Here is my situation:
1. Debian 11 is running on an x86 board as a router. It worked fine before I did the following steps; computers connected to the router could access the internet.
2. I ran "./nfqnl_test 0" on the system. I did not change any of the nfqnl_test code.
3. I set some nft rules like this:
nft 'add chain ip filter xxx { type filter hook prerouting priority security; policy accept; }'
nft add ip filter janus counter queue num 0 bypass
5. However, computers can't access the internet.
6. I ran tcpdump on the router and found this (only TCP SYN packets; it looks like all packets were dropped by libnetfilter_queue):
root@edge:/tmp# tcpdump -i br0 tcp -nn
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:13:02.176120 IP 10.10.0.101.50648 > 223.166.152.100.80: Flags [S], seq 3275466283, win 65535, options [mss 1400,sackOK,TS val 771931995 ecr 0,nop,wscale 8], length 0
15:13:02.503564 IP 10.10.0.101.46502 > 101.91.37.47.80: Flags [S], seq 1165380086, win 65535, options [mss 1400,sackOK,TS val 771932315 ecr 0,nop,wscale 8], length 0
15:13:02.593763 IP 10.10.0.101.45040 > 223.166.152.101.80: Flags [S], seq 351905689, win 65535, options [mss 1400,sackOK,TS val 771932415 ecr 0,nop,wscale 8], length 0
15:13:02.626100 IP 10.10.0.101.38726 > 123.151.190.252.8080: Flags [S], seq 3440132546, win 65535, options [mss 1400,sackOK,TS val 771932447 ecr 0,nop,wscale 8], length 0
15:13:02.911174 IP 10.10.0.101.35700 > 117.68.25.13.80: Flags [F.], seq 1446696559, ack 2445992548, win 65535, length 0
15:13:02.911504 IP 10.10.0.101.42180 > 117.68.25.62.80: Flags [S], seq 2471821306, win 65535, options [mss 1460,sackOK,TS val 771932731 ecr 0,nop,wscale 8], length 0
15:13:03.031874 IP 10.10.0.100.54527 > 142.250.204.42.443: Flags [S], seq 2035448939, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.033886 IP 10.10.0.100.54528 > 142.250.204.42.443: Flags [S], seq 177114614, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.036884 IP 10.10.0.100.54529 > 172.217.163.42.443: Flags [S], seq 2044175391, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.135798 IP 10.10.0.101.41658 > 42.187.182.106.80: Flags [S], seq 3178900530, win 65535, options [mss 1400,sackOK,TS val 771932955 ecr 0,nop,wscale 8], length 0
15:13:03.165705 IP 10.10.0.101.57540 > 117.68.25.83.80: Flags [S], seq 1333538340, win 65535, options [mss 1460,sackOK,TS val 771932987 ecr 0,nop,wscale 8], length 0
15:13:03.212680 IP 10.10.0.100.54530 > 172.217.163.42.443: Flags [S], seq 4202285807, win 65535, options [mss 65496,nop,wscale 8,nop,nop,sackOK], length 0
15:13:03.227897 IP 101.91.37.28.80 > 10.10.0.101.35482: Flags [P.], seq 3016674904:3016674945, ack 2546257783, win 4115, length 41: HTTP
15:13:03.230419 IP 10.10.0.101.50654 > 223.166.152.100.80: Flags [S], seq 1511268503, win 65535, options [mss 1400,sackOK,TS val 771933051 ecr 0,nop,wscale 8], length 0