NF_QUEUE: nfq_bind_pf() fails - solution

From: Athanasius
Date: Tue Aug 31 2010 - 16:35:34 EST


In the hope that this will make it into Google and help others, and
maybe someone will clarify the Kconfig....

I've just spent a few hours trying to figure out why simple code
attempting to use Netfilter Queues has been failing to even do the nice
simple nfq_bind_pf(h, AF_INET). I eventually spotted some /proc code
that led me to find /proc/net/netfilter/nf_queue which contained:

0 NONE
1 NONE
2 ip_queue
3 NONE
4 NONE
5 NONE
6 NONE
7 NONE
8 NONE
9 NONE
10 NONE
11 NONE
12 NONE

And indeed '2' is AF_INET. So, what's this ip_queue? It's an
implementation of the *OLD* ip_queue interface using the new
nfnetlink_queue interface. But this being in place totally blocks
anything else from binding to AF_INET.

So, it's this kernel option:

config IP_NF_QUEUE
tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
depends on NETFILTER_ADVANCED
help
Netfilter has the ability to queue packets to user space: the
netlink device can be used to access them using this driver.

This option enables the old IPv4-only "ip_queue" implementation
which has been obsoleted by the new "nfnetlink_queue" code (see
CONFIG_NETFILTER_NETLINK_QUEUE).

To compile it as a module, choose M here. If unsure, say N.

I feel this could be a little more explicit that "if you have this
active then nothing else will be able to use nfnetlink_queue instead".

Yes, now I'm wishing I compiled this stuff as modules so I could just
remove the bugger.

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

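An added pre-flight check, not part of the original post: before calling nfq_bind_pf(), parse /proc/net/netfilter/nf_queue (the "<pf> <handler>" format shown above) and report which handler already holds the protocol family, so the failure is explained instead of being a silent -1. The SAMPLE text is constructed to mirror the post's output; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET == 2, the row that showed ip_queue */

/* Scan nf_queue text (one "<pf> <handler>" line per family) for `pf`.
 * Copies the handler name into `out`. Returns 1 if a handler other than
 * NONE is registered (nfq_bind_pf() for this family will not succeed),
 * 0 if the slot is free, -1 if the family does not appear. */
static int nf_queue_handler(const char *text, int pf, char *out, size_t outlen)
{
    const char *p = text;
    while (*p) {
        int family;
        char name[64];
        if (sscanf(p, "%d %63s", &family, name) == 2 && family == pf) {
            snprintf(out, outlen, "%s", name);
            return strcmp(name, "NONE") != 0;
        }
        p = strchr(p, '\n');      /* advance to the next line */
        if (!p) break;
        p++;
    }
    return -1;
}

/* Convenience wrapper returning only the status code. */
static int nf_queue_is_busy(const char *text, int pf)
{
    char name[64];
    return nf_queue_handler(text, pf, name, sizeof name);
}

/* Read the live /proc file; -2 if it cannot be opened (no nfnetlink_queue
 * support compiled in, or /proc not mounted). */
static int nf_queue_check_live(int pf, char *out, size_t outlen)
{
    char buf[1024];
    FILE *f = fopen("/proc/net/netfilter/nf_queue", "r");
    if (!f) return -2;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nf_queue_handler(buf, pf, out, outlen);
}

/* Constructed sample mirroring the post: ip_queue holds AF_INET. */
static const char SAMPLE[] = "0 NONE\n1 NONE\n2 ip_queue\n3 NONE\n";

int main(void)
{
    char name[64];
    int r = nf_queue_check_live(AF_INET, name, sizeof name);
    if (r == 1) printf("AF_INET already bound to '%s'; unload it (or drop CONFIG_IP_NF_QUEUE) before nfq_bind_pf()\n", name);
    else if (r == 0) printf("AF_INET slot is free\n");
    else printf("could not determine nf_queue state (%d)\n", r);
    return 0;
}
```

Run it as the same user that will call nfq_bind_pf(); when it prints the ip_queue line, the fix is the one the post describes (remove the module or rebuild without CONFIG_IP_NF_QUEUE).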