Why libnetfilter_queue(nfqnl_test) drop all the packets?

ackema
Posts: 1
Joined: 2022-08-05 06:41

Why libnetfilter_queue(nfqnl_test) drop all the packets?

#1 Post by ackema »

Hello, I followed this tutorial https://wiki.nftables.org/wiki-nftables ... _userspace, but found that libnetfilter_queue (nfqnl_test) drops all the packets.

Here is my situation:

1. Debian 11 is running on an x86 board as a router; it works fine before I do the following steps. Computers connected to the router can access the internet.

2. I run "./nfqnl_test 0" on the system. I did not change any code of nfqnl_test.
3. I set some nft rules like this:

Code:

nft 'add chain ip filter xxx { type filter hook prerouting priority security; policy accept; }'
nft add ip filter janus counter queue num 0 bypass
4. I can see that nfqnl_test receives a lot of packets and sets 'NF_ACCEPT' for every packet.

5. However, computers can't access the internet.

6. I ran tcpdump on the router and found this (only TCP SYN packets; it looks like all packets were dropped by libnetfilter_queue):

Code:

root@edge:/tmp# tcpdump -i br0 tcp -nn 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:13:02.176120 IP 10.10.0.101.50648 > 223.166.152.100.80: Flags [S], seq 3275466283, win 65535, options [mss 1400,sackOK,TS val 771931995 ecr 0,nop,wscale 8], length 0
15:13:02.503564 IP 10.10.0.101.46502 > 101.91.37.47.80: Flags [S], seq 1165380086, win 65535, options [mss 1400,sackOK,TS val 771932315 ecr 0,nop,wscale 8], length 0
15:13:02.593763 IP 10.10.0.101.45040 > 223.166.152.101.80: Flags [S], seq 351905689, win 65535, options [mss 1400,sackOK,TS val 771932415 ecr 0,nop,wscale 8], length 0
15:13:02.626100 IP 10.10.0.101.38726 > 123.151.190.252.8080: Flags [S], seq 3440132546, win 65535, options [mss 1400,sackOK,TS val 771932447 ecr 0,nop,wscale 8], length 0
15:13:02.911174 IP 10.10.0.101.35700 > 117.68.25.13.80: Flags [F.], seq 1446696559, ack 2445992548, win 65535, length 0
15:13:02.911504 IP 10.10.0.101.42180 > 117.68.25.62.80: Flags [S], seq 2471821306, win 65535, options [mss 1460,sackOK,TS val 771932731 ecr 0,nop,wscale 8], length 0
15:13:03.031874 IP 10.10.0.100.54527 > 142.250.204.42.443: Flags [S], seq 2035448939, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.033886 IP 10.10.0.100.54528 > 142.250.204.42.443: Flags [S], seq 177114614, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.036884 IP 10.10.0.100.54529 > 172.217.163.42.443: Flags [S], seq 2044175391, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.135798 IP 10.10.0.101.41658 > 42.187.182.106.80: Flags [S], seq 3178900530, win 65535, options [mss 1400,sackOK,TS val 771932955 ecr 0,nop,wscale 8], length 0
15:13:03.165705 IP 10.10.0.101.57540 > 117.68.25.83.80: Flags [S], seq 1333538340, win 65535, options [mss 1460,sackOK,TS val 771932987 ecr 0,nop,wscale 8], length 0
15:13:03.212680 IP 10.10.0.100.54530 > 172.217.163.42.443: Flags [S], seq 4202285807, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.227897 IP 101.91.37.28.80 > 10.10.0.101.35482: Flags [P.], seq 3016674904:3016674945, ack 2546257783, win 4115, length 41: HTTP
15:13:03.230419 IP 10.10.0.101.50654 > 223.166.152.100.80: Flags [S], seq 1511268503, win 65535, options [mss 1400,sackOK,TS val 771933051 ecr 0,nop,wscale 8], length 0
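
One way to quantify the symptom described in step 6, as an added example that is not part of the original post: the Python below parses `tcpdump -nn` TCP lines and lists the client flows whose SYN never receives a SYN-ACK within the capture. The sample lines are constructed with documentation addresses, and the function name `unanswered_syns` is an assumption made for this illustration.

```python
import re

# Constructed tcpdump -nn lines (documentation addresses), not the capture from the post.
SAMPLE = """\
15:13:02.176120 IP 192.0.2.101.50648 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
15:13:03.180000 IP 192.0.2.101.50648 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
15:13:02.503564 IP 192.0.2.101.46502 > 198.51.100.20.80: Flags [S], seq 7, win 65535, length 0
15:13:02.540000 IP 198.51.100.20.80 > 192.0.2.101.46502: Flags [S.], seq 9, ack 8, win 65535, length 0
15:13:02.541000 IP 192.0.2.101.46502 > 198.51.100.20.80: Flags [.], ack 10, win 65535, length 0
15:13:03.031874 IP 192.0.2.100.54527 > 198.51.100.30.443: Flags [S], seq 5, win 65535, length 0
"""

# timestamp, "IP", src.port > dst.port:, then the TCP flags in brackets
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def unanswered_syns(capture: str) -> dict:
    """Map each client flow (src, sport, dst, dport) to its SYN count
    when no SYN-ACK in the reverse direction appears in the capture."""
    syn_count = {}
    answered = set()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines, non-IPv4 or non-TCP records
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":
            # Retransmitted SYNs land on the same 4-tuple and raise the count
            syn_count[flow] = syn_count.get(flow, 0) + 1
        elif flags == "S.":
            # SYN-ACK: the handshake it answers is the reversed 4-tuple
            answered.add((flow[2], flow[3], flow[0], flow[1]))
    return {f: n for f, n in syn_count.items() if f not in answered}


if __name__ == "__main__":
    for flow, n in sorted(unanswered_syns(SAMPLE).items()):
        print("%s:%d -> %s:%d  SYNs=%d, no SYN-ACK" % (*flow, n))
```

Running the same check on a capture from the outbound interface shows whether the SYNs leave the router at all or stop between the two interfaces.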

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: Why libnetfilter_queue(nfqnl_test) drop all the packets?

#2 Post by LE_746F6D617A7A69 »

.. and what would happen if you don't run nfqnl_test, but only add the nft queue rules (with the bypass flag)?

Besides, your invocations of nft are inconsistent: what is the "janus" filter argument?