[Oisf-users] nfq_set_mark question
kay
kay.diam at gmail.com
Wed Jul 11 10:50:31 EDT 2012
Dear Eric,
Thank you for your detailed answers. Now everything is clear to me.
Have a good day!
2012/7/11 Eric Leblond <eric at regit.org>:
> Hello,
>
> On Wednesday, 11 July 2012 at 18:29 +0400, kay wrote:
>> Dear Eric,
>>
>> 1)
>> Here is the part of source-nfq.c:
>>
>> ... ... ...
>>     do {
>>         switch (nfq_config.mode) {
>>             default:
>>             case NFQ_ACCEPT_MODE:
>>             case NFQ_ROUTE_MODE:
>>                 if (p->flags & PKT_MARK_MODIFIED) {
>> #ifdef HAVE_NFQ_SET_VERDICT2
>> ... ... ...
>>
>> You can see that NFQ_ACCEPT_MODE doesn't do anything, that is why I am
>> confused. Maybe I'm a dummy, but I could not find the code where the packet
>> is being marked by a rule in accept mode.
>
> You misread the construction. I'm using here a common method which
> relies on the fact that if the case matches, execution starts at this
> point and continues into the code of the following case (you need a
> break to get out of the switch).
>
>>
>> 2) Finally I figured out my mistake. My iptables counter rule was:
>>
>> -A INPUT -m mark --mark 0x80/0x80 -j ACCEPT
>>
>> but should be:
>>
>> -A INPUT -m mark --mark 0x80/0x80
>>
>> 3) My dreams come false. But to be sure I'll ask you once again: is
>> there any possibility to redirect marked traffic to a honeypot in
>> real time?
>
> No, it just can't work. One solution could be to have suricata drop the
> malicious packet and trigger an alert. Then via an external tool you
> parse the alert and add the IP to a list of addresses which are NATed. You
> can use ipset for instance.
>
> BR,
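The fallthrough Eric describes, reduced to a stand-alone example. This is added illustration code, not Suricata's source-nfq.c: the enum values, the `PKT_MARK_MODIFIED` bit and the `verdict_call` record are constructed stand-ins, and `verdict_with_stray_break()` is the variant that would match the misreading (ACCEPT really doing nothing), shown next to the real construction so the difference is visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Suricata NFQ modes and packet flag bit.
 * The names mirror source-nfq.c; the numeric values are hypothetical. */
enum nfq_mode { NFQ_ACCEPT_MODE = 0, NFQ_REPEAT_MODE = 1, NFQ_ROUTE_MODE = 2 };
#define PKT_MARK_MODIFIED (1u << 0)

/* Hypothetical record of what the verdict path would hand to libnetfilter_queue. */
struct verdict_call {
    int used_verdict2;  /* 1 when the mark-carrying nfq_set_verdict2() path was taken */
    uint32_t mark;      /* mark that travels with the verdict (0 when none is sent) */
};

/* Same shape as the quoted code: ACCEPT and ROUTE share one body because
 * no break separates the two case labels, so a matching ACCEPT case simply
 * continues into the ROUTE body. */
struct verdict_call verdict_as_in_suricata(enum nfq_mode mode, uint32_t flags, uint32_t mark)
{
    struct verdict_call v = {0, 0};
    switch (mode) {
        default:
        case NFQ_ACCEPT_MODE:
        case NFQ_ROUTE_MODE:
            if (flags & PKT_MARK_MODIFIED) {
                v.used_verdict2 = 1;   /* would be nfq_set_verdict2(..., mark, ...) */
                v.mark = mark;
            }
            break;                     /* plain nfq_set_verdict() otherwise */
        case NFQ_REPEAT_MODE:
            break;                     /* constructed: repeat mode not modelled here */
    }
    return v;
}

/* The misreading made concrete: a break right after the ACCEPT label would
 * make accept mode really "do nothing", and the rule's mark would never
 * reach the kernel. This is NOT what Suricata does. */
struct verdict_call verdict_with_stray_break(enum nfq_mode mode, uint32_t flags, uint32_t mark)
{
    struct verdict_call v = {0, 0};
    switch (mode) {
        default:
        case NFQ_ACCEPT_MODE:
            break;
        case NFQ_ROUTE_MODE:
            if (flags & PKT_MARK_MODIFIED) {
                v.used_verdict2 = 1;
                v.mark = mark;
            }
            break;
        case NFQ_REPEAT_MODE:
            break;
    }
    return v;
}

/* Accessors so the behaviour can be checked directly. */
uint32_t mark_sent_as_in_suricata(enum nfq_mode mode, uint32_t flags, uint32_t mark)
{
    return verdict_as_in_suricata(mode, flags, mark).mark;
}

uint32_t mark_sent_with_stray_break(enum nfq_mode mode, uint32_t flags, uint32_t mark)
{
    return verdict_with_stray_break(mode, flags, mark).mark;
}

int main(void)
{
    /* A rule with a mark keyword has set the 0x80 bit on this packet. */
    printf("accept mode, real construction: mark 0x%x\n",
           (unsigned)mark_sent_as_in_suricata(NFQ_ACCEPT_MODE, PKT_MARK_MODIFIED, 0x80));
    printf("accept mode, stray break:       mark 0x%x\n",
           (unsigned)mark_sent_with_stray_break(NFQ_ACCEPT_MODE, PKT_MARK_MODIFIED, 0x80));
    return 0;
}
```

In the real construction accept mode sends the mark exactly as route mode does; only the stray-break variant loses it, which is the behaviour kay expected from reading the labels alone.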
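The "external tool parses the alert and feeds ipset" idea from Eric's last answer, as an added example that is neither Suricata code nor an existing tool. It assumes the tool reads Suricata's fast.log format (the sample lines below are constructed, using documentation address ranges) and that the set name `honeypot_src` is the operator's choice. It pulls the source address out of an alert line and builds the `ipset add` command that would add it; the last colon is treated as the port separator so IPv6 addresses, which contain colons themselves, are handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fast.log lines in the "{PROTO} src:port -> dst:port" layout. */
static const char SAMPLE_ALERT_V4[] =
    "07/11/2012-18:29:00.123456  [**] [1:9000001:1] CONSTRUCTED TEST ALERT [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:80";
static const char SAMPLE_ALERT_V6[] =
    "07/11/2012-18:29:01.654321  [**] [1:9000001:1] CONSTRUCTED TEST ALERT [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 2001:db8::1:44321 -> 2001:db8::2:80";
static const char SAMPLE_NOT_AN_ALERT[] = "07/11/2012-18:29:02.000000  some unrelated log text";

/* Copy the source address of a fast.log alert line into out.
 * Returns 1 on success, 0 if the expected "{PROTO} src:port -> " tail is missing
 * or out is too small. The LAST ':' before " -> " separates the port, which
 * keeps IPv6 sources intact. */
int alert_src_ip(const char *line, char *out, size_t outlen)
{
    const char *proto_end = strstr(line, "} ");
    if (!proto_end) return 0;
    const char *src = proto_end + 2;
    const char *arrow = strstr(src, " -> ");
    if (!arrow) return 0;

    const char *colon = NULL;
    for (const char *p = src; p < arrow; p++)
        if (*p == ':') colon = p;
    if (!colon || colon == src) return 0;

    size_t len = (size_t)(colon - src);
    if (len + 1 > outlen) return 0;
    memcpy(out, src, len);
    out[len] = '\0';
    return 1;
}

/* Build the ipset command the external tool would run for one alert.
 * "-exist" makes re-adding an address that is already in the set a no-op
 * rather than an error, which matters when the same source fires many alerts. */
int ipset_add_cmd(const char *setname, const char *line, char *cmd, size_t cmdlen)
{
    char ip[64];
    if (!alert_src_ip(line, ip, sizeof ip)) return 0;
    int n = snprintf(cmd, cmdlen, "ipset add %s %s -exist", setname, ip);
    return n > 0 && (size_t)n < cmdlen;
}

int main(void)
{
    const char *samples[] = { SAMPLE_ALERT_V4, SAMPLE_ALERT_V6, SAMPLE_NOT_AN_ALERT };
    char cmd[160];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (ipset_add_cmd("honeypot_src", samples[i], cmd, sizeof cmd))
            printf("%s\n", cmd);           /* a real tool would hand this to the shell */
        else
            printf("skipped (no src address): %.40s...\n", samples[i]);
    }
    return 0;
}
```

The set itself would be created once with `ipset create honeypot_src hash:ip` (an IPv6 set needs `family inet6`), and the NAT Eric mentions is then a rule in the nat table matching on it, for instance `-t nat -A PREROUTING -m set --match-set honeypot_src src -j DNAT --to-destination <honeypot address>`. This is the asynchronous path: the packet that raised the alert is dropped, and only the source's later connections are diverted.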