nftables queue with script

Question

I am learning nftables and the goal is to filter packets based on ip and port destination. They have to be enqueued to userspace where my script will change the payload field and send out the packet to destination.

The following rule enqueue packet:

% nft add filter input counter queue

I tried to add ip and port but command returns syntax error (unexpected daddr):

% nft add filter input udp daddr 192.168.1.111 dport 10100 counter queue

Next step is to connect a script to the queue to process packets. I installed libnetfilter-queue-dev but not clear how to use it.

score 2 · Answer 1 · answered Mar 15 '21 at 17:15

2

Your arguments are in wrong order. Try the following:

nft add filter input ip daddr 192.168.1.111 udp dport 10100 counter queue

daddr belongs to IP packet matchers, while dport belongs to UDP packet matchers. Therefore the matchers need to be next to the associated protocol.

answered Mar 15 '21 at 17:15

Tero Kilkanen

36,796
3
41
63

I created the rule in this way and looks good: `nft add table filter` `nft create chain ip filter input` `nft add filter input ip daddr 192.168.1.111 udp dport 10100 counter queue` – luke Mar 16 '21 at 12:04

nftables queue with script

1 Answers1