
I'm configuring Netfilter Tables to queue packets to and from the userspace, and the table configuration I have so far looks like:

table inet filter {

        # protocols to allow
        set allowed_protocols {
                type inet_proto
                elements = { icmp, icmpv6 }
        }

        # interfaces to accept any traffic on
        set allowed_interfaces {
                type ifname
                elements = { "lo" }
        }

        # services to allow
        set allowed_tcp_dports {
                type inet_service
                elements = { ssh, 9090 }
        }

        # this chain gathers all accept conditions
        chain allow {
                ct state established,related accept

                meta l4proto @allowed_protocols accept
                iifname @allowed_interfaces accept
                tcp dport @allowed_tcp_dports accept
        }

        # base-chain for traffic to this host
        chain INPUT {
                type filter hook input priority filter + 20
                policy accept

                jump allow
                reject with icmpx type port-unreachable
        }

        chain input {
                type filter hook input priority 0;
        }

        chain forward {
                type filter hook forward priority 0;
        }

        chain output {
                type filter hook output priority 0;
        }
}

So far, this seems to load fine with nft -f.

However, when I run either of these commands...

nft add inet filter input counter queue num 0

or

nft add inet filter output counter queue num 1

...my VM completely stops responding to input, and when I terminate the connection and vagrant reload, I'm told my VM has to be forcefully shut down before it can reboot. Any help on how I can properly configure these queues would be appreciated!

OS: Linux fedora 5.19.8-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Sep 8 19:02:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Vagrant: Vagrant 2.3.0

  • Can you tell more about the userspace process(es) used to retrieve the queued packets? Commented Sep 21, 2022 at 18:33
  • My understanding is I need to set up the nftables queues first before installing the userspace process, but perhaps this is not accurate? Commented Sep 26, 2022 at 23:14
  • Indeed this is not accurate (but see also the available answer). Commented Sep 27, 2022 at 6:17

1 Answer

Try bypass so packets are accepted if your application does not listen on the queue:

nft add inet filter input counter queue num 0 bypass

Read this https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
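The following is an added example, not code from the question or the answer. It shows the two queue rules from the question side by side with the rule the answer proposes, inside the same inet filter table. The remaining chains and sets from the question are unchanged and omitted. It assumes a userspace program will eventually bind queue 0 and queue 1; until it does, the bypass flag makes the queue rule accept instead of drop. The two accept rules placed before each queue rule are an additional choice made here so that loopback and already-established flows (including the SSH session used to manage the VM) never enter the queue; if the userspace program has to see established traffic as well, remove those two rules and rely on bypass alone.

```nft
# Added example, not part of the original question or answer.
# Assumption: a userspace nfqueue program binds queue 0 (inbound) and
# queue 1 (outbound). Sets and the other chains from the question are
# left as they were and omitted here.

table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;

                # Weak form (the rule run in the question). Without bypass,
                # every inbound packet is queued, and with nothing bound to
                # queue 0 each queued packet is dropped, which is the
                # lock-out described in the question.
                #
                #     counter queue num 0

                # Corrected form. Loopback and established/related traffic
                # are accepted before the queue (an added choice, see the
                # lead-in), and "bypass" accepts the rest while no listener
                # is bound to queue 0, so the host stays reachable.
                iifname "lo" accept
                ct state established,related accept
                counter queue num 0 bypass
        }

        chain output {
                type filter hook output priority 0; policy accept;

                # Weak form from the question:
                #     counter queue num 1

                # Corrected form, same reasoning as for input.
                oifname "lo" accept
                ct state established,related accept
                counter queue num 1 bypass
        }
}
```

Check the file with `nft -c -f <file>` before loading it; `-c` parses and validates the ruleset without applying it, so a syntax mistake cannot take the VM's connectivity down. After loading, `nft list chain inet filter input` shows the counter, which makes it easy to confirm that the accept rules are matching the SSH session and that only the remaining traffic is being counted into the queue.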
