[Oisf-users] Suricata in Inline Mode - ERRCODE: SC_ERR_NFQ_UNBIND(70)

Srijan Nandi srijan.nandi at gmail.com
Sun Dec 11 08:38:46 UTC 2011


Hello Everyone,

I just compiled and configured Suricata v 1.1 and it works perfectly in packet
capture mode. However, as soon as I start it in inline mode with queuing, I
get the error message:

[23869] 11/12/2011 -- 13:55:27 - (source-nfq.c:373) <Error> (NFQInitThread)
-- [ERRCODE: SC_ERR_NFQ_UNBIND(70)] - nfq_unbind_pf() for AF_INET failed

I searched the forum and figured out that this error message is because
both ip_queue and nf_queue conflict with each other and the solution
provided is to remove the ip_queue module. However, I have configured both
ip_queue and nf_queue as parameters in my kernel and not as modules. So if
I do a lsmod, I neither see ip_queue nor nf_queue as modules there.

nf_queue works fine because iptables does not complain while using -j
NFQUEUE, and in /proc/net/netfilter I have the following files:

-r--r--r--  1 root root 0 Dec 11 14:00 nf_log
-r--r--r--  1 root root 0 Dec 11 14:00 nf_queue
-r--r-----  1 root root 0 Dec 11 14:00 nfnetlink_log
-r--r-----  1 root root 0 Dec 11 14:00 nfnetlink_queue

Also if I do a cat /proc/net/netfilter/nf_queue, I get:

0 NONE
 1 NONE
 2 ip_queue
 3 NONE
 4 NONE
 5 NONE
 6 NONE
 7 NONE
 8 NONE
 9 NONE
10 NONE
11 NONE
12 NONE

Doing a cat /proc/net/netfilter/nfnetlink_queue yields nothing.

Can anyone please help me with this? I need Suricata to work via nf_queue
and also I cannot remove ip_queue as it is inbuilt in my kernel.

-- 
-=Srijan Nandi
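
Added example, not part of the original post and not Suricata's own code: a small shell check that reads a table in the /proc/net/netfilter/nf_queue layout quoted above and reports which handler is bound to a protocol family. It assumes the first column is the Linux protocol family number (AF_INET is 2, AF_INET6 is 10); the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Report which queue handler the kernel has bound to a protocol family,
# using text in the /proc/net/netfilter/nf_queue layout shown in the post
# ("<family number> <handler name or NONE>").

# Constructed sample: a subset of the rows listed in the post.
SAMPLE=' 0 NONE
 1 NONE
 2 ip_queue
 3 NONE
10 NONE'

# nfq_handler FAMILY: read the table on stdin, print the handler for FAMILY.
# Prints "UNKNOWN" when the family has no row (empty or truncated input).
nfq_handler() {
    awk -v fam="$1" '
        $1 == fam { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# ip_queue_conflict FAMILY: succeed (0) when ip_queue owns FAMILY, the
# condition the post links to the nfq_unbind_pf() failure.
ip_queue_conflict() {
    [ "$(nfq_handler "$1")" = "ip_queue" ]
}

# report LABEL: summarise AF_INET (2) and AF_INET6 (10) from stdin.
report() {
    table=$(cat)
    for fam in 2 10; do
        h=$(printf '%s\n' "$table" | nfq_handler "$fam")
        echo "$1: family $fam -> $h"
    done
}

printf '%s\n' "$SAMPLE" | report "sample"

# On a host that exposes the file, show the live binding as well.
if [ -r /proc/net/netfilter/nf_queue ]; then
    report "live" < /proc/net/netfilter/nf_queue
fi
```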