iptables and queue

PostPosted: Wed Jun 16, 2004 3:26 pm
by shaman
Hi.
Problem with iptables and queue. My rules:
$IPTABLES -t mangle -A POSTROUTING -p all -j QUEUE
$IPTABLES -t mangle -A PREROUTING -p all -j QUEUE

After activating grsec I can't connect anywhere. In kern.log:

Jun 17 11:28:58 mail kernel: NET: 10 messages suppressed.
Jun 17 11:28:58 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).
Jun 17 11:28:58 mail last message repeated 9 times
Jun 17 11:29:03 mail kernel: NET: 60 messages suppressed.
Jun 17 11:29:03 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).

If I disable these rules I can connect.
Can anyone help me?

PostPosted: Wed Jun 16, 2004 9:08 pm
by torne
I'd be surprised if you could connect to anywhere *before* activating grsecurity.. you are queueing all packets on your system to userspace both before and after routing, and I can't think of any daemon that needs packets from both sides of routing. Are you running a userspace networking daemon for some weird routing config/unsupported protocol/etc?

The log message 'ip_queue: full at 1024 entries, dropping packet(s)' means that 1024 packets have been put into the queue to go to userspace but no daemon has picked them up, so there is no room to add any more. If you have a daemon expecting them, then it's misconfigured and is not reading them.

What are you expecting those rules to do?

PostPosted: Wed Jun 16, 2004 9:45 pm
by shaman
OK. I use NeTAMS http://www.netams.com and these rules are for NeTAMS.
Packets from the interface go to the queue, then NeTAMS analyzes them.

Before activating grsec it worked.

My ACL for netams (after learning):

/usr/bin/netams o {
/var/www/localhost/netams rw
/var/www/localhost
/var/www
/var/run/mysqld/mysqld.sock rw
/var
/usr/bin/netams x
/
-CAP_ALL
}

PostPosted: Thu Jun 17, 2004 10:04 am
by torne
The first thing that comes to mind is if a capability is needed to use netlink sockets..

PostPosted: Thu Jun 17, 2004 10:21 am
by spender
CAP_NET_ADMIN is needed.

-Brad

PostPosted: Thu Jun 17, 2004 2:00 pm
by shaman
spender wrote:CAP_NET_ADMIN is needed.

-Brad

You're right! It works. Thank you!
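For reference, here is shaman's netams subject as posted beside the same subject with the capability spender named granted back. This is an added example, not a policy from the thread; the object paths are the ones shaman posted, and the comment and capability lines follow grsecurity RBAC policy syntax as I know it, so treat the exact form as an assumption to check against your grsec version.

```text
# Before (as posted): -CAP_ALL strips every capability, so netams cannot
# open the netlink socket the QUEUE target hands packets to. Nothing reads
# the queue, ip_queue fills at 1024 entries and the kernel drops packets.
/usr/bin/netams o {
	/var/www/localhost/netams rw
	/var/www/localhost
	/var/www
	/var/run/mysqld/mysqld.sock rw
	/var
	/usr/bin/netams x
	/
	-CAP_ALL
}

# After: still drop everything first, then grant only CAP_NET_ADMIN,
# the one capability the netlink firewall socket requires. Keep the
# grant below -CAP_ALL; the lines are applied in order.
/usr/bin/netams o {
	/var/www/localhost/netams rw
	/var/www/localhost
	/var/www
	/var/run/mysqld/mysqld.sock rw
	/var
	/usr/bin/netams x
	/
	-CAP_ALL
	+CAP_NET_ADMIN
}
```

After reloading the policy, a disappearance of the "ip_queue: full at 1024 entries" messages from kern.log confirms the daemon is draining the queue again.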