Neal Murphy | 23 May 23:25

'swap table' feature

I knew I'd eventually remember why I subscribed to this list....

While working on enhancing my firewall, it occurred to me that it'd be real 
nice to have a 'swap chain' feature in iptables that is equivalent to the 
'swap set' feature in ipset.

Such a feature would minimize the amount of time that rules are unavailable 
when adding, changing or deleting them. At present, all the rules in the chain 
being modified are deleted, then the new rules are added. So there is a period 
of time, albeit brief, that rules are not available in that chain.

Were there a 'swap chain' command, one could build a new chain of the changed 
rules, swap the new and old chains, then flush and delete the new (now old) 
chain. This would all but guarantee that no packets 'slip by' (are 
overlooked).

Thanks,
N
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eric Petit | 23 May 17:29

connlimit and rejected connections staying in conntrack table

Hello,

I am trying to limit the total number of concurrent connections that may be established on a given port. I
need additional connection attempts to be explicitly rejected, so I went for something like:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 512 --connlimit-mask 0 -j REJECT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

My problem is, when the limit is reached and new connections are rejected, those stay in the conntrack table
in a SYN_SENT / UNREPLIED state, and are only cleaned up after 120 seconds
(ip_conntrack_tcp_timeout_syn_sent). As such, they are accounted for as active connections by
connlimit, and new connections keep being rejected even though the number of established connections
is, in fact, lower than the limit that I set. If connections keep coming in at a fast pace, it may just never
accept a connection again. I've tried "--reject-with tcp-reset" and the behavior was the same.

Would there be a way to work around it? I was hoping RESET'ed connections would not cause an entry to exist in
the conntrack table at all (as if I did a DROP). Otherwise, connlimit would have to know somehow that those
are dead connections. Lowering tcp_timeout_syn_sent mitigates the problem, but isn't a definitive solution.

Version details (Debian Squeeze):
Linux 2.6.32-5-amd64
iptables v1.4.8

Thanks,

-- 
Eric
(Continue reading)


Packet dropped without reason

Hi

I follow a ping through my gateway with log-commands at the end of each
chain:

Receiving an echo request on eth1 and forwarding it encrypted to a gateway on
eth0 works as expected:
(Although nat_OUTPUT is missing between step 9 and 10 and nat_POSTROUTING is
missing after step 11 compared to http://inai.de/images/nf-packet-flow.png,
but I expect this to be correct, as I do not use nat.)

1. May 19 18:58:11 vpn-a kernel: [ 4396.217687] raw_PREROUTING: IN=eth1 OUT=
MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230
SEQ=1

2. May 19 18:58:11 vpn-a kernel: [ 4396.217702] mangle_PREROUTING: IN=eth1
OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230
SEQ=1 MARK=0x1

3. May 19 18:58:11 vpn-a kernel: [ 4396.217710] nat_PREROUTING: IN=eth1 OUT=
MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230
SEQ=1 MARK=0x1

4. May 19 18:58:11 vpn-a kernel: [ 4396.217725] mangle_FORWARD: IN=eth1
OUT=eth0 MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2
DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=41230 SEQ=1 MARK=0x1
(Continue reading)
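To find where a packet stops appearing, the per-chain LOG lines above can be grouped per packet and compared against the expected traversal order. The following is an added example, not code from the post; it assumes the --log-prefix is the chain name (as in the logs above) and that FORWARD_PATH reflects the order for a forwarded packet from nf-packet-flow.png, with the sample lines constructed from the post's first four entries.

```python
import re

# Added example (not from the post): group netfilter LOG lines per packet
# and report the first expected chain that did not log it.
LOG_RE = re.compile(r"kernel: \[\s*(?P<ts>[\d.]+)\] (?P<chain>\S+): (?P<kv>.*)$")

# Assumed order for a forwarded packet; nat_POSTROUTING only appears when nat is used.
FORWARD_PATH = ["raw_PREROUTING", "mangle_PREROUTING", "nat_PREROUTING",
                "mangle_FORWARD", "filter_FORWARD", "mangle_POSTROUTING",
                "nat_POSTROUTING"]

def parse_line(line):
    """Return (timestamp, chain, fields) for a LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" not in tok:
            fields[tok] = True          # bare flag such as DF
        else:
            key, val = tok.split("=", 1)
            if key in fields:           # IP header ID and ICMP echo ID both print as ID=
                key = "ICMP_" + key
            fields[key] = val
    return float(m.group("ts")), m.group("chain"), fields

def flow_key(f):
    # ICMP echo is identified by id/seq, TCP/UDP by port pair
    if f.get("PROTO") == "ICMP":
        return (f["SRC"], f["DST"], "ICMP", f.get("ICMP_ID"), f.get("SEQ"))
    return (f["SRC"], f["DST"], f.get("PROTO"), f.get("SPT"), f.get("DPT"))

def trace(lines):
    """Map each packet to the chains that logged it, in timestamp order."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, chain, f = parsed
            seen.setdefault(flow_key(f), []).append((ts, chain))
    return {k: [c for _, c in sorted(v)] for k, v in seen.items()}

def find_gap(chains, path=FORWARD_PATH):
    # (last chain that saw the packet, first expected chain that did not)
    last = chains[-1]
    idx = path.index(last) if last in path else -1
    return last, (path[idx + 1] if idx + 1 < len(path) else None)

SAMPLE = [  # constructed from the post's first four log entries, one per line
    "May 19 18:58:11 vpn-a kernel: [ 4396.217687] raw_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1",
    "May 19 18:58:11 vpn-a kernel: [ 4396.217702] mangle_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1",
    "May 19 18:58:11 vpn-a kernel: [ 4396.217710] nat_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1",
    "May 19 18:58:11 vpn-a kernel: [ 4396.217725] mangle_FORWARD: IN=eth1 OUT=eth0 MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1",
]
```

Run `trace(SAMPLE)` and feed each chain list to `find_gap` to see the first chain in the assumed path that never logged the packet, which is where to look for the dropping rule.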

JieYue Ma | 18 May 18:44

ebtables queue/nfqueue target

hi guys,

has anyone ever tried the queue/nfqueue target in ebtables? I'm not sure
if it has been implemented in ebtables, though it has in iptables. Or
does the community plan to implement it in the future?

thank you very much

BRs
jerry

Pablo Neira Ayuso | 18 May 02:35

[ANNOUNCE] libnetfilter_conntrack 1.0.1 release

Hi!

The Netfilter project proudly presents:

        libnetfilter_conntrack 1.0.1

libnetfilter_conntrack is a userspace library providing a programming
interface (API) to the in-kernel connection tracking state table.
This library is currently used by conntrack-tools among many other
applications.

This release includes important improvements for the expectation
support.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnetfilter_conntrack/downloads.html
ftp://ftp.netfilter.org/pub/libnetfilter_conntrack/

Have fun!
Kelvie Wong (1):
      expect: support NFCT_Q_CREATE_UPDATE in nfexp_query

Pablo Neira Ayuso (15):
      expect: add XML support for nfexp_snprintf()
      expect: add class support
(Continue reading)

Andrew | 17 May 18:18

SNAT/MASQ on a single subnet

Hi, I'm trying to work out something that I guess might not be possible
with iptables, or is simple and I'm just missing something.

I have 3 devices on the same subnet

192.168.0.1 ADSL Router
192.168.0.240 Linux Server
192.168.0.100 Windows PC

The Linux server has no rules and ACCEPT on all

What would the minimum necessary rule(s) to get the Linux Server
to forward (with SNAT or MASQUERADE) packets through the Router
from 192.168.0.100 and also send the replies back?

The Linux Server has 192.168.0.1 as its gateway and also
has ip forwarding enabled.

I set the gateway on the windows PC to 192.168.0.240

I tried a few simple single rules and failed.
(Just the single rule and deleted it after)
2 examples were:

iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 ! -d
192.168.0.0/24 -j SNAT --to 192.168.0.240

iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -j SNAT --to
192.168.0.240

(Continue reading)

Unni | 17 May 15:30

iptable stop hung

Hi,

"iptable stop" hung on the server, so I killed that process. But 
there is still a modprobe process running that I can't kill.

oot     13834 99.8  0.0   3884   596 ?        R    11:15 132:39 
/sbin/modprobe -q -r ipt_state ip_nat_ftp iptable_nat xt_NOTRACK 
ip_conntrack_ftp ip_conntrack_netbios_ns xt_connlimit ip_conntrack 
ipt_recent

This is what I can see in dmesg

http://pastebin.com/BxEsyByC

--Unni

Wentao Shang | 16 May 12:32

Re: Need info about how to run nfqnl_test.c !!

You may call nfq_create_queue() several times and specify each queue
with different number (the 2nd param in the function) and different
callback routine. However, I'm not sure how the incoming packets are
delivered to different queues. Maybe you should use select() or poll()
here.

Wentao

2012/5/16 Sudheer <sudheer.d <at> oneconvergence.com>:
> Thanks Wentao for your reply.
>
>  I want to use 3 queues for the same application. Is it possible to
> create 3 queues in the same application and use them to queue the packets into
> each queue?
>
>
>
> On Wed, May 16, 2012 at 12:36 PM, Wentao Shang <wentaoshang <at> gmail.com> wrote:
>> Simply compile it and run it. Then it will start printing information
>> about the IPv4 packets received on your machine:)
>>
>> Wentao
>>
>> 2012/5/16 Sudheer <sudheer.d <at> oneconvergence.com>:
>>> Hi ,
>>>
>>>    I am new to the concept of netfilter so I have downloaded the
>>> "nfqnl_test.c"  from the website and compiled it. Could you please let
>>> me know how to run this code and check the output?  Do we need to
>>> execute any other commands before running this code?
(Continue reading)

SPONEM, Benoît | 16 May 11:20

ulog2 final release

Hi,

Are there any plans to release version 2 of ulog?

It would be nice if it were included in the Wheezy version of Debian, which
must be frozen soon.

Thanks !
Benoît.

Sudheer | 16 May 08:45

Need info about how to run nfqnl_test.c !!

Hi ,

    I am new to the concept of netfilter so I have downloaded the
"nfqnl_test.c"  from the website and compiled it. Could you please let
me know how to run this code and check the output?  Do we need to
execute any other commands before running this code?

  It will be very useful for me if you let me know the procedure to
use the "nfqnl_test.c" code.

-- 
Best Regards,
Sudheer


How to mark packet by reqid?

Hi

I have the following problem. I have SAs that use firewall marks. So only
packets that have that mark get encoded and decoded.
I managed to set the mark for packets that shall be encoded but I cannot get
the other side working.

I have incoming packets that need to be decrypted and I need to set the
correct mark for those.
I CAN actually set the mark using the following command:

  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
and I need to set different marks.
I tried to use select by reqid or by spi, but as soon as I try that, the
rule does not match anything any more.

Can someone help me to get that iptables command right?

Best regards,
  Steffen

root <at> vpn-b:~# setkey -D
10.5.0.2 10.5.0.1
        esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
        E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
        A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
(Continue reading)
