
Error message NFLOG link-layer type filtering not implemented #1224

Open · PenelopeFudd opened this issue Sep 30, 2024 · 2 comments

PenelopeFudd commented Sep 30, 2024

  • This is not a security issue (See first line).

  • Tcpdump and libpcap version (tcpdump --version)

$ tcpdump --version

tcpdump version 4.99.5
libpcap version 1.10.5 (with TPACKET_V3)
OpenSSL 3.2.2 4 Jun 2024
64-bit build, 64-bit time_t
  • Operating system name and version and any other details that may be relevant (uname -a, compiler name and version, CPU type etc.)
    • Ubuntu 22.04, Fedora 40, x86_64
  • Custom configure/cmake flags, if any
    • N/A
  • Statement of the problem
    • I'm trying to use tcpdump to show traffic to/from a specific port or ip on an NFLOG group, and it gives the error message
      • tcpdump: NFLOG link-layer type filtering not implemented
      • These are not link-layer filtering options (e.g. ether host xx:xx:xx:xx:xx:xx)
  • Steps to reproduce
# mkdir                             /sys/fs/cgroup/net_cls 
# mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls

# mkdir              /sys/fs/cgroup/net_cls/tcpdump
# pidof my_program > /sys/fs/cgroup/net_cls/tcpdump/tasks
# echo 0x100001    > /sys/fs/cgroup/net_cls/tcpdump/net_cls.classid

# iptables -A INPUT  -m cgroup --cgroup 0x100001 -j NFLOG --nflog-group 123
# iptables -A OUTPUT -m cgroup --cgroup 0x100001 -j NFLOG --nflog-group 123
# tcpdump -i nflog:123

tcpdump: NFLOG link-layer type filtering not implemented

Comment: It would be hard to implement link-layer type filtering, because packets in the NFLOG queue are divorced from their original interfaces. As it stands, the current code seems to misunderstand what is being requested, and blocks normal connection-layer type filtering under the assumption that it's the link-layer type.

guyharris (Member) commented

The command line tcpdump -i nflog:123 isn't doing any filtering, so I'm not sure why tcpdump is reporting that. I'll have to look at that.

guyharris (Member) commented

I tried it on my 22.04 virtual machine, but couldn't reproduce it.

Make sure you're only typing tcpdump -i nflog:123, with no text after nflog:123.
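The script below is an added reproduction of the setup from the report, written by the editor; it is not the reporter's code and not part of tcpdump or libpcap. It assumes things the page does not state: the host exposes cgroup v1 `net_cls` (CONFIG_CGROUP_NET_CLASSID; cgroup2-only systems have no `net_cls.classid`), the iptables `cgroup` match is available, `timeout`, `mountpoint` and `pidof` are installed, and the filter the reporter actually typed was something like `port 80` (the page shows no filter; that part is a guess). It runs the capture twice, once with no filter as the maintainer asked and once with the assumed transport-layer filter, so the two cases can be compared. Everything except `classid_from_parts` needs root and a Linux netfilter stack.

```shell
#!/bin/sh
# Editor's reproduction script for tcpdump issue #1224 (added example, not
# the reporter's or the project's code). Assumes cgroup v1 net_cls, the
# iptables cgroup match, and that the reporter's filter was "port 80".
set -eu

NFLOG_GROUP=123
CGROUP_ROOT=/sys/fs/cgroup/net_cls
CGROUP_NAME=tcpdump

# net_cls.classid is a 32-bit value written as 0xAAAABBBB: AAAA is the major
# handle, BBBB the minor. The 0x100001 in the report is major 0x10, minor 1.
# Pure function, safe to call unprivileged.
classid_from_parts() {
    printf '0x%x%04x' "$(( $1 ))" "$(( $2 ))"
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
}

# Mount the v1 net_cls hierarchy only if it is not already mounted.
mount_net_cls() {
    if ! mountpoint -q "$CGROUP_ROOT" 2>/dev/null; then
        mkdir -p "$CGROUP_ROOT"
        mount -t cgroup -o net_cls net_cls "$CGROUP_ROOT"
    fi
}

# Tag the cgroup with $2 and move every PID of program $1 into it.
# The report writes `pidof > tasks` directly; that silently does nothing
# when the program is not running, so check for that case explicitly.
classify_program() {
    prog=$1; classid=$2
    pids=$(pidof "$prog") || { echo "no running process named $prog" >&2; exit 1; }
    mkdir -p "$CGROUP_ROOT/$CGROUP_NAME"
    echo "$classid" > "$CGROUP_ROOT/$CGROUP_NAME/net_cls.classid"
    for pid in $pids; do
        echo "$pid" > "$CGROUP_ROOT/$CGROUP_NAME/tasks"
    done
}

# Same two rules as the report, appended to INPUT and OUTPUT.
add_nflog_rules() {
    classid=$1
    for chain in INPUT OUTPUT; do
        iptables -A "$chain" -m cgroup --cgroup "$classid" -j NFLOG --nflog-group "$NFLOG_GROUP"
    done
}

remove_nflog_rules() {
    classid=$1
    for chain in INPUT OUTPUT; do
        iptables -D "$chain" -m cgroup --cgroup "$classid" -j NFLOG --nflog-group "$NFLOG_GROUP" || true
    done
}

# Run the capture with no filter (what the maintainer asked to confirm) and
# with a transport-layer filter (assumed to be what the reporter ran), so the
# error message can be tied to one of the two.
capture() {
    echo "--- no filter ---"
    timeout 5 tcpdump -n -i "nflog:$NFLOG_GROUP" -c 5 || true
    echo "--- with 'port 80' (assumed filter) ---"
    timeout 5 tcpdump -n -i "nflog:$NFLOG_GROUP" -c 5 port 80 || true
}

main() {
    prog=${1:?usage: $0 <program-name>}
    require_root
    classid=$(classid_from_parts 0x10 1)   # 0x100001, as in the report
    mount_net_cls
    classify_program "$prog" "$classid"
    add_nflog_rules "$classid"
    trap 'remove_nflog_rules "$classid"' EXIT
    capture
}

# Only run the privileged part when executed under this file name, so the
# functions can be sourced and tested without root.
case "${0##*/}" in
    repro-nflog.sh) main "$@" ;;
esac
```

Usage: save as `repro-nflog.sh`, then `sudo sh repro-nflog.sh my_program`. The rules are removed on exit; the cgroup mount is left in place. If only the filtered run prints the error, that matches the reporter's description rather than the maintainer's unfiltered test: in libpcap's filter compiler, `port`, `host` and `ip` tests first have to establish that the packet carries an IP header, and for the NFLOG link type that is the step the message refers to, even though nothing link-layer was requested on the command line.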
