Comments (10)
@elico, you added rules to the filter chain, but they should be in the mangle chain:
iptables -t mangle -A PREROUTING -m ndpi --all
iptables -t mangle -A POSTROUTING -m ndpi --all
from ndpi.
@k0ste I configured the following as a test and I really don't know what to say:
# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 62 packets, 6458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain INPUT (policy ACCEPT 60 packets, 6200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain OUTPUT (policy ACCEPT 41 packets, 4924 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain POSTROUTING (policy ACCEPT 41 packets, 4924 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols
However, I have found this thread: http://www.linux.org.ru/forum/general/9685281/page10#comments
It seems to say that IMQ is required, but I am still not sure because my native language is not Russian.
from ndpi.
@elico, IMQ is not necessary; it might seem so because of the general pattern of use.
Before using ndpi, don't forget to empty the conntrack table by calling:
conntrack -F
P.S.: @vel21ripn wrote that only since version 1.7.0-netfilter-211-e616e74 does it work without a kernel patch. But all (?) active module users use it only with the kernel patch.
from ndpi.
@k0ste I tried a couple of things but didn't manage to make it work.
I will try to publish my kernel recompilation script for testing.
from ndpi.
@k0ste @vel21ripn
I created a docker build node and scripts at: https://github.com/elico/osuse-ndpi-docker
I do not know if it is the right way to create the modules or if some kernel patching is required.
I will try to test it now on my router, see if it works with the latest openSUSE Leap kernel, and update.
from ndpi.
@k0ste @vel21ripn the results on my router are:
# iptables -t mangle -L PREROUTING -nv
Chain PREROUTING (policy ACCEPT 4271 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol ssh
   57  5871 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol bittorrent
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol edonkey
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol gnutella
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol windows_update
   75  7637 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol skype
 2241 1276K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol google
 9337 8111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube
  443  368K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol irc
   20  1336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol http_proxy
 9228 3209K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol http
I will try to see how it will work on a new and empty machine.
from ndpi.
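A checker for listings like the two pasted in this thread, added here as an example; it is not part of ndpi-netfilter and the project ships no such tool. It parses `iptables -t mangle -L -nv` output, expands the K/M counter suffixes that `-v` prints, and reports whether an `-m ndpi --all` rule sits at the top of PREROUTING and POSTROUTING and whether its counter is moving. The two embedded listings are copied from the comments above (the first trimmed to those two chains, the second an excerpt); the rule-order and zero-hit checks encode @k0ste's advice in this thread, not a documented requirement of xt_ndpi.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?:policy \S+ (?P<pkts>\d+) packets|\d+ references)")
# `iptables -v` abbreviates large counters as 1276K / 15M; the scale is 1000-based.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_int(counter: str) -> int:
    if counter[-1] in SUFFIX:
        return int(counter[:-1]) * SUFFIX[counter[-1]]
    return int(counter)

def ndpi_proto(match: str) -> Optional[str]:
    # 'all' for `-m ndpi --all`, the protocol name for `--proto X`, None for other matches
    if match == "ndpi all protocols":
        return "all"
    m = re.match(r"ndpi protocol (\S+)", match)
    return m.group(1) if m else None

@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    match: str  # trailing match text, e.g. "ndpi protocol skype"

@dataclass
class Chain:
    name: str
    pkts: int  # packets that matched no rule and fell through to the chain policy
    rules: List[Rule] = field(default_factory=list)

def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "pkts bytes")):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m["name"], int(m["pkts"] or 0))
            chains[current.name] = current
            continue
        # columns: pkts bytes target prot opt in out source destination [match text]
        cols = line.split(None, 9)
        if current is None or len(cols) < 9:
            continue
        current.rules.append(Rule(to_int(cols[0]), to_int(cols[1]), cols[2],
                                  cols[9] if len(cols) > 9 else ""))
    return chains

def ndpi_hits(chains: Dict[str, Chain]) -> Dict[str, Dict[str, int]]:
    """Per chain: {ndpi protocol: matched packets} for every xt_ndpi rule."""
    return {name: {ndpi_proto(r.match): r.pkts for r in c.rules if ndpi_proto(r.match)}
            for name, c in chains.items()}

def check_ndpi_setup(chains: Dict[str, Chain]) -> List[str]:
    """Findings against the thread's advice; an empty list means the layout looks right."""
    findings = []
    for name in ("PREROUTING", "POSTROUTING"):
        chain = chains.get(name)
        if chain is None:
            findings.append(f"{name}: chain missing (list the whole mangle table)")
            continue
        idx = next((i for i, r in enumerate(chain.rules) if ndpi_proto(r.match) == "all"), None)
        if idx is None:
            findings.append(f"{name}: no '-m ndpi --all' rule")
        elif idx != 0:
            findings.append(f"{name}: '-m ndpi --all' is rule #{idx + 1}, not at the top")
        elif chain.rules[idx].pkts == 0 and chain.pkts > 0:
            findings.append(f"{name}: '-m ndpi --all' matched 0 packets while {chain.pkts} "
                            "fell through to the policy; xt_ndpi is not matching anything")
    return findings

# Copied from the thread: the xt_ndpi rules show 0 packets although the policies saw traffic.
LISTING_NO_HITS = """\
Chain PREROUTING (policy ACCEPT 62 packets, 6458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols
Chain POSTROUTING (policy ACCEPT 41 packets, 4924 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols
"""
# Copied from the router listing in the thread (excerpt): per-protocol rules with hits.
LISTING_ROUTER = """\
Chain PREROUTING (policy ACCEPT 4271 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol ssh
   57  5871 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol bittorrent
 2241 1276K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol google
 9337 8111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube
"""

if __name__ == "__main__":
    for label, listing in (("no-hits", LISTING_NO_HITS), ("router", LISTING_ROUTER)):
        chains = parse_listing(listing)
        print(label, ndpi_hits(chains), check_ndpi_setup(chains) or "OK")
```

Run it against `iptables -t mangle -L -nv` output saved to a file to get the same findings for a live box. The policy counter is the useful signal: it only counts packets that matched none of the chain's rules, so a chain whose policy counter climbs while the `--all` rule stays at 0 is exactly the first listing's situation.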
@elico, as I wrote here, you need to add some targets at the top of the chain to match all incoming and outgoing traffic.
Making the modules is nothing special. See the PKGBUILD, it's easy.
from ndpi.
@k0ste what do you mean by this:
Making the modules is nothing special. See the PKGBUILD, it's easy.
Do you mean I can look at an example? If so, what exactly do you mean?
I do not understand why I need the all rule.
You mean that if I want to use the filter table I need to add a mangle match for all?
from ndpi.
Do you mean I can look at an example?
Yes.
I do not understand why do I need the all?
A module must pass all packets in both directions.
You mean that if I want to use the filter table I need to add a mangle match for all?
I mean, for proper work, all traffic should be matched.
What do you want to do in FILTER? DROP some traffic?
from ndpi.
@k0ste I do not know how the netfilter module works exactly but in general with iptables you don't need the lines you mentioned for every setup.
The netfilter flow graph: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
describes what happens per packet.
But there are a couple of things which involve connection tracking and similar matters.
Once a connection has entered connection tracking it is always there, never mind what the state of the connection is.
The rule you mentioned is in mangle and "ACCEPT"s everything, and if it is the first one matched then no later rule will be checked or applied.
In the above case it will be useless unless the all rule has a special property like the limit module, which needs to be present in order to accept (and match) what is not limited and to not accept any connection/packet that has passed the limit.
The POSTROUTING and PREROUTING match rules need to be there in case I want to mark them or do something else, but since it works fine for me, and since PREROUTING will always see the packet in routing mode.
I do not want to use the filter since it's cruel to drop connections in a router, but there are a couple of scenarios in which it's required.
The first example is when the router is a filtering box which needs to allow "non inspected" traffic only to the proxy.
I think that for the case of FILTER + DROP or REJECT I might need the MANGLE all rule, but it would still seem weird to me that a connection-tracking-based module would need this.
from ndpi.