Hello All,
OS: OpenSuSE 12.3 x86_64
A little while back I installed Snort 2.9.6 and was trying to use the NFQ module along with it for packet acquisition but got errors that the module is not present. If I run:
# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
As you can see, the Netfilter_Queue (NFQ) module is not present there, even though I know that I have the netfilter_queue files installed. I installed them using YaST Software Manager.
The package names I installed were:
libnetfilter_queue1 and libnetfilter_queue-devel (*I also installed the 32 bit version, but that didn't change anything so I removed that one after it was unsuccessful again...)
I first had version 1.0.2-3.1.1 installed from the Software Manager program, but still had trouble when installing DAQ because it was saying those modules weren't present. So I then tried installing version 1.0.2-6.7 from an RPM file I found online, but that seemed to make no difference anyway. I also tried uninstalling them completely and reinstalling them a few times.
So what happens when I run the configure command for DAQ is that I see the following messages:
*I also see that the IPQ module also isn't being enabled either, but I really wasn't worried about that one...
# ./configure --libdir=/usr/lib64 --prefix=/usr --enable-nfq-module=yes
:.......
:.......
checking libipq.h usability... no
checking libipq.h presence... no
checking for libipq.h... no
checking for linux/netfilter.h... yes
checking for netinet/in.h... (cached) yes
checking libnetfilter_queue/libnetfilter_queue.h usability... no
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
checking for linux/netfilter.h... (cached) yes
:....
:........
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Not sure why it isn't finding it or what, but I'm pretty sure I have ALL the required files for the libnetfilter_queue (*NFQ) module. I was assuming since it said:
"checking libnetfilter_queue/libnetfilter_queue.h presence... no"
That it just wasn't finding it... Could that be the case?
Kind of stuck here and have been so now for weeks. Any thoughts or suggestions would be GREATLY appreciated!
Thanks in Advance,
Matt
---------- Post updated at 01:17 PM ---------- Previous update was at 12:32 PM ----------
Ughh... Sorry guys I feel a bit silly now. I think I figured it out.
I was browsing the output from trying to configure the daq program (*i.e. config.log file) and I noticed it was looking for the libnetfilter_queue package in:
checking for libnetfilter_queue/libnetfilter_queue.h
Prefix=/usr/include
So I checked for "/usr/include/libnetfilter_queue" and humm... I only had "/usr/include/libnetfilter_queue-1.0.2/" and the header files were actually located at:
# ls -l /usr/include/libnetfilter_queue-1.0.2
-rw-r--r-- 1 root root 656 Apr 9 16:37 internal.h
drwxr-xr-x 2 root root 4096 Jun 5 12:14 libnetfilter_queue
# cd libnetfilter_queue
# pwd
/usr/include/libnetfilter_queue-1.0.2/libnetfilter_queue
# ls -l
-rw-r--r-- 1 root root 4566 Apr 9 16:37 libnetfilter_queue.h
-rw-r--r-- 1 root root 496 Apr 9 16:37 libnetfilter_queue_ipv4.h
-rw-r--r-- 1 root root 316 Apr 9 16:37 libnetfilter_queue_ipv6.h
-rw-r--r-- 1 root root 694 Apr 9 16:37 libnetfilter_queue_tcp.h
-rw-r--r-- 1 root root 663 Apr 9 16:37 libnetfilter_queue_udp.h
-rw-r--r-- 1 root root 2598 Apr 9 16:37 linux_nfnetlink_queue.h
-rw-r--r-- 1 root root 916 Apr 9 16:37 pktbuff.h
So what I did was I moved ALL the files above into "/usr/include/libnetfilter_queue-1.0.2/".
I then renamed that dir above to just "/usr/include/libnetfilter_queue/"
Re-ran the configure command and the error for libnetfilter_queue was gone.
But there was now a new error. The new one was pretty much the exact same thing above except it was looking for "/usr/include/libnfnetlink/" but I only had "/usr/include/libnfnetlink-1.0.1".
So I did the same thing I did for libnetfilter_queue and renamed the dir to the one it was looking for and now the configure command succeeded for the NFQ Module..!!!
# ./configure --enable-nfq-module=yes --prefix=/usr --libdir=/usr/lib64
:.....
:.......
checking libipq.h usability... no
checking libipq.h presence... no
checking for libipq.h... no
checking for linux/netfilter.h... yes
checking for netinet/in.h... (cached) yes
checking libnetfilter_queue/libnetfilter_queue.h usability... yes
checking libnetfilter_queue/libnetfilter_queue.h presence... yes
checking for libnetfilter_queue/libnetfilter_queue.h... yes
checking for linux/netfilter.h... (cached) yes
:.......
:.....
:...
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
So it looks like it is now good...
Hopefully this helps someone else with a similar problem. I thought I was going to go bald trying to figure this out.... Aghh the little things, like renaming a directory.
Thanks Anyways,
Matt
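
An added example, not part of the original post: a way to get the same configure result without moving or renaming package-owned directories under /usr/include, by handing configure the versioned include directories through the standard autoconf `CPPFLAGS` variable. The function names are hypothetical, and the script assumes libnfnetlink uses the same nested layout the post shows for libnetfilter_queue.

```shell
#!/bin/sh
# Find headers installed under a versioned include directory
# (e.g. /usr/include/libnetfilter_queue-1.0.2/) and emit -I flags,
# so files owned by the RPM packages stay where the package put them.

# include_flag ROOT HEADER   (hypothetical helper)
# Prints "-I<dir>" for the first directory directly under ROOT that contains
# HEADER. Prints nothing if ROOT/HEADER already resolves on the default path.
# Returns 1 if the header cannot be found at all.
include_flag() {
    root=$1 header=$2
    [ -f "$root/$header" ] && return 0
    for dir in "$root"/*/; do
        dir=${dir%/}
        if [ -f "$dir/$header" ]; then
            printf '%s\n' "-I$dir"
            return 0
        fi
    done
    return 1
}

# daq_cppflags ROOT   (hypothetical helper)
# Collects the flags for the two headers the NFQ check in the post tripped on.
daq_cppflags() {
    root=$1 flags=
    for header in libnetfilter_queue/libnetfilter_queue.h \
                  libnfnetlink/libnfnetlink.h; do
        flag=$(include_flag "$root" "$header") || {
            echo "missing: $header (is the -devel package installed?)" >&2
            return 1
        }
        [ -n "$flag" ] && flags="${flags:+$flags }$flag"
    done
    printf '%s\n' "$flags"
}

# Usage, with the configure options from the post:
#   CPPFLAGS="$(daq_cppflags /usr/include)" \
#     ./configure --enable-nfq-module=yes --prefix=/usr --libdir=/usr/lib64
```

Because the headers are never moved, a later package update or `rpm -V` check will not find files missing from where the package installed them.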