[Oisf-users] need help with nfqueue and suri (little to)

Victor Julien lists at inliniac.net
Tue Mar 19 11:31:03 UTC 2013


On 03/18/2013 08:26 PM, Stefan Sabolowitsch wrote:
> Hi Julien,
>> I noticed you got some help on the netfilter list about it.
> Yes, but dit help my out.
> I found the solution myself: only VLAN-tagged traffic flows through this bridge.
> The trick is to set the switch "bridge-nf-filter-vlan-tagged" to 1.
> It should be set to 1 if you want tagged traffic to pass iptables.

Cool, glad you got it working. It may be nice to the netfilter people to post
it there as well, so others can learn.

Cheers,
Victor

> regards
> Stefan
> 
> On 18.03.2013 18:52, Victor Julien wrote:
>> On 03/14/2013 05:53 PM, Stefan Sabolowitsch wrote:
>>> Hi all, I am getting gray hair from this problem.
>>>
>>> I have CentOS 6.4 here with the 3.8.2-2.el6.elrepo.x86_64 kernel and the latest iptables.
>>>
>>> I have the following Queue:
>>> iptables -A FORWARD -i br0 -j NFQUEUE --queue-bypass --queue-num 1
>>> iptables -A FORWARD -i br1 -j NFQUEUE --queue-bypass --queue-num 2
>>> iptables -A FORWARD -i br2 -j NFQUEUE --queue-bypass --queue-num 3
>>>
>>> Queue 1 and 2 have data but not 3 (br2)
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>> num   pkts bytes target     prot opt in     out     source               destination         
>>> 1     901K  728M NFQUEUE    all  --  br0    *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1 bypass
>>> 2     117K 9150K NFQUEUE    all  --  br1    *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 2 bypass
>>> 3        0     0 NFQUEUE    all  --  br2    *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 3 bypass
>>>
>>> However br2 gets packets, you can see it with tcpdump
>>>
>>> [root@ipd2 Wecker-DMZ]# tcpdump -i br2
>>> tcpdump: WARNING: br2: no IPv4 address assigned
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on br2, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 14:48:12.557657 ARP, Reply 192.168.22.13 is-at d4:20:6d:4b:dc:4f (oui Unknown), length 46
>>> 14:48:14.872485 ARP, Reply 192.168.22.11 is-at 1c:b0:94:49:81:ad (oui Unknown), length 46
>>> 14:48:17.366026 ARP, Request who-has 192.168.21.1 tell 192.168.21.12, length 46
>>> 14:48:17.366332 ARP, Reply 192.168.21.1 is-at 00:10:db:d0:90:07 (oui Unknown), length 46
>>> 14:48:17.674916 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:20.682336 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:23.777492 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:26.735148 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:27.733482 ARP, Reply 192.168.22.13 is-at d4:20:6d:4b:dc:4f (oui Unknown), length 46
>>> 14:48:29.741766 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:29.983638 ARP, Reply 192.168.22.11 is-at 1c:b0:94:49:81:ad (oui Unknown), length 46
>>> 14:48:32.752335 IP 192.168.21.12.55191 > 239.255.255.250.ssdp: UDP, length 133
>>> 14:48:36.645248 IP 192.168.21.12.netbios-dgm > 192.168.21.255.netbios-dgm: NBT UDP PACKET(138)
>>> 14:48:42.909740 ARP, Reply 192.168.22.13 is-at d4:20:6d:4b:dc:4f (oui Unknown), length 46
>>> 14:48:45.098749 ARP, Reply 192.168.22.11 is-at 1c:b0:94:49:81:ad (oui Unknown), length 46
>>> 14:48:53.830337 IP 192.168.21.16.54218 > fa-in-f108.1e100.net.imaps: Flags [S], seq 4290929463, win 14600, options [mss 1460,sackOK,TS val 56595795 ecr 0,nop,wscale 6], length 0
>>> 14:48:54.126394 IP 192.168.22.13.39232 > 173.192.219.140-static.reverse.softlayer.com.https: Flags [P.], seq 2793050904:2793050905, ack 1478286381, win 8120, options [nop,nop,TS val 3886140 ecr 3960200924], length 1
>>> 14:48:54.269009 IP 173.192.219.140-static.reverse.softlayer.com.https > 192.168.22.13.39232: Flags [.], ack 1, win 513, options [nop,nop,TS val 3960484207 ecr 3886140], length 0
>>> 14:48:55.165501 IP 192.168.22.13.39232 > 173.192.219.140-static.reverse.softlayer.com.https: Flags [P.], seq 1:3, ack 1, win 8120, options [nop,nop,TS val 3886198 ecr 3960484207], length 2
>>> 14:48:55.308009 IP 173.192.219.140-static.reverse.softlayer.com.https > 192.168.22.13.39232: Flags [.], ack 3, win 513, options [nop,nop,TS val 3960485246 ecr 3886198], length 0
>>>
>>> any idea ?
>>> thanks for any help
>> Did you get this sorted out? I noticed you got some help on the
>> netfilter list about it.
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
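
Added example (not part of the original thread, and not Suricata or netfilter project code): a shell check for the symptom described above, an NFQUEUE rule on a bridge whose counters stay at 0 while tcpdump sees traffic. It reads the two bridge-netfilter switches under /proc/sys/net/bridge; BRIDGE_NF_DIR, SAMPLE and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). BRIDGE_NF_DIR is an assumed,
# overridable variable so the check can be exercised against a test directory.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# Sample input: the FORWARD listing quoted in the thread, whitespace condensed.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 901K 728M NFQUEUE all -- br0 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1 bypass
2 117K 9150K NFQUEUE all -- br1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 2 bypass
3 0 0 NFQUEUE all -- br2 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 3 bypass'

# Reads `iptables -L FORWARD -v -n --line-numbers` output on stdin and prints
# the input interface of every NFQUEUE rule whose packet counter is still 0.
idle_nfqueue_ifaces() {
    awk '$4 == "NFQUEUE" && $2 == "0" { print $7 }'
}

# Prints one bridge-netfilter switch, or "missing" if the file is not there.
bridge_nf_value() {
    if [ -r "$BRIDGE_NF_DIR/$1" ]; then cat "$BRIDGE_NF_DIR/$1"; else echo missing; fi
}

# Reports each idle NFQUEUE interface with the switch that would explain it.
# Returns 0 when every NFQUEUE rule has seen packets, 1 otherwise.
diagnose() {
    idle=$(idle_nfqueue_ifaces)
    if [ -z "$idle" ]; then echo "ok: all NFQUEUE rules have traffic"; return 0; fi
    call=$(bridge_nf_value bridge-nf-call-iptables)
    vlan=$(bridge_nf_value bridge-nf-filter-vlan-tagged)
    for i in $idle; do
        if [ "$call" != 1 ]; then
            echo "$i: bridge-nf-call-iptables=$call, bridged frames skip iptables"
        elif [ "$vlan" != 1 ]; then
            echo "$i: bridge-nf-filter-vlan-tagged=$vlan, tagged frames skip iptables"
        else
            echo "$i: bridge-nf switches are set, look elsewhere"
        fi
    done
    return 1
}

# Live use: iptables -L FORWARD -v -n --line-numbers | diagnose
```

With bridge-nf-filter-vlan-tagged at 0, VLAN-tagged frames crossing the bridge never reach the FORWARD chain, so an inline IPS bound to that queue inspects none of that traffic even though forwarding keeps working.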
