50648 > 223.166.152.100.80: Flags [S], seq 3275466283, win 65535, options [mss 1400,sackOK,TS val 771931995 ecr 0,nop,wscale 8], length 0
15:13:02.503564 IP 10.10.0.101.46502 > 101.91.37.47.80: Flags [S], seq 1165380086, win 65535, options [mss 1400,sackOK,TS val 771932315 ecr 0,nop,wscale 8], length 0
15:13:02.593763 IP 10.10.0.101.45040 > 223.166.152.101.80: Flags [S], seq 351905689, win 65535, options [mss 1400,sackOK,TS val 771932415 ecr 0,nop,wscale 8], length 0
15:13:02.626100 IP 10.10.0.101.38726 > 123.151.190.252.8080: Flags [S], seq 3440132546, win 65535, options [mss 1400,sackOK,TS val 771932447 ecr 0,nop,wscale 8], length 0
15:13:02.911174 IP 10.10.0.101.35700 > 117.68.25.13.80: Flags [F.], seq 1446696559, ack 2445992548, win 65535, length 0
15:13:02.911504 IP 10.10.0.101.42180 > 117.68.25.62.80: Flags [S], seq 2471821306, win 65535, options [mss 1460,sackOK,TS val 771932731 ecr 0,nop,wscale 8], length 0
15:13:03.031874 IP 10.10.0.100.54527 > 142.250.204.42.443: Flags [S], seq 2035448939, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.033886 IP 10.10.0.100.54528 > 142.250.204.42.443: Flags [S], seq 177114614, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.036884 IP 10.10.0.100.54529 > 172.217.163.42.443: Flags [S], seq 2044175391, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.135798 IP 10.10.0.101.41658 > 42.187.182.106.80: Flags [S], seq 3178900530, win 65535, options [mss 1400,sackOK,TS val 771932955 ecr 0,nop,wscale 8], length 0
15:13:03.165705 IP 10.10.0.101.57540 > 117.68.25.83.80: Flags [S], seq 1333538340, win 65535, options [mss 1460,sackOK,TS val 771932987 ecr 0,nop,wscale 8], length 0
15:13:03.212680 IP 10.10.0.100.54530 > 172.217.163.42.443: Flags [S], seq 4202285807, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.227897 IP 101.91.37.28.80 > 10.10.0.101.35482: Flags [P.], seq 3016674904:3016674945, ack 2546257783, win 4115, length 41: HTTP
15:13:03.230419 IP 10.10.0.101.50654 > 223.166.152.100.80: Flags [S], seq 1511268503, win 65535, options [mss 1400,sackOK,TS val 771933051 ecr 0,nop,wscale 8], length 0
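
To put numbers on the symptom in a capture like the one above (connection attempts leaving the LAN, no handshake replies coming back), here is an added example that is not part of the original post. The function names and the sample lines are constructed; the LAN prefix 10.10.0. is taken from the capture.

```shell
#!/bin/sh
# Count TCP handshake progress in `tcpdump -nn` text output.
# Live use: tcpdump -i br0 tcp -nn -l | handshake_summary 10.10.0.
# $1 = LAN address prefix (assumption: clients are in 10.10.0.x as in the post).
handshake_summary() {
    awk -v lan="$1" '
    $2 == "IP" && $4 == ">" && $6 == "Flags" {
        flags = $7                      # looks like "[S]," or "[S.],"
        sub(/^\[/, "", flags)
        sub(/\],?$/, "", flags)
        from_lan = (index($3, lan) == 1)
        if (flags == "S" && from_lan)         syn++     # client opens a connection
        else if (flags == "S." && !from_lan)  synack++  # remote side answers
        else                                  other++   # anything else (data, FIN, ...)
    }
    END { printf "syn_out=%d synack_in=%d other=%d\n", syn, synack, other }'
}

# Constructed sample input (documentation address ranges, not the post's capture).
sample_capture() {
    cat <<'EOF'
15:13:02.176120 IP 10.10.0.101.50648 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
15:13:03.176120 IP 10.10.0.101.50648 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
15:13:03.031874 IP 10.10.0.100.54527 > 198.51.100.7.443: Flags [S], seq 2, win 65535, length 0
15:13:03.227897 IP 198.51.100.9.80 > 10.10.0.101.35482: Flags [P.], seq 5:46, ack 9, win 4115, length 41: HTTP
EOF
}

# Many outbound SYNs with synack_in=0 means new connections never complete.
sample_capture | handshake_summary 10.10.0.
```

Running the same summary on the LAN-side and WAN-side interfaces shows on which side of the router the handshake stops.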

LE_746F6D617A7A69
Posts: 837
Joined: 2020-05-03 14:16

Re: Why does libnetfilter_queue (nfqnl_test) drop all the packets?

#2 Post by LE_746F6D617A7A69 »

... and what would happen if you don't run the nfqnl_test, but only add the nft queue rules (with the bypass flag)?

Besides, your invocations of nft are inconsistent: what is the "janus" filter argument?
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed