Inject packet to a different NFQUEUE

Question

I have an NFQUEUE, for IPv6 packets hooked to PREROUTING chain of mangle table in ip6tables. Once I receive a packet in user application, I modified the header. Infact, modified the header from IPv6 to IPv4 and reinjected the packet. But, from the logs, I see that the IPv4 packet is being treated like an IPv6 packet.

Since each NFQUEUE is mapped to either AF_INET or AF_INET6, is it possible for a single NFQUEUE to handle both IPv4 and IPv6 packets?
Is it possible to receive the packet from one queue but inject in a different queue? It doesn't make sense but I would like to inject a packet to the IP stack directly with the IP header formatted in userspace.
- It is not advisable to use raw sockets with IPv6 as per RFC 3542.
- I am not able to use TUN device for performance issues. Lot of packets are being dropped with TUN devices.

I am trying to implement NAT64. IPv6 <-> IPv4 NAT. As part of it, I need to modify the IP header and src,dst IP addresses. — Aditya Kanchibhotla, Feb 20 '13 at 05:37
I don't think you can do that solely within ip(6)tables, since the IPv4 and IPv6 stacks are completely separate. Better to solve the performance problem with your tun device and then use tayga. — Michael Hampton, Feb 20 '13 at 05:43

score 2 · Answer 1 · edited Jun 09 '14 at 11:46

You can use a single queue for both IPv4 and IPv6 by binding to both.

e.g.
```
nfq_bind_pf(h, AF_INET)
```
then
```
nfq_bind_pf(h, AF_INET6)
```
Then the queue will handle both 4 and 6, you still need to make your application 4/6 aware so it can parse the IP headers appropriately.
You can pass the packet to another queue.

Setting NF_QUEUE along with the queue number in nfq_set_verdict. (the high 16 bits of the verdict value is used when the lower bit give you the NF_QUEUE value).

Inject packet to a different NFQUEUE

1 Answers1